#10509 port auth-keys-from-fas to new account system
Closed: Fixed 2 years ago by aheath1992. Opened 2 years ago by praiskup.

Our playbooks fail to run /srv/web/infra/ansible/scripts/auth-keys-from-fas.


I see I already touched this problem:

Nov 17 22:39:40 <praiskup> weird failures in copr-be playbooks... nonfatal, but still .. traceback:
Nov 17 22:39:46 <praiskup> Traceback (most recent call last):
Nov 17 22:39:46 <praiskup>   File "/srv/web/infra/ansible/scripts/auth-keys-from-fas", line 17, in <module>
Nov 17 22:39:46 <praiskup>     from fedora.client import AccountSystem, AuthError
Nov 17 22:39:46 <praiskup> ModuleNotFoundError: No module named 'fedora'
Nov 17 22:39:50 <praiskup> (on batcave01
Nov 17 22:41:04 <nirik> ah whoops.
Nov 17 22:41:09 <nirik> you are still using fas-clients?
Nov 17 22:41:23 <nirik> I removed it from everywhere, but I guess we need it back there?
Nov 17 22:41:44 <praiskup> we use "add root keys for sysadmin-main and other allowed users"
Nov 17 22:42:08 <praiskup> it is somewhat convenient to use root@ but if we have to live with sudo, ...
Nov 17 22:42:59 <nirik> ah... we need to fix that. we can easily change it to use ipa

How are we supposed to list the group, just?

$ getent group sysadmin-copr | cut -d: -f4
dkirwan,mizdebsk,praiskup,msuchy,schlupov,clime,frostyx

Yeah, we should move away from fas-clients etc.

So, yes for ssh keys for a group we could just do 'getent group name' and then for each name run 'sss_ssh_authorizedkeys name'

Should we make a script to do this? Or try and just do it in ansible?

That would be awesome! I can take a look later, though for now I just disabled
those tasks (we already have the keys distributed).

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

2 years ago

This could be a nice task for a new person. Just need to get groups passed to the script, find all the users in those groups with getent and then find all those users' ssh keys with sss_ssh_authorized_keys and output the list.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Waiting on Reporter)
- Issue tagged with: easyfix, low-trouble, medium-gain, ops

2 years ago
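
The procedure described above (groups passed in, members resolved with getent, keys fetched with sss_ssh_authorizedkeys) as an added example; it is not the script that was merged for this ticket. The function names, the name whitelist and the refusal to return an empty key list are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the script merged for this ticket.

# Accept only conservative names; rejecting a leading "-" keeps a name from
# being parsed as an option by getent or sss_ssh_authorizedkeys.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Print the de-duplicated members of every group given, one per line.
# Any invalid or unresolvable group is fatal, so a typo cannot shrink the list.
group_members() (
    members=''
    for group in "$@"; do
        valid_name "$group" || { echo "invalid group: $group" >&2; exit 1; }
        entry=$(getent group "$group") || { echo "unknown group: $group" >&2; exit 1; }
        # Field 4 of a group entry is the comma-separated member list.
        members="$members,$(printf '%s\n' "$entry" | cut -d: -f4)"
    done
    printf '%s\n' "$members" | tr ',' '\n' | sed '/^$/d' | sort -u
)

# Print authorized_keys lines for all members of the given groups.
group_authorized_keys() (
    set -f    # no globbing when $users is split into words
    users=$(group_members "$@") || exit 1
    found=0
    for user in $users; do
        valid_name "$user" || { echo "skipping user: $user" >&2; continue; }
        keys=$(sss_ssh_authorizedkeys "$user" 2>/dev/null) || keys=''
        # Keep only lines shaped like "<key type> <base64> [comment]".
        keys=$(printf '%s\n' "$keys" |
            grep -E '^(ssh-|ecdsa-sha2-|sk-)[a-z0-9@.-]+ [A-Za-z0-9+/=]+( |$)' || true)
        [ -n "$keys" ] || { echo "no usable key for $user" >&2; continue; }
        printf '# %s\n%s\n' "$user" "$keys"
        found=1
    done
    # Refuse to succeed with nothing: an empty list written to root's
    # authorized_keys would remove everyone's access.
    [ "$found" -eq 1 ] || { echo "no keys found" >&2; exit 1; }
)

# Usage: script GROUP [GROUP...]
if [ "$#" -gt 0 ]; then group_authorized_keys "$@"; fi
```

A playbook task should treat a non-zero exit as a failure and leave the existing authorized_keys file untouched.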

I'd like to volunteer. Can I have this ticket assigned to me? thanks :)

sure! Thanks for looking into it...

Metadata Update from @kevin:
- Issue assigned to leo

2 years ago

@leo How is it going, do you need any help from us on this issue? Or, if you're not interested anymore, would it be OK if somebody else took it over?

@mgrabovs @kevin I'll take over this ticket. I would like to sync with someone on what the issue is and help resolve it.

Metadata Update from @aheath1992:
- Issue assigned to aheath1992 (was: leo)

2 years ago

@mgrabovs so sorry, yep you can assign it to someone else :)

Created new script and created merge request. Merge has been approved, closing ticket.

Metadata Update from @aheath1992:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
