Ansible - manage multiple SSH keys for multiple users and roles

Problem

I manage several different servers with Ansible. Each server has several Linux users, such as readonly, admin etc.

I also have several files inside my Ansible project that contain all the SSH keys for a specific group of people, for example AppDevelopersPublicKeys, DbaPublicKeys etc.

Different groups of people have different access levels on different servers. For instance, on WebServer, AppDevelopers have administrator access, and database administrators have read-only access. On database servers it is the other way round.

(For example, to achieve the above, I have different Ansible roles for different types of servers: WebAppServer, DatabaseServer etc. The roles then have the variables readonly_key_files and admin_key_files assigned to them, listing the corresponding key files for the groups that have read-only or administrator access.)

The perfect solution:

  • Make sure public keys are exclusive - for example, if a public key is deleted from the file AppDeveloperPublicKeys in Ansible, the servers will also delete this key.
  • Only upload / modify files on servers when something really changes
  • Show the exact file diff when running Ansible with the --diff option

I am using Ansible 2.2.0.0

Solutions tried so far

None of the following works exactly as we would like:

authorized_key with_file

# exclusive=no: keys removed from a key file are not removed from the server
- authorized_key: user=readonly exclusive=no key={{item}}
  with_file: "{{ readonly_key_files }}"
  • 1, , exclusive no

authorized_key

https://github.com/ansible/ansible-modules-core/pull/4167/files

- name: "Generate developer keys from multiple files"
  set_fact: dev_key_list="{{ lookup('file', item) }}"
  register: dev_keys
  with_items: '{{developer_key_files}}'

- name: "Merge developer keys into single list"
  set_fact: dev_keys_string={{ dev_keys.results | map(attribute='ansible_facts.dev_key_list') | join('\n') }}

- authorized_key: user=readonly exclusive=yes key={{dev_keys_string}}
  • 1, ( , ) 2 - , , playbook authorized_keys, / . , , 3, --check --diff , Ansible , , , .

authorized_key with_template

- authorized_key: user=readonly exclusive=no key={{item}}
  with_template: readonly_keys.j2

readonly_keys.j2 :

{% for key_file in readonly_key_files %}
{%   include '/files/' ~ key_file %}
{% endfor %}
  • 1 2, 3. --check --diff, , SSH, /, .

? , --diff authorized_keys Ansible... , , authorized_keys /, ( 1 2).
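The step the question keeps circling, turning several key files into one exclusive authorized_keys payload that can be compared with what is on the server before anything is written, as an added Python example. This is not code from the question or from Ansible's authorized_key module; the key files, their contents and the helper names (parse_key_line, merge_key_files, authorized_keys_diff) are constructed for the example, and the sample keys are synthetic material, not real keys.

```python
"""Merge several public-key files into one exclusive authorized_keys payload.

Added example (not from the original question): it models what an
exclusive authorized_keys update has to do when handed keys from
several files, so that revoked keys drop out, duplicates collapse,
malformed lines are rejected, and the change can be previewed as a diff.
"""
import base64
import binascii
import difflib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_key_line(line):
    """Return (type, blob, comment) for a well-formed public key line, else None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    # An OpenSSH key blob starts with a length-prefixed copy of its type string.
    if len(raw) < 4:
        return None
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != parts[0].encode():
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], comment


def merge_key_files(file_contents):
    """Concatenate key files, dropping blank, comment, malformed and duplicate keys.

    Duplicates are detected on (type, blob), so the same key listed twice with
    different comments is installed once. Returns the authorized_keys text.
    """
    seen = set()
    out = []
    for content in file_contents:
        for line in content.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            parsed = parse_key_line(line)
            if parsed is None:
                continue
            if parsed[:2] in seen:
                continue
            seen.add(parsed[:2])
            out.append(line.strip())
    return "\n".join(out) + ("\n" if out else "")


def authorized_keys_diff(current, desired, path="/home/readonly/.ssh/authorized_keys"):
    """Unified diff from the server's file to the merged set; '' means no change needed."""
    return "".join(difflib.unified_diff(
        current.splitlines(True), desired.splitlines(True),
        fromfile="before: " + path, tofile="after: " + path))


def _sample_key(key_type, material, comment):
    """Build a syntactically valid key line from constructed (fake) key material."""
    body = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(material).to_bytes(4, "big") + material)
    return f"{key_type} {base64.b64encode(body).decode()} {comment}"


# Constructed sample key files: the two files share bob's key under different
# comments, and the DBA file carries one malformed line that must be rejected.
APP_DEV_KEYS = "\n".join([
    "# app developers",
    _sample_key("ssh-ed25519", bytes([1]) * 32, "alice@example"),
    _sample_key("ssh-ed25519", bytes([2]) * 32, "bob@example"),
])
DBA_KEYS = "\n".join([
    _sample_key("ssh-ed25519", bytes([2]) * 32, "bob@dba-laptop"),
    "ssh-ed25519 notbase64!!! mallory@example",
    _sample_key("ssh-ed25519", bytes([3]) * 32, "carol@example"),
])


def demo():
    """Merge both files and diff against a server that still holds a revoked key."""
    desired = merge_key_files([APP_DEV_KEYS, DBA_KEYS])
    current = desired + _sample_key("ssh-ed25519", bytes([9]) * 32, "revoked@example") + "\n"
    return desired, authorized_keys_diff(current, desired)


if __name__ == "__main__":
    merged, diff = demo()
    print(merged)
    print(diff)
```

The diff being empty is exactly the "nothing changed, do not rewrite the file" case from the wish list; a non-empty diff with a `-` line is a key that exists on the server but in none of the files, which is what exclusive mode is meant to remove.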


Source: https://habr.com/ru/post/1660164/
