access matrix via authorized_keys

asked 2014-10-30 13:25:53 -0500 by gin

Hi,

I have a number of servers that can be accessed only by ssh keys, defined in authorized_keys. User accessibility varies across the cluster, therefore I have an access matrix. E.g. user1 can access only server2 and user2 can access only server1.

           server1   server2
user1                   x
user2         x

I was wondering, is it possible to achieve such an access strategy with Puppet? More specifically, I could not find a way to explicitly specify the servers accessible to a user.

If this is doable with Puppet, do you have any suggestions on the right solution?

Thanks! Gin

1 Answer

answered 2014-10-30 17:01:54 -0500 by cbarbour

It is possible. My general approach is to use virtual resources and tags.

# Virtual resources (leading '@') are declared once but only applied on the
# nodes that realize them. ssh_authorized_key requires user, type and key;
# the key values below are placeholders for the real public key material.
@ssh_authorized_key { 'user1':
  user => 'user1',
  type => 'ssh-rsa',
  key  => '...',   # placeholder
  tag  => ['dev', 'dba'],
}

@ssh_authorized_key { 'user2':
  user => 'user2',
  type => 'ssh-rsa',
  key  => '...',   # placeholder
  tag  => 'dev',
}

@ssh_authorized_key { 'user3':
  user => 'user3',
  type => 'ssh-rsa',
  key  => '...',   # placeholder
  tag  => 'dba',
}

# Realize by tag with a collector: capitalized type name, no '@'.
node 'server1' {
  Ssh_authorized_key <| tag == 'dev' |>
}

node 'server2' {
  Ssh_authorized_key <| tag == 'dba' |>
}

With this approach:

  • user1 and user2 have access to server1.
  • user1 and user3 have access to server2.

You can of course use much more complex tagging and resource realization strategies for a lot more flexibility.

Here are some references to help you out:

Comments

This is a perfect solution for my needs, and the provided resources answered the rest of the questions that I had. Thanks, cbarbour!

gin (2014-10-30 17:50:27 -0500)

Glad to hear it. As an aside, this is a good place to use create_resources. I usually define and tag my users in hiera, then realize them in site.pp or a global profile of some sort.

cbarbour (2014-10-30 18:32:52 -0500)

Thanks, a very good idea. Will investigate Hiera, since I am new to Puppet and related projects.

gin (2014-10-30 19:05:46 -0500)
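The following is an added example that ties the answer's tag-and-collector approach together with the create_resources suggestion from the comments; it is not code from the thread or from Puppet's own documentation. The defined type and profile names (profile::ssh_access::account, profile::ssh_access), the hostnames and the key strings are made up for illustration, and the account hash stands in for data that would normally be looked up from Hiera. It assumes Puppet 3.6 or later, which is when the user type gained purge_ssh_keys; that attribute is the security-relevant addition here, because an access matrix is only enforced if keys that are no longer in the data (or were added by hand) are removed on the next run.

```puppet
# Added example, not from the original thread. Assumes Puppet >= 3.6 for
# the user type's purge_ssh_keys attribute; the profile/define names, the
# hostnames and the key material are made up for illustration.
#
# Access matrix encoded as tags on virtual resources:
#
#            server1 (dev)   server2 (dba)
#   user1          x               x
#   user2          x
#   user3                          x

# One account plus its authorized key. A tag set on an instance of this
# define propagates to the user and ssh_authorized_key it contains.
define profile::ssh_access::account (
  $key,
  $type   = 'ssh-ed25519',
  $ensure = 'present',
) {
  user { $name:
    ensure         => $ensure,
    managehome     => true,     # note: with ensure => absent this removes the home directory
    purge_ssh_keys => true,     # delete any authorized_keys entry Puppet does not manage
  }

  ssh_authorized_key { "${name}@cluster":
    ensure  => $ensure,
    user    => $name,
    type    => $type,
    key     => $key,
    require => User[$name],
  }
}

# Declares every account as a virtual resource. In practice $accounts would
# come from Hiera (e.g. hiera('profile::ssh_access::accounts')); the hash
# below is constructed sample data with fake key strings.
class profile::ssh_access (
  $accounts = {
    'user1' => { 'key' => 'AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYuser1', 'tag' => ['dev', 'dba'] },
    'user2' => { 'key' => 'AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYuser2', 'tag' => 'dev' },
    'user3' => { 'key' => 'AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYuser3', 'tag' => 'dba' },
  },
) {
  # The leading '@' makes create_resources declare virtual resources, so
  # nothing is applied until a node realizes it.
  create_resources('@profile::ssh_access::account', $accounts)
}

# Each node includes the profile (so the virtual resources exist in its
# catalog) and then realizes only the accounts tagged for its role.
node 'server1' {
  include profile::ssh_access
  Profile::Ssh_access::Account <| tag == 'dev' |>
}

node 'server2' {
  include profile::ssh_access
  Profile::Ssh_access::Account <| tag == 'dba' |>
}
```

To revoke someone, set 'ensure' => 'absent' on their entry (or drop the tag for the role they should lose); to move them between servers, change the tag. Because purge_ssh_keys is set, a key pasted into authorized_keys outside Puppet is also removed on the next run, which is what keeps the matrix authoritative. Pick tag names that do not collide with class or module names, since Puppet tags every resource with the names of the classes that contain it and a collector on `tag == 'profile'` would match far more than intended. `puppet parser validate` on the manifest and a `puppet agent --test --noop` on one node are the cheap checks before rolling this out.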
