NAME

LCFG::Component::Plugin::Kinit - Kerberos environment for LCFG component methods

VERSION

This documentation refers to LCFG::Component::Plugin::Kinit version 1.18.3

SYNOPSIS

    use LCFG::Component::Plugin::Kinit;

    my $plugin = LCFG::Component::Plugin::Kinit->new(
                    component => $comp,
                    params    => { keytab    => "/etc/krb5.example.keytab",
                                   principal => "example",
                                   aklog     => 1 },
                 );

    $plugin->run();

DESCRIPTION

This is an LCFG component environment initialization module. It is a sub-class of LCFG::Component::Plugin which can be used to obtain Kerberos tickets and AFS tokens before an LCFG component method is called.

ATTRIBUTES

The base class has the following attributes:

component

This is a reference to the LCFG::Component object from which this plugin was loaded. This is useful for logging and gaining access to the various variables which control the logging levels (e.g. debug, verbose).

params_list

This is a list of names of parameters which were specified in the ngeneric resources.

If you call this method in a list context it returns a list; otherwise it returns a reference to a list.

params

This is a reference to a hash of the names and values of the parameters which were specified in the ngeneric resources.

verbose

This is a boolean which indicates whether or not the caller wants verbose logging.

SUBROUTINES/METHODS

new(%attributes)

This creates a new plugin object. It takes the following attributes: component, params_list and params. See the list above for details. See the LCFG RESOURCES section below for details on how the ngeneric resources for a component are mapped into the params list.

The parameters are a list of names and values for environment variables which must be set prior to calling an LCFG component method.

param($key)

This is a convenience method which returns the value of the named parameter from the params hash.

run()

This will obtain and cache Kerberos tickets.

The following parameters are supported:

keytab

The keytab used can be specified via the ng_plugin_param_kinit_keytab resource for the component. If none is specified then the default will be used (this is normally /etc/krb5.keytab).

principal

The principal for which you wish to obtain tickets can be specified via the ng_plugin_param_kinit_principal resource. If this is not specified then the current username will be used.

ccache

You can also specify the ticket cache via the ng_plugin_param_kinit_ccache resource. This is not normally necessary; the default is FILE:/tmp/krb5cc_lcfg${comp_name}_XXXXXX. If you specify a cache name without a type then it is assumed to be a FILE cache. If you specify a template file or directory (one with trailing X characters) then the File::Temp module will be used (note that you need a minimum of XXXX). If the template name does not include any parent directories then it will be stored in whatever the File::Temp module thinks is the correct directory for temporary files. For any other cache type, trailing X characters are replaced with random characters selected from the set [A-Za-z0-9_], in a similar way to how the File::Temp module generates safe paths.

cleanup

When using a templated path, if the credentials cache is stored on disk it will be automatically deleted when the process finishes running. When you use an explicit path for the credentials cache you need to specify the ng_plugin_param_kinit_cleanup resource if you want the cache removed at the end of the process.

aklog

If you specify the ng_plugin_param_kinit_aklog resource then this module will also use the aklog command to get AFS tokens. This is done in a new AFS PAG so that it will not affect the calling environment. Note that this command will NOT fail if AFS is unavailable.

force_init

If the ng_plugin_param_kinit_force_init resource is set to true then the credentials cache will always be initialised. The default for this is false.

min_life

If the credentials cache already exists then the credentials will be checked to see if the end time is within the minimum lifetime. The cache file will only be initialised if it does not exist, if the force_init parameter is true, or if the cached credentials are going to expire soon. The default lifetime is 1800 seconds (30 minutes). Use the ng_plugin_param_kinit_min_life resource to alter this lifetime.
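
The naming rules given for the ccache parameter above, written out as an added Perl illustration (not the module's own code). The helper name resolve_ccache and the sample cache names are hypothetical, and treating fewer than four trailing X characters as an explicit name for every cache type is an assumption.

```perl
use strict;
use warnings;
use File::Temp ();

# Illustration of the documented ccache naming rules (hypothetical helper,
# not LCFG::Component::Plugin::Kinit's own code).
sub resolve_ccache {
    my ($spec) = @_;

    # A name without a type prefix is assumed to be a FILE cache.
    my ( $type, $name ) =
        $spec =~ m/^([A-Za-z_]+):(.+)$/ ? ( $1, $2 ) : ( 'FILE', $spec );

    # Assumption: only a trailing run of four or more X marks a template;
    # anything else is an explicit name and is returned unchanged.
    my ($xs) = $name =~ m/(X{4,})$/;
    return "$type:$name" if !defined $xs;

    if ( $type eq 'FILE' || $type eq 'DIR' ) {
        # No parent directory in the template: let File::Temp pick the
        # temporary directory instead of using the current directory.
        my @where = $name =~ m{/} ? () : ( TMPDIR => 1 );

        if ( $type eq 'DIR' ) {
            # Created with mode 0700 and removed at process exit.
            return 'DIR:' . File::Temp::tempdir( $name, @where, CLEANUP => 1 );
        }

        # Created exclusively (O_EXCL) with mode 0600, so a pre-existing
        # file or symlink at that path is never reused; removed at exit.
        my ( undef, $path ) = File::Temp::tempfile( $name, @where, UNLINK => 1 );
        return "FILE:$path";
    }

    # Other cache types: swap the trailing X run for random characters
    # from [A-Za-z0-9_]. rand() gives uniqueness here, not secrecy.
    my @chars = ( 'A' .. 'Z', 'a' .. 'z', 0 .. 9, '_' );
    substr( $name, -length($xs) ) = join '', map { $chars[ rand @chars ] } 1 .. length $xs;
    return "$type:$name";
}

# Constructed sample specifications, one per documented case.
for my $spec ( 'krb5cc_lcfgexample_XXXXXX', 'FILE:/tmp/krb5cc_fixed',
               'DIR:/tmp/krb5cc_lcfgexample_XXXXXX', 'MEMORY:lcfgexample_XXXXXX' ) {
    printf "%-36s -> %s\n", $spec, resolve_ccache($spec);
}
```

An explicit path such as FILE:/tmp/krb5cc_fixed gets neither the exclusive-create protection nor automatic removal, which is why the cleanup parameter exists for that case.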

DEPENDENCIES

This module is a sub-class of LCFG::Component::Plugin.

The Authen::Krb5 module is required. If you also want to acquire AFS tokens you will need the AFS::PAG module.

SEE ALSO

LCFG::Component

PLATFORMS

This is the list of platforms on which we have tested this software. We expect this software to work on any Unix-like platform which is supported by Perl.

ScientificLinux6, EnterpriseLinux7, MacOSX

BUGS AND LIMITATIONS

Please report any bugs or problems (or praise!) to bugs@lcfg.org. Feedback and patches are also always very welcome.

AUTHOR

Paul Anderson <dcspaul@inf.ed.ac.uk>

LICENSE AND COPYRIGHT

Copyright (C) 2014-2018 University of Edinburgh. All rights reserved.

This library is free software; you can redistribute it and/or modify it under the terms of the GPL, version 2 or later.