#
# Download objects via the wallet.  It assumes that proper settings have been
# put in /etc/krb5.conf and the ACLs on the objects are set up appropriately.
#
# Examples:
#
#     # Create primary keytab file (default is primary)
#     base::wallet { 'service/adroit-gerbil':
#         path    => '/etc/adroit/gerbil.keytab',
#         owner   => 'leroy',
#         primary => true,
#         ensure  => present,
#     }
#     # Add another keytab to the above primary keytab
#     base::wallet { 'service/adroit-gerbil-another':
#         path    => '/etc/adroit/gerbil.keytab',
#         primary => false,
#         require => Base::Wallet['service/adroit-gerbil'],
#         ensure  => present,
#     }
#     # Remove the keytab file
#     base::wallet { 'service/funky-chicken':
#         path   => '/etc/funky/chicken.keytab',
#         ensure => absent,
#     }
#
#     # Download a password file.
#     base::wallet { 'unix-foobar-db-baz':
#         path => '/etc/foobar/password',
#         type => 'file',
#     }
#
# It is important to note that, by default, this code will use the host's
# keytab (located at /etc/krb5.keytab), so you will need to have that in
# place before your Puppet code runs.  Or, you can pass a keytab file path
# using the $auth_keytab variable.
#
# Also, if base::wallet detects that it is being run under Packer (that is,
# the $::packer_build_name fact is defined), then it will not do anything.
# If you want it to run under Packer, then set $build_ok to true, and also
# set $auth_keytab appropriately.

# The helper defines declared below (base::wallet::keytab and
# base::wallet::other) are broken out separately to reduce indentation, but
# should not be declared directly.  They are purely an implementation detail.

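# Parameters:
#   $path           - local file the wallet object is written to (or removed
#                     from when $ensure is 'absent').  Required.
#   $ensure         - 'present' to download the object, 'absent' to remove
#                     $path.  Any other value is an error.
#   $auth_keytab    - keytab k5start authenticates with (default: host keytab).
#   $auth_principal - principal to authenticate as; the sentinel 'NA' means
#                     "use the principal stored in $auth_keytab" (k5start -U).
#   $owner, $group, $mode - ownership and permissions of $path.
#   $primary        - keytab objects only: whether this object creates the
#                     keytab file or is merged into an existing one.  Passed
#                     through to base::wallet::keytab.  NOTE(review): the
#                     default is the string 'true' while the examples above pass
#                     a boolean; base::wallet::keytab must accept both - confirm.
#   $type           - wallet object type.  'keytab' uses base::wallet::keytab;
#                     any other type is handed to base::wallet::other.
#   $onlyif         - passed through to base::wallet::other; the sentinel 'NONE'
#                     means no condition.
#   $heimdal        - passed through to base::wallet::keytab.
#   $build_ok       - allow the download even when running under Packer.
define base::wallet(
  $path,
  $ensure         = 'present',
  $auth_keytab    = '/etc/krb5.keytab',
  $auth_principal = 'NA',
  $owner          = 'root',
  $group          = 'root',
  $mode           = '0600',
  $primary        = 'true',
  $type           = 'keytab',
  $onlyif         = 'NONE',
  $heimdal        = false,
  $build_ok       = false,
) {
  # $kstart_cmd below is a shell command string in which both values are
  # wrapped in single quotes.  A single quote inside either value would end
  # the quoting and change the command that eventually runs, so reject such
  # values up front instead of passing a malformed command to the helpers.
  if $auth_keytab =~ /'/ {
    fail("base::wallet[${name}]: auth_keytab must not contain a single quote")
  }
  if $auth_principal =~ /'/ {
    fail("base::wallet[${name}]: auth_principal must not contain a single quote")
  }

  # k5start obtains a ticket from the keytab and runs whatever the helper
  # appends after '--'.  Without an explicit principal, -U takes the principal
  # from the keytab itself.
  $kstart_cmd = $auth_principal ? {
    'NA'    => "k5start -Uqf '${auth_keytab}' --",
    default => "k5start -qf '${auth_keytab}' '${auth_principal}' --",
  }

  case $ensure {
    'absent': {
      # Only the local copy is removed; nothing is done on the wallet side.
      file { $path:
        ensure => absent,
      }
    }
    'present': {
      # Skip the download during a Packer build unless explicitly allowed
      # (see the header comment).
      if ($build_ok or (!defined('$::packer_build_name'))) {
        case $type {
          'keytab': {
            base::wallet::keytab { $name:
              kstart_cmd => $kstart_cmd,
              path       => $path,
              primary    => $primary,
              mode       => $mode,
              owner      => $owner,
              group      => $group,
              heimdal    => $heimdal,
            }
          }
          default: {
            base::wallet::other { $name:
              kstart_cmd => $kstart_cmd,
              path       => $path,
              type       => $type,
              mode       => $mode,
              owner      => $owner,
              group      => $group,
              onlyif     => $onlyif,
            }
          }
        }
      }
    }
    default: {
      # A typo such as 'presnet' would otherwise be silently ignored.
      fail("base::wallet[${name}]: ensure must be 'present' or 'absent', not '${ensure}'")
    }
  }
}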