Ansible-为多个用户管理多个SSH密钥&角色 [英] Ansible - managing multiple SSH keys for multiple users & roles
问题描述
我正在使用Ansible管理许多不同的服务器.每个服务器都有多个Linux用户,例如readonly
,admin
等.
I am managing a number of different servers with Ansible. Each server has multiple Linux users, such as readonly
, admin
, etc.
我的Ansible项目中也有许多文件,其中包含特定人群的所有SSH密钥-例如. AppDevelopersPublicKeys
,DbaPublicKeys
等
I also have a number of files inside my Ansible project which contain all SSH keys for a particular group of people - eg. AppDevelopersPublicKeys
, DbaPublicKeys
, etc.
不同的人群在不同的服务器上具有不同的访问级别.例如.在WebServer上,AppDevelopers具有管理员访问权限,而DBA可能仅具有读取访问权限.在数据库服务器上,反之亦然.
Different groups of people have different access levels on different servers. Eg. on a WebServer, AppDevelopers have admin access, and DBAs might only have read access. On Database servers, vice versa.
要达到上述目的,我对不同类型的服务器(例如WebAppServer
,DatabaseServer
等)具有不同的Ansible角色.然后,这些角色具有针对它们设置的变量readonly_key_files
和admin_key_files
,列出了应该具有只读和管理员访问权限的角色的相应密钥文件.
To achieve the above, I have different Ansible roles for different types of server (eg. WebAppServer
, DatabaseServer
, etc). These roles then have variables readonly_key_files
and admin_key_files
set up against them, listing appropriate key files for the roles which should have readonly and admin access.
理想的解决方案是:
- 确保公钥具有排他性-例如如果从Ansible中的
AppDeveloperPublicKeys
文件中删除了公钥,则服务器也将删除此公钥 - 仅在实际更改后在服务器上上传/更改文件
- 使用
--diff
选项运行Ansible时,显示文件的准确差异
- Ensure public keys are exlusive - eg. if a public key is deleted from
AppDeveloperPublicKeys
file in Ansible, servers will have this key deleted too - Only upload / change the file on the servers when something has actually changed
- Show an accurate diff of the files when using
--diff
option to run Ansible
我正在使用Ansible 2.2.0.0
I am using Ansible 2.2.0.0
以下任何一项都不完全符合我的要求:
None of the below works exactly as I would like:
带有文件的授权密钥
authorized_key with_file
- authorized_key: user=readonly exclusive=no key={{item}}
with_file: {{readonly_key_files}}
- 这不符合要求1,因为它正在循环多个文件,因此必须将
exclusive
设置为no
- This does not meet requirement 1, as it is looping over multiple files, so
exclusive
must be set tono
具有事实的授权密钥
authorized_key with fact
根据 https://github.com/ansible/ansible的解决方案-modules-core/pull/4167/files
- name: "Generate developer keys from multiple files"
set_fact: dev_key_list="{{ lookup('file', item) }}"
register: dev_keys
with_items: '{{developer_key_files}}'
- name: "Merge developer keys into single list"
set_fact: dev_keys_string={{ dev_keys.results | map(attribute='ansible_facts.dev_key_list') | join('\n') }}
- authorized_key: user=readonly exclusive=yes key={{dev_keys_string}}
- 这符合要求1,但(至少对我来说)不符合要求2-似乎生成的键的顺序不确定,因此多次运行该Playbook会导致
authorized_keys
步骤更改,即使没有密钥已添加/从文件中删除.它似乎也不符合要求3,因为当我使用--check --diff
运行时,我无法确切看到Ansible认为正在更改的行,它只是突出显示了文件将被更改. - This meets requirement 1, but (at least for me) does not meet requirement 2 - it seems the order of the keys generated is not deterministic, so running the playbook multiple times results in the
authorized_keys
step changing even when no keys have been added / removed from files. It also doesn't seem to meet requirement 3, as when I run with--check --diff
I cannot see exactly which lines Ansible believes are changing, it just highlights that the file will be changed.
具有模板的授权密钥
authorized_key with_template
- authorized_key: user=readonly exclusive=no key={{item}}
with_template: {{readonly_keys.j2}}
readonly_keys.j2
的位置:
{% for key_file in readonly_key_files %}
{% include '/files/' ~ key_file %}
{% endfor %}
- 这符合要求1和2,但再次未能满足要求3.当我使用
--check --diff
运行时,它仅显示是否更改SSH文件,而不是像我将要添加/删除的确切行一样.期待它. - This meets requirements 1 and 2, but again fails on requirement 3. When I run using
--check --diff
it only shows me whether or not the SSH file will be changed, not exactly which lines will be added / removed as I would expect it to.
还有另一种解决此问题的方法吗?似乎在Ansible中将--diff
与authorized_keys
一起使用可能存在问题...我能想到的唯一其他方法是根本不使用authorized_keys
,而是将其作为常规文件/模板进行管理,它应该显示准确的差异(以及满足要求1和2).
Is there another way to solve this problem? It seems as though there may be an issue with using --diff
with authorized_keys
in Ansible... The only other approach I can think of is not using authorized_keys
at all, and instead managing this as a regular file / template, which should show me accurate diffs (as well as meeting requirements 1 & 2).
推荐答案
我解决此问题的方法是将变量中的文件名数组传递给我的user-account
角色.然后,角色将获取每个文件的内容,并将它们一起添加到以换行符分隔的字符串中,然后最终将该值设置为新用户的ssh键.
The way I solved this was to pass an array of filenames in a variable to my user-account
role. The role then gets the contents of each of these files, appends them together into a newline-separated string, then finally sets this value to be the ssh-key for the new user.
.
剧本文件:
- hosts: aws-node1
roles:
- { role: user-account, username: 'developer1', ssh_public_keyfiles: ['peter-sshkey.pub', 'paul-sshkey.pub'] }
.
user-account
的角色定义:
- name: add user
user:
name: "{{username}}"
- name: lookup ssh pubkeys from keyfiles and create ssh_pubkeys_list
set_fact:
ssh_pubkeys_list: "{{ lookup('file', item) }}"
with_items:
"{{ssh_public_keyfiles}}"
register: ssh_pubkeys_results_list
- name: iterate over ssh_pubkeys_list and join into a string
set_fact:
ssh_pubkeys_string: "{{ ssh_pubkeys_results_list.results | map(attribute='ansible_facts.ssh_pubkeys_list') | list | join('\n') }}"
- name: update SSH authorized_keys for user {{ username }} with contents of ssh_pubkeys_string
authorized_key:
user: "{{ username }}"
key: "{{ ssh_pubkeys_string }}"
state: present
exclusive: yes
这篇关于Ansible-为多个用户管理多个SSH密钥&角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!