feat(spnego): add ha support with kerberos

playbooks/ranger_kerberos_install.yml

@@ -13,6 +13,17 @@
         name: tosit.tdp.ranger.admin
         tasks_from: kerberos
     - ansible.builtin.meta: clear_facts # noqa unnamed-task
+- name: Kerberos Ranger Admin HA install
+  hosts: spnego_ha
+  strategy: linear
+  tasks:
+    - tosit.tdp.resolve: # noqa unnamed-task
+        node_name: ranger_kerberos
+    - name: Install Ranger Admin Kerberos
+      ansible.builtin.import_role:
+        name: tosit.tdp.ranger.admin
+        tasks_from: kerberos-spnego-ha
+    - ansible.builtin.meta: clear_facts # noqa unnamed-task
 - name: Kerberos Ranger UserSync install
   hosts: ranger_usersync
   strategy: linear

roles/ranger/admin/tasks/kerberos-spnego-ha.yml

@@ -0,0 +1,27 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Ensure HTTP HA spnego user's principal and keytab exist
+  ansible.builtin.import_role:
+    name: tosit.tdp.utils.kerberos
+    tasks_from: create_headless_principal_keytab
+  vars:
+    principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
+    keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
+    user: root
+    group: "{{ hadoop_group }}"
+    mode: "0640"
+  when: ranger_ha_address is defined
+
+- name: Ensure HA HTTP spnego's keytab is working
+  ansible.builtin.import_role:
+    name: tosit.tdp.utils.kerberos
+    tasks_from: check_secure_keytab
+  vars:
+    principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
+    keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
+    user: root
+    group: "{{ hadoop_group }}"
+    mode: "0640"
+  when: ranger_ha_address is defined

roles/ranger/admin/tasks/kerberos.yml

@@ -43,18 +43,6 @@
         group: "{{ hadoop_group }}"
         mode: "0640"
 
-    - name: Ensure HTTP HA spnego user's principal and keytab exist
-      ansible.builtin.import_role:
-        name: tosit.tdp.utils.kerberos
-        tasks_from: create_headless_principal_keytab
-      vars:
-        principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
-        keytab: ranger-ha.service.keytab
-        user: root
-        group: "{{ hadoop_group }}"
-        mode: "0640"
-      when: ranger_ha_address is defined
-
 - name: Ranger Admin keytabs check
   when: not krb_create_principals_keytabs
   block:
@@ -91,15 +79,3 @@
         group: "{{ hadoop_group }}"
         mode: "0640"
       when: not krb_create_principals_keytabs
-
-    - name: Ensure HA HTTP spnego's keytab is working
-      ansible.builtin.import_role:
-        name: tosit.tdp.utils.kerberos
-        tasks_from: check_secure_keytab
-      vars:
-        principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
-        keytab: ranger-ha.service.keytab
-        user: root
-        group: "{{ hadoop_group }}"
-        mode: "0640"
-      when: ranger_ha_address is defined

roles/ranger/common/templates/install.properties.j2

@@ -195,7 +195,7 @@ xa_ldap_ad_userSearchFilter=
 
 #------------ Kerberos Config -----------------
 spnego_principal=HTTP/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}{% else %}{{ ansible_fqdn }}{% endif %}@{{ realm }}
-spnego_keytab=/etc/security/keytabs/{% if ranger_ha_address is defined %}ranger-ha.service.keytab{% else %}spnego.service.keytab{% endif %} 
+spnego_keytab=/etc/security/keytabs/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab{% else %}spnego.service.keytab{% endif %}
 token_valid=30
 cookie_domain=
 cookie_path=/

topology.ini

@@ -111,6 +111,9 @@ edge
 [knox:children]
 edge
 
+[spnego_ha:children]
+ranger_admin
+
 # Section Postgresql_client from tdp_prerequisites 
 [postgresql_client:children]
 ranger_admin