ansible批量生产kerberos票据,并批量分发到所有其他主机脚本

  • name: Configure Kerberos for Hadoop Users

hosts: hadoop_servers

become: no

gather_facts: no

vars:

kerberos_server: hadoop1.xuexi.com

keytab_file_path: /home/hadoop/keys/hadoop.keytab

principals:

  • nn/

  • dn/

  • yarn/

  • starrock/

tasks:

  • name: Ensure key directory exists

ansible.builtin.file:

path: /home/hadoop/hxy

state: directory

mode: '0755'

  • name: Create Kerberos principals

ansible.builtin.command: >

kadmin.local -q 'addprinc -randkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: addprinc_output

ignore_errors: yes

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

loop_control:

extended: yes # Ensure extended loop variables are available

  • name: Check principal creation status

ansible.builtin.fail:

msg: "Failed to create principal for { { item.item }}: { { item.stderr }}"

when: "'Principal already exists' not in item.stderr and item.rc != 0"

loop: "{ { addprinc_output.results }}"

loop_control:

label: "{ { item.item }}{ { inventory_hostname }}@XUEXI.COM"

  • name: Generate keytab file for each principal

ansible.builtin.command: >

kadmin.local -q 'xst -k { { keytab_file_path }}.tmp -norandkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: xst_output

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"

Note: The above when condition is simplified and may need adjustment.

It assumes that if 'Principal already exists', it's okay to proceed.

However, a more robust solution would involve tracking success/failure per principal.

  • name: Move keytab file to final location (on Kerberos server)

ansible.builtin.command: mv { { keytab_file_path }}.tmp { { keytab_file_path }}

delegate_to: "{ { kerberos_server }}"

when: xst_output is changed # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.

  • name: Fetch the keytab file to the control machine

ansible.builtin.fetch:

src: "{ { keytab_file_path }}"

dest: "./hadoop.keytab"

flat: yes

delegate_to: "{ { kerberos_server }}"

run_once: yes # Ensure this task runs only once.

  • name: Distribute keytab files to each target host

ansible.builtin.copy:

src: ./hadoop.keytab

dest: /data1/tmp/hadoop.keytab

loop: "{ { groups['hadoop_servers'] }}"

delegate_to: "{ { item }}"

  • name: Clean up local keytab file

ansible.builtin.file:

path: ./hadoop.keytab

state: absent

run_once: yes

相关推荐
ytadpole4 小时前
揭秘设计模式:命令模式-告别混乱,打造优雅可扩展的代码
java·设计模式
用户3721574261354 小时前
Java 教程:轻松实现 Excel 与 CSV 互转 (含批量转换)
java
叫我阿柒啊4 小时前
Java全栈开发实战:从基础到微服务的深度解析
java·微服务·kafka·vue3·springboot·jwt·前端开发
凯尔萨厮4 小时前
Java学习笔记三(封装)
java·笔记·学习
霸道流氓气质4 小时前
Java开发中常用CollectionUtils方式,以及Spring中CollectionUtils常用方法示例
java·spring
失散134 小时前
分布式专题——5 大厂Redis高并发缓存架构实战与性能优化
java·redis·分布式·缓存·架构
通达的K4 小时前
Java实战项目演示代码及流的使用
java·开发语言·windows
David爱编程5 小时前
深入 Java synchronized 底层:字节码解析与 MonitorEnter 原理全揭秘
java·后端
索迪迈科技5 小时前
Protobuf 新版“调试表示为什么有链接?为什么会打码?我该怎么改代码?
java·log4j·apache
a_blue_ice5 小时前
JAVA 面试 MySQL
java·mysql·面试