add support for administrators_authorized_keys to UsersPlugin

savchuk1985 · savchuk1985 · commit 9b4485e5f884 · 2025-08-26T14:07:30.000+04:00
see https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#administrative-user
diff --git a/cloudbaseinit/plugins/common/userdataplugins/cloudconfigplugins/users.py b/cloudbaseinit/plugins/common/userdataplugins/cloudconfigplugins/users.py
@@ -24,9 +24,14 @@
     base
 )
 
+
 CONF = cloudbaseinit_conf.CONF
 LOG = oslo_logging.getLogger(__name__)
 
+# The default Win32-OpenSSH config assumes that the built-in Administrators
+# group with SID S-1-5-32-544 does not have an internationalized name.
+ADMINISTRATORS = "Administrators"
+
 
 class UsersPlugin(base.BaseCloudConfigPlugin):
     """Creates users given in the cloud-config format."""
@@ -154,6 +159,7 @@ def process(self, data):
                 "Can't process the type of data %r" % type(data))
 
         osutils = osutils_factory.get_os_utils()
+        administrators_authorized_keys = []
         for item in data:
             if not isinstance(item, dict):
                 continue
@@ -172,4 +178,25 @@ def process(self, data):
                 LOG.warning("An error occurred during user '%s' creation: '%s"
                             % (user_name, ex))
 
+            if ADMINISTRATORS in self._get_groups(item):
+                admin_public_keys = item.get('ssh_authorized_keys', [])
+                administrators_authorized_keys.extend(admin_public_keys)
+
+        if osutils.group_exists(ADMINISTRATORS):
+            program_data_dir = os.getenv("PROGRAMDATA", "C:\ProgramData")
+            program_data_ssh_dir = os.path.join(program_data_dir, "ssh")
+            if not os.path.exists(program_data_ssh_dir):
+                os.makedirs(program_data_ssh_dir)
+
+            administrators_authorized_keys_path = os.path.join(
+                program_data_ssh_dir, "administrators_authorized_keys"
+            )
+
+            LOG.info("Writing SSH public keys in: %s",
+                     administrators_authorized_keys_path)
+
+            with open(administrators_authorized_keys_path, 'w') as f:
+                for authorized_key in administrators_authorized_keys:
+                    f.write(authorized_key + "\n")
+
         return False
