Added kerberos step
+54
-3
@@ -7,7 +7,6 @@ use airflow user to perform configuration
sudo -iu airflow
pwd
you should be located in home directory of the airflow user
image.png
we now need to create keytab file which will be used to authenticate our service account
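Review bot: the screenshot reference on the "image.png" line is a bare filename with no path, alt text or markdown image syntax, and the same name is used again in the next hunk, so the two images will collide or fail to render. Suggest a proper image link with a distinct, descriptive path per screenshot, e.g. `![airflow home directory](images/kerberos-airflow-home.png)` (path is a suggestion, not an existing file), or drop the screenshots in favour of the expected `pwd` output.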
@@ -19,7 +18,6 @@ have your service account ready as above commands will ask to enter service acco
check that file was created and you can see content of keytab file which holds Pricipal
klist -ekt airflow.keytab
image.png
initiate ticket for airflow user
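Review bot: the context line "check that file was created and you can see content of keytab file which holds Pricipal" has a typo ("Pricipal" should be "Principal") and is worth fixing while this file is being touched. The `klist -ekt airflow.keytab` check itself is appropriate: it lists principal names, KVNOs, timestamps and encryption types but never the key material, so its output is safe to capture in the runbook, and the enctype column is the thing to compare against what the KDC issued if `kinit -k` later fails with a preauthentication error.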
@@ -308,4 +306,57 @@ systemctl restart "$APP_SERVICE_NAME" \
|| { log_error "Failed to restart ${APP_SERVICE_NAME}"; return 1; }
systemctl --no-pager status "$APP_SERVICE_NAME"
```
```
Files created
steps/05a-kerberos.sh — new deploy step (style matches 01-user-setup.sh and 06-app-service.sh).
scripts/mssql_probe.py — SQLAlchemy integrated-auth probe.
Wire it into deploy.sh
Insert between the network-mounts and app-service lines:
if [[ "${KRB_ENABLED:-false}" == "true" ]]; then
run_step "5a. Kerberos" "${DEPLOY_DIR}/steps/05a-kerberos.sh"
else
log_info "Skipping Kerberos setup (KRB_ENABLED=false)"
fi
Put it before 6. App Service so the ticket exists when the app starts.
New deploy.conf variables
Var Purpose Example
KRB_ENABLED Gates the whole step true
KRB_PRINCIPAL Service principal zReconRangerDEV@PROD.ASBGROUP.CO.NZ
KRB_KEYTAB_SRC Path on the deployer where the keytab has been pre-staged (e.g. from a secret store) /root/secrets/recon-ranger.keytab
KRB_KEYTAB_PATH Where the step installs it (owned by APP_USER, mode 0600) /opt/recon-ranger/recon-ranger.keytab
KRB_CCACHE_PATH Ticket cache on disk, shared with the app service /var/lib/recon-ranger/krb5_ccache
KRB_RENEW_INTERVAL Systemd timer OnUnitActiveSec (optional, default 30min) 30min
Generate the keytab once (on a trusted host) with ktutil — same pattern as the airflow doc — then copy it to $KRB_KEYTAB_SRC before running deploy.
Runtime env vars for the app (.env, loaded by the app service)
KRB5CCNAME=FILE:/var/lib/recon-ranger/krb5_ccache
MSSQL_HOST=sql01.prod.example
MSSQL_PORT=1433
MSSQL_DB=ReconRanger
MSSQL_ODBC_DRIVER=ODBC Driver 18 for SQL Server
The existing 06-app-service.sh already does EnvironmentFile=${APP_ENV_DIR}/.env, so SQLAlchemy/pyodbc will pick up KRB5CCNAME automatically — no changes to that unit needed.
Python deps for the probe + app
Add to your app's pyproject.toml:
sqlalchemy
pyodbc
And on the RHEL host you'll need the MS ODBC driver (msodbcsql18) + unixODBC-devel before pyodbc can build/install. Those belong in your 03-app-install.sh or a new prereqs step.
How the renewal works
The step installs two units: a .service (Type=oneshot, runs kinit -k -t … -c FILE:…) and a .timer that fires it every KRB_RENEW_INTERVAL. This is cleaner than airflow's Type=simple loop — systemd tracks each kinit invocation individually, so failures show up clearly in journalctl -u <service>-kerberos-renewal.service.
Verify after deploy:
systemctl list-timers | grep kerberos
sudo -u recon-ranger klist -c FILE:/var/lib/recon-ranger/krb5_ccache
sudo -u recon-ranger KRB5CCNAME=FILE:/var/lib/recon-ranger/krb5_ccache \
/opt/recon-ranger/.venv/bin/python /opt/recon-ranger/scripts/mssql_probe.py
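Review bot: the "How the renewal works" section documents a `.timer` driven only by `OnUnitActiveSec` (KRB_RENEW_INTERVAL), but a timer with only `OnUnitActiveSec=` never fires until its service has run once, so the doc should state explicitly that `05a-kerberos.sh` performs an initial synchronous `kinit -k -t … -c FILE:…` during deploy (which "Put it before 6. App Service so the ticket exists when the app starts" implies) or that the timer also carries `OnBootSec=`/`OnActiveSec=`; otherwise a host reboot leaves the app with an expired cache until the first interval elapses. Two smaller points in the same hunk: `KRB5CCNAME=FILE:/var/lib/recon-ranger/krb5_ccache` in the `.env` block restates `KRB_CCACHE_PATH` by hand, so the step should write that line into `.env` from the one variable (drift between the renewal unit's `-c` path and the app's `KRB5CCNAME` fails silently as "no credentials cache found"); and `MSSQL_ODBC_DRIVER=ODBC Driver 18 for SQL Server` defaults to `Encrypt=yes` with server certificate validation, so the runtime-vars section should say how the connection string sets `Encrypt`/`TrustServerCertificate` and the probe in `scripts/mssql_probe.py` should use the same settings the app does, or a green probe will not predict a green app.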