On Wed, May 11, 2011 at 05:36:26PM +0200, Arnau Bria wrote:
> I think I've already asked here... but I have an example where that
> feature is really interesting: we have some user pool, about 1000
> users, and I'd like to distribute one key to all those users. Why the
> trivial workaround, I could do it, but with 1000 lines :-)
> 
> so, I'll open a ticket and pray for developers finding it interesting
> too. 
> 

One key for more than one user (e.g. an array for users) is really hard
to implement the right way:

When puppet parses the keyfiles of different users, puppet just creates
one pool of keys.  Puppet identifies a key by its name (=comment) NOT by
the target.  So one key has to be unique across all your keyfiles.  That
means puppet can also move one entry from one file to another:

Simple test with the host type:

    puppet apply -v --noop -e 'host {localhost: target => "/tmp/test" }'
    info: Applying configuration version '1305216426'
    notice: /Stage[main]//Host[localhost]/target: is /etc/hosts, should be /tmp/test (noop)

Because one key has to have a unique name, one could argue that puppet
should allow an array as a value for target (or user). But that just
raises other issues: Imagine you have the following:

    ssh_authorized_key { 'testkey':
      ensure => present,
      key    => 'A',
      user   => ['userA', 'userB' ]
    }

What should puppet report when in userA's keyfile the key property is out
of sync (let's say key => 'X')  while the key in userB's keyfile is
correct?

Maybe something like
  Ssh_authorized_key[testkey]/key: is 'X', should be 'A' but only for
  'userA' because for 'userB' key is correctly set to 'A'

So in my opinion the biggest problem with managing a resource for a
whole bunch of users at the same time is the problem that you now have
more than one is-value.

-Stefan
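
An added example, not part of the original post: the per-user workaround mentioned in the quoted message, written with Puppet 4+ iteration so it does not need one hand-written resource per user. Each user gets a separate resource whose name includes the user, which keeps key names unique across all key files and leaves each resource with a single is-value. The user list, the `ssh-rsa` type and the `testkey-<user>` naming scheme are assumptions.

```puppet
# Constructed sample data: replace with the real user pool.
$pool_users = ['userA', 'userB']

$pool_users.each |String $user| {
  # The resource name becomes the key comment, and Puppet identifies a key by
  # that name across all key files, so the user is made part of the name.
  ssh_authorized_key { "testkey-${user}":
    ensure => present,
    type   => 'ssh-rsa',   # assumed key type
    key    => 'A',         # placeholder key material, as in the example above
    user   => $user,
  }
}
```

With this layout a mismatch in userA's key file is reported against `Ssh_authorized_key[testkey-userA]` only, while the resource for userB stays in sync.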
