From 8c2dccad6652a535a6c549a2c4133afd9eb251ed Mon Sep 17 00:00:00 2001 From: Stonewall Jackson Date: Mon, 13 Feb 2023 20:05:25 -0500 Subject: add docs --- roles/gssproxy_client/README.md | 50 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 roles/gssproxy_client/README.md (limited to 'roles/gssproxy_client') diff --git a/roles/gssproxy_client/README.md b/roles/gssproxy_client/README.md new file mode 100644 index 0000000..777664e --- /dev/null +++ b/roles/gssproxy_client/README.md 
@@ -0,0 +1,50 @@ +Gssproxy Client +=============== + +Description +----------- + +The `gssproxy_client` role configures a [gssproxy](https://github.com/gssapi/gssproxy) +service. `gssproxy` is a privileged middleware daemon that keeps track of +Kerberos keytabs and credential caches on behalf of unprivileged applications. + +When an application needs a keytab (either to provide Kerberized services or +act as a Kerberos client), we prefer to use `gssproxy` rather than give the +application direct access to the keytab. `gssproxy` provides an extra layer of +security by allowing applications to use the keytab for authentication without +reading its contents. + +Variables +--------- + +This role **accepts** the following variables: + +Variable | Default | Description +-------------------------|---------|------------ +`gssproxy_name` |   | Config file name +`gssproxy_priority` | 50 | Config file priority +`gssproxy_section` |   | INI section name within config file +`gssproxy_client_keytab` |   | Path to client keytab +`gssproxy_keytab` |   | Path to acceptor keytab +`gssproxy_euid` |   | For client processes, match the given effective UID +`gssproxy_program` |   | For client processes, match the given executable +`gssproxy_cred_usage` | both | Either `accept`, `initiate`, or `both` + + +Usage +----- + +Example task: + +````yaml +- name: configure gssproxy for kerberized HTTP + include_role: + name: gssproxy_client + vars: + gssproxy_name: httpd + gssproxy_section: service/HTTP + gssproxy_keytab: /var/lib/gssproxy/clients/apache.keytab + gssproxy_cred_usage: accept + gssproxy_euid: apache + gssproxy_program: /usr/sbin/httpd +```` -- cgit
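Review bot: the `gssproxy_euid` row describes the value as "the given effective UID", but the usage example passes the user name `apache` rather than a number; state in the table whether a user name is accepted in place of a numeric UID so readers do not take the example for a mistake. The variables table also marks nothing as required even though the heading stresses that the role **accepts** these variables: `gssproxy_name` and `gssproxy_section` have no default and the example sets both, so mark them as required (e.g. `` `gssproxy_name` | *required* | Config file name ``) and say what happens when they are omitted. Finally, since the Description section's whole rationale is that the application uses the keytab "without reading its contents", a sentence under Usage should note that the file named by `gssproxy_keytab` (here `/var/lib/gssproxy/clients/apache.keytab`) must remain readable only by root and the gssproxy daemon; if it is also readable by the `gssproxy_euid` user, the indirection gives no protection.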