On 02/17/2011 12:13 PM, Felix Frank wrote: [...]
>> When using the realize statement I don't know which naming attribute to
>> use? The "key =>" contains a template or even the PEM encoded key of
>> user "jim" but except its resource name "jim@uniqe.email_for_$name"
>> there is no naming attribute for this resource.
>>
>> So of course puppet throws an error when using the following definition
>> because virtual resource "jim" cannot be found.
>
> Sorry if I caused confusion. I didn't mean to suggest you insert a
> key-placeholder in your define. From what I inferred, you were creating
> multiple accounts all sharing the same key. I now think I was mistaken
> there.

I'm sorry for such confusion I've been causing right from the start. So I
think that you've been right with your first thoughts because what I'm
trying to achieve is exactly what you've mentioned earlier:

-> A one-to-many model which makes it possible to copy a user's ssh pubkey
   (defined by the ssh_authorized_key resource) to multiple local system
   accounts on the same node in order to be able to log in.

E.g. user "jim" shall be able to log in to node1 by using system users "foo"
and "bar" and his respective private key. I think that it shall be pretty
simple to handle with puppet. I just want to define pubkey resources and put
them into classes, something like this:

-----------------------------------------------------------------------
define ssh::pubkeys::group1($systemAccount) {
  ssh_authorized_key {
    'worker1':
      ensure => present,
      user   => "$systemAccount",
      name   => "unique@string.domain",
      type   => 'ssh-rsa',
      key    => "$key";
    'worker2':
      ensure => present,
      user   => "$systemAccount",
      name   => "worker1@uniquestring",
      type   => 'ssh-rsa',
      key    => "$key";
  }
}

define ssh::pubkeys::group2($systemAccount) {
  ssh_authorized_key {
    [...]
  }
}
-----------------------------------------------------------------------

Maybe I should start tagging such pubkey resources with their respective
"worker-groups" instead of grouping them by classes/definitions, so this way
I would only have to define them in one definition - is this possible? I'm
not familiar with the tagging support of puppet and just read a few thread
topics on the list. Maybe it could work like this (note the "tag =>"
parameters):

-----------------------------------------------------------------------
define ssh::pubkeys($systemAccount) {
  ssh_authorized_key {
    'worker1':
      ensure => present,
      tag    => workergroup1,
      user   => "$systemAccount",
      name   => "unique@string.domain",
      type   => 'ssh-rsa',
      key    => "$key";
    'worker2':
      ensure => present,
      tag    => workergroup2,
      user   => "$systemAccount",
      name   => "worker1@uniquestring",
      type   => 'ssh-rsa',
      key    => "$key";
  }
}
-----------------------------------------------------------------------

Maybe it's possible to assign tagged objects with a class or definition
later on? Anyway, as the last step I would like to attach a ssh-pubkey
resource to a node while being able to specify to which user a pubkey shall
be attached:

-----------------------------------------------------------------------
node node1 {
  ssh::pubkeys { "jim":
    systemAccount => ["bar", "foo"]
  }

  [...or...]

  ssh::pubkeys { "jim": systemAccount => ["bar"] }
  ssh::pubkeys { "jim": systemAccount => ["foo"] }
}
-----------------------------------------------------------------------

Hope that helps.

> Anyhow, still building on the given example, it would make most sense
> for you to make the key a parameter:
>
> define pooled_user($realname="anonymous",$key) {
>   user { "$name": description => $realname, ... }
>   # insert code here to make sure ~/.ssh/ exists etc.
>   ssh_authorized_key { "pubkey_for_$name":
>     key => $key, ...
>   }
> }
>
> Then simply use it as
> pooled_user {
>   "jim":  key => "AAAAB3N...";
>   "joe":  key => "AAAAB3N...";
>   "jack": key => "AAAABsX...";
> }

However, this piece of code isn't going to work because my definition would
look like the following...

----------------------------------------------------------------------
node node1 {
  pooled_user {
    "jim":
      key        => "AAAAB3N...",
      systemuser => "foo";
    "jim":
      key        => "AAAAB3N...",
      systemuser => "bar";
  }
}
----------------------------------------------------------------------

... making puppet throw "duplicate definition" errors again because the
resource name has been declared twice.

Many thanks for your support! :)
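An added example of the one-to-many layout the message asks for; it is not code from the thread or from the puppet-users list. It assumes Puppet 4 or later syntax (each(), typed parameters), that ssh_authorized_key is available (on Puppet 6+ it ships in the puppetlabs-sshkeys_core module), and a hypothetical define name ssh::pubkey. The define's title names the person; the accounts array does the fan-out, and because ssh_authorized_key's comment (its namevar) has to be unique across all local accounts, the comment is derived from person plus account, which is also what avoids the "duplicate definition" error above.

```puppet
# Added example (not from the thread). Assumes Puppet 4+ syntax; on
# Puppet 6+ ssh_authorized_key comes from puppetlabs-sshkeys_core.
# The define name ssh::pubkey is hypothetical.
define ssh::pubkey (
  String                    $key,                 # base64 key body only
  Array[String[1]]          $accounts,            # local accounts to grant
  String                    $type   = 'ssh-rsa',
  Enum['present', 'absent'] $ensure = 'present',
) {
  # $title is the person (e.g. 'jim'). The authorized_keys comment is the
  # resource namevar and must be unique across *all* local accounts, so
  # it is built from person and account. Declaring this define once per
  # person also means the title is never declared twice on a node.
  $accounts.each |String $account| {
    ssh_authorized_key { "${title}@${account}":
      ensure => $ensure,
      user   => $account,   # autorequires user { $account: } if managed
      type   => $type,
      key    => $key,
    }
  }
}

# One declaration per person and node; the accounts list does the fan-out.
node 'node1' {
  ssh::pubkey { 'jim':
    key      => 'AAAAB3N...',   # constructed placeholder, not a real key
    accounts => ['foo', 'bar'],
  }
}
```

Setting ensure => 'absent' on the same declaration removes the key from every listed account in one change, which is the revocation path this layout gives you for free.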