On 05/07/2014 09:32 PM, Bruce Pennypacker wrote:
> Ah, thanks! All the documentation for the authorized_key module
> implies that it works on just one key at a time, not a file/string
> that contains multiple keys. That documentation should really be
> updated...
>
> -Bruce
>
> On Wednesday, May 7, 2014 2:13:42 PM UTC-4, Matt Martz wrote:
>
> I'd recommend storing your keys in files, and using lookup('file',
> ...)
>
> Then you can store multiple keys in a single file.
>
> Additionally you could just store multiple keys as a string with
> new lines in your current data structure and not try using a list.
>
> On Wednesday, May 7, 2014, Bruce Pennypacker
> <[email protected]> wrote:
>
> We have a role that defines user accounts as follows:
>
> users:
>   - username: user1
>     comment: User 1
>     uid: 3001
>     ssh_key: "xxx"
>
>   - username: user2
>     comment: User 2
>     uid: 3002
>     ssh_key: "yyy"
>
> Users are then grouped by name into other lists:
>
> regular_users:
>   - user1
>   - user2
>   ...
>
> ops_users:
>   - user3
>   - user4
>   ...
>
> Our hosts then have a fact called user_roles that's a list of
> each group of users and individual usernames to create
> accounts for. We then have tasks defined like this:
>
> - name: add users
>   user: name={{ item.username }}
>         comment="{{ item.comment }}"
>         uid={{ item.uid }}
>   when: item.username in lookup('flattened',user_roles)
>   with_items: users
>
> - name: add SSH keys
>   authorized_key: user={{ item.username }}
>                   key="{{ item.ssh_key }}"
>   when: item.username in lookup('flattened',user_roles) and
>         item.ssh_key is defined
>   with_items: users
>
> All of this is working great. We're managing about 50
> different user accounts over 80 servers in varying groups
> without any difficulty. But now I'd like to be able to extend
> this to support multiple SSH keys for each user. So I'd like
> to be able to define a user along these lines:
>
> - username: userFoo
>   comment: User Foo
>   uid: 4321
>   ssh_keys: [ 'xxx', 'yyy', 'zzz']
>
> But if I do this then I'm at a complete loss of how to rewrite
> the authorized_key task to handle it properly. At first
> glance I would expect that I'd need to use with_nested but I'm
> not entirely sure how to go about doing it. I tried
> variations of this, but haven't gotten anything to work:
>
> - name: add multiple SSH keys
>   authorized_key: user={{ item[0].username }}
>                   key="{{ item.[1] }}"
>   when: item[0].username in lookup('flattened',user_roles) and
>         item[0].ssh_keys is defined
>   with_nested:
>     - users
>     - item[0].ssh_keys
>
> Is there a better way of managing a dynamic list of ssh keys?
> Or am I just trying something that's too complex for Ansible
> to handle cleanly?
>
> -Bruce
>
>
> --
> You received this message because you are subscribed to the
> Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to [email protected].
> To post to this group, send email to
> [email protected].
> To view this discussion on the web visit
>
> https://groups.google.com/d/msgid/ansible-project/ed9760ef-ae4d-4403-b145-2e8d0ec84d34%40googlegroups.com
>
> <https://groups.google.com/d/msgid/ansible-project/ed9760ef-ae4d-4403-b145-2e8d0ec84d34%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout
> <https://groups.google.com/d/optout>.
>
>
>
> --
> Matt Martz
> [email protected]
> http://sivel.net/
You can store multiple keys in a single file, but that means that you
would have to manually create a separate file for each key combination
you want to deploy.
Instead, take a look at my pull request for with_nested
(https://github.com/ansible/ansible/pull/7278) and the example I have
given in my previous post at the "Nested looping with hash/dict so I can
override values" thread. It would allow you to do what you want more
cleanly.
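
Added example, not part of the original thread and not code from the Ansible project: a Python pre-processing helper that turns the `ssh_keys` list from the question into the single newline-separated string form suggested in the quoted reply, checking each entry first so that one list element cannot carry a second, unreviewed key. The function names and sample keys are constructed for illustration, and the helper assumes plain `<type> <base64> [comment]` entries without an options prefix.

```python
import base64
import struct


def make_sample_key(key_type, fill, comment):
    """Constructed sample: a syntactically valid key line with dummy key bytes."""
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def check_key_line(line):
    """Return the base64 body if `line` is exactly one well-formed key, else raise."""
    if "\n" in line or "\r" in line:
        raise ValueError("embedded newline would add a second authorized_keys entry")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    blob = base64.b64decode(body, validate=True)  # raises a ValueError subclass if invalid
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own length-prefixed type name; it must match the label.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match the type inside the blob")
    return body


def keys_string(user):
    """Join a user's ssh_keys list into one newline-separated string."""
    seen, lines = set(), []
    for raw in user.get("ssh_keys", []):
        line = raw.strip()
        body = check_key_line(line)
        if body not in seen:  # same key material under another comment counts once
            seen.add(body)
            lines.append(line)
    return "\n".join(lines)


# Constructed sample data in the shape used in the question.
USERS = [{"username": "userFoo", "comment": "User Foo", "uid": 4321, "ssh_keys": [
    make_sample_key("ssh-ed25519", 1, "foo@laptop"),
    make_sample_key("ssh-ed25519", 2, "foo@desktop"),
    make_sample_key("ssh-ed25519", 1, "foo@old-laptop"),  # duplicate key material
]}]

if __name__ == "__main__":
    print(keys_string(USERS[0]))
```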