ansible批量生产kerberos票据,并批量分发到所有其他主机脚本

蘑菇丁2025-01-24 8:05
  • name: Configure Kerberos for Hadoop Users

hosts: hadoop_servers

become: no

gather_facts: no

vars:

kerberos_server: hadoop1.xuexi.com

keytab_file_path: /home/hadoop/keys/hadoop.keytab

principals:

  • nn/

  • dn/

  • yarn/

  • starrock/

tasks:

  • name: Ensure key directory exists

ansible.builtin.file:

path: /home/hadoop/hxy

state: directory

mode: '0755'

  • name: Create Kerberos principals

ansible.builtin.command: >

kadmin.local -q 'addprinc -randkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: addprinc_output

ignore_errors: yes

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

loop_control:

extended: yes # Ensure extended loop variables are available

  • name: Check principal creation status

ansible.builtin.fail:

msg: "Failed to create principal for { { item.item }}: { { item.stderr }}"

when: "'Principal already exists' not in item.stderr and item.rc != 0"

loop: "{ { addprinc_output.results }}"

loop_control:

label: "{ { item.item }}{ { inventory_hostname }}@XUEXI.COM"

  • name: Generate keytab file for each principal

ansible.builtin.command: >

kadmin.local -q 'xst -k { { keytab_file_path }}.tmp -norandkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: xst_output

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"

Note: The above when condition is simplified and may need adjustment.

It assumes that if 'Principal already exists', it's okay to proceed.

However, a more robust solution would involve tracking success/failure per principal.

  • name: Move keytab file to final location (on Kerberos server)

ansible.builtin.command: mv { { keytab_file_path }}.tmp { { keytab_file_path }}

delegate_to: "{ { kerberos_server }}"

when: xst_output is changed # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.

  • name: Fetch the keytab file to the control machine

ansible.builtin.fetch:

src: "{ { keytab_file_path }}"

dest: "./hadoop.keytab"

flat: yes

delegate_to: "{ { kerberos_server }}"

run_once: yes # Ensure this task runs only once.

  • name: Distribute keytab files to each target host

ansible.builtin.copy:

src: ./hadoop.keytab

dest: /data1/tmp/hadoop.keytab

loop: "{ { groups['hadoop_servers'] }}"

delegate_to: "{ { item }}"

  • name: Clean up local keytab file

ansible.builtin.file:

path: ./hadoop.keytab

state: absent

run_once: yes

相关推荐
无敌最俊朗@4 小时前
STL-vector面试剖析(面试复习4)
java·面试·职场和发展
PPPPickup4 小时前
easychat项目复盘---获取联系人列表,联系人详细,删除拉黑联系人
java·前端·javascript
LiamTuc4 小时前
Java构造函数
java·开发语言
长安er4 小时前
LeetCode 206/92/25 链表翻转问题-“盒子-标签-纸条模型”
java·数据结构·算法·leetcode·链表·链表翻转
菜鸟plus+4 小时前
N+1查询
java·服务器·数据库
我要添砖java5 小时前
《JAVAEE》网络编程-什么是网络?
java·网络·java-ee
CoderYanger5 小时前
动态规划算法-01背包问题:50.分割等和子集
java·算法·leetcode·动态规划·1024程序员节
菜鸟233号6 小时前
力扣513 找树左下角的值 java实现
java·数据结构·算法·leetcode
Neoest7 小时前
【EasyExcel 填坑日记】“Syntax error on token )“: 一次编译错误在逃 Runtime 的灵异事件
java·eclipse·编辑器
自在极意功。7 小时前
Web开发中的分层解耦
java·microsoft·web开发·解耦
热门推荐
01GitHub 镜像站点02【超详细教程】手把手教你从微软官网免费下载Windows 10官方原版ISO镜像(2025最新版)03【AutoGLM部署】本地私有化部署AI手机Agent04UV安装并设置国内源05安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)06Linux下V2Ray安装配置指南07Open-AutoGLM Windows 安装部署教程08BongoCat - 跨平台键盘猫动画工具09React CVE-2025-55182漏洞排查与修复指南10在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)