On Wed, May 11, 2011 at 05:36:26PM +0200, Arnau Bria wrote:
> I think I've already asked here... but I have an example where that
> feature is really interesting: we have some user pool, about 1000
> users, and I'd like to distribute one key to all those users. With the
> trivial workaround, I could do it, but with 1000 lines :-)
>
> so, I'll open a ticket and pray for developers finding it interesting
> too.
>
One key for more than one user (e.g. an array for users) is really hard
to implement the right way:

When puppet parses the keyfiles of different users, puppet just creates
one pool of keys. Puppet identifies a key by its name (=comment) NOT by
the target. So one key has to be unique across all your keyfiles. That
means puppet can also move one entry from one file to another:

Simple test with the host type:

    puppet apply -v --noop -e 'host {localhost: target => "/tmp/test" }'
    info: Applying configuration version '1305216426'
    notice: /Stage[main]//Host[localhost]/target: is /etc/hosts, should be /tmp/test (noop)

Because one key has to have a unique name, one could argue that puppet
should allow an array as a value for target (or user). But that just
raises other issues: Imagine you have the following:

    ssh_authorized_key { 'testkey':
      ensure => present,
      key    => 'A',
      user   => ['userA', 'userB' ]
    }

What should puppet report when in userA's keyfile the key property is out
of sync (let's say key => 'X') while the key in userB's keyfile is
correct?

Maybe something like

    Ssh_authorized_key[testkey]/key: is 'X', should be 'A' but only for
    'userA' because for 'userB' key is correctly set to 'A'

So in my opinion the biggest problem with managing a resource for a
whole bunch of users at the same time is the problem that you now have
more than one is-value.

-Stefan
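
The following is an added example, not part of the original thread and not code from the Puppet project: one way to get the same key into many accounts while keeping every resource name unique, as the uniqueness constraint described above requires. The define name `shared_ssh_key`, its parameters, the `poolkey-` prefix, the user list and the key material are hypothetical placeholders.

```puppet
# Added example. All names and values here are constructed for illustration.
define shared_ssh_key ($key_material, $key_type = 'ssh-rsa', $ensure = present) {
  # $name is the account. Prefixing it gives every resource a distinct title
  # (the key comment Puppet uses as identity), so the single pool of keys
  # parsed from all authorized_keys files never holds two entries with the
  # same name, and Puppet has no reason to move an entry between files.
  ssh_authorized_key { "poolkey-${name}":
    ensure => $ensure,
    user   => $name,
    type   => $key_type,
    key    => $key_material,
  }
}

# An array of titles declares one shared_ssh_key per user, so each user's
# keyfile is a separate resource with its own is-value in the report.
$pool_users = ['userA', 'userB']

shared_ssh_key { $pool_users:
  key_material => 'CONSTRUCTED_PLACEHOLDER_BASE64_KEY',
}
```

If userA's entry drifts, the report names `Ssh_authorized_key[poolkey-userA]` only, and the key can be removed from one account by declaring that user with `ensure => absent`.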