Authorized_key for multiple keys (contribution proposal)
531 views
Skip to first unread message
Fabrice Bernhard
Nov 27, 2014, 8:53:49 AM11/27/14
to ansibl...@googlegroups.com
Dear all,
I am new to this list, so sorry in advance for any mistakes.
I have been using the Ansible Python API to develop a simple tool that manages server access for our infrastructure. I am using the authorized_key module for that. One improvement I would like to make is to manage list of keys per user instead of managing on a key per key basis. That would also allow to add a security option to enforce all the keys and ONLY those to be present on the server.
When digging into the code I realise that the module somehow handles list of keys but in a strange way, since its primary purpose is to manage a single key.
Two questions for you, honourable ansible-devel member:
- should I try a pull request on the authorized_key module for this need or should i start a new module authorized_keys ?
- how would you name the "all the keys must be present and ONLY those keys" state? The current states are "present" or "absent". Possible choices could be:
- "replace"?
- "exclusive"?
- "only"?
Thank you for your feedback!
Fabrice
Fabrice Bernhard
Nov 30, 2014, 5:04:35 PM11/30/14
to ansibl...@googlegroups.com
To answer a message that has been sent to me in private (thanks for the feedback): "Why not directly manage the authorized_keys file instead of going through the authorized_key module if you want to manage all keys at once?". It is a good question... I guess for one project it is not worth doing more than just pushing the authorized_keys file. In my case where I am managing different servers for different ssh users and different keys, I think I will find it useful to benefit from the power of the authorized_key module with useful functions like "keyfile" and "parse_options".
As for the option name to replace all keys, after some thought I was thinking about calling it "replace_all" which seems self-explanatory to me.
What do you think?
Fabrice
Michael DeHaan
Dec 1, 2014, 3:54:45 PM12/1/14
to Fabrice Bernhard, ansibl...@googlegroups.com
"One improvement I would like to make is to manage list of keys per user instead of managing on a key per key basis."
This is commonly done by having a user datastructure and a list of keys.
Example:
users:
- name: user1
keys:
- user1.pub
groups:
- admins
- webmasters
- name: authorized_keys
authorized_key: >
user={{ item.0.name }}
key="{{ lookup('file', '../../../keys/ssh/' + item.0.name + '.pub') }}"
manage_dir=yes
with_subelements:
- users
- keys
- name: user1
keys:
- user1.pub
groups:
- admins
- webmasters
- name: authorized_keys
authorized_key: >
user={{ item.0.name }}
key="{{ lookup('file', '../../../keys/ssh/' + item.0.name + '.pub') }}"
manage_dir=yes
with_subelements:
- users
- keys
In the above, what additional capabilities would you be looking for?
--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-deve...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Fabrice Bernhard
Dec 1, 2014, 4:18:56 PM12/1/14
to Michael DeHaan, ansibl...@googlegroups.com
Hi Michael,
thanks for the feedback. To answer your question I could do something like this already today:
users:
- name: www-data
keys:
- ssh-rsa AAAABXXX..XXXIRSffY5+++j
- ssh-rsa BAAABXXX..XXXIRSffY5+++j
- ssh-rsa CAAABXXX..XXXIRSffY5+++j
thanks for the feedback. To answer your question I could do something like this already today:
users:
- name: www-data
keys:
- ssh-rsa AAAABXXX..XXXIRSffY5+++j
- ssh-rsa BAAABXXX..XXXIRSffY5+++j
- ssh-rsa CAAABXXX..XXXIRSffY5+++j
groups:
- admins
- webmasters
- name: authorized_keys
authorized_key: >
user={{ item.name }}
key="{{ item.keys | join("\n") }}" # this already works in the code but is not documented
state = "replace_all" # this is an option I want to implement
with_items:
- users
(Sorry if I have made a mistake, I use more the Ansible Python API at the moment)
key="{{ item.keys | join("\n") }}" # this already works in the code but is not documented
state = "replace_all" # this is an option I want to implement
with_items:
- users
(Sorry if I have made a mistake, I use more the Ansible Python API at the moment)
I wanted to do something like this and then realised it already worked in the code even though it was not documented! But I also had a hard time reading the current code, certainly because the code grew organically and the list was hacked on top at some point. It needed some refactoring and this is the object of my current pull request: assume that key can be a list and make the code much more readable around that as a first step.
And then in a second step add features like the state "replace_all" for example
What do you think ?
Best wishes,
Fabrice
Theodo48, boulevard des Batignolles | Fabrice BernhardFondateur et Directeur Technique |
Jesse Keating
Dec 1, 2014, 4:23:54 PM12/1/14
to ansibl...@googlegroups.com
Without changing how authorized_keys processes loops, the replace_all wouldn’t do what you want. Here it would replace all except for the last item in the loop, so you’d be left with a file with only one key in it.
-jlk
-jlk
Fabrice Bernhard
Dec 1, 2014, 4:35:17 PM12/1/14
to Jesse Keating, ansibl...@googlegroups.com
Hi Jesse,
the feature "replace_all" does not exist yet.
The way I want to implement it is simple, it would write the authorized_keys file with the new keys without reusing the former existing keys. It fits in less than five additional lines of code (if my refactoring pull requests gets accepted).
Fabrice
Theodo48, boulevard des Batignolles | Fabrice BernhardFondateur et Directeur Technique |
--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-devel/9p99IQ8aPqs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-deve...@googlegroups.com.
Jesse Keating
Dec 1, 2014, 4:39:06 PM12/1/14
to Fabrice Bernhard, ansibl...@googlegroups.com
So you’re changing how the task authorized_keys deals with with_items, to make it more like apt and yum modules, where the entire list is bundled up and transferred over for one module execution? this is different than other modules where every item in the list results in a new invocation of the module, with just that one item passed along as an argument.
-jlk
-jlk
Brian Coca
Dec 1, 2014, 4:39:58 PM12/1/14
to Fabrice Bernhard, Jesse Keating, ansibl...@googlegroups.com
this is in the queue and seems to do what you ask.
https://github.com/ansible/ansible-modules-core/pull/42Brian Coca
Jonathan Mainguy
Dec 1, 2014, 4:40:22 PM12/1/14
to Jesse Keating, Fabrice Bernhard, ansibl...@googlegroups.com
in regards to yum: it makes it faster, but it is highly anoying that it is different then other modules in this sense
--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-deve...@googlegroups.com.
Fabrice Bernhard
Dec 1, 2014, 7:37:08 PM12/1/14
to Jesse Keating, ansibl...@googlegroups.com
Hi Jesse and Jonathan,
my example is confusing because I was answering to Michael who was himself responding to my more complicated than average usecase. But to answer your question: no it is not about refactoring a list like for yum or apt. To illustrate this, here is a simple usecase which is already supported but not documented:
keys:
- ssh-rsa AAAABXXX..XXXIRSffY5+++j
- ssh-rsa BAAABXXX..XXXIRSffY5+++j
- ssh-rsa CAAABXXX..XXXIRSffY5+++j
- ssh-rsa AAAABXXX..XXXIRSffY5+++j
- ssh-rsa BAAABXXX..XXXIRSffY5+++j
- ssh-rsa CAAABXXX..XXXIRSffY5+++j
- name: authorized_keys
authorized_key: >
user="www-data"
key="{{ keys | join("\n") }}" # this already works in the code but is not documented
This is possible because the key option is already split into a list if multiline. As you can see there is no "with_items" involved in the basic use case.
Fabrice
Theodo48, boulevard des Batignolles | Fabrice BernhardFondateur et Directeur Technique |
Fabrice Bernhard
Dec 1, 2014, 7:41:52 PM12/1/14
to Brian Coca, Jesse Keating, ansibl...@googlegroups.com
Hi Brian,
thanks for the pull request, I had not seen that somebody had already tried to implement the feature.
I added a comment on this pull request because it currently breaks with keys containing commas, which can happen inside the options or comments.
I myself took quite some time to master the current code, this is why I was quite enthusiastic about the way I had managed to make it much more explicit. But I guess this is not a priority unless I make the pull request obvious...
Fabrice
Theodo48, boulevard des Batignolles | Fabrice BernhardFondateur et Directeur Technique |
Michael DeHaan
Dec 3, 2014, 11:27:01 AM12/3/14
to Fabrice Bernhard, Brian Coca, Jesse Keating, ansibl...@googlegroups.com
The clear_keys things seems a bit tricky, as if you don't call it on the first parameter, you end up with clearing all your access away too easily.
It seems to be easier to template the authorized key file for more advanced needs, IMHO, or even just have a copy of that file and use the copy module.
Maybe I'm wrong about this, but it seems safer and easier.
--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-deve...@googlegroups.com.
Fabrice Bernhard
Dec 28, 2014, 1:01:08 PM12/28/14
to Michael DeHaan, Brian Coca, Jesse Keating, ansibl...@googlegroups.com
Hi all,
I have worked on improving the pull request I had written: https://github.com/ansible/ansible-modules-core/pull/409
I have a question for the reviewers: how do I contribute my tests? I have written a few more tests but they are inside the ansible repository and not ansible-modules-core... what is the recommended way?
Fabrice
Reply all
Reply to author
Forward
0 new messages