mark runas become method experimental (#23235)

Due to the number of "real world" caveats in the current runas become method, it was agreed that we'd warn that it's experimental on use. A potential future version based on LogonUser/CreateProcessAsUser will have very different requirements and limitations.

CHANGELOG.md

@@ -48,7 +48,7 @@ Ansible Changes By Release
 * Allow module_utils for custom modules to be placed in site-specific directories and shipped in roles
 * On platforms that support it, use more modern system polling API instead of select in the ssh connection plugin.
   This removes one limitation on how many parallel forks are feasible on these systems.
-* Windows/WinRM supports become method "runas" to run modules and scripts as a different user, and to transparently access network resources.
+* Windows/WinRM supports (experimental) become method "runas" to run modules and scripts as a different user, and to transparently access network resources.
 * The WinRM connection plugin now uses pipelining when executing modules, resulting in significantly faster execution for small tasks.
 * The WinRM connection plugin can now manage Kerberos tickets automatically when `ansible_winrm_transport=kerberos` and `ansible_user`/`ansible_password` are specified.
 * Refactored/standardized most Windows modules, adding check-mode and diff support where possible.

docs/docsite/rst/roadmap/ROADMAP_2_3.rst

@@ -39,11 +39,11 @@ Target: Mid April 2017
 - **Windows platform** (nitzmahone)
 
   - Pipelining support **(done)**
-  - Become support **(done)**
+  - Become support **(done/experimental)**
   - Integrated kerberos ticket management (via ansible_user/ansible_password) **(done)**
   - Switch PS input encoding to BOM-less UTF8 **(done)**
-  - Server 2016 support/testing (now RTM’d) **(in progress)**
+  - Server 2016 support/testing (now RTM’d) **(partial)**
-  - Modularize Windows module_utils (allow N files) **(in progress)**
+  - Modularize Windows module_utils (allow N files) **(partial)**
   - Declarative argspec for PS / .NET **(bumped to 2.4)**
   - Kerberos encryption (via notting, pywinrm/requests_kerberos/pykerberos) **(in progress, available in pywinrm post 2.3 release)**
   - Fix plugin-specific connection var lookup/delegation (either registered explicitly by plugins or ansible_(plugin)_*) **(bumped to 2.4)**

lib/ansible/playbook/play_context.py

@@ -552,6 +552,7 @@ class PlayContext(Base):
 
             elif self.become_method == 'runas':
                 # become is handled inside the WinRM connection plugin
+                display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.")
                 becomecmd = cmd
 
             elif self.become_method == 'doas':