Initial support for vault in v2

TODO:
* password prompting needs to be implemented, but is being worked on
  as part of the become privilege escalation changes
This commit is contained in:
James Cammarata 2015-03-12 12:14:57 -05:00
parent eb850bf81a
commit b1d78a61fc
3 changed files with 78 additions and 43 deletions

View file

@ -224,6 +224,7 @@ class StrategyModule(StrategyBase):
def __repr__(self): def __repr__(self):
return "%s (%s): %s" % (self._filename, self._args, self._hosts) return "%s (%s): %s" % (self._filename, self._args, self._hosts)
# FIXME: this should also be moved to the base class in a method
included_files = [] included_files = []
for res in host_results: for res in host_results:
if res._task.action == 'include': if res._task.action == 'include':
@ -253,6 +254,9 @@ class StrategyModule(StrategyBase):
inc_file.add_host(res._host) inc_file.add_host(res._host)
# FIXME: should this be moved into the iterator class? Main downside would be
# that accessing the TQM's callback member would be more difficult, if
# we do want to send callbacks from here
if len(included_files) > 0: if len(included_files) > 0:
noop_task = Task() noop_task = Task()
noop_task.action = 'meta' noop_task.action = 'meta'
@ -263,7 +267,14 @@ class StrategyModule(StrategyBase):
for included_file in included_files: for included_file in included_files:
# included hosts get the task list while those excluded get an equal-length # included hosts get the task list while those excluded get an equal-length
# list of noop tasks, to make sure that they continue running in lock-step # list of noop tasks, to make sure that they continue running in lock-step
new_tasks = self._load_included_file(included_file) try:
new_tasks = self._load_included_file(included_file)
except AnsibleError, e:
for host in included_file._hosts:
iterator.mark_host_failed(host)
# FIXME: callback here?
print(e)
noop_tasks = [noop_task for t in new_tasks] noop_tasks = [noop_task for t in new_tasks]
for host in hosts_left: for host in hosts_left:
if host in included_file._hosts: if host in included_file._hosts:

56
v2/ansible/utils/vault.py Normal file
View file

@ -0,0 +1,56 @@
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import os
import subprocess
from ansible import constants as C
from ansible.errors import AnsibleError
from ansible.utils.path import is_executable
def read_vault_file(vault_password_file):
"""
Read a vault password from a file or if executable, execute the script and
retrieve password from STDOUT
"""
this_path = os.path.realpath(os.path.expanduser(vault_password_file))
if not os.path.exists(this_path):
raise AnsibleError("The vault password file %s was not found" % this_path)
if is_executable(this_path):
try:
# STDERR not captured to make it easier for users to prompt for input in their scripts
p = subprocess.Popen(this_path, stdout=subprocess.PIPE)
except OSError, e:
raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e))
stdout, stderr = p.communicate()
vault_pass = stdout.strip('\r\n')
else:
try:
f = open(this_path, "rb")
vault_pass=f.read().strip()
f.close()
except (OSError, IOError), e:
raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
return vault_pass

View file

@ -15,6 +15,7 @@ from ansible.playbook.task import Task
from ansible.utils.cli import base_parser from ansible.utils.cli import base_parser
from ansible.utils.unicode import to_unicode from ansible.utils.unicode import to_unicode
from ansible.utils.vars import combine_vars from ansible.utils.vars import combine_vars
from ansible.utils.vault import read_vault_file
from ansible.vars import VariableManager from ansible.vars import VariableManager
# Implement an ansible.utils.warning() function later # Implement an ansible.utils.warning() function later
@ -34,8 +35,8 @@ def main(args):
check_opts=True, check_opts=True,
diff_opts=True diff_opts=True
) )
#parser.add_option('--vault-password', dest="vault_password", parser.add_option('--vault-password', dest="vault_password",
# help="password for vault encrypted files") help="password for vault encrypted files")
parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append", parser.add_option('-e', '--extra-vars', dest="extra_vars", action="append",
help="set additional variables as key=value or YAML/JSON", default=[]) help="set additional variables as key=value or YAML/JSON", default=[])
parser.add_option('-t', '--tags', dest='tags', default='all', parser.add_option('-t', '--tags', dest='tags', default='all',
@ -61,47 +62,14 @@ def main(args):
parser.print_help(file=sys.stderr) parser.print_help(file=sys.stderr)
return 1 return 1
#--------------------------------------------------------------------------------------------------- vault_pass = None
# FIXME: su/sudo stuff needs to be generalized if options.ask_vault_pass:
# su and sudo command line arguments need to be mutually exclusive # FIXME: prompt here
#if (options.su or options.su_user or options.ask_su_pass) and \ pass
# (options.sudo or options.sudo_user or options.ask_sudo_pass): elif options.vault_password_file:
# parser.error("Sudo arguments ('--sudo', '--sudo-user', and '--ask-sudo-pass') " # read vault_pass from a file
# "and su arguments ('-su', '--su-user', and '--ask-su-pass') are " vault_pass = read_vault_file(options.vault_password_file)
# "mutually exclusive")
#
#if (options.ask_vault_pass and options.vault_password_file):
# parser.error("--ask-vault-pass and --vault-password-file are mutually exclusive")
#
#sshpass = None
#sudopass = None
#su_pass = None
#vault_pass = None
#
#options.ask_vault_pass = options.ask_vault_pass or C.DEFAULT_ASK_VAULT_PASS
#
#if options.listhosts or options.syntax or options.listtasks:
# (_, _, _, vault_pass) = utils.ask_passwords(ask_vault_pass=options.ask_vault_pass)
#else:
# options.ask_pass = options.ask_pass or C.DEFAULT_ASK_PASS
# # Never ask for an SSH password when we run with local connection
# if options.connection == "local":
# options.ask_pass = False
# options.ask_sudo_pass = options.ask_sudo_pass or C.DEFAULT_ASK_SUDO_PASS
# options.ask_su_pass = options.ask_su_pass or C.DEFAULT_ASK_SU_PASS
# (sshpass, sudopass, su_pass, vault_pass) = utils.ask_passwords(ask_pass=options.ask_pass, ask_sudo_pass=options.ask_sudo_pass, ask_su_pass=options.ask_su_pass, ask_vault_pass=options.ask_vault_pass)
# options.sudo_user = options.sudo_user or C.DEFAULT_SUDO_USER
# options.su_user = options.su_user or C.DEFAULT_SU_USER
#
## read vault_pass from a file
#if not options.ask_vault_pass and options.vault_password_file:
# vault_pass = utils.read_vault_file(options.vault_password_file)
# END FIXME
#---------------------------------------------------------------------------------------------------
# FIXME: this hard-coded value will be removed after fixing the removed block
# above, which dealt wtih asking for passwords during runtime
vault_pass = 'testing'
loader = DataLoader(vault_password=vault_pass) loader = DataLoader(vault_password=vault_pass)
extra_vars = {} extra_vars = {}