RealmJoinIntegration » History » Version 7

Dominic Cleal, 04/02/2014 03:28 PM
merged

h1. Realm Join Integration

h2. Status

*This has been implemented and merged into Foreman 1.5 via #1809*

h2. Intro

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining: updates to DNS can be made via the normal smart proxy route, but for both FreeIPA and AD we require GSS-TSIG support for nsupdate. This was completed for Foreman 1.2 via #1685.

h2. Realm configuration

foreman_realm should add a realm model, associate it with domains, plus everything needed to manage realms.

* model: ForemanRealm::Realm
** associated with domain (one realm to many domains?)
** attribute: realm name
** attribute: proxy id
* controller and views: ForemanRealm::Realms
** index, update, edit, delete realms
* API controller: ForemanRealm::Api::V2::Realms
** index, update, delete realms

This would allow users to add/remove/edit realm information, have it associated with a remote smart proxy instance and associate it with a domain (does this make sense?), which in turn is associated with a host.

A new orchestration hook (which runs when a host is created or destroyed) needs adding, to call the proxy (via Foreman's proxy API) if the associated domain has a realm:

* app/models/foreman_realm/orchestration/realm.rb
** include this into Host::Managed
** calls proxy API to add/remove host from realm
** saves OTP into host.params (key/value attributes) for now, perhaps to a separate model later

The "kickstart templates":https://github.com/theforeman/community-templates would need updating to check for @@host.params["realm-otp"]@ or similar, then run the appropriate join command.
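As an added illustration of the orchestration hook and the OTP hand-off described above (this is not foreman_realm's or Foreman's own code): a plain-Ruby sketch that runs without Rails. The Realm, Domain and Host structs, the FakeRealmProxy standing in for Foreman's proxy API client, and the @realm-otp@ parameter key are all assumptions; Foreman's real orchestration queues set_*/del_* pairs so that a failed step can be rolled back, which is the shape followed here.

```ruby
require 'securerandom'

# Hypothetical stand-ins for the models the plugin would add (the page only
# names ForemanRealm::Realm with its realm-name and proxy-id attributes).
Realm  = Struct.new(:name, :proxy)
Domain = Struct.new(:name, :realm)
Host   = Struct.new(:name, :domain, :params) do
  def fqdn
    "#{name}.#{domain.name}"
  end

  def realm
    domain && domain.realm   # a host is in a realm only through its domain
  end
end

# Fake smart proxy client: records what would be sent to the proxy's realm API
# and hands back a random one-time password, as `ipa host-add --random` does.
class FakeRealmProxy
  attr_reader :hosts

  def initialize
    @hosts = {}
  end

  def create(realm, fqdn, classes)
    raise "host #{fqdn} already exists in #{realm}" if @hosts.key?(fqdn)
    otp = SecureRandom.alphanumeric(12)
    @hosts[fqdn] = { realm: realm, classes: classes, otp: otp }
    otp
  end

  def delete(realm, fqdn)
    @hosts.delete(fqdn) or raise "host #{fqdn} not found in #{realm}"
  end
end

module RealmOrchestration
  OTP_PARAM = 'realm-otp'.freeze   # assumed key the build template reads

  # Host creation: only hosts whose domain has a realm are enrolled.
  def self.queue_realm_create(host, classes: [])
    return :skipped unless host.realm
    set_realm(host, classes)
    :created
  rescue => e
    # Foreman would run the del_* counterpart of every step already done;
    # here nothing was stored yet, so only report the failure.
    warn "realm create failed for #{host.fqdn}: #{e.message}"
    :failed
  end

  # Host destruction (also the rollback of a create).
  def self.queue_realm_destroy(host)
    return :skipped unless host.realm
    del_realm(host)
    :deleted
  end

  def self.set_realm(host, classes)
    otp = host.realm.proxy.create(host.realm.name, host.fqdn, classes)
    host.params[OTP_PARAM] = otp     # kept only until the host has joined
  end

  def self.del_realm(host)
    host.realm.proxy.delete(host.realm.name, host.fqdn)
    host.params.delete(OTP_PARAM)    # the OTP is single use; do not keep it around
  end
end

def demo
  proxy = FakeRealmProxy.new
  realm = Realm.new('EXAMPLE.COM', proxy)
  host  = Host.new('web', Domain.new('example.com', realm), {})
  plain = Host.new('box', Domain.new('other.test', nil), {})   # domain without a realm

  created = RealmOrchestration.queue_realm_create(host, classes: ['webserver'])
  otp     = host.params[RealmOrchestration::OTP_PARAM]
  dup     = RealmOrchestration.queue_realm_create(host)         # proxy rejects a second create
  skipped = RealmOrchestration.queue_realm_create(plain)
  deleted = RealmOrchestration.queue_realm_destroy(host)
  { created: created, otp: otp, dup: dup, skipped: skipped, deleted: deleted,
    remaining: proxy.hosts.size, params_after: host.params }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the @set_realm@/@del_realm@ split is that a later orchestration step failing (DNS, DHCP) can call @del_realm@ to remove the half-created host object again, so no orphaned computer accounts with live OTPs accumulate in the realm.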

To support classes and hostgroups in IPA (see below), additional attributes could be added to Foreman's host groups (or whatever replaces them) to define the IPA classes that the host would be created with.

Guy Matz has implemented the orchestration and proxy API bit of this OK: https://github.com/guymatz/foreman/compare/develop...1809-add_IPA_support. I'm not sure about the controllers and associating realms directly to hosts - needs some thought, perhaps associating with a domain isn't correct either.

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains). As an example:

* POST @/realm/:domain/:hostname@
** param: classes, array of classes to apply to host
* DELETE @/realm/:domain/:hostname@

(http://projects.theforeman.org/projects/smart-proxy/wiki/API)

It should advertise the "Realm" API feature. Foreman core's proxy API and smart proxy model will need updating to understand this new feature.

Guy Matz has implemented much of this already, complete with vendor/provider support so IPA and other implementations can be swapped: https://github.com/guymatz/smart-proxy/compare/develop...1809-add_IPA_support

h4. FreeIPA

For FreeIPA, this can either call the @ipa host-add@ command or the XML-RPC API that backs it. Here's an example of creating a user with minimal privileges that can create new hosts:

<pre>
# kinit admin
# ipa user-add --first=Host --last=Adder hadder

# ipa privilege-add "Add computers" --desc="Add computers"
# ipa privilege-add-permission "Add computers" --permissions="add hosts"

# ipa role-add "Host Adder" --desc="Can add new hosts"
# ipa role-add-privilege "Host Adder" --privilege="Add computers"
# ipa role-add-member "Host Adder" --user=hadder

# ipa-getkeytab -s `hostname` -p hadder@IDM.LAB.BOS.REDHAT.COM -k /root/hadder.keytab
# kinit -kt /root/hadder.keytab hadder@IDM.LAB.BOS.REDHAT.COM
# klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt3GbmCZ
Default principal: hadder@IDM.LAB.BOS.REDHAT.COM    <<<<<

Valid starting       Expires              Service principal
06/14/2013 21:54:06  06/15/2013 21:54:06
krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
</pre>

The system user is now privileged to add hosts to IPA:

<pre>
# ipa host-add random.host.test --random --force
-----------------------------
Added host "random.host.test"
-----------------------------
  Host name: random.host.test
  Random password: K8-5rr0U8vL,
  Password: True
  Keytab: False
  Managed by: random.host.test
</pre>

It is unable to perform other administrative tasks, as expected:

<pre>
# ipa host-mod random.host.test --desc=foo
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'description' attribute of entry
'fqdn=random.host.test,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
</pre>
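As an added example covering both the proxy API sketched under "Proxy support" and the @ipa host-add@ call above (this is not the smart-proxy's or Guy Matz's branch's code): a dependency-free Ruby version of the @POST@/@DELETE /realm/:domain/:hostname@ routes with a swappable provider. The real proxy is a Sinatra app; the router, the @randompassword@ response key, the @IpaProvider@ class and its @runner@ hook are assumptions, and the @ipa host-add@ output it parses is constructed to match the transcript on this page so the example runs offline. Because the hostname and class names end up as arguments to a privileged command, the proxy validates them against DNS-label syntax and never builds a shell string.

```ruby
# Hostnames and classes reach `ipa` as command arguments, so accept only
# DNS-label syntax and pass an argv array (no shell interpolation).
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i
CLASS_RE    = /\A[\w-]+\z/

# Provider for FreeIPA (assumed interface): builds the argv for `ipa host-add`
# and extracts the one-time password from the command's output.
class IpaProvider
  # runner: a callable taking an argv array and returning the command's stdout
  def initialize(runner)
    @runner = runner
  end

  def add_host(fqdn, classes)
    argv = ['ipa', 'host-add', fqdn, '--random', '--force'] + classes.map { |c| "--class=#{c}" }
    out  = @runner.call(argv)
    out[/^\s*Random password:\s*(\S+)/, 1] or raise "no random password in ipa output"
  end

  def del_host(fqdn)
    @runner.call(['ipa', 'host-del', fqdn])
    true
  end
end

# Minimal router for the two realm routes; returns [status, body] as a
# Rack/Sinatra handler would.
class RealmApi
  ROUTE = %r{\A/realm/([^/]+)/([^/]+)\z}

  def initialize(provider)
    @provider = provider
  end

  def call(method, path, params = {})
    m = ROUTE.match(path) or return [404, { 'error' => 'not found' }]
    fqdn = "#{m[2]}.#{m[1]}"
    return [400, { 'error' => "invalid hostname #{fqdn.inspect}" }] unless HOSTNAME_RE.match?(fqdn)

    case method
    when 'POST'
      classes = Array(params['classes'])
      bad = classes.reject { |c| CLASS_RE.match?(c.to_s) }
      return [400, { 'error' => "invalid class names #{bad.inspect}" }] unless bad.empty?
      [200, { 'randompassword' => @provider.add_host(fqdn, classes) }]
    when 'DELETE'
      @provider.del_host(fqdn)
      [200, {}]
    else
      [405, { 'error' => 'method not allowed' }]
    end
  rescue => e
    [500, { 'error' => e.message }]   # never leak a stack trace to the caller
  end
end

# Constructed `ipa host-add` output, shaped like the transcript on this page.
SAMPLE_IPA_OUTPUT = <<~OUT
  -----------------------------
  Added host "web.example.com"
  -----------------------------
    Host name: web.example.com
    Random password: K8-5rr0U8vL,
    Password: True
    Keytab: False
    Managed by: web.example.com
OUT

# Offline stand-in for running the ipa CLI: records every argv it is given.
def fake_runner
  calls  = []
  runner = lambda do |argv|
    calls << argv
    argv[1] == 'host-add' ? SAMPLE_IPA_OUTPUT : ''
  end
  [runner, calls]
end

def demo
  runner, calls = fake_runner
  api = RealmApi.new(IpaProvider.new(runner))
  ok        = api.call('POST',   '/realm/example.com/web', { 'classes' => ['webserver'] })
  bad_host  = api.call('POST',   '/realm/example.com/web;id')                        # rejected before any command runs
  bad_class = api.call('POST',   '/realm/example.com/web', { 'classes' => ['mail server'] })
  gone      = api.call('DELETE', '/realm/example.com/web')
  miss      = api.call('GET',    '/nope')
  { ok: ok, bad_host: bad_host, bad_class: bad_class, gone: gone, miss: miss, calls: calls }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Swapping @IpaProvider@ for an AD provider (adcli, see below) only changes how @add_host@/@del_host@ are implemented; the validation and the response shape stay in the router, so every backend gets the same input checks.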

As a later step, classes can be assigned to hosts in IPA that associate them with IPA hostgroups (not to be confused with Foreman host groups).

The attribute is called "userClass" in IPA LDAP; it is available by default on host entries via the "--class" option. This is how it works:

1. Create a hostgroup, to demonstrate how the automatic assignment of hosts to host groups works:

<pre>
# ipa hostgroup-add webservers
Description: web servers
----------------------------
Added hostgroup "webservers"
----------------------------
  Host-group: webservers
  Description: web servers
</pre>

2. Create an automember rule for this hostgroup:

<pre>
# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers"
----------------------------------
  Automember Rule: webservers
</pre>

3. The automember condition is hooked to the host's userclass attribute:

<pre>
# ipa automember-add-condition --key=userclass --type=hostgroup \
    --inclusive-regex=^webserver webservers
----------------------------------
Added condition(s) to "webservers"
----------------------------------
  Automember Rule: webservers
  Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
</pre>

Steps 1, 2 and 3 need to be done just once, when IPA is being configured.

4. Now this is the best part. When the Foreman proxy adds a host, it can specify the host class, which will automatically trigger:

<pre>
# ipa host-add web.example.com --force --class=webserver --class=mailserver
----------------------------
Added host "web.example.com"
----------------------------
  Host name: web.example.com
  Principal name: host/web.example.com@EXAMPLE.COM
  Class: webserver, mailserver                    <<<<<<<<<<
  Password: False
  Member of host-groups: webservers               <<<<<<<<<<
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web.example.com
</pre>

You can have more of these rules in parallel.

h4. Active Directory

For AD, adcli can be used (available in F18+):
* http://fedoraproject.org/wiki/Features/ActiveDirectory
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy. The OTP used when creating should be stored.

h2. Joining hosts

foreman_realm could add a new %post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.
* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For new anacondas, we could use this instead (maybe a second snippet):
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older releases (EL5/6/F18), it should also support the ipa* client tools, as realm is only just getting FreeIPA support:
* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport

Example: @ipa-client-install --password K8-5rr0U8vL,@