ansible批量生产kerberos票据,并批量分发到所有其他主机脚本

  • name: Configure Kerberos for Hadoop Users

hosts: hadoop_servers

become: no

gather_facts: no

vars:

kerberos_server: hadoop1.xuexi.com

keytab_file_path: /home/hadoop/keys/hadoop.keytab

principals:

  • nn/

  • dn/

  • yarn/

  • starrock/

tasks:

  • name: Ensure key directory exists

ansible.builtin.file:

path: /home/hadoop/hxy

state: directory

mode: '0755'

  • name: Create Kerberos principals

ansible.builtin.command: >

kadmin.local -q 'addprinc -randkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: addprinc_output

ignore_errors: yes

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

loop_control:

extended: yes # Ensure extended loop variables are available

  • name: Check principal creation status

ansible.builtin.fail:

msg: "Failed to create principal for { { item.item }}: { { item.stderr }}"

when: "'Principal already exists' not in item.stderr and item.rc != 0"

loop: "{ { addprinc_output.results }}"

loop_control:

label: "{ { item.item }}{ { inventory_hostname }}@XUEXI.COM"

  • name: Generate keytab file for each principal

ansible.builtin.command: >

kadmin.local -q 'xst -k { { keytab_file_path }}.tmp -norandkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: xst_output

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"

Note: The above when condition is simplified and may need adjustment.

It assumes that if 'Principal already exists', it's okay to proceed.

However, a more robust solution would involve tracking success/failure per principal.

  • name: Move keytab file to final location (on Kerberos server)

ansible.builtin.command: mv { { keytab_file_path }}.tmp { { keytab_file_path }}

delegate_to: "{ { kerberos_server }}"

when: xst_output is changed # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.

  • name: Fetch the keytab file to the control machine

ansible.builtin.fetch:

src: "{ { keytab_file_path }}"

dest: "./hadoop.keytab"

flat: yes

delegate_to: "{ { kerberos_server }}"

run_once: yes # Ensure this task runs only once.

  • name: Distribute keytab files to each target host

ansible.builtin.copy:

src: ./hadoop.keytab

dest: /data1/tmp/hadoop.keytab

loop: "{ { groups'hadoop_servers' }}"

delegate_to: "{ { item }}"

  • name: Clean up local keytab file

ansible.builtin.file:

path: ./hadoop.keytab

state: absent

run_once: yes

相关推荐
万法若空2 小时前
【算法-查找】查找算法
java·数据结构·算法
HZZD_HZZD4 小时前
DL/T 645-2026新国标深度解读与智能电表协议适配实战:从帧结构变化到Java采集器升级的全链路改造方案
java·开发语言
山登绝顶我为峰 3(^v^)36 小时前
C/C++ 交叉编译方法
java·c语言·c++
一叶飘零_sweeeet7 小时前
Codex 与 Claude Code 深度拆解:两代 AI 编程智能体的技术本质与 Java 实战指南
java·ai·codex·claude code
Listen·Rain7 小时前
提示词和提示词模板
java·人工智能·spring boot
wuqingshun3141597 小时前
重写equals而不重写hashCode,会出什么问题?
java·开发语言
我今晚不熬夜8 小时前
Java语言实现Modbus协议通过用串口读取数据(以RTU为例)
java·网络协议
小锋java12348 小时前
Maven 4 要来了:15 年后,Java 构建工具迎来"彻底重构"
java·maven
卓怡学长9 小时前
w269基于spring boot + vue 候鸟监测数据管理系统
java·数据库·spring boot·spring·intellij-idea