ansible批量生产kerberos票据,并批量分发到所有其他主机脚本

蘑菇丁2025-01-24 8:05
  • name: Configure Kerberos for Hadoop Users

hosts: hadoop_servers

become: no

gather_facts: no

vars:

kerberos_server: hadoop1.xuexi.com

keytab_file_path: /home/hadoop/keys/hadoop.keytab

principals:

  • nn/

  • dn/

  • yarn/

  • starrock/

tasks:

  • name: Ensure key directory exists

ansible.builtin.file:

path: /home/hadoop/hxy

state: directory

mode: '0755'

  • name: Create Kerberos principals

ansible.builtin.command: >

kadmin.local -q 'addprinc -randkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: addprinc_output

ignore_errors: yes

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

loop_control:

extended: yes # Ensure extended loop variables are available

  • name: Check principal creation status

ansible.builtin.fail:

msg: "Failed to create principal for { { item.item }}: { { item.stderr }}"

when: "'Principal already exists' not in item.stderr and item.rc != 0"

loop: "{ { addprinc_output.results }}"

loop_control:

label: "{ { item.item }}{ { inventory_hostname }}@XUEXI.COM"

  • name: Generate keytab file for each principal

ansible.builtin.command: >

kadmin.local -q 'xst -k { { keytab_file_path }}.tmp -norandkey { { item }}{ { inventory_hostname }}@XUEXI.COM'

register: xst_output

delegate_to: "{ { kerberos_server }}"

loop: "{ { principals }}"

when: "'Principal already exists' in (addprinc_output.results | selectattr('item', 'equalto', item) | first).stderr or (addprinc_output.results | selectattr('item', 'equalto', item) | first).rc == 0"

Note: The above when condition is simplified and may need adjustment.

It assumes that if 'Principal already exists', it's okay to proceed.

However, a more robust solution would involve tracking success/failure per principal.

  • name: Move keytab file to final location (on Kerberos server)

ansible.builtin.command: mv { { keytab_file_path }}.tmp { { keytab_file_path }}

delegate_to: "{ { kerberos_server }}"

when: xst_output is changed # This might not be perfect, as 'changed' depends on file existence, not Kerberos operation.

  • name: Fetch the keytab file to the control machine

ansible.builtin.fetch:

src: "{ { keytab_file_path }}"

dest: "./hadoop.keytab"

flat: yes

delegate_to: "{ { kerberos_server }}"

run_once: yes # Ensure this task runs only once.

  • name: Distribute keytab files to each target host

ansible.builtin.copy:

src: ./hadoop.keytab

dest: /data1/tmp/hadoop.keytab

loop: "{ { groups['hadoop_servers'] }}"

delegate_to: "{ { item }}"

  • name: Clean up local keytab file

ansible.builtin.file:

path: ./hadoop.keytab

state: absent

run_once: yes

相关推荐
程序员侠客行26 分钟前
Tomcat 从陌生到熟悉
java·tomcat·web
wertyuytrewm27 分钟前
Java 异常|Java Exceptions
java·开发语言
ProgramHelpOa29 分钟前
Amazon SDE Intern OA 2026 最新复盘|70分钟两题 Medium-Hard
java·前端·javascript
雪碧聊技术36 分钟前
深入理解 Java GC:从“房间清洁工”到解决系统卡顿实战
java·开发语言
大鹏说大话42 分钟前
Java并发编程核心:线程安全、synchronized与volatile的深度剖析
java·开发语言
迷藏49444 分钟前
# 发散创新:低代码开发新范式——用可视化逻辑构建企业级业务系统 在当今快速迭代的软件工程实践
java·python·低代码
JAVA+C语言1 小时前
Java IO 流
java·开发语言
山川行1 小时前
Python快速闯关8:内置函数
java·开发语言·前端·笔记·python·学习·visual studio
Java基基1 小时前
sdkman 一键切换 JDK 版本管理工具
java·开发语言·sdkman
美好的事情能不能发生在我身上1 小时前
Jmeter压测遇到的问题
java·分布式·jmeter
热门推荐
012026年3月AI领域大事件:DeepSeek引领开源风暴02GitHub 镜像站点03围棋-html版本04纯 HTML/CSS/JS 实现的高颜值登录页,还会眨眼睛!少女心爆棚!05班级宠物园部署指南06小黑课堂计算机二级WPSoffice题库软件下载安装教程(2026年3月最新版)07“wsl --install -d Ubuntu-22.04”下载慢,中国地区离线安装 Ubuntu 22.04 WSL方法(亲测2025年5月6日)08中国象棋-html版本09UV安装并设置国内源10OpenClaw 使用和管理 MCP 完全指南