
authorized_key: Add option to pass if user doesn't exist

Open klodoma opened this issue 4 years ago • 6 comments

SUMMARY

Would be nice to have an option to skip users that don't exist and avoid errors like:

msg": "Failed to lookup user user2: \"getpwnam(): name not found: 'user2'\""}

Add a skip parameter or something similar.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible.posix.authorized_key

ADDITIONAL INFORMATION
  tasks:
    - name: Set authorized key taken from file
      ansible.posix.authorized_key:
        user: '{{ item }}'
        skip: true  # if the user doesn't exist, no error will be displayed
        state: present
        key: "{{ lookup('file', '/root/.ssh/key.pub') }}"
      with_items:
        - user1
        - user2
        - user3

klodoma avatar Apr 09 '21 14:04 klodoma

I think you should create all the users first and then add authorized_keys. From the viewpoint of idempotence, it is not good to change the behavior according to the state of the target system, I guess.

satken2 avatar May 03 '21 13:05 satken2

@klodoma I agree with @satken2.

Akasurde avatar May 24 '21 12:05 Akasurde

needs_info

Akasurde avatar May 31 '21 12:05 Akasurde

I think you should create all the users first and then add authorized_keys.

In my use-case I don't know if the user account exists on the target host or not and it should not matter. I have a "list" of system user accounts and the hosts can be configured differently (some accounts created, some not). If the account exists on the host, I would like to set the ssh keys, that's all.

Maybe the flag can be something more obvious like:

skip-no-user: true  # or
ignore-no-user: true

klodoma avatar May 31 '21 13:05 klodoma

This module adds an ssh public key to a user's authorized_keys file. It doesn't make sense to me to not fail if the user account doesn't exist. In other words: on one hand, the user parameter is mandatory, on the other hand, you want to skip it.

In my use-case I don't know if the user account exists on the target host or not and it should not matter.

It matters, as expected by Ansible state engine. I understand that you don't want to know initial state before running a playbook. Ansible is not to bother about the initial state, it is to control/ensure the final state, and if this final state is not reachable, the module MUST fail. Otherwise target hosts would become Schrödinger boxes, with unknown final states. And this is exactly what we don't want.

As far as I understand, your use case is not really about the module. It is about a task calling the module in a loop. So take a look into task attributes. You may either:

  • set failed_when attribute to discard errors based on msg content.
  • run the user module first, in check mode, against the same list of users, and then either reduce the list to valid users, or call authorized_key with a when attribute to discard non-existing users.

For example, using the failed_when method:

- name: Set authorized key taken from file
  ansible.posix.authorized_key:
    key: "{{ lookup('file', '/root/.ssh/key.pub') }}"
    user: '{{ item }}'
    state: present
  loop:
    - user1
    - user2
    - user3
  register: authorized_key_result
  failed_when:
    - authorized_key_result.msg is defined
    - authorized_key_result.msg is not match('Failed to lookup user')

Anyway, you should ask your team why user accounts creation and user access settings are not well integrated altogether :)

quidame avatar Jul 26 '21 05:07 quidame

authorized_key must be able to remove the key of a non-existent user. Changing the failed_when condition is not an option because it leads to false-positive results; the task reports ok even when the key is still there.

anttiah avatar Jan 18 '24 15:01 anttiah
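The second alternative quidame describes (check which accounts exist, then gate authorized_key with `when`) is shown below as an added example; it is not code from the thread or from the ansible.posix project. It uses the builtin getent module instead of a check-mode user run, so that missing accounts are reported as skipped rather than masked as ok, which is the false-positive problem anttiah raises about failed_when. The account list, the become setting and the hosts pattern are assumptions; the key path is the one from the thread.

```yaml
---
# Added example, not part of the issue thread.
- hosts: all            # assumption: run against every inventory host
  become: true          # assumption: root is needed to write other users' files
  vars:
    # Constructed sample list of accounts that may or may not exist per host.
    managed_accounts: [user1, user2, user3]
    admin_pubkey: "{{ lookup('file', '/root/.ssh/key.pub') }}"
  tasks:
    - name: Read the passwd database on the target host
      ansible.builtin.getent:
        database: passwd   # sets the fact getent_passwd, a dict keyed by account name

    - name: Install the key only for accounts that exist on this host
      ansible.posix.authorized_key:
        user: "{{ item }}"
        state: present     # state: absent works the same way for key removal
        key: "{{ admin_pubkey }}"
      loop: "{{ managed_accounts }}"
      when: item in getent_passwd
      # Accounts that are absent show as 'skipped', never 'ok'; a genuine
      # failure (unwritable home, malformed key) still fails the task.

    - name: Make the skipped accounts visible in the run output
      ansible.builtin.debug:
        msg: "no account '{{ item }}' on {{ inventory_hostname }}; key not installed"
      loop: "{{ managed_accounts | difference(getent_passwd.keys() | list) }}"
```

Because the passwd lookup is a single task, the result is one fact for the whole host rather than a per-item fact that a looped getent call would overwrite on each iteration.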