Opportunity to use signed playbook.


Elkmar

Jun 7, 2021, 5:48:39 AM
to Ansible Project
Hi all.
I need to check a playbook's authenticity before execution. Is it possible? If yes, how can I sign a playbook and check it in ansible before execution (and also prohibit any execution of non-signed playbooks)?

Sorry, if this question has been already discussed, but I have not found information.


Best regards.

Vladimir Botka

Jun 7, 2021, 6:44:44 AM
to Elkmar, ansible...@googlegroups.com
On Mon, 7 Jun 2021 02:48:39 -0700 (PDT)
Elkmar <elkmar.dr...@gmail.com> wrote:

> ... check a playbook authenticity before execution

For example

shell> cat test-003.yml
- hosts: all
  gather_facts: false
  vars:
    my_filename: test-003.yml
    my_path: "{{ playbook_dir }}/{{ my_filename }}"
    my_hash_path: "{{ my_path }}.sha1"
    my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
  tasks:
    - name: Test integrity of the playbook
      block:
        - stat:
            path: "{{ my_path }}"
            checksum_algorithm: sha1
          register: result
        - assert:
            that: result.stat.checksum == my_hash
      delegate_to: localhost
      run_once: true

shell> sha1sum test-003.yml > test-003.yml.sha1
shell> cat test-003.yml.sha1
9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml
shell> ansible-playbook test-003.yml

PLAY [all]
*********************************************************

TASK [stat]
*********************************************************
ok: [test_11]

TASK [assert]
*********************************************************
ok: [test_11] => changed=false
  msg: All assertions passed


If the hash differs, the playbook will fail:

TASK [assert]
*********************************************************
fatal: [test_11]: FAILED! => changed=false
  assertion: result.stat.checksum == my_hash
  evaluated_to: false
  msg: Assertion failed

--
Vladimir Botka

Antony Stone

Jun 7, 2021, 6:49:28 AM
to ansible...@googlegroups.com
On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:

> shell> cat test-003.yml
> - hosts: all
>   gather_facts: false
>   vars:
>     my_filename: test-003.yml
>     my_path: "{{ playbook_dir }}/{{ my_filename }}"
>     my_hash_path: "{{ my_path }}.sha1"
>     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
>   tasks:
>     - name: Test integrity of the playbook
>       block:
>         - stat:
>             path: "{{ my_path }}"
>             checksum_algorithm: sha1
>           register: result
>         - assert:
>             that: result.stat.checksum == my_hash
>       delegate_to: localhost
>       run_once: true

That's a good enough way of checking that the hash of the playbook in question
does match the stored hash, but...

> shell> sha1sum test-003.yml > test-003.yml.sha1
> shell> cat test-003.yml.sha1
> 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml

...means that it's trivial for someone to take a playbook, modify it, and
create a new hash file.

I interpret "signed" in the original question to mean something that cannot be
falsified by someone who is running the ansible commands.


Antony.

--
The more 'success' you get, the easier it is to be disappointed by not getting
things.
The only difference is that now no-one feels sorry for you.

- Matt Haig

Please reply to the list;
please *don't* CC me.

Elkmar

Jun 7, 2021, 7:32:45 AM
to Ansible Project
Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for example, it has a digital signature) and we can start it with the ansible-playbook command. FileB doesn't have a signature, so it can't make any changes on remote hosts. Is it possible?

On Monday, 7 June 2021 at 13:49:28 UTC+3, Antony Stone wrote:

Vladimir Botka

Jun 7, 2021, 7:37:50 AM
to Antony Stone, ansible...@googlegroups.com
On Mon, 7 Jun 2021 12:48:57 +0200
Antony Stone <Antony...@ansible.open.source.it> wrote:

> I interpret "signed" in the original question to mean something that cannot be
> falsified by someone who is running the ansible commands.

Locally, you might want to set the ownership and the permissions as
appropriate. Use get_url if the signatures are stored remotely
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html

--
Vladimir Botka

Stefan Hornburg (Racke)

Jun 7, 2021, 7:42:31 AM
to ansible...@googlegroups.com
On 07/06/2021 13:32, Elkmar wrote:
> Yep, Antony right.
> The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for example has digital signature) and we can start it with ansible-playbook command. FileB doesn't have signature so it can't do any changes on remote hosts. Is it possible?

I doubt that verifying the signature is a solution for preventing tampering ... the user can simply ssh to the machine, for example.

Regards
Racke


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
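The thread stops at a sha1 side file, which Antony points out anyone who can edit the playbook can also regenerate. Below is an added example, written for this thread and not code from any poster or from the Ansible project, of the kind of check Antony describes: a detached signature that the person running ansible-playbook cannot forge, because the control node only holds the public key. It is a POSIX sh wrapper that assumes the openssl CLI is installed; the function names (`sign_playbook`, `verify_playbook`, `run_signed_playbook`, `demo`), the `.sig` suffix and the key file names are my own choices. `--demo` builds a constructed RSA key pair and a constructed playbook in a temp directory, verifies the signed file, appends a line to it (the equivalent of the edit-and-rehash Antony warns about) and checks that the modified copy is rejected.

```shell
#!/bin/sh
# run-signed-playbook.sh (example, not an Ansible feature): refuse to run a
# playbook unless a detached signature over it verifies against a public key
# that the operator cannot replace. Assumes the openssl CLI is installed.
set -eu

# Author side: produce playbook.sig from the private key. Done wherever the
# private key lives; it is never copied to the control node.
sign_playbook() {
    playbook=$1; privkey=$2
    openssl dgst -sha256 -sign "$privkey" -out "$playbook.sig" "$playbook"
}

# Control-node side: succeed only if playbook.sig is a valid signature of the
# playbook under the trusted public key. A missing signature is a refusal, so
# unsigned playbooks cannot run through this path at all.
verify_playbook() {
    playbook=$1; pubkey=$2; sig="$playbook.sig"
    if [ ! -f "$sig" ]; then
        echo "refusing $playbook: no detached signature $sig" >&2
        return 1
    fi
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$playbook" >/dev/null 2>&1; then
        echo "refusing $playbook: signature does not verify" >&2
        return 1
    fi
}

# Verify first, then hand the playbook and any extra arguments to ansible-playbook.
run_signed_playbook() {
    playbook=$1; pubkey=$2; shift 2
    verify_playbook "$playbook" "$pubkey"
    exec ansible-playbook "$playbook" "$@"
}

# Self-check on constructed files: a fresh key pair, a signed playbook that must
# verify, and a modified copy that must be rejected. Returns 0 on success.
demo() {
    tmp=$(mktemp -d)
    # Constructed key pair; in real use only author.pub is present on the control node.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/author.key" 2>/dev/null
    openssl pkey -in "$tmp/author.key" -pubout -out "$tmp/author.pub"
    # Constructed playbook.
    printf -- '- hosts: all\n  tasks:\n    - debug: msg=hello\n' > "$tmp/site.yml"
    sign_playbook "$tmp/site.yml" "$tmp/author.key"
    verify_playbook "$tmp/site.yml" "$tmp/author.pub" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    # Editing the file is exactly what a sha1 side file lets an operator get away
    # with by re-running sha1sum; without the private key it cannot be re-signed.
    printf -- '    - debug: msg=tampered\n' >> "$tmp/site.yml"
    if verify_playbook "$tmp/site.yml" "$tmp/author.pub" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo; echo "demo: signed playbook accepted, modified playbook rejected" ;;
    --run)  shift; run_signed_playbook "$@" ;;
esac
```

Run as `sh run-signed-playbook.sh --demo` to see the self-check, or `sh run-signed-playbook.sh --run site.yml /etc/ansible/author.pub -i inventory` to verify and then execute. Note that this only answers the "cannot be falsified by whoever runs the commands" part of the question if it is the only permitted path: the wrapper and the public key file must be owned by root and not writable by the operator (Vladimir's ownership and permissions point), the operator must not be able to invoke ansible-playbook directly, and, as Racke says, none of this constrains someone who can simply ssh to the managed hosts; that is a separate access control on the hosts themselves.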
