Hi all,
I want to use puppet to distribute keys to multiple users. I wanted
to do something like we have already:
- define a key per real person
- define groups containing several keys, people can be in multiple
groups
- deploy these groups of keys to specific users
however it looks like the ssh_authorized_key resource ties a key and a
user together so it looks like I fall at the first hurdle:
    @ssh_authorized_key { "joe.bloggs":
      ensure => "present",
      key    => "AAAAB....=",
      type   => "ssh-rsa",
      user   => "root"    # <<<<< I don't want this
    }
I was hoping to realize a group of these keys and somehow tie them to
users. Any ideas?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=.
You could do something with a define. But I'm not really sure what your
use case is. Can you give an example?
seph
sysboy <sysboy@gmail.com> writes:
> Hi all,
>
> I want to use puppet to distribute keys to multiple users. I wanted
> to do something like we have already:
>
> - define a key per real person
> - define groups containing several keys, people can be in multiple
>   groups
> - deploy these groups of keys to specific users
>
> however it looks like the ssh_authorized_key resource ties a key and a
> user together so it looks like I fall at the first hurdle:
>
>     @ssh_authorized_key { "joe.bloggs":
>       ensure => "present",
>       key    => "AAAAB....=",
>       type   => "ssh-rsa",
>       user   => "root"    # <<<<< I don't want this
>     }
>
> I was hoping to realize a group of these keys and somehow tie them to
> users. Any ideas?
I currently have something set up for users like this:
virt_users.pp:
    class virt_my_users {
      @user { "user1":
        ensure  => "present",
        uid     => "1001",
        gid     => "users",
        comment => "user1",
        home    => "/home/user1",
        shell   => "/bin/bash"
      }
      @user { "user2":
        ensure  => "present",
        uid     => "1002",
        gid     => "users",
        comment => "user2",
        home    => "/home/user2",
        shell   => "/bin/bash"
      }
    }
users.pp:
    class prod_users {
      include virt_my_users
      realize(
        Group["users"],
        User["user1"],
        User["user2"]
      )
    }
site.pp:
    node host1 inherits default {
      include prod_users
    }
And I wanted to do something similar with the keys, defining the keys
for everyone in one place and then using it for several users on
multiple nodes. For instance the postgres user on some nodes might
have keys from developers and DBAs but only a limited number of
people in the production environment.
All this is currently managed with some sh/awk scripts. We basically
have a file with a key. These keyfiles are grouped up into something
legible such as 'sysadmins' or 'dbas'. Then we have a node definition
containing the users on that node and the groups of keys to be
deployed to the users.
Ideally I would like something where I could have
    node host1 inherits default {
      include prod_users
    }
    class prod_users {
      realize User['user1']
      realize Sshkeys['user1']   # this bit would expand the groups of
                                 # keys and deploy them to user1
    }
Hope that makes some sense to people :) I always have the option of
leaving the sh/awk solution as is so it's not top on my list but it
would be nice to manage everything from one place.
On Nov 23, 2:06 pm, seph <s...@directionless.org> wrote:
> You could do something with a define. But I'm not really sure what your
> use case is. Can you give an example?
>
> seph
sysboy <sysboy@gmail.com> writes:
> Ideally I would like something where I could have
>
>     class prod_users {
>       realize User['user1']
>       realize Sshkeys['user1']   # this bit would expand the groups of
>                                  # keys and deploy them to user1
>     }
I'm still a bit confused, but here's what I can help you with. I define a
bunch of users in user::virtual, and alongside said users I define their
keys. Some users have more than 1 key (seph-2008-laptop,
seph-2009-desktop, for example). Then I have things like this:
    class user::unixadmins inherits user::virtual {
      User <| title == 'seph' |>
      Ssh_authorized_key <| user == 'seph' |>
    }
It works well enough, but it's not perfect. I haven't really figured out
how to cleanly say "let seph use his keys to login as user deploy" so I'm
punting that part for now.
seph
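One way to build the "people, groups of people, groups deployed to an account" layout asked for in this thread with a define, as an added example that is not part of the original messages. It assumes Puppet 5.5 or later (typed defines, lambdas and the built-in flatten/unique functions, all of which postdate this thread); the define name ssh_access, the variables $people and $key_groups, and the person jane.doe are hypothetical, and the key strings are placeholders.

```puppet
# Added example: every name here (ssh_access, $people, $key_groups) is
# hypothetical, and the key strings are placeholders.
$people = {                       # one entry per real person
  'joe.bloggs' => { 'type' => 'ssh-rsa', 'key' => 'AAAAB....=' },
  'jane.doe'   => { 'type' => 'ssh-rsa', 'key' => 'AAAAB....=' },
}
$key_groups = {                   # a person may sit in several groups
  'sysadmins' => ['joe.bloggs'],
  'dbas'      => ['joe.bloggs', 'jane.doe'],
}

# Deploy every key in the listed groups to one local account ($title).
define ssh_access (
  Array[String] $groups,
  Hash          $people,
  Hash          $key_groups,
) {
  $lists = $groups.map |String $g| {
    # Fail the catalog on a misspelt group instead of silently granting nothing.
    unless $g in $key_groups { fail("ssh_access: unknown key group '${g}'") }
    $key_groups[$g]
  }
  # A person listed in two groups must yield one resource, not two.
  $members = unique(flatten($lists))

  $members.each |String $person| {
    # The title carries the account name, so one person can be granted
    # access to several accounts without a duplicate-resource error.
    ssh_authorized_key { "${person}@${title}":
      ensure => present,
      user   => $title,
      type   => $people[$person]['type'],
      key    => $people[$person]['key'],
    }
  }
}

# Keys in the file that are no longer declared are removed, so taking a
# person out of a group revokes their access on the next run.
user { 'user1':
  ensure         => present,
  home           => '/home/user1',
  purge_ssh_keys => true,
}
ssh_access { 'user1':
  groups     => ['sysadmins', 'dbas'],
  people     => $people,
  key_groups => $key_groups,
}
```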