User cannot be lazily evaluated #9

Open
cdown opened this issue Oct 9, 2016 · 4 comments

cdown commented Oct 9, 2016

When trying to evaluate a user which is a delayed resource, checks fail -- this check should be skipped if the user is being lazily evaluated:

For example:

ssh_authorize_key 'Main user' do
  user lazy { node['seedbox']['user'] }
  key lazy { node['seedbox']['user_ssh_pubkey'] }
end

results in

==> default: ================================================================================
==> default: Recipe Compile Error in /var/chef/cache/cookbooks/seedbox/recipes/default.rb
==> default: ================================================================================
==> default: 
==> default: 
==> default: Chef::Exceptions::ValidationFailed
==> default: ----------------------------------
==> default: ssh_authorize_key: user parameter must be a valid system user! You passed #<Chef::DelayedEvaluator:0x00000003302908@/var/chef/cache/cookbooks/seedbox/recipes/default.rb:11>.
==> default: 
==> default: 
==> default: Cookbook Trace:
==> default: ---------------
==> default:   /var/chef/cache/cookbooks/ssh_authorized_keys/libraries/resource_helpers.rb:51:in `assert_user'
==> default: 
==> default:   /var/chef/cache/cookbooks/ssh_authorized_keys/definitions/ssh_authorize_key.rb:26:in `block in from_file'
==> default: 
==> default:   /var/chef/cache/cookbooks/seedbox/recipes/default.rb:10:in `from_file'
==> default: 
==> default: 
==> default: Relevant File Content:
==> default: ----------------------
==> default: /var/chef/cache/cookbooks/ssh_authorized_keys/libraries/resource_helpers.rb:
==> default: 
==> default: 
==> default: 
==> default:  44:      # Asserts that the user name is correct.
==> default: 
==> default:  45:      #
==> default: 
==> default:  46:      # @param user [String] user name.
==> default: 
==> default:  47:      # @raise [Chef::Exceptions::ValidationFailed] if the user name is wrong.
==> default: 
==> default:  48:      # @return void
==> default: 
==> default:  49:      def assert_user(user)
==> default: 
==> default:  50:        return if user.is_a?(String) && !user.empty?
==> default: 
==> default:  51>>       fail Chef::Exceptions::ValidationFailed,
==> default:  52:             'ssh_authorize_key: user parameter must be a valid system user! '\
==> default:  53:             "You passed #{user.inspect}."
==> default:  54:      end
==> default:  55:  
==> default:  56:      # Asserts that the SSH public key is correct.
==> default:  57:      #
==> default:  58:      # @param key [String] public key in base64.
==> default:  59:      # @raise [Chef::Exceptions::ValidationFailed] if the key is wrong.
==> default:  60:      # @return void
==> default: 
==> default: Platform:
==> default: ---------
==> default: x86_64-linux
==> default: 
==> default: 

zuazo (Owner) commented Oct 9, 2016

ssh_authorize_key is a definition, not a resource. Calling it with a lazy property is not currently supported.

The reason is that these values are checked to be correct before creating the underlying file resource, to avoid the generated authorized_keys file being corrupted. AFAIK there is no way to check these lazy values without unlazying them.

zuazo closed this as completed Oct 9, 2016
zuazo added the wontfix label Oct 9, 2016

cdown (Author) commented Oct 9, 2016

So why not just skip the checks when they are lazy, and print a warning? Without lazy evaluation, this is unusable in an ecosystem where separate teams maintain separate attributes for their tiers.

zuazo (Owner) commented Oct 9, 2016

But if we skip the checks, what's the purpose of this cookbook? I mean, creating a template file for an ssh_authorize_key is too simple, and I prefer this to be the purpose of the cookbook: to try to avoid generating an invalid file that could leave your server inaccessible.

Anyway, I'm going to leave this open in case someone wants to implement it.

@wdeviers

For what it's worth, I have a different use-case for this that would have been helpful. We use LDAP auth and so the users might not actually exist as POSIX accounts at the time this gets evaluated (like on bootstrap).

That means they'll get created on the 2nd Chef run, but it also means I can't do kitchen tests with it. In order to make it work, I have to run nss_updatedb at compile time, which means I have to then run the entire support stack for that at compile time as well - create ldap.conf, install the packages, etc.

If we had a flag that said "ignore_user_not_exist" or something it would work equally well for me.
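
One way to reconcile the two positions in this thread, as an added example that is not the cookbook's code: plain values are still checked at compile time, and a lazy value is wrapped so the same check runs when it is resolved, raising before any authorized_keys line is built. `DelayedEvaluator` and `ValidationFailed` are stand-ins for Chef's classes; `KEY_RE`, `checked` and `authorized_keys_entry` are hypothetical names, and the key rule is an assumption.

```ruby
# Stand-ins so this runs without Chef: `lazy { ... }` in a recipe returns a
# Chef::DelayedEvaluator, which is a Proc subclass like this one.
class DelayedEvaluator < Proc; end
class ValidationFailed < StandardError; end

# Assumed key rule for this example: base64 only. \A and \z (not ^ and $) so an
# embedded newline cannot smuggle a second line into authorized_keys.
KEY_RE = /\A[A-Za-z0-9+\/]+={0,2}\z/

def assert_user(user)
  return if user.is_a?(String) && !user.empty?
  raise ValidationFailed, "user must be a valid system user! You passed #{user.inspect}."
end

def assert_key(key)
  return if key.is_a?(String) && KEY_RE.match?(key)
  raise ValidationFailed, "key must be base64. You passed #{key.inspect}."
end

# Plain values are checked now (compile time). Lazy values are wrapped so the
# same assertion runs when the value is finally resolved (converge time).
def checked(value, &assertion)
  unless value.is_a?(DelayedEvaluator)
    assertion.call(value)
    return value
  end
  DelayedEvaluator.new do
    resolved = value.call
    assertion.call(resolved)
    resolved
  end
end

# Hypothetical renderer: resolves both values (running any deferred checks)
# before building the line, so a failed check raises and nothing is written.
def authorized_keys_entry(user, key, type = 'ssh-rsa')
  u, k = [user, key].map { |v| v.is_a?(Proc) ? v.call : v }
  "#{type} #{k} #{u}\n"
end

# Constructed sample data: attributes that are only set after compile time.
node = {}
user = checked(DelayedEvaluator.new { node['user'] }) { |u| assert_user(u) }
key  = checked(DelayedEvaluator.new { node['pubkey'] }) { |k| assert_key(k) }
node['user'] = 'alice'
node['pubkey'] = 'AAAAB3NzaC1yc2EAAAADAQABAAABAQ=='
puts authorized_keys_entry(user, key)
```

An attribute that is still unset at converge time resolves to `nil` and fails `assert_user`, so the run stops instead of writing a broken entry.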
