improve become_method: runas error handling (#23328)

Prescriptive errors for username/password issues and NTLM/Kerb auth failures, cleans up exception noise.
This commit is contained in:
Matt Davis 2017-04-06 01:34:30 -07:00 committed by GitHub
parent e66c98281e
commit 8d291f91ee
2 changed files with 34 additions and 3 deletions

View file

@ -553,6 +553,13 @@ class PlayContext(Base):
elif self.become_method == 'runas':
# become is handled inside the WinRM connection plugin
display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.")
if not self.become_user:
raise AnsibleError(("The 'runas' become method requires a username "
"(specify with the '--become-user' CLI arg, the 'become_user' keyword, or the 'ansible_become_user' variable)"))
if not self.become_pass:
raise AnsibleError(("The 'runas' become method requires a password "
"(specify with the '-K' CLI arg or the 'ansible_become_password' variable)"))
becomecmd = cmd
elif self.become_method == 'doas':

View file

@ -316,6 +316,15 @@ Write-Output $output
} # end exec_wrapper
Function Dump-Error ($excep) {
$eo = @{failed=$true}
$eo.msg = $excep.Exception.Message
$eo.exception = $excep | Out-String
$host.SetShouldExit(1)
$eo | ConvertTo-Json -Depth 10
}
Function Run($payload) {
# NB: action popping handled inside subprocess wrapper
@ -370,14 +379,25 @@ Function Run($payload) {
$psi.Username = $username
$psi.Password = $($password | ConvertTo-SecureString -AsPlainText -Force)
Try {
[Ansible.Shell.ProcessUtil]::GrantAccessToWindowStationAndDesktop($username)
}
Catch {
$excep = $_
throw "Error granting windowstation/desktop access to '$username' (is the username valid?): $excep"
}
Try {
$proc.Start() | Out-Null # will always return $true for non shell-exec cases
}
Catch {
Write-Output $_.Exception.InnerException
return
$excep = $_
if ($excep.Exception.InnerException -and `
$excep.Exception.InnerException -is [System.ComponentModel.Win32Exception] -and `
$excep.Exception.InnerException.NativeErrorCode -eq 5) {
throw "Become method 'runas' become is not currently supported with the NTLM or Kerberos auth types"
}
throw "Error launching under identity '$username': $excep"
}
$payload_string = $payload | ConvertTo-Json -Depth 99 -Compress
@ -404,6 +424,10 @@ Function Run($payload) {
Throw "failed, rc was $rc, stderr was $stderr, stdout was $stdout"
}
}
Catch {
$excep = $_
Dump-Error $excep
}
Finally {
Remove-Item $temp -ErrorAction SilentlyContinue
}