Issue #10850 has been updated by Stefan Schulte.

If a parsed file resource is out of sync, puppet performs the necessary changes in memory and when flush is called, it rewrites all files that actually need modification. In case of the ssh_authorized_key provider the flush method is called as an unprivileged user (the user that is mentioned with the user parameter of the resource; this is because of the CVE). This works in most cases (adding new key, changing a key etc.) but it fails if the target property is out of sync. In the latter case puppet needs to move one record from one target to another. When flush is called, puppet now has to rewrite two files:

- rewrite the file where the key was added (owned by our user -> works)
- rewrite the file where the key was removed (most likely not owned by our user -> fails)

----------------------------------------
Bug #10850: ssh_authorized_key doing the wrong thing
https://projects.puppetlabs.com/issues/10850

Author: Ashley Penney
Status: Accepted
Priority: Urgent
Assignee: Matt Robinson
Category: ssh
Target version:
Affected Puppet version: 2.7.6
Keywords:
Branch:

Backstory - I cut and paste my ssh_authorized_key statement to make another user's key. I changed the title of the resource and the actual key but forgot to change the 'target =>' setting. This then tried to update apenney instead of jthompson. I tried to correct this and now puppet errors constantly and as you can see from below it's trying to write to the old target not the new target.

notice: /Stage[main]/Users/User[jthompson]/ensure: created
notice: /Stage[main]/Users/Ssh_authorized_key[jthompson]/user: user changed 'apenney' to 'jthompson'
notice: /Stage[main]/Users/Ssh_authorized_key[jthompson]/target: target changed '/home/apenney/.ssh/authorized_keys' to '/home/jthompson/.ssh/authorized_keys'
err: /Stage[main]/Users/Ssh_authorized_key[jthompson]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/apenney/.ssh/authorized_keys: Permission denied - /home/apenney/.ssh/authorized_keys
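
The two-file rewrite described in the update above, as an added Ruby model that is not part of the original thread and is not Puppet's provider code. The Key struct, the function names, the owners hash and the key strings are assumptions constructed for illustration; the paths and user names are the ones in the report.

```ruby
# Added model, not Puppet's provider code. Owners are constructed sample data
# passed in as a hash instead of being read from the filesystem.
Key = Struct.new(:name, :user, :target, :key)

# Target files whose content changes when record `was` (nil if absent)
# becomes record `is`.
def dirty_targets(was, is)
  return [is.target] if was.nil?   # new key: only the new file
  return [] if was == is           # already in sync
  [was.target, is.target].uniq     # target changed: old file and new file
end

# Simulate flush running as the resource's user: a rewrite succeeds only
# when that user owns the file.
def flush_as_user(was, is, owners)
  dirty_targets(was, is).map do |path|
    [path, owners[path] == is.user ? :written : :permission_denied]
  end.to_h
end

# Targets a manifest change would fail on; usable as a check before applying.
def failing_targets(was, is, owners)
  flush_as_user(was, is, owners).select { |_, s| s == :permission_denied }.keys
end

OWNERS = {
  '/home/apenney/.ssh/authorized_keys'   => 'apenney',
  '/home/jthompson/.ssh/authorized_keys' => 'jthompson'
}.freeze

# The state from the report: jthompson's key was first written to apenney's file.
WAS = Key.new('jthompson', 'apenney', '/home/apenney/.ssh/authorized_keys', 'AAAA-constructed')
IS  = Key.new('jthompson', 'jthompson', '/home/jthompson/.ssh/authorized_keys', 'AAAA-constructed')

if __FILE__ == $PROGRAM_NAME
  flush_as_user(WAS, IS, OWNERS).each { |path, status| puts "#{status}: #{path}" }
end
```

Adding a key or changing a key in place touches only a file the resource's user owns, which is why only the target change produces the Permission denied seen in the log.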
