
Purge any Kerberos keytab files that are not managed by puppet
Closed, Resolved, Public

Description

We noticed during a recent decommissioning of a Kerberos-enabled service (T266641: Test Alluxio as cache layer for Presto) that unmanaged keytab files are not purged from hosts.

This leads to a potential security issue whereby stray keytab files can be inadvertently left in place on servers, resulting in undesired levels of access.

It would be better if the entire /etc/security/keytabs/ folder were managed recursively by Puppet and any unmanaged files found there were removed.

From a comment by @MoritzMuehlenhoff on the linked task:

Given that /etc/security/keytabs is a directory we create in Puppet it seems safe to assume that only our keytabs end up there (and none shipped by debs or so).

So this sounds like a good idea. We can make sure that unmanaged keytabs are yanked by Puppet by adding "recurse => true" and "purge => true" to the file definition for /etc/security/keytabs declared in profile::kerberos::client.
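The change the comment above describes, written out as an added example (not the actual operations/puppet code from change 734612): the original directory resource, the same resource with recurse and purge enabled, and a managed keytab that survives the purge. The owner, group, mode, keytab name and source path are assumptions.

```puppet
# Before (assumed shape of the resource in profile::kerberos::client):
# Puppet manages the directory itself but never looks at its contents,
# so a keytab left behind by a decommissioned service is never removed.
file { '/etc/security/keytabs':
  ensure => 'directory',
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

# After: recurse => true makes Puppet walk the directory on every run and
# purge => true removes each file in it that no resource in the catalog
# declares. Without force => true only files are removed, not
# subdirectories. Purged files are copied to the filebucket when one is
# configured, which matters for secret material such as keytabs.
file { '/etc/security/keytabs':
  ensure  => 'directory',
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  recurse => true,
  purge   => true,
}

# Every keytab that must stay has to be declared as its own resource.
# Puppet only purges entries that nothing in the catalog manages, so this
# file (assumed name, owner and source) is kept while stray files next to
# it are deleted.
file { '/etc/security/keytabs/presto.keytab':
  ensure  => 'file',
  owner   => 'presto',
  group   => 'presto',
  mode    => '0400',
  source  => 'puppet:///modules/profile/kerberos/presto.keytab',
  require => File['/etc/security/keytabs'],
}
```

Running the agent with --noop after the change lists each unmanaged keytab as "ensure: current_value 'file', should be 'absent'", which is a quick way to confirm nothing still in use would be removed before the change is applied for real.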

Event Timeline

BTullis triaged this task as Medium priority.
BTullis moved this task from Next Up to In Progress on the Analytics-Kanban board.

Change 734612 had a related patch set uploaded (by Btullis; author: Btullis):

[operations/puppet@production] Purge any unmanaged files from /etc/security/keytabs

https://gerrit.wikimedia.org/r/734612

Change 734612 merged by Btullis:

[operations/puppet@production] Purge any unmanaged files from /etc/security/keytabs

https://gerrit.wikimedia.org/r/734612