User story #4439
Technique 'ssh keys distribution': Have several keys per users
Status: closed
Pull Request:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:
Description
I've been trying to implement an ssh key distribution policy using the stock technique and run into some limitations.
To make the long story short, I ended up modifying the technique considerably, hence there is no patch, just a new set of files. With these files I hope the following has been addressed:
- The key definitions in the old technique were used verbatim, which made it impossible to update, say, the key comment, which would result in two key definitions for essentially the same key hash;
- classes used to record the outcome would be defined globally, but the names are not specific enough (i.e. line_1_*) which may have created confusion if several rules are in effect on the same host (think of line_1_ok);
- multiple keys for the same user within the same directive were not possible - I had to introduce a new component variable to work around that;
- a special case for SuSE, which differs only in the gid for file ownership has been folded in using an array built conditionally depending on the OS;
- a class name denoting existence for a user was renamed from index_*_exist to user_*_exist for clarity;
- reports have been replaced with methods, which, I hope, makes it simpler to read;
- classes to denote outcomes were also rewritten to use rudder_common_classes;
- an additional edit has been introduced to ensure uniqueness of the defs in the files - this is done with a bundle remove_duplicate_lines (attached) which I have in my site library. If nobody thinks it is useful - just drop the third files promise, otherwise please feel free to include it either into the library or along with the technique (but probably in the latter case it should be given a more specific name, i.e. sshkey_remove_duplicate_lines).
Also note that I have changed the agent version to 3.5.3 - the only reason for that is the use of some cfengine functions (specifically ifelse, regextract and escape) which were not used in the original version, and I am not sure in which cfengine version they were introduced.
Please let me know if this looks useful or you have any questions or concerns.
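The first bullet (verbatim line matching leaves two entries for the same key once a comment changes), the third (several keys for one user) and the last (a de-duplication pass over the file) all come down to one rule: identify an authorized_keys entry by its key material, not by the whole line. The Python below is an added illustration of that rule, not the CFEngine technique or the remove_duplicate_lines bundle from the issue; the key blobs, host names and the `merge_keys`/`parse_authorized_line` names are constructed for the example.

```python
"""Merge desired SSH public keys into authorized_keys lines by key identity.

Added illustration for the issue above: entries are matched on the key type
and base64 blob (the material a fingerprint is computed from), not on the
verbatim line, so a changed comment or option string replaces the stale
entry instead of being appended next to it, and duplicate definitions of
one key collapse to a single line. All inputs are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Key types accepted in authorized_keys; the base64 blob after the type
# identifies the key. This subset is enough for the example.
KEY_TYPE_RE = re.compile(r"^(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def parse_authorized_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, key_type, blob, comment), or None for blank/comment lines.

    An options field such as 'no-pty,from="10.0.0.0/8"' may precede the type.
    It is located by scanning for the first token that is a key type followed
    by a base64 blob, so a quoted option must not itself contain such a pair.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if KEY_TYPE_RE.match(tok) and i + 1 < len(tokens) and BLOB_RE.match(tokens[i + 1]):
            options = " ".join(tokens[:i])
            comment = " ".join(tokens[i + 2:])
            return options, tok, tokens[i + 1], comment
    return None  # malformed line: preserved untouched by merge_keys


def key_identity(line: str) -> Optional[Tuple[str, str]]:
    """The (type, blob) pair that makes two lines 'the same key'."""
    parsed = parse_authorized_line(line)
    return (parsed[1], parsed[2]) if parsed else None


def merge_keys(existing: List[str], desired: List[str]) -> List[str]:
    """Return the new file lines.

    Existing lines are kept in order with duplicate key definitions dropped;
    each desired entry then replaces its stale counterpart in place (same key,
    new comment/options) or is appended. Comments and unparseable lines stay.
    """
    result: List[str] = []
    position: Dict[Tuple[str, str], int] = {}
    for line in existing:
        ident = key_identity(line)
        if ident is not None and ident in position:
            continue  # second definition of a key already present
        if ident is not None:
            position[ident] = len(result)
        result.append(line.rstrip("\n"))
    for line in desired:
        ident = key_identity(line)
        if ident is None:
            raise ValueError(f"desired entry is not a valid key line: {line!r}")
        if ident in position:
            result[position[ident]] = line  # same key, updated comment/options
        else:
            position[ident] = len(result)
            result.append(line)
    return result


# Constructed sample file: a duplicated entry for alice and one key for bob.
EXISTING = [
    "# managed by configuration management (constructed sample)",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTest0001 alice@old-host",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTest0001 alice@old-host",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFakeRsaMaterial0002 bob@laptop",
]
# Desired state: alice's first key with new options and comment, plus a
# second key for the same user (the "several keys per user" case).
DESIRED = [
    'no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTest0001 alice@new-host',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTest0003 alice@second-key",
]


def demo() -> List[str]:
    return merge_keys(EXISTING, DESIRED)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it yields four lines: the comment, alice's first key once with the new options, bob's key, and alice's second key; the stale `alice@old-host` entries are gone rather than left beside the updated one. The same identity rule is what a file-editing promise needs so that a comment change is an update, not an append.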