From 7ad69b6bb0130f0573db8eaccc6490f6dbd7fc01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Fri, 18 Oct 2024 16:05:06 -0400
Subject: [PATCH] Set mode of keytab
---
 data/common.yaml | 3 ++
 data/site.yaml | 1 +
 site/profile/manifests/jupyterhub.pp | 44 ++++++++++++++++++----------
 3 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index 912bee6e3..40b51c708 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -77,6 +77,9 @@ jupyterhub::jupyterhub_config_hash: choices: ['notebook', 'lab', 'terminal', 'code-server', 'desktop'] def: 'lab' + LocalFreeIPAAuthenticator: + principal: "jupyterhub/jupyterhub" + selinux::mode: 'permissive' # selinux::type: 'targeted'
diff --git a/data/site.yaml b/data/site.yaml
index fab925d18..94abeca49 100644
--- a/data/site.yaml
+++ b/data/site.yaml
@@ -56,6 +56,7 @@ magic_castle::site::tags: - profile::cvmfs::alien_cache proxy: - profile::jupyterhub::hub + - profile::jupyterhub::hub::keytab - profile::reverse_proxy efa: - profile::efa
diff --git a/site/profile/manifests/jupyterhub.pp b/site/profile/manifests/jupyterhub.pp
index 9ad324744..89ea311bd 100644
--- a/site/profile/manifests/jupyterhub.pp
+++ b/site/profile/manifests/jupyterhub.pp
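Review bot: The new `LocalFreeIPAAuthenticator.principal` value `jupyterhub/jupyterhub` in the common.yaml hunk is written without a realm and is the same literal that the `jupyterhub_keytab` exec in jupyterhub.pp passes to `ipa-getkeytab -p`, yet nothing in the data expresses that dependency, so editing either copy leaves the hub holding a keytab that does not contain the principal it authenticates as, with no Puppet failure to point at it. A one-line comment above the key would make the coupling visible: `# Must match the principal fetched into /etc/jupyterhub/jupyterhub.keytab by profile::jupyterhub::hub::keytab and the alias registered in ipa_register_service.py`. The site.yaml hunk only adds the new class tag to the proxy role and needs no further note.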
@@ -31,18 +31,30 @@ source => 'puppet:///modules/profile/freeipa/kinit_wrapper', mode => '0755', } +} + +class profile::jupyterhub::node { + if lookup('jupyterhub::node::prefix', String, undef, '') !~ /^\/cvmfs.*/ { + include jupyterhub::node + if lookup('jupyterhub::kernel::setup') == 'venv' and lookup('jupyterhub::kernel::venv::python') =~ /^\/cvmfs.*/ { + Class['profile::software_stack'] -> Class['jupyterhub::kernel::venv'] + } + } +} +class profile::jupyterhub::hub::keytab { $domain_name = lookup('profile::freeipa::base::domain_name') $int_domain_name = "int.${domain_name}" $fqdn = "${facts['networking']['hostname']}.${int_domain_name}" $service_name = "jupyterhub/${fqdn}" $service_register_script = @("EOF") api.Command.batch( - { 'method': 'service_add', 'params': [['${service_name}'], {}]}, - { 'method': 'role_add', 'params': [['JupyterHub'], {'description' : 'JupyterHub User management'}]}, - { 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'Group Administrator'}]}, - { 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'User Administrators'}]}, - { 'method': 'role_add_member', 'params': [['JupyterHub'], {'service' : '${service_name}'}]}, + { 'method': 'service_add', 'params': [['${service_name}'], {}]}, + { 'method': 'service_add_principal', 'params': [['${service_name}', 'jupyterhub/jupyterhub'], {}]}, + { 'method': 'role_add', 'params': [['JupyterHub'], {'description' : 'JupyterHub User management'}]}, + { 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'Group Administrator'}]}, + { 'method': 'role_add_privilege', 'params': [['JupyterHub'], {'privilege' : 'User Administrators'}]}, + { 'method': 'role_add_member', 'params': [['JupyterHub'], {'service' : '${service_name}'}]}, ) |EOF 
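Review bot: The added `service_add_principal` entry hard-codes the alias `jupyterhub/jupyterhub` instead of deriving it from the `LocalFreeIPAAuthenticator.principal` value the same commit introduces in common.yaml, so the alias FreeIPA knows and the principal the hub authenticates with can drift apart without any error at catalog compile time. Since `Exec['jupyterhub_ipa_service_register']` (in the next hunk) is `refreshonly` and subscribed to this script, the modified script will re-run the whole batch on already-provisioned hubs, where `service_add` and, once the alias exists, `service_add_principal` should surface as DuplicateEntry results; I believe `api.Command.batch` reports per-command errors rather than aborting, but that is worth confirming on an existing deployment because the role and privilege steps follow those two calls. Consider `$principal_alias = lookup('jupyterhub::jupyterhub_config_hash.LocalFreeIPAAuthenticator.principal')` above the heredoc and `{ 'method': 'service_add_principal', 'params': [['${service_name}', '${principal_alias}'], {}]},` in the batch so the value has one source. The class `profile::jupyterhub::hub::keytab` opened here continues past the end of this hunk.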
@@ -56,31 +68,33 @@ command => "kinit_wrapper ipa console ${jupyterhub::prefix}/bin/ipa_register_service.py", refreshonly => true, require => [ + Exec['jupyterhub_venv'], + File["${jupyterhub::prefix}/bin/kinit_wrapper"], Exec['ipa-install'], ], subscribe => File["${jupyterhub::prefix}/bin/ipa_register_service.py"], environment => ["IPA_ADMIN_PASSWD=${ipa_passwd}"], - path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', " ${jupyterhub::prefix}/bin"], + path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', "${jupyterhub::prefix}/bin"], } exec { 'jupyterhub_keytab': - command => "kinit_wrapper ipa-getkeytab -p ${service_name} -k /etc/jupyterhub/jupyterhub.keytab", + command => 'kinit_wrapper ipa-getkeytab -p jupyterhub/jupyterhub -k /etc/jupyterhub/jupyterhub.keytab', creates => '/etc/jupyterhub/jupyterhub.keytab', require => [ + Exec['jupyterhub_venv'], File["${jupyterhub::prefix}/bin/kinit_wrapper"], Exec['jupyterhub_ipa_service_register'], Exec['ipa-install'], ], environment => ["IPA_ADMIN_PASSWD=${ipa_passwd}"], - path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', " ${jupyterhub::prefix}/bin"], + path => ['/bin', '/usr/bin', '/sbin','/usr/sbin', "${jupyterhub::prefix}/bin"], } -} -class profile::jupyterhub::node { - if lookup('jupyterhub::node::prefix', String, undef, '') !~ /^\/cvmfs.*/ { - include jupyterhub::node - if lookup('jupyterhub::kernel::setup') == 'venv' and lookup('jupyterhub::kernel::venv::python') =~ /^\/cvmfs.*/ { - Class['profile::software_stack'] -> Class['jupyterhub::kernel::venv'] - } + file { '/etc/jupyterhub/jupyterhub.keytab': + owner => 'root', + group => 'jupyterhub', + mode => '0640', + subscribe => Exec['jupyterhub_keytab'], + require => Group['jupyterhub'], } }
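Review bot: `Exec['jupyterhub_keytab']` now fetches the keytab for the literal principal `jupyterhub/jupyterhub` while the same string is declared separately under `jupyterhub::jupyterhub_config_hash.LocalFreeIPAAuthenticator.principal` in common.yaml; if the two ever diverge the hub fails Kerberos authentication with no Puppet error, so the exec should read the value once, e.g. `$principal = lookup('jupyterhub::jupyterhub_config_hash.LocalFreeIPAAuthenticator.principal')` and `command => "kinit_wrapper ipa-getkeytab -p ${principal} -k /etc/jupyterhub/jupyterhub.keytab",`. The new `file { '/etc/jupyterhub/jupyterhub.keytab': ... }` resource uses `subscribe => Exec['jupyterhub_keytab']`, but a `file` resource does not act on refresh events, so this only provides ordering and `require => Exec['jupyterhub_keytab']` states the intent plainly. Note also that because of the `creates` guard the owner/group/mode are reconciled only after `ipa-getkeytab` has written the file with whatever mode it chooses, and a keytab that exists but is stale (for example after the service key is re-randomized elsewhere) is never re-fetched; a comment on the `file` resource stating that it only tightens permissions on an already-written secret would help the next maintainer. The class header for this resource is in the previous hunk, and the file may continue past the end of this one.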