Puppet users - May 2011 - how to add same ssh_key to two diff accounts

Hi all,

I''m trying to add same ssh key to two diff accounts and I''m
getting
an error.

My code:
			''key_1''
                                name    =>
''arnau@my_pc.domain'',
                                user    => ''user1'',
                                key     => "rsa_key";

                        ''key_2'':
                                name    =>
''arnau@my_pc.domain'',
                                user    => ''user2'',
                                key     => "rsa_key";

On the client the error is:


err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias
Ssh_authorized_key[key_1] to ["arnau@my_pc.domain"]; resource
["Ssh_authorized_key", ["arnau@my_pc.domain"]] already
exists at
/etc/puppet/manifests/services/common/modules/common_si/manifests/init.pp:165 on
node XXXXX.pic.es

Is there something wrong in my code?
Am I trying to do something not supported? 
Anyone faced this before? how did you solve it?

TIA,
Arnau

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On 05/10/2011 12:21 PM, Arnau Bria wrote:
> Hi all,
> 
> I''m trying to add same ssh key to two diff accounts and
I''m getting
> an error.
> 
> My code:
> 			''key_1''
>                                 name    =>
''arnau@my_pc.domain'',
>                                 user    => ''user1'',
>                                 key     => "rsa_key";
> 
>                         ''key_2'':
>                                 name    =>
''arnau@my_pc.domain'',
>                                 user    => ''user2'',
>                                 key     => "rsa_key";
> 
> On the client the error is:
> 
> 
> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias
Ssh_authorized_key[key_1] to ["arnau@my_pc.domain"]; resource
["Ssh_authorized_key", ["arnau@my_pc.domain"]] already
exists at
/etc/puppet/manifests/services/common/modules/common_si/manifests/init.pp:165 on
node XXXXX.pic.es
> 
> Is there something wrong in my code?
yes, you''re declaring the same resource twice.
> Am I trying to do something not supported?
Yes.
> Anyone faced this before? how did you solve it?
I helped someone with a similar issue here before.

Just rename on of the keys. The "name" of a public key is really quite
arbitrary and SSH doesn''t use it for anything important (that I am
aware
of).

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, 10 May 2011 12:26:06 +0200
Felix Frank wrote:
> Hi,
Hi Felix,
 
> > Am I trying to do something not supported?
> 
> Yes.
Do you know if this is going to be supportted in future?
 
> Just rename on of the keys. The "name" of a public key is really
quite
> arbitrary and SSH doesn''t use it for anything important (that I am
> aware of).
thanks, that worked perfectly!
 
> Cheers,
> Felix
Cheers,
Arnau

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 05/10/2011 12:38 PM, Arnau Bria wrote:
> On Tue, 10 May 2011 12:26:06 +0200
> Felix Frank wrote:
> 
>> Hi,
> Hi Felix,
>  
>>> Am I trying to do something not supported?
>>
>> Yes.
> Do you know if this is going to be supportted in future?
Redeclaration of the same resource is not going to work ;-)

As for the distribution of one authorized_key to multiple user
accounts...I''m not sure that it''s as useful as it sounds,
given the
trivial workaround.

If you''re keen to get it anyway, you may want to open a ticket.

Regards,
Felix

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

you could also define the key as virtual resource and realize it on
different occasions (hosts).


2011/5/10 Felix Frank <felix.frank@alumni.tu-berlin.de>
> On 05/10/2011 12:38 PM, Arnau Bria wrote:
> > On Tue, 10 May 2011 12:26:06 +0200
> > Felix Frank wrote:
> >
> >> Hi,
> > Hi Felix,
> >
> >>> Am I trying to do something not supported?
> >>
> >> Yes.
> > Do you know if this is going to be supportted in future?
>
> Redeclaration of the same resource is not going to work ;-)
>
> As for the distribution of one authorized_key to multiple user
> accounts...I''m not sure that it''s as useful as it sounds,
given the
> trivial workaround.
>
> If you''re keen to get it anyway, you may want to open a ticket.
>
> Regards,
> Felix
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, 10 May 2011 12:48:21 +0200
Felix Frank wrote:
> > Do you know if this is going to be supportted in future?
> 
> Redeclaration of the same resource is not going to work ;-)
:-)
 
> As for the distribution of one authorized_key to multiple user
> accounts...I''m not sure that it''s as useful as it sounds,
given the
> trivial workaround.
> 
> If you''re keen to get it anyway, you may want to open a ticket.
I think I''ve already asked here... but I have an example where that
feature is really interesting: we have some user pool, aout 1000
users, and I''d like to distrbute one key to all those users. Why the
trivial workaround, I could do it, but with 1000 lines :-)

so, I''ll open a ticket and pray for developers finding it interesting
too. 
> Regards,
> Felix
Many thanks for your reply,
Cheers,
Arnau

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 05/11/2011 05:36 PM, Arnau Bria wrote:
>> If you''re keen to get it anyway, you may want to open a
ticket.
> I think I''ve already asked here... but I have an example where
that
> feature is really interesting: we have some user pool, aout 1000
> users, and I''d like to distrbute one key to all those users. Why
the
> trivial workaround, I could do it, but with 1000 lines :-)
That''s just not true.

You surely have some defined type for your users, no? Such as

my_user($fullname) {
  user { "$name": fullname => $fullname, ... }
  ...
}

You just add the key to that

my_user($fullname) {
  user { "$name": fullname => $fullname, ... }
  ssh_authorized_key { "key-for-$name":
    user => $name,
    key => "AAznbwet...",
    ...
  }
}

That''s what I meant - the workaround is really *that* trivial.

I''m quite sure you''ll have a hard time finding a use case that
really
requires the authorized key resource to be effective for multiple target
users.

Regards,
Felix

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, 12 May 2011 09:59:21 +0200
Felix Frank wrote:
> On 05/11/2011 05:36 PM, Arnau Bria wrote:
> >> If you''re keen to get it anyway, you may want to open a
ticket.
> > I think I''ve already asked here... but I have an example
where that
> > feature is really interesting: we have some user pool, aout 1000
> > users, and I''d like to distrbute one key to all those users.
Why the
> > trivial workaround, I could do it, but with 1000 lines :-)
> 
> That''s just not true.
> 
> You surely have some defined type for your users, no? Such as
Nop, we use an other software for creating those users.
So, I must redefine each key for each user, and then my problem
appears. 

[...]
> my_user($fullname) {
>   user { "$name": fullname => $fullname, ... }
>   ssh_authorized_key { "key-for-$name":
>     user => $name,
>     key => "AAznbwet...",
>     ...
>   }
> }
> That''s what I meant - the workaround is really *that* trivial.
> 
> I''m quite sure you''ll have a hard time finding a use case
that really
> requires the authorized key resource to be effective for multiple
> target users.
From your example I think I can play with a false define for something
else trivial and add my key there.... 

> Regards,
> Felix
Cheers,
Arnau

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Wed, May 11, 2011 at 05:36:26PM +0200, Arnau Bria
wrote:
> I think I''ve already asked here... but I have an example where
that
> feature is really interesting: we have some user pool, aout 1000
> users, and I''d like to distrbute one key to all those users. Why
the
> trivial workaround, I could do it, but with 1000 lines :-)
> 
> so, I''ll open a ticket and pray for developers finding it
interesting
> too. 
> 
One key for more than one user (e.g. an array for users) is really hard
to implement the right way:

When puppet parses the keyfiles of different users, puppet just creates
one pool of keys.  Puppet identifies a key by its name (=comment) NOT by
the target.  So one key has be unique across all your keyfiles.  That
means puppet can also move one entry from one file to another:

Simple test with the host type:

    puppet apply -v --noop -e ''host {localhost: target =>
"/tmp/test" }''
    info: Applying configuration version ''1305216426''
    notice: /Stage[main]//Host[localhost]/target: is /etc/hosts, should be
    /tmp/test (noop)

Because one key has to have a unique name, one could argue that puppet
should allow an array as a value for target (or user). But that just
raises other issues: Imagine you have the following:

    ssh_authorized_key { ''testkey'':
      ensure => present,
      key    => ''A'',
      user   => [''userA'', ''userB'' ]
    }

What should puppet report when in userA''s keyfile the keyproperty is
out
of sync (let''s say key => ''X'')  while the key in
userB''s keyfile is
correct?

maybe something like
  Ssh_authorized_key[testkey]/key: is ''X'', should be
''A'' but only for
  ''userA'' because for ''userB'' key is
correctly set to ''A''

So in my opinion the biggest problem with managing a resource for a
whole bunch of users at the same time is the problem that you now have
more than one is-value.

-Stefan

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.