diff --git a/playbooks/ranger_kerberos_install.yml b/playbooks/ranger_kerberos_install.yml
index 3ac85cd7..590b5a91 100644
--- a/playbooks/ranger_kerberos_install.yml
+++ b/playbooks/ranger_kerberos_install.yml
@@ -13,6 +13,17 @@
 name: tosit.tdp.ranger.admin
 tasks_from: kerberos
 - ansible.builtin.meta: clear_facts # noqa unnamed-task
+- name: Kerberos Ranger Admin HA install
+ hosts: spnego_ha
+ strategy: linear
+ tasks:
+ - tosit.tdp.resolve: # noqa unnamed-task
+ node_name: ranger_kerberos
+ - name: Install Ranger Admin Kerberos
+ ansible.builtin.import_role:
+ name: tosit.tdp.ranger.admin
+ tasks_from: kerberos-spnego-ha
+ - ansible.builtin.meta: clear_facts # noqa unnamed-task
 - name: Kerberos Ranger UserSync install
 hosts: ranger_usersync
 strategy: linear
diff --git a/roles/ranger/admin/tasks/kerberos-spnego-ha.yml b/roles/ranger/admin/tasks/kerberos-spnego-ha.yml
new file mode 100644
index 00000000..9f59d3a6
--- /dev/null
+++ b/roles/ranger/admin/tasks/kerberos-spnego-ha.yml
@@ -0,0 +1,27 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: Ensure HTTP HA spnego user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_headless_principal_keytab
+ vars:
+ principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
+ keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
+ user: root
+ group: "{{ hadoop_group }}"
+ mode: "0640"
+ when: ranger_ha_address is defined
+
+- name: Ensure HA HTTP spnego's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
+ keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
+ user: root
+ group: "{{ hadoop_group }}"
+ mode: "0640"
+ when: ranger_ha_address is defined
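Review bot: The new play targets `spnego_ha`, which topology.ini in this same commit defines as `[spnego_ha:children]` over `ranger_admin`, so `create_headless_principal_keytab` runs independently on every Ranger Admin host for the single shared principal `HTTP/<ha-hostname>`. If that helper re-exports the keytab on each host, the second export can bump the key version and silently invalidate the keytab already written to the first host; the helper's behaviour is not visible in this diff, so confirm it is idempotent for a principal shared across hosts, or export once (`run_once: true` on the create task) and distribute the file to the other members. The play itself is unconditional while every imported task is gated on `ranger_ha_address is defined`, which is fine for `import_role` but worth a one-line comment above the play, e.g. `# No-op unless ranger_ha_address is set; see roles/ranger/admin/tasks/kerberos-spnego-ha.yml`.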
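Review bot: Both tasks derive the principal and the keytab file name from `ranger_ha_address | urlsplit("hostname")` but only check `ranger_ha_address is defined`; a value with no parseable host yields `HTTP/` as the principal and `.service.keytab` as the file name, and the helper would create them as-is. An `ansible.builtin.assert` ahead of the first task, e.g. `that: ranger_ha_address | urlsplit("hostname") | default("", true) | length > 0` with a `fail_msg`, turns that into an early, explicit failure. The same expression is repeated four times in the file; computing it once in a `vars:` block at the top (or a role default) and referencing that variable keeps the principal and the keytab name from drifting apart. A short header comment saying this file is imported by the `spnego_ha` play rather than by the per-host `kerberos.yml` would also help the next reader.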
diff --git a/roles/ranger/admin/tasks/kerberos.yml b/roles/ranger/admin/tasks/kerberos.yml index 8aacb371..a2ba8c15 100644 --- a/roles/ranger/admin/tasks/kerberos.yml +++ b/roles/ranger/admin/tasks/kerberos.yml @@ -43,18 +43,6 @@ group: "{{ hadoop_group }}" mode: "0640" - - name: Ensure HTTP HA spnego user's principal and keytab exist - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: create_headless_principal_keytab - vars: - principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }} - keytab: ranger-ha.service.keytab - user: root - group: "{{ hadoop_group }}" - mode: "0640" - when: ranger_ha_address is defined - - name: Ranger Admin keytabs check when: not krb_create_principals_keytabs block: @@ -91,15 +79,3 @@ group: "{{ hadoop_group }}" mode: "0640" when: not krb_create_principals_keytabs - - - name: Ensure HA HTTP spnego's keytab is working - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: check_secure_keytab - vars: - principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }} - keytab: ranger-ha.service.keytab - user: root - group: "{{ hadoop_group }}" - mode: "0640" - when: ranger_ha_address is defined diff --git a/roles/ranger/common/templates/install.properties.j2 b/roles/ranger/common/templates/install.properties.j2 index 4f5b0e5e..6e4bde4e 100644 --- a/roles/ranger/common/templates/install.properties.j2 +++ b/roles/ranger/common/templates/install.properties.j2 
@@ -195,7 +195,7 @@ xa_ldap_ad_userSearchFilter=
 #------------ Kerberos Config -----------------
 spnego_principal=HTTP/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}{% else %}{{ ansible_fqdn }}{% endif %}@{{ realm }}
-spnego_keytab=/etc/security/keytabs/{% if ranger_ha_address is defined %}ranger-ha.service.keytab{% else %}spnego.service.keytab{% endif %}
+spnego_keytab=/etc/security/keytabs/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab{% else %}spnego.service.keytab{% endif %}
 token_valid=30
 cookie_domain=
 cookie_path=/
diff --git a/topology.ini b/topology.ini
index 1d5c4f56..709ee77d 100644
--- a/topology.ini
+++ b/topology.ini
@@ -111,6 +111,9 @@ edge
 [knox:children]
 edge
+[spnego_ha:children]
+ranger_admin
+
 # Section Postgresql_client from tdp_prerequisites
 [postgresql_client:children]
 ranger_admin
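Review bot: The HA keytab name `{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab` on the `spnego_keytab` line now has to match byte-for-byte the `keytab` value passed in `kerberos-spnego-ha.yml`, and the directory `/etc/security/keytabs/` is hard-coded here while the task file passes only a basename; that the helper writes to that directory is inferred, not shown in this diff. Defining the file name once in a role variable and using it both in the tasks and in this template removes the duplication and the drift risk. A trailing comment on the line, e.g. `# must match the keytab written by tasks/kerberos-spnego-ha.yml`, would at least document the coupling if the variable is not introduced.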
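Review bot: `[spnego_ha:children]` is a bare alias of `ranger_admin` with no explanation of its purpose, unlike the neighbouring `# Section Postgresql_client from tdp_prerequisites`. A comment above it such as `# Hosts serving the Ranger Admin HA address; each gets the shared HTTP/<ha-hostname> spnego keytab` would make the intent clear and warn that adding a child group here widens where that keytab is created and stored.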