Ansible - 为多个用户管理多个 SSH 密钥 &角色
我正在使用 Ansible 管理许多不同的服务器.每个服务器有多个Linux用户,例如readonly、admin等
I am managing a number of different servers with Ansible. Each server has multiple Linux users, such as readonly, admin, etc.
我的 Ansible 项目中还有许多文件,其中包含特定人群的所有 SSH 密钥 - 例如.AppDevelopersPublicKeys、DbaPublicKeys 等
I also have a number of files inside my Ansible project which contain all SSH keys for a particular group of people - eg. AppDevelopersPublicKeys, DbaPublicKeys, etc.
不同的人群在不同的服务器上有不同的访问级别.例如.在 WebServer 上,AppDevelopers 具有管理员访问权限,而 DBA 可能只有读取访问权限.在数据库服务器上,反之亦然.
Different groups of people have different access levels on different servers. Eg. on a WebServer, AppDevelopers have admin access, and DBAs might only have read access. On Database servers, vice versa.
为了实现上述目标,我为不同类型的服务器(例如 WebAppServer、DatabaseServer 等)设置了不同的 Ansible 角色.然后这些角色有变量 readonly_key_files 和 admin_key_files 设置它们,列出应该具有只读和管理员访问权限的角色的适当密钥文件.
To achieve the above, I have different Ansible roles for different types of server (eg. WebAppServer, DatabaseServer, etc). These roles then have variables readonly_key_files and admin_key_files set up against them, listing appropriate key files for the roles which should have readonly and admin access.
理想的解决方案是:
- 确保公钥是独占的 - 例如.如果从 Ansible 中的
AppDeveloperPublicKeys文件中删除公钥,服务器也会删除此密钥 - 只有在实际发生变化时才上传/更改服务器上的文件
- 在使用
--diff选项运行 Ansible 时显示文件的准确差异
- Ensure public keys are exlusive - eg. if a public key is deleted from
AppDeveloperPublicKeysfile in Ansible, servers will have this key deleted too - Only upload / change the file on the servers when something has actually changed
- Show an accurate diff of the files when using
--diffoption to run Ansible
我使用的是 Ansible 2.2.0.0
I am using Ansible 2.2.0.0
以下都不是我想要的:
authorized_key with_file
- authorized_key: user=readonly exclusive=no key={{item}}
with_file: {{readonly_key_files}}
- 这不符合要求 1,因为它在多个文件上循环,所以
exclusive必须设置为no - This does not meet requirement 1, as it is looping over multiple files, so
exclusivemust be set tono
authorized_key with fact
根据 https://github.com/ansible/ansible 的解决方案-modules-core/pull/4167/files
- name: "Generate developer keys from multiple files"
set_fact: dev_key_list="{{ lookup('file', item) }}"
register: dev_keys
with_items: '{{developer_key_files}}'
- name: "Merge developer keys into single list"
set_fact: dev_keys_string={{ dev_keys.results | map(attribute='ansible_facts.dev_key_list') | join('
') }}
- authorized_key: user=readonly exclusive=yes key={{dev_keys_string}}
- 这符合要求 1,但(至少对我而言)不符合要求 2 - 生成的密钥的顺序似乎不确定,因此多次运行剧本会导致
authorized_keys即使没有从文件中添加/删除密钥,也会发生变化.它似乎也不符合要求 3,因为当我使用--check --diff运行时,我无法确切看到 Ansible 认为哪些行正在更改,它只是突出显示文件将被更改. - This meets requirement 1, but (at least for me) does not meet requirement 2 - it seems the order of the keys generated is not deterministic, so running the playbook multiple times results in the
authorized_keysstep changing even when no keys have been added / removed from files. It also doesn't seem to meet requirement 3, as when I run with--check --diffI cannot see exactly which lines Ansible believes are changing, it just highlights that the file will be changed.
authorized_key with_template
- authorized_key: user=readonly exclusive=no key={{item}}
with_template: {{readonly_keys.j2}}
其中 readonly_keys.j2 看起来像:
{% for key_file in readonly_key_files %}
{% include '/files/' ~ key_file %}
{% endfor %}
- 这符合要求 1 和 2,但在要求 3 上再次失败.当我使用
--check --diff运行时,它只显示 SSH 文件是否会被更改,而不完全是将按照我的预期添加/删除哪些行. - This meets requirements 1 and 2, but again fails on requirement 3. When I run using
--check --diffit only shows me whether or not the SSH file will be changed, not exactly which lines will be added / removed as I would expect it to.
有没有其他方法可以解决这个问题?似乎在 Ansible 中使用 --diff 和 authorized_keys 可能存在问题......我能想到的唯一其他方法是不使用 authorized_keys,而是将其作为常规文件/模板进行管理,它应该向我显示准确的差异(以及满足要求 1 和 2).
Is there another way to solve this problem? It seems as though there may be an issue with using --diff with authorized_keys in Ansible... The only other approach I can think of is not using authorized_keys at all, and instead managing this as a regular file / template, which should show me accurate diffs (as well as meeting requirements 1 & 2).
我解决这个问题的方法是将一个变量中的文件名数组传递给我的 user-account 角色.然后角色获取这些文件中的每一个的内容,将它们一起附加到一个以换行符分隔的字符串中,最后将该值设置为新用户的 ssh-key.
The way I solved this was to pass an array of filenames in a variable to my user-account role. The role then gets the contents of each of these files, appends them together into a newline-separated string, then finally sets this value to be the ssh-key for the new user.
.
剧本文件:
- hosts: aws-node1
roles:
- { role: user-account, username: 'developer1', ssh_public_keyfiles: ['peter-sshkey.pub', 'paul-sshkey.pub'] }
.
user-account 的角色定义:
- name: add user
user:
name: "{{username}}"
- name: lookup ssh pubkeys from keyfiles and create ssh_pubkeys_list
set_fact:
ssh_pubkeys_list: "{{ lookup('file', item) }}"
with_items:
"{{ssh_public_keyfiles}}"
register: ssh_pubkeys_results_list
- name: iterate over ssh_pubkeys_list and join into a string
set_fact:
ssh_pubkeys_string: "{{ ssh_pubkeys_results_list.results | map(attribute='ansible_facts.ssh_pubkeys_list') | list | join('
') }}"
- name: update SSH authorized_keys for user {{ username }} with contents of ssh_pubkeys_string
authorized_key:
user: "{{ username }}"
key: "{{ ssh_pubkeys_string }}"
state: present
exclusive: yes