ansible批量生产kerberos票据,并批量分发到所有其他主机脚本

  • name: Configure Kerberos for Hadoop Users

hosts: hadoop_servers

become: no

gather_facts: no

vars:

kerberos_server: hadoop1.xuexi.com

keytab_file_path: /home/hadoop/keys/hadoop.keytab

principals:

  • nn/

  • dn/

  • yarn/

  • starrock/

tasks:

  • name: Ensure key directory exists

ansible.builtin.file:

path: /home/hadoop/hxy

state: directory

mode: '0755'

  • name: Create Kerberos principals

ansible.builtin.command: >

kadmin.local -q 'addprinc -randkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: addprinc_output

ignore_errors: yes

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

loop_control:

extended: yes # Ensure extended loop variables are available

  • name: Check principal creation status

ansible.builtin.fail:

msg: "Failed to create principal for { { item.item }}: { { item.stderr }}"

when: "'Principal already exists' not in item.stderr and item.rc != 0"

loop: "{ { addprinc_output.results }}"

loop_control:

label: "{ { item.item }}{ { inventory_hostname }}@XUEXI.COM"

  • name: Generate keytab file for each principal

ansible.builtin.command: >

kadmin.local -q 'xst -k { { keytab_file_path }}.tmp -norandkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: xst_output

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"

Note: The above when condition is simplified and may need adjustment.

It assumes that if 'Principal already exists', it's okay to proceed.

However, a more robust solution would involve tracking success/failure per principal.

  • name: Move keytab file to final location (on Kerberos server)

ansible.builtin.command: mv { { keytab_file_path }}.tmp { { keytab_file_path }}

delegate_to: "{ { kerberos_server }}"

when: xst_output is changed # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.

  • name: Fetch the keytab file to the control machine

ansible.builtin.fetch:

src: "{ { keytab_file_path }}"

dest: "./hadoop.keytab"

flat: yes

delegate_to: "{ { kerberos_server }}"

run_once: yes # Ensure this task runs only once.

  • name: Distribute keytab files to each target host

ansible.builtin.copy:

src: ./hadoop.keytab

dest: /data1/tmp/hadoop.keytab

loop: "{ { groups['hadoop_servers'] }}"

delegate_to: "{ { item }}"

  • name: Clean up local keytab file

ansible.builtin.file:

path: ./hadoop.keytab

state: absent

run_once: yes

相关推荐
kangkang-38 分钟前
PC端基于SpringBoot架构控制无人机(三):系统架构设计
java·架构·无人机
界面开发小八哥2 小时前
「Java EE开发指南」如何用MyEclipse创建一个WEB项目?(三)
java·ide·java-ee·myeclipse
花花鱼3 小时前
android studio 设置让开发更加的方便,比如可以查看变量的类型,参数的名称等等
android·ide·android studio
idolyXyz3 小时前
[java: Cleaner]-一文述之
java
一碗谦谦粉3 小时前
Maven 依赖调解的两大原则
java·maven
netyeaxi3 小时前
Java:使用spring-boot + mybatis如何打印SQL日志?
java·spring·mybatis
收破烂的小熊猫~4 小时前
《Java修仙传:从凡胎到码帝》第四章:设计模式破万法
java·开发语言·设计模式
猴哥源码4 小时前
基于Java+SpringBoot的动物领养平台
java·spring boot
老任与码4 小时前
Spring AI Alibaba(1)——基本使用
java·人工智能·后端·springaialibaba
小兵张健4 小时前
武汉拿下 23k offer 经历
java·面试·ai编程