Gssproxy Client
===============
Description
-----------
The `gssproxy_client` role configures a [gssproxy](https://github.com/gssapi/gssproxy)
service. `gssproxy` is a privileged middleware daemon that manages Kerberos
keytabs and credential caches on behalf of unprivileged applications.
When an application needs a keytab (either to provide Kerberized services or to
act as a Kerberos client), we prefer to use `gssproxy` rather than give the
application direct access to the keytab. `gssproxy` provides an extra layer of
security: the application can authenticate with the keytab, but never reads its
contents, so a compromised application cannot exfiltrate the long-term key.
Variables
---------
This role **accepts** the following variables:

Variable | Default | Description
-------------------------|---------|------------
`gssproxy_name` | | Config file name
`gssproxy_priority` | 50 | Config file priority
`gssproxy_section` | | INI section name within config file
`gssproxy_client_keytab` | | Path to client keytab
`gssproxy_keytab` | | Path to acceptor keytab
`gssproxy_euid` | | For client processes, match the given effective UID
`gssproxy_program` | | For client processes, match the given executable
`gssproxy_cred_usage` | both | Either `accept`, `initiate`, or `both`
Usage
-----
Example task:

````yaml
- name: configure gssproxy for kerberized HTTP
  include_role:
    name: gssproxy_client
  vars:
    gssproxy_name: httpd
    gssproxy_section: service/HTTP
    gssproxy_keytab: /var/lib/gssproxy/clients/apache.keytab
    gssproxy_cred_usage: accept
    gssproxy_euid: apache
    gssproxy_program: /usr/sbin/httpd
````
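For reference, the `gssproxy` configuration section that a task like the one above corresponds to, written here as an added illustration rather than the role's own template output. The file name is assumed from the default priority `50` and `gssproxy_name: httpd`, and `mechs = krb5` is assumed since no role variable sets it.

```ini
# /etc/gssproxy/50-httpd.conf   (file name assumed: <priority>-<name>.conf)
# Section name comes from gssproxy_section.
[service/HTTP]
# Assumed: only the krb5 mechanism is proxied; not set by a role variable.
mechs = krb5
# gssproxy_keytab: the acceptor keytab. Only the gssproxy daemon opens this
# file; httpd obtains GSSAPI credentials through the proxy socket instead.
cred_store = keytab:/var/lib/gssproxy/clients/apache.keytab
# gssproxy_cred_usage: accept-only, so the service can prove its identity to
# clients but the proxy will not initiate (obtain TGTs) on its behalf.
cred_usage = accept
# gssproxy_euid / gssproxy_program: requests are honoured only when they come
# from this effective UID running this executable (values as given in the task).
euid = apache
program = /usr/sbin/httpd
```

With this in place, a process running as a different user or a different binary under the `apache` UID gets no credentials from `gssproxy`, which is the least-privilege boundary the role is meant to enforce.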