
ssh_authorized_key user parameter is not idempotent for accounts with duplicate UIDs

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: sshkeys_core
    • Labels:

      Description

      When a UID value is shared between one or more user accounts, as can happen when the allowdupe parameter of the User resource is used, the Puppet agent will generate spurious change events when managing the ownership of Ssh_authorized_key files. This happens because ownership of these files is determined by a filesystem stat, which is then transformed into an account name via a getent lookup:

      https://github.com/puppetlabs/puppet/blob/4.9.1/lib/puppet/provider/ssh_authorized_key/parsed.rb#L45-L48

      When the resulting name is compared to the user parameter of a Ssh_authorized_key resource, Puppet incorrectly determines that the resource is out of sync.
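      The two comparisons at the heart of this report, as an added example (not code from the puppet repository or from this issue): a constructed passwd table stands in for getent on a host where 'test' and 'test2' share UID 10042, as in the manifest below. in_sync_by_name? mirrors the provider's stat-then-lookup-by-name behaviour and flags the second account as out of sync; in_sync_by_uid? resolves the resource's user to a UID and compares numerically, which is what the expected outcome calls for. All names and the table itself are assumptions made for the example.

```ruby
# Constructed passwd table (hypothetical): two accounts share UID 10042,
# as created by the allowdupe manifest in this report.
PASSWD = [
  { name: 'root',  uid: 0 },
  { name: 'test',  uid: 10042 },
  { name: 'test2', uid: 10042 },
].freeze

# Mimics a getent/getpwuid lookup: the first entry with the given UID wins,
# so a shared UID always resolves to the same single name.
def name_for_uid(uid, passwd = PASSWD)
  entry = passwd.find { |e| e[:uid] == uid }
  entry && entry[:name]
end

# Forward lookup of an account name to its UID (nil if unknown).
def uid_for_name(name, passwd = PASSWD)
  entry = passwd.find { |e| e[:name] == name }
  entry && entry[:uid]
end

# Name-based check, the behaviour described above: take the file's owning
# UID, map it to a name, compare that name to the resource's user parameter.
# For 'test2' this is false on every run even though the UID is correct.
def in_sync_by_name?(wanted_user, file_uid, passwd = PASSWD)
  name_for_uid(file_uid, passwd) == wanted_user
end

# UID-based check: resolve the wanted user to a UID and compare numerically.
# Both accounts sharing the UID are reported in sync, so no spurious event.
def in_sync_by_uid?(wanted_user, file_uid, passwd = PASSWD)
  wanted_uid = uid_for_name(wanted_user, passwd)
  !wanted_uid.nil? && wanted_uid == file_uid
end

# On a live host the file UID would come from stat(2); this helper is the
# only part that touches the filesystem and is not used by the demo below.
def owner_uid(path)
  File.stat(path).uid
end

if $PROGRAM_NAME == __FILE__
  file_uid = 10042 # what stat would report for /home/test2/.ssh/authorized_keys
  puts "name-based check for test2: #{in_sync_by_name?('test2', file_uid)}"
  puts "uid-based  check for test2: #{in_sync_by_uid?('test2', file_uid)}"
end
```

      Run it and the name-based check prints false for test2 while the UID-based check prints true; the first result is exactly the condition that makes the provider emit a change event on every run.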

      Reproduction Case

      1. Install the puppet-agent package

      2. Apply the following manifest, which creates two test users and associated SSH keys:

      # shared_uid_sshkey.pp
      user{'test':
        ensure => present,
        uid => 10042,
        managehome => true,
      } ->
      file {'/home/test/.ssh':
        ensure => directory,
        owner => 'test',
        mode => '0700',
      } ->
      ssh_authorized_key{'test_ssh-rsa':
        ensure => present,
        user => 'test',
        type => 'ssh-rsa',
        key => 'foo-bar-baz',
      }
       
      user{'test2':
        ensure => present,
        uid => 10042,
        managehome => true,
        allowdupe => true,
      } ->
      file {'/home/test2/.ssh':
        ensure => directory,
        owner => 'test2',
        mode => '0700',
      } ->
      ssh_authorized_key{'test2_ssh-rsa':
        ensure => present,
        user => 'test2',
        type => 'ssh-rsa',
        key => 'foo-bar-baz',
      }
      

      3. Apply the manifest again.

      Outcome

      Puppet thinks the user attribute is out of sync on Ssh_authorized_key['test2_ssh-rsa'] and issues a change event:

      # puppet apply shared_uid_sshkey.pp
      Notice: Compiled catalog for pe-201642-master.puppetdebug.vlan in environment production in 0.16 seconds
      Notice: /Stage[main]/Main/Ssh_authorized_key[test_ssh-rsa]/user: user changed 'test2' to 'test'
      Notice: Applied catalog in 0.36 seconds
      

      Expected Outcome

      Applying the resources should be an idempotent operation given that the files have the correct UID values set.


      Original Description

      I have this in my manifest:

      ssh_authorized_key { "test":
        user   => "root2",
        ensure => present,
        type   => "ssh-rsa",
        key    => "AAAA <snip> ==";
      }

      Whenever I run puppet it shows these notices:

      notice: /Stage[main]/Ssh/Ssh_authorized_key[test]/user: user changed 'root' to 'root2'

      Is there any way to suppress this notice? It shouldn't really be firing on each run.

        People

        • Assignee: Unassigned
        • Reporter: redmine.exporter