
Using Ansible to batch-create Kerberos principals by username and distribute them to remote hosts

2025/2/26 3:00:38  Source: https://blog.csdn.net/haoxiaoyan/article/details/145322707

The following playbook batch-generates the credentials (keytab files) and distributes them to the target hosts.

```yaml
- name: Configure Kerberos for Hadoop Users
  hosts: hadoop_servers
  become: no
  gather_facts: no
  vars:
    kerberos_server: hadoop01.xuexi.com
    keytab_dir: /home/hadoop/hxy
    keytab_local_dir: ./keytabs
    principals:
      - hxy
      - stars
  tasks:
    # Runs on every host in hadoop_servers. xst (below) writes to this path on
    # the KDC, so the KDC must be in that group or have the directory already.
    - name: Ensure key directory exists
      ansible.builtin.file:
        path: "{{ keytab_dir }}"
        state: directory
        mode: '0755'

    - name: Create Kerberos principals and generate keytab files
      block:
        # One principal per user and host: <user>/<host>@XUEXI.COM, created on the KDC.
        - name: Create a Kerberos principal
          ansible.builtin.command: >
            kadmin.local -q "addprinc -randkey {{ item }}/{{ inventory_hostname }}@XUEXI.COM"
          register: addprinc_results
          delegate_to: "{{ kerberos_server }}"
          ignore_errors: yes
          loop: "{{ principals }}"

        - name: Set facts for successfully created principals
          set_fact:
            created_principals: "{{ created_principals | default([]) + [item.item] }}"
          when: item.rc == 0
          loop: "{{ addprinc_results.results }}"

        # MIT kadmin reports duplicates as "Principal or policy already exists".
        - name: Report failed principal creation attempts
          ansible.builtin.debug:
            msg: "Failed to create principal for {{ item.item }}/{{ inventory_hostname }}@XUEXI.COM: {{ item.stderr }}"
          when: "'already exists' not in item.stderr and item.rc != 0"
          loop: "{{ addprinc_results.results }}"

        # default([]) keeps the loops valid when no principal was created for this host.
        - name: Generate keytab file for each principal
          ansible.builtin.command: >
            kadmin.local -q "xst -k {{ keytab_dir }}/{{ item }}-{{ inventory_hostname }}.keytab -norandkey {{ item }}/{{ inventory_hostname }}@XUEXI.COM"
          register: xst_results
          delegate_to: "{{ kerberos_server }}"
          loop: "{{ created_principals | default([]) }}"

        # fetch fails on its own if the keytab is missing on the KDC
        # (fail_on_missing defaults to yes), so no separate existence check is needed.
        - name: Fetch the keytab files to the control machine
          ansible.builtin.fetch:
            src: "{{ keytab_dir }}/{{ item }}-{{ inventory_hostname }}.keytab"
            dest: "{{ keytab_local_dir }}/{{ item }}-{{ inventory_hostname }}.keytab"
            flat: yes
          delegate_to: "{{ kerberos_server }}"
          loop: "{{ created_principals | default([]) }}"

        # A keytab is a long-term credential. The copies land in /data1/tmp with the
        # connection user's default permissions; restrict owner and mode as needed.
        - name: Distribute keytab files to each target host
          ansible.builtin.copy:
            src: "{{ keytab_local_dir }}/{{ item }}-{{ inventory_hostname }}.keytab"
            dest: "/data1/tmp/{{ item }}-{{ inventory_hostname }}.keytab"
          loop: "{{ created_principals | default([]) }}"

        - name: Clean up keytab files on Kerberos server
          ansible.builtin.file:
            path: "{{ keytab_dir }}/{{ item }}-{{ inventory_hostname }}.keytab"
            state: absent
          delegate_to: "{{ kerberos_server }}"
          loop: "{{ created_principals | default([]) }}"

        # Delegated to localhost so the copies on the control machine are removed
        # for every host in the play, not only the first one.
        - name: Clean up local keytab files on control machine
          ansible.builtin.file:
            path: "{{ keytab_local_dir }}/{{ item }}-{{ inventory_hostname }}.keytab"
            state: absent
          delegate_to: localhost
          loop: "{{ created_principals | default([]) }}"
```
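To confirm that each keytab the playbook distributes holds only the principal meant for that user and host, the file can be parsed and checked before it is put to use. The following is an added example, not code from the original post: it assumes the MIT keytab file format version 0x0502, the function names are hypothetical, and the sample keytab is constructed with an all-zero key.

```python
import struct

def counted(buf, pos):
    """Read a uint16-length-prefixed byte string; return (value, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(data, p)
            comps.append(c.decode())
        p += 8                             # skip name type (4) + timestamp (4)
        kvno = data[p]                     # 8-bit key version number
        (enctype,) = struct.unpack_from(">H", data, p + 1)
        _, p = counted(data, p + 3)        # step over the key; never return it
        if end - p >= 4:                   # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def unexpected_principals(data, user, host, realm="XUEXI.COM"):
    """Principals in the keytab other than user/host@realm (should be empty)."""
    want = f"{user}/{host}@{realm}"
    return sorted({p for p, _, _ in parse_keytab(data) if p != want})

def sample_entry(user, host="hadoop01.xuexi.com", realm="XUEXI.COM", kvno=1):
    """Constructed sample entry (enctype 18, all-zero key) for the demo only."""
    body = struct.pack(">H", 2)
    for s in (realm, user, host):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, 18, 32) + b"\x00" * 32
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed keytab that wrongly carries both users' keys in one file.
SAMPLE = b"\x05\x02" + sample_entry("hxy") + sample_entry("stars")
```

On a real file, pass `open(path, "rb").read()` to `unexpected_principals`; a non-empty result means the keytab grants more identities than the one it was issued for.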


 
