path: root/smartproxy/man/ipa-smartproxy.1
blob: beebeb21e6e07dbc30e4409b7db51ddffd997217 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
.\" A man page for ipa-smartproxy
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.TH "ipa-smartproxy" "1" "Jan 8 2014" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-smartproxy \- IPA Foreman Smartproxy server
.SH "SYNOPSIS"
ipa\-smartproxy [\fIOPTION\fR]...
.SH "DESCRIPTION"
A CherryPy\-based server that provides a RESTful API for use as a Foreman smart proxy.

The RESTful interface is not authenticated, so the server is expected not to be generally accessible. By default it listens only on the localhost interface.

The server needs access to a principal that is granted permission to perform host and hostgroup operations on an IPA master.

Smartproxy server\-specific privileges and roles can be created with this:

.na
 $ ipa privilege\-add 'Smartproxy host management' \-\-desc='Smartproxy host management'
 $ ipa privilege\-add\-permission 'Smartproxy host management' \-\-permission='add hosts' \-\-permission='remove hosts'
 $ ipa role\-add 'Smartproxy management' \-\-desc='Smartproxy management'
 $ ipa role\-add\-privilege 'Smartproxy management' \-\-privilege='Smartproxy host management' \-\-privilege='Host Group Administrators'

Create a host or user whose credentials will be used by the server to make requests and add it to the role:

 $ ipa user\-add \-\-first=Smartproxy \-\-last=Server smartproxy
 $ ipa role\-add\-member \-\-users=smartproxy 'Smartproxy management'

On the smartproxy server create a keytab for this user:

 # kinit admin
 # ipa\-getkeytab \-s ipa.example.com \-p smartproxy@EXAMPLE.COM \-k /etc/ipa/ipa\-smartproxy.keytab
 # chown root:root /etc/ipa/ipa\-smartproxy.keytab
 # chmod 600 /etc/ipa/ipa\-smartproxy.keytab

Configure the GSS\-Proxy to manage the credentials. Add this to the top of the gssproxy configuration file (by default /etc/gssproxy/gssproxy.conf), before any other services:

  [service/smartproxy]
    mechs = krb5
    cred_store = client_keytab:/etc/ipa/ipa\-smartproxy.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    cred_usage = initiate
    euid = 48

Here 48 is the uid of the apache user.

Some startup and operational errors may also be logged to the syslog.
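
A check for the setup described above, as an added example that is not part of the original man page or of the FreeIPA project: it verifies that [service/smartproxy] is the first service section in the gssproxy configuration, that it uses the expected keytab with cred_usage = initiate, and that the keytab is a regular file with mode 600 owned by root. The function names are hypothetical and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit the gssproxy and keytab setup for ipa-smartproxy.
# Function names are hypothetical; paths are passed in by the caller.

# Print the name of the first [service/...] section, then its key=value lines.
first_service() {
    awk '
        /^[ \t]*\[/ {
            if (seen) exit                      # next section starts: stop
            if ($0 ~ /^[ \t]*\[service\//) {
                seen = 1
                sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); print
            }
            next
        }
        seen && /=/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, "="); sub(/[ \t]+$/, ""); print
        }
    ' "$1"
}

# $1 = gssproxy.conf, $2 = keytab path expected in cred_store
check_gssproxy_conf() {
    section=$(first_service "$1")
    printf '%s\n' "$section" | head -n 1 | grep -qxF 'service/smartproxy' || {
        echo "$1: [service/smartproxy] is not the first service section" >&2; return 1; }
    printf '%s\n' "$section" | grep -qxF 'cred_usage=initiate' || {
        echo "$1: cred_usage is not 'initiate'" >&2; return 1; }
    printf '%s\n' "$section" | grep -qxF "cred_store=client_keytab:$2" || {
        echo "$1: cred_store does not point at $2" >&2; return 1; }
}

# $1 = keytab, $2 = expected owner (default root)
check_keytab() {
    owner=${2:-root}
    [ -n "$(find "$1" -prune -type f -perm 600 -user "$owner" 2>/dev/null)" ] || {
        echo "$1: expected a regular file, mode 600, owner $owner" >&2; return 1; }
}

# $1 = gssproxy.conf, $2 = keytab, $3 = expected owner (default root)
audit_smartproxy() {
    check_gssproxy_conf "$1" "$2" && check_keytab "$2" "${3:-root}"
}

# Usage: sh audit.sh /etc/gssproxy/gssproxy.conf /etc/ipa/ipa-smartproxy.keytab
if [ "$#" -ge 2 ]; then audit_smartproxy "$@"; fi
```
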
.SH "OPTIONS"
.TP
\fB\-c\fR \fICONFIG\fR
The configuration file(s) to be loaded. This option may be passed multiple times to load more than one configuration file.
.TP
\fB\-d\fR
Run the server as a daemon.
.TP
\fB\-p\fR \fIPIDFILE\fR
The location to write the server PID file.
.TP
\fB\-h\fR
Show the help message.
.SH "EXIT STATUS"
0 if the server execution was successful

1 if an error occurred
.SH "SEE ALSO"
.BR ipa\-smartproxy.conf(5)