How do I combine multiple ssh public keys for use with Ansible's authorized_key module?

I have a variables file containing users and keys:

ssh_users:
  - name: peter
    keys:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAA peter@key1'
      - 'ssh-rsa AAAABsgsdfgyc2EAAA peter@key2'
    root: yes
  - name: paul
    keys:
      - 'ssh-rsa AAAAB3Nzaafac2EAAA paul@key1'
    root: no

I want to go through this list, pick out the users (and their keys) that have "root: yes", and combine them to update the root user's authorized_keys file.

This doesn't work:

- name: lookup keys
  set_fact:
    keylist: "{{ item.keys }}"
  with_items: "{{ ssh_users }}"
  when: item.root == true
  register: result

- name: make a list
  set_fact:
    splitlist: "{{ result.results |
      selectattr('ansible_facts','defined') | map(attribute='ansible_facts.keylist') | list | join('\n') }}"

- name: update SSH authorized_keys
  authorized_key:
    user: root
    key: "{{ splitlist }}"
    state: present
    exclusive: yes

The Jinja selectattr and map filters get you what you want, like this:

---
- hosts: localhost
  gather_facts: false
  vars:
    # Here's our data: two users with 'root' access,
    # one without. We expect to see three public keys in
    # the resulting authorized_keys file.
    #
    # Note that I've renamed the "keys" key to "pubkeys", because
    # otherwise it conflicts with the "keys" method of dictionary
    # objects (leading to errors when you try to access something
    # like item.keys).
    ssh_users:
      - name: alice
        pubkeys:
          - 'ssh-rsa alice-key-1 alice@key1'
        root: true
      - name: peter
        pubkeys:
          - 'ssh-rsa peter-key-1 peter@key1'
          - 'ssh-rsa peter-key-2 peter@key2'
        root: true
      - name: paul
        pubkeys:
          - 'ssh-rsa paul-key-1 paul@key1'
        root: false

  tasks:
    - become: true
      authorized_key:
        user: root
        key: "{{ '\n'.join(ssh_users|selectattr('root')|map(attribute='pubkeys')|flatten) }}"
        state: present
        exclusive: true

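In the authorized_key task, we first use the selectattr filter to extract the users that have root access. We pass that to the map filter to extract only the pubkeys attribute, which gives us two lists (one with one key, the other with two keys). Finally, we pass that to the flatten filter to create a single list, and then join the resulting keys with newlines to match the input format expected by the authorized_key module. The resulting .ssh/authorized_keys file looks like this:
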
ssh-rsa alice-key-1 alice@key1
ssh-rsa peter-key-1 peter@key1
ssh-rsa peter-key-2 peter@key2
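
A guarded variant of the exclusive write above, as an added example that is not part of the original answer: it builds the key list once, checks it, and only then rewrites root's file. The variables root_pubkeys and allowed_key_prefix and the accepted key types are assumptions made for illustration. The module documentation notes that exclusive is not loop aware, so all keys have to reach key in one newline-joined batch, which is why the checks run on the list before the single write.

```yaml
---
- hosts: localhost
  gather_facts: false
  vars:
    # Constructed sample data in the same shape as the answer above.
    ssh_users:
      - name: alice
        pubkeys:
          - 'ssh-rsa alice-key-1 alice@key1'
        root: true
      - name: paul
        pubkeys:
          - 'ssh-rsa paul-key-1 paul@key1'
        root: false
    # Hypothetical helper variable: flat, de-duplicated list of root keys.
    root_pubkeys: "{{ ssh_users | selectattr('root') | map(attribute='pubkeys') | flatten | unique }}"
    # Assumed policy: key types accepted for root, no option prefixes.
    allowed_key_prefix: '(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) '

  tasks:
    - name: Stop if no user is selected for root access
      assert:
        that:
          - root_pubkeys | length > 0
        fail_msg: "No entry has root: true; refusing to rewrite root's authorized_keys."

    - name: Stop if an entry is not exactly one public key line
      assert:
        that:
          - item is string
          - item.splitlines() | length == 1
          - item is match(allowed_key_prefix)
        fail_msg: "Entry is not a single key line of an allowed type."
      loop: "{{ root_pubkeys }}"

    - name: Replace root's authorized_keys with exactly the selected keys
      become: true
      authorized_key:
        user: root
        key: "{{ root_pubkeys | join('\n') }}"
        state: present
        exclusive: true
```

Because both assert tasks run before the write, a malformed or empty list stops the play with root's existing authorized_keys untouched.
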
Is this the code you're looking for?

- name: update SSH authorized_keys
  authorized_key:
    user: root
    key: "{{ item.1 }}"
  loop: "{{ ssh_users | subelements('keys', skip_missing=True) }}"
  when: item.0.root

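You don't need the exclusive and state parameters. I think the defaults exclusive: no and state: present are fine.

Keys where root: False can be removed: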

- name: remove SSH authorized_keys
  authorized_key:
    state: absent
    user: root
    key: "{{ item.1 }}"
  loop: "{{ ssh_users | subelements('keys', skip_missing=True) }}"
  when: not item.0.root

To add and remove keys in one task, the ternary filter can be used:

- name: Preen SSH authorized_keys
  authorized_key:
    state: "{{ item.0.root | ternary('present','absent') }}"
    user: root
    key: "{{ item.1 }}"
  loop: "{{ ssh_users | subelements('keys', skip_missing=True) }}"