
    Vh7                     z    d dl mZmZmZ eZdZdZd dlm	Z	m
Z
 d dlmZmZ  G d de      Zd Zed	k(  r e        y
y
)    )absolute_importdivisionprint_functiona  
module: krb_ticket
short_description: Kerberos utils for managing tickets
version_added: 10.0.0
description:
  - Manage Kerberos tickets with C(kinit), C(klist) and C(kdestroy) base utilities.
  - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/index.html) for reference.
author: "Alexander Bakanovskii (@abakanovskii)"
attributes:
  check_mode:
    support: full
  diff_mode:
    support: none
options:
  password:
    description:
      - Principal password.
      - It is required to specify O(password) or O(keytab_path).
    type: str
  principal:
    description:
      - The principal name.
      - If not set, the user running this module will be used.
    type: str
  state:
    description:
      - The state of the Kerberos ticket.
      - V(present) is equivalent of C(kinit) command.
      - V(absent) is equivalent of C(kdestroy) command.
    type: str
    default: present
    choices: ["present", "absent"]
  kdestroy_all:
    description:
      - When O(state=absent), destroys all credential caches in the collection.
      - Equivalent of running C(kdestroy -A).
    type: bool
  cache_name:
    description:
      - Use O(cache_name) as the ticket cache name and location.
      - If this option is not used, the default cache name and location are used.
      - The default credentials cache may vary between systems.
      - If not set, the value of the E(KRB5CCNAME) environment variable will be used instead; its value is used to name the
        default ticket cache.
    type: str
  lifetime:
    description:
      - Requests a ticket with the given lifetime; if O(lifetime) is not specified, the default ticket lifetime is used.
      - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the
        configured maximum ticket lifetime.
      - 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h)
        - hours, V(d) - days.'
      - You cannot mix units; a value of V(3h30m) will result in an error.
      - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
    type: str
  start_time:
    description:
      - Requests a postdated ticket.
      - Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before
        use.
      - O(start_time) specifies the duration of the delay before the ticket can become valid.
      - You can use absolute time formats; for example, for V(July 27, 2012 at 20:30) you would need to set O(start_time=20120727203000).
      - You can also use time duration format similar to O(lifetime) or O(renewable).
      - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
    type: str
  renewable:
    description:
      - Requests renewable tickets, with a total lifetime equal to O(renewable).
      - 'The value for O(renewable) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h)
        - hours, V(d) - days.'
      - You cannot mix units; a value of V(3h30m) will result in an error.
      - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
    type: str
  forwardable:
    description:
      - Request forwardable or non-forwardable tickets.
    type: bool
  proxiable:
    description:
      - Request proxiable or non-proxiable tickets.
    type: bool
  address_restricted:
    description:
      - Request tickets restricted to the host's local address or non-restricted.
    type: bool
  anonymous:
    description:
      - Requests anonymous processing.
    type: bool
  canonicalization:
    description:
      - Requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from
        the one requested.
    type: bool
  enterprise:
    description:
      - Treats the principal name as an enterprise name (implies the O(canonicalization) option).
    type: bool
  renewal:
    description:
      - Requests renewal of the ticket-granting ticket.
      - Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.
    type: bool
  validate:
    description:
      - Requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation.
      - If the ticket is within its requested time range, the cache is replaced with the validated ticket.
    type: bool
  keytab:
    description:
      - Requests a ticket, obtained from a key in the local host's keytab.
      - If O(keytab_path) is not specified, the module will try to use the default client keytab path (C(-i) option).
    type: bool
  keytab_path:
    description:
      - Use when O(keytab=true) to specify the path to a keytab file.
      - It is required to specify O(password) or O(keytab_path).
    type: path
requirements:
  - krb5-user and krb5-config packages
extends_documentation_fragment:
  - community.general.attributes
a  
- name: Get Kerberos ticket using default principal
  community.general.krb_ticket:
    password: some_password

- name: Get Kerberos ticket using keytab
  community.general.krb_ticket:
    keytab: true
    keytab_path: /etc/ipa/file.keytab

- name: Get Kerberos ticket with a lifetime of 7 days
  community.general.krb_ticket:
    password: some_password
    lifetime: 7d

- name: Get Kerberos ticket with a starting time of July 2, 2024, 1:35:30 p.m.
  community.general.krb_ticket:
    password: some_password
    start_time: "240702133530"

- name: Get Kerberos ticket using principal name
  community.general.krb_ticket:
    password: some_password
    principal: admin

- name: Get Kerberos ticket using principal with realm
  community.general.krb_ticket:
    password: some_password
    principal: admin@IPA.TEST

- name: Check for existence by ticket cache
  community.general.krb_ticket:
    cache_name: KEYRING:persistent:0:0

- name: Make sure default ticket is destroyed
  community.general.krb_ticket:
    state: absent

- name: Make sure specific ticket destroyed by principal
  community.general.krb_ticket:
    state: absent
    principal: admin@IPA.TEST

- name: Make sure specific ticket destroyed by cache_name
  community.general.krb_ticket:
    state: absent
    cache_name: KEYRING:persistent:0:0

- name: Make sure all tickets are destroyed
  community.general.krb_ticket:
    state: absent
    kdestroy_all: true
)AnsibleModuleenv_fallback)	CmdRunnercmd_runner_fmtc                   *    e Zd Zd Zd Zd Zd Zd Zy)	IPAKeytabc                    || _         |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        |d	   | _	        |d
   | _
        |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        |d   | _        t#        |dt%        t'        j(                  d      t'        j(                  d      t'        j(                  d      t'        j*                  ddd      t'        j*                  ddd      t'        j*                  ddd      t'        j*                  d      t'        j*                  d      t'        j*                  d      t'        j*                  d       t'        j*                  d!      t'        j*                  d"      t'        j,                  d#       t'        j(                  d$      t'        j.                         %      &      | _        t#        |d't%        t'        j*                  d      t'        j(                  d$      t'        j(                  d      (      &      | _        t#        |d)t%        t'        j*                  d      *      &      | _        y )+Npassword	principalstatekdestroy_all
cache_name
start_time	renewableforwardable	proxiableaddress_restrictedcanonicalization
enterpriserenewalvalidatekeytabkeytab_pathkinitz-lz-sz-rz-fz-FT)ignore_nonez-pz-Pz-az-Az-nz-Cz-Ez-Rz-vz-kc                     | rd| gS dgS )Nz-tz-i )vs    p/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/krb_ticket.py<lambda>z$IPAKeytab.__init__.<locals>.<lambda>   s    !dAY RVQW     z-c)lifetimer   r   r   r   r   	anonymousr   r   r   r   r   r   r   r   )commandarg_formatskdestroy)r   r   r   klist	show_list)moduler   r   r   r   r   r   r   r   r   r   r   r   r   r   r   r   r   dictr	   
as_opt_valas_boolas_funcas_listr   r)   r*   )selfr-   kwargss      r"   __init__zIPAKeytab.__init__   s7   z*,G_
">2 . .,!-0,"()="> &'9 : .i(z*X&!-0'2248)44T:(33D9*2244P(00tN#1#9#9$RV#W(006!/!7!7!=)11$7&..t4'//5%--d3*223WX)44T:(002

, "+33D9)44T:(33D9
 (006

r$   c                     t        | j                  j                        }| j                  dd| j                        5 } |j
                  di |\  }}}d d d        |S # 1 sw Y   S xY w)Nzlifetime start_time renewable forwardable proxiable address_restricted anonymous canonicalization enterprise renewal validate keytab keytab_path cache_name principalT)check_rcdatar    )r.   r-   paramsr   r   runr3   r9   ctxrcouterrs         r"   
exec_kinitzIPAKeytab.exec_kinit   ss    dkk(()ZZc	  
 	-
 "377,V,LBS	- 
	- 
s   AA)c                     t        | j                  j                        }| j                  dd      5 } |j                  di |\  }}}d d d        |S # 1 sw Y   S xY w)Nz!kdestroy_all cache_name principalTr7   r    )r.   r-   r9   r)   r:   r;   s         r"   exec_kdestroyzIPAKeytab.exec_kdestroy  si    dkk(()]]/  
 	- "377,V,LBS		-
 
	-
 
s   AAc                     t        |      }| j                  dd      5 } |j                  di |\  }}}d d d        fS # 1 sw Y   xY w)Nr+   r,   FrB   r    )r.   r*   r:   )r3   r,   r9   r<   r=   r>   r?   s          r"   
exec_klistzIPAKeytab.exec_klist  sf     	*ZZ  
 	- "377,V,LBS		-
 3|	- 	-s   AAc                 <   d}d}| j                   s*| j                  s| j                  |      \  }}}|dk7  rd}|S d}| j                  |      \  }}}| j                   r| j                   t        |      vrd}| j                  r| j                  t        |      vrd}|S )NTFr   )r   r   rE   str)r3   ticket_presentr,   r=   r>   r?   s         r"   check_ticket_presentzIPAKeytab.check_ticket_present  s    	~~doo??95LBSQw!&  I??95LBS~~$..C"@!&4??#c(#B!&r$   N)__name__
__module____qualname__r5   r@   rC   rE   rI   r    r$   r"   r   r      s    9
v		r$   r   c            
         t        d$i dt        d      dt        dd      dt        ddd	g
      dt        d      dt        dt        dgf      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      dt        d      } t        | dddidg      }|j                  d   }|j                  d   }t	        |fi d|d|d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   d|j                  d   }|j                  d   #|j                  d   dur|j                  d !       d"}|dk(  r.|j                         sd}|j                  s|j                          |d	k(  rO|rd}|j                  s?|j                          n.|j                         rd}|j                  s|j                          |j                  |#       y )%Nr   rG   )typer   T)rN   no_logr   presentabsent)defaultchoicesr   boolr   
KRB5CCNAME)rN   fallbackr%   r   r   r   r   r   r&   r   r   r   r   r   r   path)r   rP   )r   r   T)argument_specsupports_check_moderequired_byrequired_ifz>If keytab_path is specified then keytab parameter must be True)msgF)changedr    )r.   r   r   r9   r   	fail_jsonrI   
check_moder@   rC   	exit_json)arg_specr-   r   r   r   r]   s         r"   mainrb   /  s~    E"5. 9y(.CD v&	
 Ul\N-KL 5! U# E" f% F#  V, F# 6* V$ &!  6"!"  #$ f%%H(  8
 D
	F MM'"E==0Lv "$0 "({!; !'j 9	
 #)--"= !'j 9 #)--"= "({!; $*==#? "({!; +1--8L*M "({!; )/6H(I #)--"=  &}}Y7  !'j 9!" %mmH5#$ $*==#?%F* }}]#/FMM(4KSW4W]^G	**,G$$!!#G$$$$&((*G$$$$&
W%r$   __main__N)
__future__r   r   r   rN   __metaclass__DOCUMENTATIONEXAMPLESansible.module_utils.basicr   r   Eansible_collections.community.general.plugins.module_utils.cmd_runnerr   r	   objectr   rb   rJ   r    r$   r"   <module>rk      sW    A @zx4l C kk k\L&^ zF r$   