This is an invalid scenario - you cannot edit the SSH comment in the authorized_keys file because the node and broker use it to associate the key with a physical user account.

This regression happened based on the change in this commit --> 2fe1f834c10f3946b10db899317184a0cb2d4dc9 

Clayton: Any idea why the logic to remove ssh keys was altered?


The scenario that the test case aims to check is that older ssh keys created by the broker might have had a different comment and the logic for generating the comment on the broker side was changed earlier this year. To prevent older keys with older format comments from not being deleted, we had made this fix on the runtime side.

It's an intentional change.  The comment is now required to match the account key.  Multiple users can have the same key - removing the key from all accounts would leave the gear in an incorrect state.

If we need to do a migration it would be to scan all gears, find any authorized keys file with an incorrect comment, then mark that gear for key resync.  If that's the case let me know and I'll whip it up.

Multiple users should not be using the same key. If they are, removing a particular user's key would have no effect as that user would still have ssh access to the gear. 

We were aware of the potential of removing ALL key entries (with the same key content) from the authorized_keys file if one of the key was being removed.

Will discuss with the team and get back to you on how we need to proceed on this.

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/d859a5662ac329150862049f0e5cd4fc00fa5484
Bug 1022370 - Add forcestopgear and forcestopall options to completely stop all processes owned by a gear.

Multiple users can and do share keys - that is a hard customer requirement and cannot be changed.

The design of the access control sharing mechanism is correct - reverting it to work around a legacy bug is not the correct approach.

Closing, working as intended

Please stop marking this bug as invalid and closing it.

The fix to ignore the ssh key comment was placed as a workaround to handle an issue with the ssh key comment/name format being changed on the broker side. While the current functionality is intended, we still need a fix to handle the cases where the ssh key comment/name format is older.

I have a fix (coming shortly) to oo-admin-chk and oo-admin-repair in place to take care of this. If that fix is acceptable, I would like to get that in and let QE verify this scenario. Otherwise, will go ahead and close this bug.

Fixed with --> https://github.com/openshift/origin-server/pull/4001

oo-admin-chk will now report mismatches with key comments in addition to the key content and oo-admin-repair will fix the mismatches.

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/946bd858e6c93af91902e99f65318de450b1107a
Fix for bug 1022370, 1023207

Verified on devenv_3953

Step:
1.Create an application
2.Create ssh key
ssh-keygen -t rsa -N '' -f testkey
3.Add new sshkey
rhc sshkey add testkey testkey.pub
4.Edit /var/lib/openshift/UUID/.ssh/authorized_keys , change the comment
5. Remove the sshkey
6.Run `oo-admin-chk -l 1`
7.Run `oo-admin-repair --ssh-keys`
8.Run `oo-admin-chk -l 1`
9.Check $appuuid/.ssh/authorized_keys

Result:
6.[root@ip-10-239-2-225 app2-wsundev3953]# oo-admin-chk -l 1
Started at: 2013-10-27 23:34:47 -0400
Time to fetch mongo data: 0.036s
Total gears found in mongo: 2
Time to get all gears from nodes: 20.705s
Total gears found on the nodes: 2
Total nodes that responded : 1
Time to get all sshkeys for all gears from nodes: 20.059s
Total gears found on the nodes: 2
Total nodes that responded : 1
Check failed.
Gear '526dd7b25ebecfd459000001' has key with hash '501ef287206d00df12641eb443ac1843' and comment 'OPENSHIFT-526dd7b25ebecfd459000001-526dd7635ebecfe69a000004-yektset' on the node but not in mongo.
Please refer to the oo-admin-repair tool to resolve some of these inconsistencies.
Total time: 40.836s
Finished at: 2013-10-27 23:35:28 -0400

7.[root@ip-10-239-2-225 app2-wsundev3953]# oo-admin-repair --ssh-keys
Started at: 2013-10-27 23:36:19 -0400
Time to fetch mongo data: 0.018s
Total gears found in mongo: 2
Time to get all sshkeys for all gears from nodes: 20.565s
Total gears found on the nodes: 2
Total nodes that responded : 1
Check failed.
Gear '526dd7b25ebecfd459000001' has key with hash '501ef287206d00df12641eb443ac1843' and comment 'OPENSHIFT-526dd7b25ebecfd459000001-526dd7635ebecfe69a000004-yektset' on the node but not in mongo.


Fixing ssh key inconsistencies for all affected applications:

Fixed ssh key mismatches for 1 applications.

Total time: 21.368s
Finished at: 2013-10-27 23:36:41 -0400

8.[root@ip-10-239-2-225 app2-wsundev3953]# oo-admin-chk -l 1
Started at: 2013-10-27 23:37:17 -0400
Time to fetch mongo data: 0.037s
Total gears found in mongo: 2
Time to get all gears from nodes: 20.81s
Total gears found on the nodes: 3
Total nodes that responded : 1
Time to get all sshkeys for all gears from nodes: 20.066s
Total gears found on the nodes: 3
Total nodes that responded : 1
Success
Total time: 40.959s
Finished at: 2013-10-27 23:37:58 -0400

9.The sshkey is removed from authorized_keys file