This hasn't had much testing :(

I don't understand. What is the difference between the two playbooks?

Also, will this fail on some of the message types? Do any of them have an odd group field? See https://apps.fedoraproject.org/datagrepper/raw?topic=org.fedoraproject.prod.fas.role.update&topic=org.fedoraproject.prod.fas.group.member.sponsor&topic=org.fedoraproject.prod.fas.group.member.remove&topic=org.fedoraproject.prod.fas.user.update for a query.

I don't understand. What is the difference between the two playbooks?

run_fasClient.yml runs on all our hosts but some that do not have fasClient, while run_fasClient_simple.yml only runs on some of the hosts (fedorapeople, fedorahosted, bastion, pkgs)

So this has us doing simple by default. But the more complete one when the change is with respect to a group.

This deserves an inline comment to explain. Why is it more complex when there's a group involved? What kind of change happened that deserves only a simple run when there is no group involved.

Is it that the simple runs take place only when a public SSH key changes?

What about if a sysadmin with shell access changes their SSH key? That info won't get propagated to all the nodes.

• fas.group.member.sponsor has a group
• fas.user.update has no group
• fas.group.member.remove has a group
• fas.role.update has a group

So fas.user.update is the only one giving us problem :-/

What about if a sysadmin with shell access changes their SSH key? That info won't get propagated to all the nodes.

Looking into the data for my previous reply I was thinking about this and maybe we should look into the message for fas.user.update and use the global playbook if the user updated their ssh key.

Thoughts?

Why is it more complex when there's a group involved? What kind of change happened that deserves only a simple run when there is no group involved.

It's not about having groups involved, it's about which groups are involved :)

Nice! 👍