Ansible - managing multiple SSH keys for multiple users & roles


The problem

I am managing a number of different servers with Ansible. Each server has multiple Linux users, such as readonly, admin, etc.

I have a number of files inside the Ansible project that contain the SSH keys of a particular group of people - e.g. appdeveloperspublickeys, dbapublickeys, etc.

Different groups of people have different access levels on different servers. E.g. on a webserver, appdevelopers have admin access, and dbas might have read access. On database servers, vice versa.

To achieve the above, I have different Ansible roles for the different types of server (e.g. webappserver, databaseserver, etc). These roles have the variables readonly_key_files and admin_key_files set against them, listing the appropriate key files whose members should have readonly and admin access.

The ideal solution would:

  1. ensure public keys are exclusive - e.g. if a public key is deleted from the appdeveloperpublickeys file in Ansible, the servers have the key deleted too
  2. only upload / change the file on the servers when it has changed
  3. show an accurate diff of the files when using the --diff option to run Ansible

I am using Ansible 2.2.0.0

Solutions attempted so far

None of the below works as I would like:

authorized_key with_file

    - authorized_key: user=readonly exclusive=no key="{{ item }}"
      with_file: "{{ readonly_key_files }}"

  • This does not meet requirement 1, as when looping over multiple files, exclusive must be set to no.

authorized_key with set_fact

Solution as per https://github.com/ansible/ansible-modules-core/pull/4167/files

    - name: "generate developer keys from multiple files"
      set_fact: dev_key_list="{{ lookup('file', item) }}"
      register: dev_keys
      with_items: "{{ developer_key_files }}"

    - name: "merge developer keys into a single list"
      set_fact: dev_keys_string="{{ dev_keys.results | map(attribute='ansible_facts.dev_key_list') | join('\n') }}"

    - authorized_key: user=readonly exclusive=yes key="{{ dev_keys_string }}"

  • This meets requirement 1, but (at least for me) does not meet requirement 2 - it seems the order of the generated keys is not deterministic, so running the playbook multiple times results in the authorized_keys step changing when no keys have been added to / removed from the files. It also doesn't seem to meet requirement 3, as when I run with --check --diff I cannot see the lines Ansible believes are changing; it just highlights that the file has changed.

authorized_key with_template

    - authorized_key: user=readonly exclusive=no key="{{ item }}"
      with_template: readonly_keys.j2

where readonly_keys.j2 looks like:

    {% for key_file in readonly_key_files %}
    {% include '/files/' ~ key_file %}
    {% endfor %}

  • This meets requirements 1 and 2, but again fails on requirement 3. When run using --check --diff it only shows me whether or not the SSH file has changed, not the lines added / removed as I would expect it to.

Conclusion

Is there a way to solve this problem? It seems as though there may be an issue using --diff with authorized_keys in Ansible... The only other approach I can think of is not using authorized_keys at all, and instead managing it as a regular file / template, which should show me accurate diffs (as well as meeting requirements 1 & 2).
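The template approach above only satisfies all three requirements if the rendered content is exclusive, deterministic and line-diffable. The following Python script is an added example (not code from the question, the answer, or the Ansible project) that shows what a key-merging step must do to get there: it validates each public-key line (declared key type must match the type embedded in the base64 blob), de-duplicates on key material, sorts the result so repeated runs are byte-identical, and produces a unified diff against the currently deployed file so removed and added keys are visible. The file names, key material and the "deployed" file content are all constructed placeholders.

```python
"""Deterministic, auditable merge of per-group SSH public-key files.

Added example, not part of the original question or answer. KEY_FILES
stands in for files such as appdeveloperspublickeys / dbapublickeys;
all key material below is constructed placeholder data, not real keys.
"""
import base64
import difflib
import re
import struct


def _blob(key_type: str, raw: bytes) -> str:
    """Build a wire-format public key blob (SSH string of the algorithm name,
    then the raw key bytes) and base64-encode it. Only used here to construct
    placeholder keys; real keys come from the group key files."""
    wire = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw)) + raw)
    return base64.b64encode(wire).decode()


# Constructed sample contents of the per-group key files.
KEY_FILES = {
    "appdeveloperspublickeys": "\n".join([
        "ssh-ed25519 " + _blob("ssh-ed25519", bytes([1]) * 32) + " alice@example",
        "ssh-ed25519 " + _blob("ssh-ed25519", bytes([2]) * 32) + " bob@example",
        "",
    ]),
    "dbapublickeys": "\n".join([
        "ssh-ed25519 " + _blob("ssh-ed25519", bytes([1]) * 32) + " alice@example",  # same key as above
        "ssh-ed25519 " + _blob("ssh-ed25519", bytes([3]) * 32) + " carol@example",
        "# comment line",
        # Declared ssh-rsa but the blob says ssh-ed25519: malformed, must be rejected.
        "ssh-rsa " + _blob("ssh-ed25519", bytes([4]) * 32) + " mallory@example",
    ]),
}

# Accepted line shape: "<type> <base64> [comment]". Option-prefixed lines
# (e.g. command="...") are deliberately not accepted by this example.
KEY_LINE = re.compile(
    r"^(?P<type>ssh-(?:ed25519|rsa)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<b64>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>\S.*))?$"
)


def parse_key_line(line: str):
    """Return (type, base64, comment) for a well-formed key line, else raise ValueError."""
    m = KEY_LINE.match(line.strip())
    if not m:
        raise ValueError("line does not look like a public key")
    blob = base64.b64decode(m["b64"], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != m["type"]:
        raise ValueError("declared type %s but blob says %s" % (m["type"], embedded))
    return m["type"], m["b64"], m["comment"] or ""


def merge_keys(file_names, files=KEY_FILES):
    """Merge the named key files into a sorted, de-duplicated list of lines.

    Returns (lines, rejected). Sorting makes the output independent of file
    order and of the order within files, so requirement 2 holds; only keys
    present in the source files survive, so requirement 1 holds.
    """
    accepted = {}   # (type, base64) -> comment; first comment seen wins
    rejected = []   # (file, line number, reason) for audit logging
    for name in file_names:
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            try:
                ktype, b64, comment = parse_key_line(line)
            except ValueError as exc:
                rejected.append((name, lineno, str(exc)))
                continue
            accepted.setdefault((ktype, b64), comment)
    lines = sorted(("%s %s %s" % (t, b, c)).rstrip() for (t, b), c in accepted.items())
    return lines, rejected


def render(lines) -> str:
    """Render authorized_keys content with a trailing newline (empty if no keys)."""
    return "\n".join(lines) + "\n" if lines else ""


def diff_against_deployed(deployed: str, desired: str,
                          path="/home/readonly/.ssh/authorized_keys") -> str:
    """Line-level unified diff: this is what --diff should be able to show (requirement 3)."""
    return "".join(difflib.unified_diff(
        deployed.splitlines(True), desired.splitlines(True),
        fromfile="before: " + path, tofile="after: " + path))


# Constructed "currently deployed" file: bob plus a stale key for dave that is
# in no source file any more and therefore has to be removed.
DEPLOYED = render([
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes([2]) * 32) + " bob@example",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes([9]) * 32) + " dave@stale",
])


def plan_readonly_keys():
    """Compute desired content, rejected lines and the diff for the readonly user."""
    lines, rejected = merge_keys(["appdeveloperspublickeys", "dbapublickeys"])
    desired = render(lines)
    return desired, rejected, diff_against_deployed(DEPLOYED, desired)


if __name__ == "__main__":
    desired, rejected, diff = plan_readonly_keys()
    print(diff)
    for item in rejected:
        print("rejected:", item)
```

Running the script prints a diff in which the stale dave key appears as a removed line and carol's key as an added line, and reports the malformed mallory line with its file and line number. In an Ansible role the same merged, sorted content would be written with the template or copy module, which gives the line-level --diff output that the question is after.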

OK, I understand you are trying to add 2 static users (readonly and admin) to the servers and have the SSH keys of individuals added to the static users' authorized SSH keys.

Why do you want that? It is going to be difficult to audit changes. Taking security and an auditable environment into consideration, the best way is to create groups (sysadmins, dev, dba etc), add them to the appropriate servers through roles, and add individual users by name to the groups. Use the lineinfile module to add the groups to sudoers. This is the closest to best practice.

If you need to remove a user, you might need to remove the user completely from the group.

Though this suggestion does not answer your real question, it might give a little perspective shift on how to set things up to be more manageable.

I have implemented a generic role. Posting it in a repo in case you might find it useful (it is still under construction):

https://github.com/ameenibrahim/ansible_users
