Using Pathword Authentication to run a Playbook


JS

Jul 21, 2017, 12:21:35 PM
to Ansible Project
Hello!

I have a single playbook with various plays in it.

It goes out to different environments, either dev, uat, or prod (based on the --extra-vars input by the user deploying the playbook). 

i.e. ansible-playbook -i hosts deploy.yml --extra-vars "env=uat"

Is there any way I can set ansible-playbook to require a password if a user selects the prod environment?

They should be allowed to deploy to dev and uat without any authentication or passwords.

Thanks
JS

Kai Stian Olstad

Jul 22, 2017, 11:17:58 AM
to ansible...@googlegroups.com
Since you use Pathword in the subject I guess you are after a hurdle so
users don't accidentally run against production?

If so, you can do something like this:

# inside the play, next to hosts:
  pre_tasks:
    - pause:
        prompt: "You are running against production. What is the magic word?"
      register: result
      when: env == 'prod'

    - fail:
        msg: "Aborting, wrong magic."
      when: result.user_input | default('') != 'answerable' and env == 'prod'


If not, you could use passwords against production and keys on the other
environments.


--
Kai Stian Olstad

Dick Davies

Jul 22, 2017, 11:55:39 AM
to ansible list
What about not putting the users keys onto the production servers?

JS

Jul 24, 2017, 4:49:43 AM
to Ansible Project
Hi Kai 

Fantastic, many thanks for your reply!

I'll give your play a shot (I prefer having the keys set up as I have also made the playbooks available via Jenkins for automation!) and if that doesn't work I'll use password authentication for Prod and keys for the other environments!

Regards
JS

JS

Jul 24, 2017, 4:51:13 AM
to Ansible Project, di...@hellooperator.net
Hi Dick

Fantastic, many thanks for your reply!

I'll give Kai's play above a shot (I prefer having the keys set up as I have also made the playbooks available via Jenkins for automation!) and if that doesn't work I'll use password authentication for Prod and keys for the other environments!

Regards
JS

Timothy Brush

Jul 24, 2017, 6:25:05 PM
to Ansible Project
Just starting to use Ansible, but wouldn't this be better solved using a separate ssh key for prod systems that requires a passphrase that only authorized personnel have access to, and loading that key into ssh-agent before running plays? Depending on your naming scheme, you may even be able to specify production hosts via a wildcard in the ~/.ssh/config file. This not only limits the ability to push to production but adds additional security.

Note: Ansible's user module can be used to push out new ssh authorized keys.

Apologies if this solution is off the mark but my background is in information security.


JS

Jul 25, 2017, 7:29:46 AM
to Ansible Project, ansible-pr...@olstad.com
Hi Kai

Thanks for that - it worked like a charm on the CLI!

# inside the play, next to hosts:
  pre_tasks:
    - pause:
        prompt: "You are running against production. What is the magic word?"
      register: result
      when: env == 'prod'

    - fail:
        msg: "Aborting, wrong magic."
      when: result.user_input | default('') != 'answerable' and env == 'prod'

I've integrated the playbook with Jenkins, and it doesn't work there. I get the following error: [WARNING]: Not waiting from prompt as stdin is not interactive

But I suppose that's not a problem as we can run DEV/UAT via Jenkins (GUI) and the PROD environment via CLI.

Adrian Likins

Jul 26, 2017, 5:58:05 PM
to ansible...@googlegroups.com
ansible-playbook isn't really the right tool for writing interactive tooling. There is some very limited support for it,
but it is not a good approach.

Some of the previously mentioned suggestions (password-protected prod-only ssh keys and ssh-agent...) will be
more useful in the long run. Or use a wrapper script to handle the interactivity if required.

But avoid trying to use ansible as an interactive tool.
 

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8bfcbdfc-a669-4f62-af4a-2b57fa05b30c%40googlegroups.com.
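A wrapper script of the kind Adrian suggests, combining Kai's confirmation gate with Timothy's prod-only key, as an added example for this thread; it is not code from any of the posters or from Ansible. It assumes the hosts inventory and deploy.yml from the question, that the environment is selected with env=<dev|uat|prod>, a hypothetical prod-only key at ~/.ssh/id_ed25519_prod whose public half sits beside it (override with PROD_KEY), and a confirmation word taken from CONFIRM_WORD; the defaults are mine.

```shell
#!/bin/sh
# deploy.sh: a wrapper around ansible-playbook that gates production runs.
# Added example for this thread; not code from the posters or from Ansible.
# Assumptions (mine, not the thread's): the inventory and playbook are the
# "hosts" and "deploy.yml" from the question, the environment is chosen with
# env=<dev|uat|prod>, and production is reached with a separate
# passphrase-protected key whose public half sits beside it as "<key>.pub".
set -eu

PROD_KEY="${PROD_KEY:-$HOME/.ssh/id_ed25519_prod}"   # hypothetical prod-only key
CONFIRM_WORD="${CONFIRM_WORD:-deploy-to-prod}"        # the "magic word"; override per site

# gate ENV STDIN_KIND TYPED -> returns 0 to allow the run, 1 to refuse it.
# STDIN_KIND is "tty" or "notty"; TYPED is what the operator entered (may be empty).
# Deliberately free of I/O so the policy can be exercised without Ansible installed.
gate() {
  case "$1" in
    dev|uat) return 0 ;;                 # no hurdle for non-production
    prod)
      [ "$2" = tty ] || return 1         # Jenkins/cron: nobody can answer, so refuse outright
      [ "$3" = "$CONFIRM_WORD" ] ;;      # wrong or empty word: refuse
    *) return 1 ;;                       # unknown or missing env: refuse rather than guess
  esac
}

# prod_key_loaded -> 0 if ssh-agent already holds PROD_KEY, i.e. someone who knows
# its passphrase ran "ssh-add" in this session. Compares fingerprints, because
# "ssh-add -l" shows the key comment rather than the file path.
prod_key_loaded() {
  fp=$(ssh-keygen -lf "$PROD_KEY.pub" 2>/dev/null | awk '{print $2}') || return 1
  [ -n "$fp" ] || return 1
  ssh-add -l 2>/dev/null | grep -q -F -- "$fp"
}

main() {
  target="${1:?usage: deploy.sh <dev|uat|prod> [extra ansible-playbook args]}"
  shift
  stdin_kind=notty
  typed=""
  if [ -t 0 ]; then
    stdin_kind=tty
    if [ "$target" = prod ]; then
      printf 'You are running against PRODUCTION. Type "%s" to continue: ' "$CONFIRM_WORD"
      read -r typed
    fi
  fi
  if ! gate "$target" "$stdin_kind" "$typed"; then
    echo "deploy.sh: refusing to run against '$target'" >&2
    return 1
  fi
  if [ "$target" = prod ]; then
    if ! prod_key_loaded; then
      echo "deploy.sh: $PROD_KEY is not in ssh-agent; run: ssh-add $PROD_KEY" >&2
      return 1
    fi
    exec ansible-playbook -i hosts deploy.yml --extra-vars "env=$target" \
      --private-key "$PROD_KEY" "$@"
  fi
  exec ansible-playbook -i hosts deploy.yml --extra-vars "env=$target" "$@"
}

# Run main only when invoked as deploy.sh, so the file can also be sourced to test gate.
case "${0##*/}" in
  deploy.sh) main "$@" ;;
esac
```

`./deploy.sh uat` runs exactly as the original command line did; `./deploy.sh prod --check` prompts for the word, verifies that the prod key is already in the agent (so its passphrase has been entered by someone who knows it), and passes `--check` through. Unlike the pause task, the wrapper refuses outright when stdin is not a terminal, so a Jenkins job pointed at prod by mistake fails instead of depending on a skipped prompt, and because `gate` does no I/O the policy can be sourced and exercised on a machine without Ansible.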