Initial support for vault in v2
TODO: * password prompting needs to be implemented, but is being worked on as part of the become privilege escalation changes
This commit is contained in:
parent
eb850bf81a
commit
b1d78a61fc
3 changed files with 78 additions and 43 deletions
|
@ -224,6 +224,7 @@ class StrategyModule(StrategyBase):
|
||||||
def __repr__(self):
|
def __repr__(self):
|
||||||
return "%s (%s): %s" % (self._filename, self._args, self._hosts)
|
return "%s (%s): %s" % (self._filename, self._args, self._hosts)
|
||||||
|
|
||||||
|
# FIXME: this should also be moved to the base class in a method
|
||||||
included_files = []
|
included_files = []
|
||||||
for res in host_results:
|
for res in host_results:
|
||||||
if res._task.action == 'include':
|
if res._task.action == 'include':
|
||||||
|
@ -253,6 +254,9 @@ class StrategyModule(StrategyBase):
|
||||||
|
|
||||||
inc_file.add_host(res._host)
|
inc_file.add_host(res._host)
|
||||||
|
|
||||||
|
# FIXME: should this be moved into the iterator class? Main downside would be
|
||||||
|
# that accessing the TQM's callback member would be more difficult, if
|
||||||
|
# we do want to send callbacks from here
|
||||||
if len(included_files) > 0:
|
if len(included_files) > 0:
|
||||||
noop_task = Task()
|
noop_task = Task()
|
||||||
noop_task.action = 'meta'
|
noop_task.action = 'meta'
|
||||||
|
@ -263,7 +267,14 @@ class StrategyModule(StrategyBase):
|
||||||
for included_file in included_files:
|
for included_file in included_files:
|
||||||
# included hosts get the task list while those excluded get an equal-length
|
# included hosts get the task list while those excluded get an equal-length
|
||||||
# list of noop tasks, to make sure that they continue running in lock-step
|
# list of noop tasks, to make sure that they continue running in lock-step
|
||||||
new_tasks = self._load_included_file(included_file)
|
try:
|
||||||
|
new_tasks = self._load_included_file(included_file)
|
||||||
|
except AnsibleError, e:
|
||||||
|
for host in included_file._hosts:
|
||||||
|
iterator.mark_host_failed(host)
|
||||||
|
# FIXME: callback here?
|
||||||
|
print(e)
|
||||||
|
|
||||||
noop_tasks = [noop_task for t in new_tasks]
|
noop_tasks = [noop_task for t in new_tasks]
|
||||||
for host in hosts_left:
|
for host in hosts_left:
|
||||||
if host in included_file._hosts:
|
if host in included_file._hosts:
|
||||||
|
|
56
v2/ansible/utils/vault.py
Normal file
56
v2/ansible/utils/vault.py
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
|
||||||
|
#
|
||||||
|
# This file is part of Ansible
|
||||||
|
#
|
||||||
|
# Ansible is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Ansible is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Make coding more python3-ish
|
||||||
|
from __future__ import (absolute_import, division, print_function)
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
from ansible import constants as C
|
||||||
|
from ansible.errors import AnsibleError
|
||||||
|
from ansible.utils.path import is_executable
|
||||||
|
|
||||||
|
def read_vault_file(vault_password_file):
|
||||||
|
"""
|
||||||
|
Read a vault password from a file or if executable, execute the script and
|
||||||
|
retrieve password from STDOUT
|
||||||
|
"""
|
||||||
|
|
||||||
|
this_path = os.path.realpath(os.path.expanduser(vault_password_file))
|
||||||
|
if not os.path.exists(this_path):
|
||||||
|
raise AnsibleError("The vault password file %s was not found" % this_path)
|
||||||
|
|
||||||
|
if is_executable(this_path):
|
||||||
|
try:
|
||||||
|
# STDERR not captured to make it easier for users to prompt for input in their scripts
|
||||||
|
p = subprocess.Popen(this_path, stdout=subprocess.PIPE)
|
||||||
|
except OSError, e:
|
||||||
|
raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e))
|
||||||
|
stdout, stderr = p.communicate()
|
||||||
|
vault_pass = stdout.strip('\r\n')
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
f = open(this_path, "rb")
|
||||||
|
vault_pass=f.read().strip()
|
||||||
|
f.close()
|
||||||
|
except (OSError, IOError), e:
|
||||||
|
raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
|
||||||
|
|
||||||
|
return vault_pass
|
||||||
|
|
|
@ -15,6 +15,7 @@ from ansible.playbook.task import Task
|
||||||
from ansible.utils.cli import base_parser
|
from ansible.utils.cli import base_parser
|
||||||
from ansible.utils.unicode import to_unicode
|
from ansible.utils.unicode import to_unicode
|
||||||
from ansible.utils.vars import combine_vars
|
from ansible.utils.vars import combine_vars
|
||||||
|
from ansible.utils.vault import read_vault_file
|
||||||
from ansible.vars import VariableManager
|
from ansible.vars import VariableManager
|
||||||
|
|
||||||
# Implement an ansible.utils.warning() function later
|
# Implement an ansible.utils.warning() function later
|
||||||
|
@ -34,8 +35,8 @@ def main(args):
|
||||||
check_opts=True,
|
check_opts=True,
|
||||||
diff_opts=True
|
diff_opts=True
|
||||||
)
|
)
|
||||||
#parser.add_option('--vault-password', dest="vault_password",
|
parser.add_option('--vault-password', dest="vault_password",
|
||||||
# help="password for vault encrypted files")
|
help="password for vault encrypted files")
|
||||||
parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
|
parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
|
||||||
help="set additional variables as key=value or YAML/JSON", default=[])
|
help="set additional variables as key=value or YAML/JSON", default=[])
|
||||||
parser.add_option('-t', '--tags', dest='tags', default='all',
|
parser.add_option('-t', '--tags', dest='tags', default='all',
|
||||||
|
@ -61,47 +62,14 @@ def main(args):
|
||||||
parser.print_help(file=sys.stderr)
|
parser.print_help(file=sys.stderr)
|
||||||
return 1
|
return 1
|
||||||
|
|
||||||
#---------------------------------------------------------------------------------------------------
|
vault_pass = None
|
||||||
# FIXME: su/sudo stuff needs to be generalized
|
if options.ask_vault_pass:
|
||||||
# su and sudo command line arguments need to be mutually exclusive
|
# FIXME: prompt here
|
||||||
#if (options.su or options.su_user or options.ask_su_pass) and \
|
pass
|
||||||
# (options.sudo or options.sudo_user or options.ask_sudo_pass):
|
elif options.vault_password_file:
|
||||||
# parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') "
|
# read vault_pass from a file
|
||||||
# "and su arguments ('-su', '--su-user', and '--ask-su-pass') are "
|
vault_pass = read_vault_file(options.vault_password_file)
|
||||||
# "mutually exclusive")
|
|
||||||
#
|
|
||||||
#if (options.ask_vault_pass and options.vault_password_file):
|
|
||||||
# parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
|
|
||||||
#
|
|
||||||
#sshpass = None
|
|
||||||
#sudopass = None
|
|
||||||
#su_pass = None
|
|
||||||
#vault_pass = None
|
|
||||||
#
|
|
||||||
#options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
|
|
||||||
#
|
|
||||||
#if options.listhosts or options.syntax or options.listtasks:
|
|
||||||
# (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass)
|
|
||||||
#else:
|
|
||||||
# options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
|
|
||||||
# # Never ask for an SSH password when we run with local connection
|
|
||||||
# if options.connection == "local":
|
|
||||||
# options.ask_pass = False
|
|
||||||
# options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
|
|
||||||
# options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
|
|
||||||
# (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
|
|
||||||
# options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
|
|
||||||
# options.su_user = options.su_user or C.DEFAULT_SU_USER
|
|
||||||
#
|
|
||||||
## read vault_pass from a file
|
|
||||||
#if not options.ask_vault_pass and options.vault_password_file:
|
|
||||||
# vault_pass = utils.read_vault_file(options.vault_password_file)
|
|
||||||
# END FIXME
|
|
||||||
#---------------------------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
# FIXME: this hard-coded value will be removed after fixing the removed block
|
|
||||||
# above, which dealt wtih asking for passwords during runtime
|
|
||||||
vault_pass = 'testing'
|
|
||||||
loader = DataLoader(vault_password=vault_pass)
|
loader = DataLoader(vault_password=vault_pass)
|
||||||
|
|
||||||
extra_vars = {}
|
extra_vars = {}
|
||||||
|
|
Loading…
Reference in a new issue