Ansible script to batch-generate Kerberos tickets (keytabs) and distribute them in bulk to all other hosts

```yaml
- name: Configure Kerberos for Hadoop Users
  hosts: hadoop_servers
  become: no
  gather_facts: no

  vars:
    kerberos_server: hadoop1.xuexi.com
    keytab_file_path: /home/hadoop/keys/hadoop.keytab
    # Service-principal prefixes; the inventory hostname is appended to each.
    principals:
      - nn/
      - dn/
      - yarn/
      - starrock/

  tasks:
    - name: Ensure key directory exists
      # Note: this directory is not referenced by the later tasks, which use
      # keytab_file_path on the Kerberos server and /data1/tmp on the targets.
      ansible.builtin.file:
        path: /home/hadoop/hxy
        state: directory
        mode: '0755'

    - name: Create Kerberos principals
      ansible.builtin.command: >
        kadmin.local -q 'addprinc -randkey {{ item }}{{ inventory_hostname }}@XUEXI.COM'
      register: addprinc_output
      ignore_errors: yes
      delegate_to: "{{ kerberos_server }}"
      loop: "{{ principals }}"
      loop_control:
        extended: yes   # Ensure extended loop variables are available

    - name: Check principal creation status
      ansible.builtin.fail:
        msg: "Failed to create principal for {{ item.item }}: {{ item.stderr }}"
      when: "'Principal already exists' not in item.stderr and item.rc != 0"
      loop: "{{ addprinc_output.results }}"
      loop_control:
        label: "{{ item.item }}{{ inventory_hostname }}@XUEXI.COM"

    - name: Generate keytab file for each principal
      ansible.builtin.command: >
        kadmin.local -q 'xst -k {{ keytab_file_path }}.tmp -norandkey {{ item }}{{ inventory_hostname }}@XUEXI.COM'
      register: xst_output
      delegate_to: "{{ kerberos_server }}"
      loop: "{{ principals }}"
      when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"
      # Note: The above when condition is simplified and may need adjustment.
      # It assumes that if 'Principal already exists', it's okay to proceed.
      # However, a more robust solution would involve tracking success/failure per principal.

    - name: Move keytab file to final location (on Kerberos server)
      ansible.builtin.command: mv {{ keytab_file_path }}.tmp {{ keytab_file_path }}
      delegate_to: "{{ kerberos_server }}"
      when: xst_output is changed   # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.
      # Caveat: xst appends to the .tmp file, but this mv replaces the final keytab
      # for every play host in turn, so the final file only holds the entries of
      # the host processed last. Verify the keytab contents before distributing it.

    - name: Fetch the keytab file to the control machine
      ansible.builtin.fetch:
        src: "{{ keytab_file_path }}"
        dest: "./hadoop.keytab"
        flat: yes
      delegate_to: "{{ kerberos_server }}"
      run_once: yes   # Ensure this task runs only once.

    - name: Distribute keytab files to each target host
      ansible.builtin.copy:
        src: ./hadoop.keytab
        dest: /data1/tmp/hadoop.keytab
      loop: "{{ groups['hadoop_servers'] }}"
      delegate_to: "{{ item }}"
      run_once: yes   # Without this the loop runs once per play host, copying N x N times.
      # A keytab is a long-term credential: restrict it on the target (owner hadoop, mode 0600)
      # rather than leaving it world-readable under /data1/tmp.

    - name: Clean up local keytab file
      ansible.builtin.file:
        path: ./hadoop.keytab
        state: absent
      delegate_to: localhost   # The fetched copy lives on the control machine, not on the play hosts.
      run_once: yes
```
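The playbook's own notes admit it cannot tell, per principal, whether the keytab that gets distributed is complete. As an added check that is not part of the original playbook, the following Python parses the output of `klist -kt` (run on the Kerberos server, MIT Kerberos assumed) and reports which `prefix + host @ XUEXI.COM` principals are absent, so the play can stop before copying out a keytab that only holds the last host's entries; the sample `klist` output is constructed.

```python
"""Added check (not from the original playbook): confirm a keytab holds every
expected principal before it is distributed. Assumes MIT Kerberos `klist`."""
import re
import subprocess
from typing import Iterable

PREFIXES = ["nn/", "dn/", "yarn/", "starrock/"]  # same list as the play's `principals`
REALM = "XUEXI.COM"

# `klist -kt` entry lines look like: "   2 07/15/2025 10:00:00 nn/host@REALM"
_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def expected_principals(hosts: Iterable[str], prefixes=PREFIXES, realm=REALM) -> set:
    """One principal per prefix per inventory host, exactly as the play creates them."""
    return {f"{p}{h}@{realm}" for h in hosts for p in prefixes}

def parse_klist(output: str) -> set:
    """Principal names from `klist -kt` output; header and separator lines do not match."""
    return {m.group(1) for m in map(_ENTRY.match, output.splitlines()) if m}

def missing_principals(klist_output: str, hosts: Iterable[str]) -> set:
    """Principals the keytab should contain but does not."""
    return expected_principals(hosts) - parse_klist(klist_output)

def check_keytab(path: str, hosts: Iterable[str]) -> set:
    """Run klist against a real keytab file and return the missing set."""
    out = subprocess.run(["klist", "-kt", path], capture_output=True,
                         text=True, check=True).stdout
    return missing_principals(out, hosts)


# Constructed sample output: only hadoop2's entries survived, which is what the
# play's .tmp/mv sequence leaves behind when hadoop2 is the last host processed.
SAMPLE_KLIST = """\
Keytab name: FILE:/home/hadoop/keys/hadoop.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/15/2025 10:00:00 nn/hadoop2.xuexi.com@XUEXI.COM
   2 07/15/2025 10:00:00 dn/hadoop2.xuexi.com@XUEXI.COM
   2 07/15/2025 10:00:00 yarn/hadoop2.xuexi.com@XUEXI.COM
   2 07/15/2025 10:00:00 starrock/hadoop2.xuexi.com@XUEXI.COM
"""

if __name__ == "__main__":
    hosts = ["hadoop1.xuexi.com", "hadoop2.xuexi.com"]
    for p in sorted(missing_principals(SAMPLE_KLIST, hosts)):
        print("missing:", p)  # all four hadoop1 principals are reported
```

Run `check_keytab(keytab_file_path, groups['hadoop_servers'])` on the Kerberos server (for example via a `script` task) and fail the play when the returned set is non-empty.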
