Adds handling for Pre-signed TLS Certs, signed outside framework

Allows for scenario where user is supplying their own CA Signed x509 certs and priv keys and we are not generating those in the framework. Expecting that each host has a directory, defined in variable "tls_presigned_certs": e.g. /etc/pki/certs, which contains: PEM format x509 signed cert, named <host-fqdn>.pem RSA style private key that is encrypted, named <host-fqdn>.key Passphrase for key is supplied by variable "tls_key_password" The Public CA certs of Issuer, root (and any intermediates) are expected to be on the controller host, defined by variable "tls_ca_certs" which has a list of CA certs. example: tls_ca_certs: - alias: <alias name, like: root-ca> path: <absolute-path>/root_ca.pem - alias: <alias name, like: inter-ca> path: <absolute-path>/intermediate_ca.pem Signed-off-by: Chuck Levesque <[email protected]>
cloudera-labs · Dec 4, 2023 · 6158918 · 6158918
1 parent acc6b1d
commit 6158918
Show file tree

Hide file tree

Showing 5 changed files with 506 additions and 0 deletions.
diff --git a/roles/security/tls_presigned_certs/defaults/main.yml b/roles/security/tls_presigned_certs/defaults/main.yml
@@ -0,0 +1,18 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+keytool_path: /usr/bin/keytool
+openssl_path: /usr/bin/openssl
diff --git a/roles/security/tls_presigned_certs/meta/main.yml b/roles/security/tls_presigned_certs/meta/main.yml
@@ -0,0 +1,18 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - role: cloudera.cluster.infrastructure.ca_common
+  - role: cloudera.cluster.prereqs.local_accounts_common
diff --git a/roles/security/tls_presigned_certs/tasks/acls-ecs.yml b/roles/security/tls_presigned_certs/tasks/acls-ecs.yml
@@ -0,0 +1,158 @@
+# Copyright 2023 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Install acls package
+  ansible.builtin.package:
+    lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}"
+    name: acl
+    state: present
+
+- name: Change permissions on keystore
+  file:
+    state: file
+    path: "{{ tls_keystore_path }}"
+    mode: 0640
+    owner: root
+    group: hadoop
+
+- name: Add ACLs to keystore
+  acl:
+    path: "{{ tls_keystore_path }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on keystore hard link
+  file:
+    state: file
+    path: "{{ tls_keystore_path_generic }}"
+    mode: 0640
+    owner: root
+    group: hadoop
+
+- name: Add ACLs to keystore hard link
+  acl:
+    path: "{{ tls_keystore_path_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on private key
+  file:
+    state: file
+    path: "{{ item }}"
+    mode: 0440
+    owner: root
+    group: root
+  loop:
+    - "{{ tls_key_path }}"
+    - "{{ tls_key_path_generic }}"
+
+- name: Add ACLs to private key
+  acl:
+    path: "{{ tls_key_path }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Add ACLs to private key hard link
+  acl:
+    path: "{{ tls_key_path_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on key password file
+  file:
+    state: file
+    path: "{{ tls_key_password_file }}"
+    mode: 0440
+    owner: root
+    group: root
+
+- name: Add ACLs to key password file
+  acl:
+    path: "{{ tls_key_password_file }}"
+    entity: "{{ account.user }}"
+    etype: user
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_password_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on unencrypted key
+  file:
+    state: file
+    path: "{{ item }}"
+    mode: 0440
+    owner: root
+    group: root
+  loop:
+    - "{{ tls_key_path_plaintext }}"
+    - "{{ tls_key_path_plaintext_generic }}"
+
+- name: Add ACLs to unencrypted key
+  acl:
+    path: "{{ tls_key_path_plaintext }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_key_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Add ACLs to unencrypted key hard link
+  acl:
+    path: "{{ tls_key_path_plaintext_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ ecs_accounts | json_query('[[email protected]_key_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
diff --git a/roles/security/tls_presigned_certs/tasks/acls.yml b/roles/security/tls_presigned_certs/tasks/acls.yml
@@ -0,0 +1,158 @@
+# Copyright 2023 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Install acls package
+  ansible.builtin.package:
+    lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}"
+    name: acl
+    state: present
+
+- name: Change permissions on keystore
+  file:
+    state: file
+    path: "{{ tls_keystore_path }}"
+    mode: 0640
+    owner: root
+    group: hadoop
+
+- name: Add ACLs to keystore
+  acl:
+    path: "{{ tls_keystore_path }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on keystore hard link
+  file:
+    state: file
+    path: "{{ tls_keystore_path_generic }}"
+    mode: 0640
+    owner: root
+    group: hadoop
+
+- name: Add ACLs to keystore hard link
+  acl:
+    path: "{{ tls_keystore_path_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on private key
+  file:
+    state: file
+    path: "{{ item }}"
+    mode: 0440
+    owner: root
+    group: root
+  loop:
+    - "{{ tls_key_path }}"
+    - "{{ tls_key_path_generic }}"
+
+- name: Add ACLs to private key
+  acl:
+    path: "{{ tls_key_path }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Add ACLs to private key hard link
+  acl:
+    path: "{{ tls_key_path_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on key password file
+  file:
+    state: file
+    path: "{{ tls_key_password_file }}"
+    mode: 0440
+    owner: root
+    group: root
+
+- name: Add ACLs to key password file
+  acl:
+    path: "{{ tls_key_password_file }}"
+    entity: "{{ account.user }}"
+    etype: user
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_password_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Change permissions on unencrypted key
+  file:
+    state: file
+    path: "{{ item }}"
+    mode: 0440
+    owner: root
+    group: root
+  loop:
+    - "{{ tls_key_path_plaintext }}"
+    - "{{ tls_key_path_plaintext_generic }}"
+
+- name: Add ACLs to unencrypted key
+  acl:
+    path: "{{ tls_key_path_plaintext }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_key_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)
+
+- name: Add ACLs to unencrypted key hard link
+  acl:
+    path: "{{ tls_key_path_plaintext_generic }}"
+    entity: "{{ account.user }}"
+    etype: group
+    permissions: r
+    state: present
+  loop: "{{ local_accounts | json_query('[[email protected]_key_acl]') }}"
+  loop_control:
+    loop_var: account
+    label: "{{ account.user }}"
+  when: account.when | default(True)