improve become_method: runas error handling (#23328)

Prescriptive errors for username/password issues and NTLM/Kerberos auth failures; cleans up exception noise.
Matt Davis 2017-04-06 01:34:30 -07:00 committed by GitHub
parent e66c98281e
commit 8d291f91ee
2 changed files with 34 additions and 3 deletions


@ -553,6 +553,13 @@ class PlayContext(Base):
elif self.become_method == 'runas': elif self.become_method == 'runas':
# become is handled inside the WinRM connection plugin # become is handled inside the WinRM connection plugin
display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.") display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.")
if not self.become_user:
raise AnsibleError(("The 'runas' become method requires a username "
"(specify with the '--become-user' CLI arg, the 'become_user' keyword, or the 'ansible_become_user' variable)"))
if not self.become_pass:
raise AnsibleError(("The 'runas' become method requires a password "
"(specify with the '-K' CLI arg or the 'ansible_become_password' variable)"))
becomecmd = cmd becomecmd = cmd
elif self.become_method == 'doas': elif self.become_method == 'doas':
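Review bot: The password check at `if not self.become_pass:` rejects an empty string as well as an unset value, so a Windows account with a blank password cannot be targeted through runas, and nothing in the hunk says whether that is intended. If it is deliberate (the PowerShell side of this commit builds the credential with `ConvertTo-SecureString -AsPlainText -Force`, which I believe fails on an empty string anyway), record it: `# runas needs a non-empty password: the target-side wrapper cannot build a credential from an empty string`. If it is not, use `if self.become_pass is None:` so only a missing password is rejected. I would also run both checks before `display.warning(...)` so a misconfigured play gets one prescriptive error rather than the experimental warning followed by an error. The enclosing method starts and ends outside this hunk.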


@ -316,6 +316,15 @@ Write-Output $output
} # end exec_wrapper } # end exec_wrapper
Function Dump-Error ($excep) {
$eo = @{failed=$true}
$eo.msg = $excep.Exception.Message
$eo.exception = $excep | Out-String
$host.SetShouldExit(1)
$eo | ConvertTo-Json -Depth 10
}
Function Run($payload) { Function Run($payload) {
# NB: action popping handled inside subprocess wrapper # NB: action popping handled inside subprocess wrapper
@ -370,14 +379,25 @@ Function Run($payload) {
$psi.Username = $username $psi.Username = $username
$psi.Password = $($password | ConvertTo-SecureString -AsPlainText -Force) $psi.Password = $($password | ConvertTo-SecureString -AsPlainText -Force)
[Ansible.Shell.ProcessUtil]::GrantAccessToWindowStationAndDesktop($username) Try {
[Ansible.Shell.ProcessUtil]::GrantAccessToWindowStationAndDesktop($username)
}
Catch {
$excep = $_
throw "Error granting windowstation/desktop access to '$username' (is the username valid?): $excep"
}
Try { Try {
$proc.Start() | Out-Null # will always return $true for non shell-exec cases $proc.Start() | Out-Null # will always return $true for non shell-exec cases
} }
Catch { Catch {
Write-Output $_.Exception.InnerException $excep = $_
return if ($excep.Exception.InnerException -and `
$excep.Exception.InnerException -is [System.ComponentModel.Win32Exception] -and `
$excep.Exception.InnerException.NativeErrorCode -eq 5) {
throw "Become method 'runas' become is not currently supported with the NTLM or Kerberos auth types"
}
throw "Error launching under identity '$username': $excep"
} }
$payload_string = $payload | ConvertTo-Json -Depth 99 -Compress $payload_string = $payload | ConvertTo-Json -Depth 99 -Compress
@ -404,6 +424,10 @@ Function Run($payload) {
Throw "failed, rc was $rc, stderr was $stderr, stdout was $stdout" Throw "failed, rc was $rc, stderr was $stderr, stdout was $stdout"
} }
} }
Catch {
$excep = $_
Dump-Error $excep
}
Finally { Finally {
Remove-Item $temp -ErrorAction SilentlyContinue Remove-Item $temp -ErrorAction SilentlyContinue
} }