Merge pull request #11767 from amenonsen/vault-new-password-file
add option to ansible-vault to read new password from file for rekey
This commit is contained in:
commit
16e8a7dd67
4 changed files with 31 additions and 6 deletions
|
@ -2,12 +2,12 @@
|
|||
.\" Title: ansible-vault
|
||||
.\" Author: [see the "AUTHOR" section]
|
||||
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
|
||||
.\" Date: 12/09/2014
|
||||
.\" Date: 07/28/2015
|
||||
.\" Manual: System administration commands
|
||||
.\" Source: Ansible 1.9
|
||||
.\" Source: Ansible 2.0.0
|
||||
.\" Language: English
|
||||
.\"
|
||||
.TH "ANSIBLE\-VAULT" "1" "12/09/2014" "Ansible 1\&.9" "System administration commands"
|
||||
.TH "ANSIBLE\-VAULT" "1" "07/28/2015" "Ansible 2\&.0\&.0" "System administration commands"
|
||||
.\" -----------------------------------------------------------------
|
||||
.\" * Define some portability stuff
|
||||
.\" -----------------------------------------------------------------
|
||||
|
@ -43,7 +43,12 @@ The following options are available to all sub\-commands:
|
|||
.PP
|
||||
\fB\-\-vault\-password\-file=\fR\fIFILE\fR
|
||||
.RS 4
|
||||
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&.
|
||||
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-\-new\-vault\-password\-file=\fR\fIFILE\fR
|
||||
.RS 4
|
||||
A file containing the new vault password to be used when rekeying a file\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-h\fR, \fB\-\-help\fR
|
||||
|
|
|
@ -36,7 +36,15 @@ The following options are available to all sub-commands:
|
|||
*--vault-password-file=*'FILE'::
|
||||
|
||||
A file containing the vault password to be used during the encryption/decryption
|
||||
steps. Be sure to keep this file secured if it is used.
|
||||
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
||||
it will be run and its standard output will be used as the password.
|
||||
|
||||
*--new-vault-password-file=*'FILE'::
|
||||
|
||||
A file containing the new vault password to be used when rekeying a
|
||||
file. Be sure to keep this file secured if it is used. If the file
|
||||
is executable, it will be run and its standard output will be used as
|
||||
the password.
|
||||
|
||||
*-h*, *--help*::
|
||||
|
||||
|
|
|
@ -258,6 +258,10 @@ class CLI(object):
|
|||
parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE,
|
||||
dest='vault_password_file', help="vault password file", action="callback",
|
||||
callback=CLI.expand_tilde, type=str)
|
||||
parser.add_option('--new-vault-password-file',
|
||||
dest='new_vault_password_file', help="new vault password file for rekey", action="callback",
|
||||
callback=CLI.expand_tilde, type=str)
|
||||
|
||||
|
||||
if subset_opts:
|
||||
parser.add_option('-t', '--tags', dest='tags', default='all',
|
||||
|
|
|
@ -77,6 +77,10 @@ class VaultCLI(CLI):
|
|||
else:
|
||||
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
|
||||
|
||||
if self.options.new_vault_password_file:
|
||||
# for rekey only
|
||||
self.new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file)
|
||||
|
||||
if not self.vault_pass:
|
||||
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
|
||||
|
||||
|
@ -125,6 +129,10 @@ class VaultCLI(CLI):
|
|||
for f in self.args:
|
||||
if not (os.path.isfile(f)):
|
||||
raise AnsibleError(f + " does not exist")
|
||||
|
||||
if self.new_vault_pass:
|
||||
new_password = self.new_vault_pass
|
||||
else:
|
||||
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
||||
|
||||
for f in self.args:
|
||||
|
|
Loading…
Reference in a new issue