RealmJoinIntegration » History » Version 7
Dominic Cleal, 04/02/2014 03:28 PM
merged
h1. Realm Join Integration

h2. Status

*This has been implemented and merged into Foreman 1.5 via #1809*

h2. Intro

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining. Updates to DNS can be made via the normal smart proxy route; however, for both FreeIPA and AD we require GSS-TSIG support for nsupdate. This was completed for Foreman 1.2 via #1685.

h2. Realm configuration

foreman_realm should add a realm model, associate realms with domains, and provide everything needed to manage them.

* model: ForemanRealm::Realm
** associated with domain (one realm to many domains?)
** attribute: realm name
** attribute: proxy id
* controller and views: ForemanRealm::Realms
** index, update, edit, delete realms
* API controller: ForemanRealm::Api::V2::Realms
** index, update, delete realms

This would allow users to add/remove/edit realm information, have it associated with a remote smart proxy instance and associate it with a domain (does this make sense?), which in turn is associated with a host.

A new orchestration hook (which runs when a host is created/destroyed) needs adding to call the proxy (via Foreman's proxy API) if the associated domain has a realm:

* app/models/foreman_realm/orchestration/realm.rb
** include this into Host::Managed
** calls proxy API to add/remove host from realm
** saves OTP into host.params (key/value attributes) for now, perhaps to a separate model later

The "kickstart templates":https://github.com/theforeman/community-templates would need updating to check for @@host.params["realm-otp"]@ or similar, then run the appropriate join command.

To support classes and hostgroups in IPA (see below), additional attributes could be added to Foreman's host groups (or whatever they get replaced with) to define the IPA classes that the host would have when created.

Guy Matz has implemented the orchestration and proxy API bit of this OK: https://github.com/guymatz/foreman/compare/develop...1809-add_IPA_support. I'm not sure about the controllers and associating realms directly to hosts - needs some thought, perhaps associating with a domain isn't correct either.
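The orchestration hook sketched above, as an added example that is neither Foreman's nor foreman_realm's code: Foreman's orchestration queues action/rollback pairs and unwinds them when a later step fails, and this toy models that with a plain array so the realm step can be run offline. The @Realm@/@Domain@ structs, @FakeRealmProxy@, @set_realm@/@del_realm@ and the stand-in DNS step are assumptions made for the example; the point it shows is that a failed build must not leave a joinable host entry (and its OTP) behind.

```ruby
require 'securerandom'

# Added example, not Foreman's or foreman_realm's code. Names below are assumptions.
Realm  = Struct.new(:name, :proxy)   # proxy responds to add/delete
Domain = Struct.new(:name, :realm)   # realm is nil for unjoined domains

# Stand-in for the smart proxy's Realm API: records calls and hands back a
# fresh OTP for every host it "creates" (no real IPA involved).
class FakeRealmProxy
  attr_reader :calls

  def initialize
    @calls = []
    @hosts = {}
  end

  def add(realm, fqdn, classes)
    @calls << [:add, realm, fqdn, classes]
    @hosts[fqdn] = SecureRandom.hex(6)
  end

  def delete(realm, fqdn)
    @calls << [:delete, realm, fqdn]
    !@hosts.delete(fqdn).nil?
  end

  def registered?(fqdn)
    @hosts.key?(fqdn)
  end
end

# The hook: only hosts whose domain has a realm get a realm step queued.
module RealmOrchestration
  def realm?
    !(domain && domain.realm).nil?
  end

  def queue_realm_create(queue)
    queue << [:set_realm, :del_realm] if realm?
  end

  def queue_realm_destroy(queue)
    queue << [:del_realm, nil] if realm?
  end

  def set_realm
    otp = domain.realm.proxy.add(domain.realm.name, fqdn, realm_classes)
    params['realm-otp'] = otp   # read later by the kickstart %post snippet
    true
  end

  def del_realm
    params.delete('realm-otp')
    domain.realm.proxy.delete(domain.realm.name, fqdn)
  end
end

class Host
  include RealmOrchestration
  attr_reader :fqdn, :domain, :params, :realm_classes

  def initialize(fqdn, domain, classes: [], dns_ok: true)
    @fqdn, @domain, @realm_classes, @dns_ok = fqdn, domain, classes, dns_ok
    @params = {}
  end

  # Stand-in for the DNS step that runs after the realm step; it can be made
  # to fail so the rollback path is exercised.
  def set_dns
    raise 'nsupdate failed' unless @dns_ok
    true
  end

  def del_dns
    true
  end

  # Runs [action, rollback] pairs in order. If one raises, the rollbacks of the
  # steps that already ran are invoked in reverse, so the IPA host entry and
  # its OTP are removed again when the build fails part-way.
  def run(queue)
    done = []
    queue.each do |action, rollback|
      begin
        send(action)
        done << rollback
      rescue StandardError => e
        warn "#{action} failed for #{fqdn}: #{e.message}; rolling back"
        done.compact.reverse_each { |rb| send(rb) }
        return false
      end
    end
    true
  end

  def create
    queue = []
    queue_realm_create(queue)
    queue << [:set_dns, :del_dns]
    run(queue)
  end

  def destroy
    queue = []
    queue_realm_destroy(queue)
    run(queue)
  end
end
```

Hosts in a domain without a realm never touch the proxy, and destroying a host removes its realm entry so no stale host principal is left in IPA.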

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains). As an example:

* POST @/realm/:domain/:hostname@
** param: classes, array of classes to apply to the host
* DELETE @/realm/:domain/:hostname@

(http://projects.theforeman.org/projects/smart-proxy/wiki/API)

It should advertise the "Realm" API feature. Foreman core's proxy API and smart proxy model will need updating to understand this new feature.

Guy Matz has implemented much of this already, complete with vendor/provider support so IPA and other implementations can be swapped: https://github.com/guymatz/smart-proxy/compare/develop...1809-add_IPA_support
h4. FreeIPA

For FreeIPA, this can either call the @ipa host-add@ command or the XML-RPC API that backs it. Here's an example of creating a user with minimal privileges that can create new hosts:

<pre>
# kinit admin
# ipa user-add --first=Host --last=Adder hadder

# ipa privilege-add "Add computers" --desc="Add computers"
# ipa privilege-add-permission "Add computers" --permissions="add hosts"

# ipa role-add "Host Adder" --desc="Can add new hosts"
# ipa role-add-privilege "Host Adder" --privilege="Add computers"
# ipa role-add-member "Host Adder" --user=hadder

# ipa-getkeytab -s `hostname` -p hadder@IDM.LAB.BOS.REDHAT.COM -k /root/hadder.keytab
# kinit -kt /root/hadder.keytab hadder@IDM.LAB.BOS.REDHAT.COM
# klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt3GbmCZ
Default principal: hadder@IDM.LAB.BOS.REDHAT.COM <<<<<

Valid starting       Expires              Service principal
06/14/2013 21:54:06  06/15/2013 21:54:06  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
</pre>

Note that @ipa-getkeytab@ generates a new Kerberos key for the principal, which invalidates the password set for @hadder@ and any earlier keytab; that is what you want for a service account, but don't run it against a principal whose password is still in use. Protect the resulting keytab like any other credential (root-only, on the proxy host only).
The system user is now privileged to add hosts to IPA:

<pre>
# ipa host-add random.host.test --random --force
-----------------------------
Added host "random.host.test"
-----------------------------
  Host name: random.host.test
  Random password: K8-5rr0U8vL,
  Password: True
  Keytab: False
  Managed by: random.host.test
</pre>

It is unable to perform other administrative tasks, as expected:

<pre>
# ipa host-mod random.host.test --desc=foo
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'fqdn=random.host.test,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
</pre>
||
107 | |||
108 | As a later step, classes can be assigned to hosts in IPA that associate it with hostgroups (not to be confused with Foreman host groups). |
||
109 | |||
110 | The attribute is called "userClass" in IPA LDAP, it is available by default with host entries under "--class" option. This is how it works: |
||
111 | |||
112 | 1. We create a hostgroups to demonstrate how the automatic assignment of hosts to host groups works |
||
113 | |||
114 | <pre> |
||
115 | # ipa hostgroup-add webservers |
||
116 | Description: web servers |
||
117 | ---------------------------- |
||
118 | Added hostgroup "webservers" |
||
119 | ---------------------------- |
||
120 | Host-group: webservers |
||
121 | Description: web servers |
||
122 | </pre> |
||
123 | |||
124 | 2. Create an automember rule for this hostgroup |
||
125 | |||
126 | <pre> |
||
127 | # ipa automember-add --type=hostgroup webservers |
||
128 | ---------------------------------- |
||
129 | Added automember rule "webservers" |
||
130 | ---------------------------------- |
||
131 | Automember Rule: webservers |
||
132 | </pre> |
||
133 | |||
134 | 3. The automember condition is hooked to the host's userclass attribute |
||
135 | |||
136 | <pre> |
||
137 | # ipa automember-add-condition --key=userclass --type=hostgroup |
||
138 | --inclusive-regex=^webserver webservers |
||
139 | ---------------------------------- |
||
140 | Added condition(s) to "webservers" |
||
141 | ---------------------------------- |
||
142 | Automember Rule: webservers |
||
143 | Inclusive Regex: userclass=^webserver |
||
144 | ---------------------------- |
||
145 | Number of conditions added 1 |
||
146 | ---------------------------- |
||
147 | </pre> |
||
148 | |||
149 | Steps 1, 2 and 3 need to be done just once when the IPA is being configured. |
||

4. Now the best part: when the Foreman proxy adds a host it can specify the host class, which automatically triggers the automember rule:

<pre>
# ipa host-add web.example.com --force --class=webserver --class=mailserver
----------------------------
Added host "web.example.com"
----------------------------
  Host name: web.example.com
  Principal name: host/web.example.com@EXAMPLE.COM
  Class: webserver, mailserver <<<<<<<<<<
  Password: False
  Member of host-groups: webservers <<<<<<<<<<
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web.example.com
</pre>

You can have several of these rules in parallel. Note that the inclusive regex above is only anchored at the start, so a class such as @webserver-staging@ would also land in the @webservers@ group; anchor both ends (@^webserver$@) if membership should be exact.
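The proxy-side half of the sketch (the Realm API above dispatching to @ipa host-add@, including the @--class@ handling from steps 1-4), as an added example that is not smart-proxy's or Guy Matz's code: a minimal FreeIPA provider that builds the argv shown on this page, parses the one-time password out of the command's output and validates the caller-supplied hostname and classes before they reach the command line. The @RealmProvider::FreeIPA@ class, its method names and the injectable runner are assumptions; the canned output is the @ipa host-add@ output from this page.

```ruby
require 'open3'

# Added example, not smart-proxy code. Class and method names are assumptions.
module RealmProvider
  class FreeIPA
    # Hostname and classes arrive from the API caller, so they are checked
    # against a strict shape and passed as an argv array, never a shell string.
    FQDN_RE  = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+\z/i
    CLASS_RE = /\A[a-z0-9_-]+\z/i

    # run: callable taking an argv array and returning [output, success?]
    def initialize(run: nil)
      @run = run || method(:run_ipa)
    end

    # `ipa host-add <fqdn> --random --force [--class=X ...]`, as on this page.
    def add_argv(fqdn, classes = [])
      validate!(fqdn, classes)
      ['ipa', 'host-add', fqdn, '--random', '--force'] + classes.map { |c| "--class=#{c}" }
    end

    def del_argv(fqdn)
      validate!(fqdn, [])
      ['ipa', 'host-del', fqdn]
    end

    # Creates the host entry and returns its OTP for Foreman to store.
    def add(fqdn, classes = [])
      out, ok = @run.call(add_argv(fqdn, classes))
      raise "ipa host-add #{fqdn} failed: #{out.strip}" unless ok
      parse_otp(out) or raise "no 'Random password' in ipa output for #{fqdn}"
    end

    def delete(fqdn)
      _out, ok = @run.call(del_argv(fqdn))
      ok
    end

    # Takes everything after the label up to end of line: IPA's random
    # passwords carry punctuation (the sample on this page ends in a comma).
    def parse_otp(output)
      m = output.match(/^\s*Random password:\s*(\S+)\s*$/)
      m && m[1]
    end

    private

    def validate!(fqdn, classes)
      raise ArgumentError, "bad hostname #{fqdn.inspect}" unless fqdn.is_a?(String) && fqdn.match?(FQDN_RE)
      bad = classes.reject { |c| c.is_a?(String) && c.match?(CLASS_RE) }
      raise ArgumentError, "bad class name(s) #{bad.inspect}" unless bad.empty?
    end

    def run_ipa(argv)
      out, err, status = Open3.capture3(*argv)
      [out + err, status.success?]
    end
  end
end

# Output copied from the `ipa host-add random.host.test --random --force` run
# shown on this page, used as a canned response so the example runs offline.
SAMPLE_HOST_ADD_OUTPUT = <<~OUT
  -----------------------------
  Added host "random.host.test"
  -----------------------------
    Host name: random.host.test
    Random password: K8-5rr0U8vL,
    Password: True
    Keytab: False
    Managed by: random.host.test
OUT

if __FILE__ == $PROGRAM_NAME
  canned = ->(argv) { [argv[1] == 'host-add' ? SAMPLE_HOST_ADD_OUTPUT : '', true] }
  ipa = RealmProvider::FreeIPA.new(run: canned)
  puts ipa.add('web.example.com', %w[webserver mailserver])   # K8-5rr0U8vL,
end
```

The real provider runs under the @hadder@ keytab from the previous section; with the runner injected, the parsing and validation can be tested without an IPA server.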

h4. Active Directory

For AD, adcli can be used (available in F18+):
* http://fedoraproject.org/wiki/Features/ActiveDirectory
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy. The OTP used when creating should be stored.

h2. Joining hosts

foreman_realm could add a new %post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.
* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For newer anacondas, we could use this instead (maybe a second snippet):
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older releases (EL5/6/F18), it should also support the ipa* client tools, as realm is only just getting FreeIPA support:
* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport

Example: @ipa-client-install --password K8-5rr0U8vL,@
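The %post snippet described in this section, as an added example that is not from the community-templates repository: an ERB fragment rendered with Ruby's stdlib ERB (Foreman templates are ERB, so the @@host.params["realm-otp"]@ check reads the same way). It emits a join command only when the orchestration step stored an OTP, picks @realm join@ or @ipa-client-install@ by OS, and shell-escapes the OTP because the rendered text becomes a shell script. The @KsHost@ attributes, the helper names and the realmd cut-off (Fedora 18+, EL 7+) are assumptions for the example.

```ruby
require 'erb'
require 'shellwords'

# Added example, not a community-templates snippet. Host shape is an assumption.
KsHost = Struct.new(:fqdn, :domain, :realm_name, :os_name, :os_major, :params)

# The fragment a foreman_realm %post snippet could contain. Nothing is emitted
# unless Foreman stored an OTP for this host, so unjoined hosts stay untouched.
REALM_JOIN_SNIPPET = <<~'ERB'
  <% otp = @host.params["realm-otp"] -%>
  <% if otp -%>
  # Join <%= @host.realm_name %> with the one-time password issued by Foreman
  <% if realmd_available?(@host) -%>
  realm join --unattended --one-time-password=<%= sh(otp) %> <%= @host.realm_name %>
  <% else -%>
  ipa-client-install --unattended --realm=<%= @host.realm_name %> --domain=<%= @host.domain %> --hostname=<%= @host.fqdn %> --password=<%= sh(otp) %>
  <% end -%>
  <% end -%>
ERB

# Rendering scope: @host plus the helpers the template calls.
class KsScope
  def initialize(host)
    @host = host
  end

  # Assumed cut-off: realmd with FreeIPA support on Fedora 18+ and EL 7+;
  # EL5/6 fall back to ipa-client-install, as the page suggests.
  def realmd_available?(host)
    host.os_name == 'Fedora' ? host.os_major >= 18 : host.os_major >= 7
  end

  # The OTP is spliced into a shell script, so escape it: IPA's random
  # passwords carry punctuation (the sample on this page ends in a comma).
  def sh(value)
    Shellwords.escape(value)
  end

  def render(source)
    ERB.new(source, trim_mode: '-').result(binding)
  end
end

def render_realm_join(host)
  KsScope.new(host).render(REALM_JOIN_SNIPPET)
end
```

Rendering the EL6 host from this page's examples yields the @ipa-client-install --unattended ... --password=K8-5rr0U8vL,@ line; a Fedora 19 host gets @realm join --one-time-password=...@ instead, and a host with no OTP renders to nothing.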