Merge pull request #52 from stackhpc/sasl

Add support for SASL authentication
stackhpc · Mar 21, 2022 · 55d42c2 · 55d42c2
2 parents a4f0dcc + d899c79
commit 55d42c2
Show file tree

Hide file tree

Showing 12 changed files with 158 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -121,6 +121,50 @@ option names to values. Default is an empty dict.
 `libvirt_host_qemu_conf`: Configuration for `qemu.conf`. Dict mapping option
 names to values. Default is an empty dict.
 
+`libvirt_host_enable_sasl_support`: Whether to enable SASL authentication
+support. Default is `false`.
+
+`libvirt_host_sasl_conf_enabled`: Whether to configure SASL authentication
+(`/etc/sasl2/libvirt.conf`). Default is the same as
+`libvirt_host_enable_sasl_support`.
+
+`libvirt_host_sasl_conf`: Configuration for SASL authentication
+(`/etc/sasl2/libvirt.conf`). String.
+
+`libvirt_host_sasl_mech_list`: List of enabled libvirt SASL authentication
+mechanisms. Default is `["SCRAM-SHA-256"]` when `libvirt_host_tls_listen` is
+`true`, otherwise `["DIGEST-MD5"]`.
+
+`libvirt_host_sasl_credentials`: List of SASL authentication credentials to
+create.  Each item is a dict containing `username` and `password` items.
+Default is a single item list containing `libvirt_host_sasl_authname` and
+`libvirt_host_sasl_password`.
+
+`libvirt_host_sasl_authname`: Username for SASL authentication. Default is
+`libvirt`.
+
+`libvirt_host_sasl_password`: Password for SASL authentication. Default is
+unset.
+
+`libvirt_host_sasl_auth_conf_enabled`: Whether to configure SASL authentication
+credentials (`/etc/libvirt/auth.conf`). Default is the same as
+`libvirt_host_enable_sasl_support`.
+
+`libvirt_host_sasl_auth_conf`: Configuration for SASL authentication
+credentials (`/etc/libvirt/auth.conf`). String.
+
+`libvirt_host_sasl_auth_conf_filename`: Name of file to write SASL
+authentication credentials to. Default is `"/etc/libvirt/auth.conf"`.
+
+`libvirt_host_sasl_auth_conf_owner`: Owner of file to write SASL
+authentication credentials to. Default is `"root"`.
+
+`libvirt_host_sasl_auth_conf_group`: Group of file to write SASL
+authentication credentials to. Default is `"root"`.
+
+`libvirt_host_sasl_auth_conf_mode`: Mode of file to write SASL
+authentication credentials to. Default is `"0600"`.
+
 `libvirt_host_tcp_listen`: Whether to enable the systemd TCP socket unit.
 Default is `false`.
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -90,6 +90,48 @@ libvirt_host_qemu_conf_enabled: true
 # Configuration for qemu.conf. Dict mapping option names to values.
 libvirt_host_qemu_conf: {}
 
+# Whether to enable SASL authentication support.
+libvirt_host_enable_sasl_support: false
+
+# Whether to configure SASL authentication (/etc/sasl2/libvirt.conf).
+libvirt_host_sasl_conf_enabled: "{{ libvirt_host_enable_sasl_support | bool }}"
+# Configuration for SASL authentication (/etc/sasl2/libvirt.conf). String.
+libvirt_host_sasl_conf: |
+  mech_list: {{ libvirt_host_sasl_mech_list | join(' ') }}
+  sasldb_path: /etc/libvirt/passwd.db
+# List of enabled libvirt SASL authentication mechanisms.
+libvirt_host_sasl_mech_list:
+  - "{{ 'SCRAM-SHA-256' if libvirt_host_tls_listen | bool else 'DIGEST-MD5' }}"
+
+# List of SASL authentication credentials to create. Each item is a dict
+# containing "username" and "password" items.
+libvirt_host_sasl_credentials:
+  - username: "{{ libvirt_host_sasl_authname }}"
+    password: "{{ libvirt_host_sasl_password }}"
+# Username for SASL authentication.
+libvirt_host_sasl_authname: libvirt
+# Password for SASL authentication.
+libvirt_host_sasl_password:
+
+# Whether to configure SASL authentication credentials (/etc/libvirt/auth.conf).
+libvirt_host_sasl_auth_conf_enabled: "{{ libvirt_host_enable_sasl_support | bool }}"
+# Configuration for SASL authentication credentials (/etc/libvirt/auth.conf). String.
+libvirt_host_sasl_auth_conf: |
+  [credentials-default]
+  authname={{ libvirt_host_sasl_authname }}
+  password={{ libvirt_host_sasl_password }}
+
+  [auth-libvirt-default]
+  credentials=default
+# Name of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_filename: "/etc/libvirt/auth.conf"
+# Owner of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_owner: "root"
+# Group of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_group: "root"
+# Mode of file to write SASL authentication credentials to.
+libvirt_host_sasl_auth_conf_mode: "0600"
+
 # Whether to enable the systemd TCP socket unit.
 libvirt_host_tcp_listen: false
 # Systemd TCP socket ListenStream. See man systemd.socket for format.

diff --git a/tasks/client-config.yml b/tasks/client-config.yml
@@ -0,0 +1,20 @@
+---
+- name: Ensure client configuration files exist
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  become: true
+  loop: "{{ _libvirt_client_config_files | selectattr('enabled') }}"
+  loop_control:
+    label: "{{ item.dest | basename }}"
+  vars:
+    _libvirt_client_config_files:
+      - src: auth.conf.j2
+        dest: "{{ libvirt_host_sasl_auth_conf_filename }}"
+        enabled: "{{ libvirt_host_sasl_auth_conf_enabled | bool }}"
+        owner: "{{ libvirt_host_sasl_auth_conf_owner }}"
+        group: "{{ libvirt_host_sasl_auth_conf_group }}"
+        mode: "{{ libvirt_host_sasl_auth_conf_mode }}"
diff --git a/tasks/config.yml b/tasks/config.yml
@@ -40,6 +40,9 @@
       - src: qemu.conf.j2
         dest: /etc/libvirt/qemu.conf
         enabled: "{{ libvirt_host_qemu_conf_enabled | bool }}"
+      - src: sasl.conf.j2
+        dest: /etc/sasl2/libvirt.conf
+        enabled: "{{ libvirt_host_sasl_conf_enabled | bool }}"
   notify:
     - restart libvirt
 
@@ -115,6 +118,19 @@
     _libvirt_loop_item: "{{ _libvirt_tls_certs[item] }}"
   notify: restart libvirt
 
+- name: Ensure libvirt SASL user exists
+  shell:
+    cmd: >
+      set -o pipefail &&
+      echo {{ item.password }} |
+      saslpasswd2 -c -p -a libvirt {{ item.username }}
+    executable: /bin/bash
+  become: true
+  no_log: true
+  changed_when: true
+  loop: "{{ libvirt_host_sasl_credentials }}"
+  when: libvirt_host_enable_sasl_support | bool
+
 - name: Flush handlers
   meta: flush_handlers
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -21,6 +21,9 @@
 - name: Include config.yml
   include_tasks: config.yml
   when: libvirt_host_install_daemon | bool
+- name: Include client-config.yml
+  include_tasks: client-config.yml
+  when: libvirt_host_install_client | bool
 - name: Include pools.yml
   include_tasks: pools.yml
   when: libvirt_host_pools | length > 0

diff --git a/tasks/validate.yml b/tasks/validate.yml
@@ -27,3 +27,12 @@
   when:
     - libvirt_host_require_vt | bool
     - not libvirt_host_vt_enabled
+
+- name: Fail if SASL password is not defined
+  fail:
+    msg: >
+      One or more SASL passwords in 'libvirt_host_sasl_credentials' are not
+      defined
+  when:
+    - libvirt_host_enable_sasl_support | bool
+    - libvirt_host_sasl_credentials | rejectattr('password') | length > 0
diff --git a/templates/auth.conf.j2 b/templates/auth.conf.j2
@@ -0,0 +1 @@
+{{ libvirt_host_sasl_auth_conf }}
diff --git a/templates/sasl.conf.j2 b/templates/sasl.conf.j2
@@ -0,0 +1 @@
+{{ libvirt_host_sasl_conf }}
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
@@ -21,5 +21,9 @@ libvirt_host_packages_rbd_volume_pool:
   - libvirt-storage-rbd
   - qemu-block-rbd
 
+# Packages for SASL authentication support.
+libvirt_host_packages_sasl:
+  - cyrus-sasl
+
 # These are passed to the lineinfile module to customize configuration files
 libvirt_host_lineinfile_extra_rules: []
diff --git a/vars/Debian.yml b/vars/Debian.yml
@@ -35,5 +35,10 @@ libvirt_host_packages_rbd_volume_pool:
   - libvirt-daemon-driver-storage-rbd
   - qemu-block-extra
 
+# Packages for SASL authentication support.
+libvirt_host_packages_sasl:
+  - libsasl2-modules-gssapi-mit
+  - sasl2-bin
+
 # These are passed to the lineinfile module to customize configuration files
 libvirt_host_lineinfile_extra_rules: []
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -32,6 +32,14 @@ libvirt_host_packages_rbd_volume_pool:
   - libvirt-daemon-driver-storage-rbd
   - qemu-kvm-block-rbd
 
+# Packages for SASL authentication support.
+libvirt_host_packages_sasl:
+  - cyrus-sasl
+  - "{{ 'cyrus-sasl-gssapi' if 'gssapi' in libvirt_host_sasl_mech_list | map('lower') | list else '' }}"
+  - "{{ 'cyrus-sasl-md5' if 'digest-md5' in libvirt_host_sasl_mech_list | map('lower') | list else '' }}"
+  - "{{ 'cyrus-sasl-plain' if 'plain' in libvirt_host_sasl_mech_list | map('lower') | list else '' }}"
+  - "{{ 'cyrus-sasl-scram' if 'scram' in libvirt_host_sasl_mech_list | map('lower') | join(' ') else '' }}"
+
 libvirt_host_custom_yum_repos_efi_by_version:
   7:
     # Add custom repository as OVMF package seems to be broken

diff --git a/vars/main.yml b/vars/main.yml
@@ -4,13 +4,16 @@ libvirt_host_libvirt_packages: >
   {{ libvirt_host_libvirt_packages_default +
      libvirt_host_extra_daemon_packages +
      libvirt_host_libvirt_packages_client +
-     (libvirt_host_packages_efi if libvirt_host_enable_efi_support else []) | unique
+     (libvirt_host_packages_efi if libvirt_host_enable_efi_support | bool else []) +
+     (libvirt_host_packages_sasl if libvirt_host_enable_sasl_support | bool else [])
   }}
 
 # List of all packages to install for client hosts.
 libvirt_host_libvirt_packages_client: >-
   {{ libvirt_host_libvirt_packages_client_default +
-     libvirt_host_extra_client_packages }}
+     libvirt_host_extra_client_packages +
+     (libvirt_host_packages_sasl if libvirt_host_enable_sasl_support | bool else [])
+  }}
 
 # List of socket services.
 _libvirt_socket_services: