diff options
| author | Toshio Kuratomi <a.badger@gmail.com> | 2015-02-09 17:34:05 -0800 |
|---|---|---|
| committer | Toshio Kuratomi <a.badger@gmail.com> | 2015-02-09 17:34:05 -0800 |
| commit | 688a268df6e17644b0fedf67385c648f01b84fe7 (patch) | |
| tree | 1153ec3072d1a62eb9b36a71e32ff9e6fc1264c8 | |
| parent | 095f8681dbdfd2e9247446822e953287c9bca66c (diff) | |
| parent | e0c5b4340ddd9698c4321dca3edaf1a55bf3e3f2 (diff) | |
| download | ansible-modules-core-688a268df6e17644b0fedf67385c648f01b84fe7.tar.gz | |
Merge pull request #762 from j2sol/authorized-key-exclusive
Add exclusive option to authorized_keys
| -rw-r--r-- | system/authorized_key.py | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/system/authorized_key.py b/system/authorized_key.py index e1ac18a7..06d16da5 100644 --- a/system/authorized_key.py +++ b/system/authorized_key.py @@ -70,6 +70,15 @@ options: required: false default: null version_added: "1.4" + exclusive: + description: + - Whether to remove all other non-specified keys from the + authorized_keys file. Multiple keys can be specified in a single + key= string value by separating them by newlines. + required: false + choices: [ yes", "no" ] + default: "no" + version_added: "1.9" description: - "Adds or removes authorized keys for particular user accounts" author: Brad Olson @@ -101,6 +110,9 @@ EXAMPLES = ''' key="{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}" key_options='no-port-forwarding,host="10.0.1.1"' +# Set up authorized_keys exclusively with one key +- authorized_keys: user=root key=public_keys/doe-jane state=present + exclusive=yes ''' # Makes sure the public key line is present or absent in the user's .ssh/authorized_keys. @@ -336,6 +348,7 @@ def enforce_state(module, params): manage_dir = params.get("manage_dir", True) state = params.get("state", "present") key_options = params.get("key_options", None) + exclusive = params.get("exclusive", False) error_msg = "Error getting key from: %s" # if the key is a url, request it and use it as key source @@ -357,6 +370,10 @@ def enforce_state(module, params): params["keyfile"] = keyfile(module, user, do_write, path, manage_dir) existing_keys = readkeys(module, params["keyfile"]) + # Add a place holder for keys that should exist in the state=present and + # exclusive=true case + keys_to_exist = [] + # Check our new keys, if any of them exist we'll continue. for new_key in key: parsed_new_key = parsekey(module, new_key) @@ -386,6 +403,7 @@ def enforce_state(module, params): # handle idempotent state=present if state=="present": + keys_to_exist.append(parsed_new_key[0]) if len(non_matching_keys) > 0: for non_matching_key in non_matching_keys: if non_matching_key[0] in existing_keys: @@ -402,6 +420,13 @@ def enforce_state(module, params): del existing_keys[parsed_new_key[0]] do_write = True + # remove all other keys to honor exclusive + if state == "present" and exclusive: + to_remove = frozenset(existing_keys).difference(keys_to_exist) + for key in to_remove: + del existing_keys[key] + do_write = True + if do_write: if module.check_mode: module.exit_json(changed=True) @@ -424,6 +449,7 @@ def main(): state = dict(default='present', choices=['absent','present']), key_options = dict(required=False, type='str'), unique = dict(default=False, type='bool'), + exclusive = dict(default=False, type='bool'), ), supports_check_mode=True ) |