multi-user vault processes

Kesten Broughton

Feb 24, 2014, 11:50:04 AM
to ansible...@googlegroups.com
Hi, 
Thanks for getting vault into trunk!
I have a few questions.

1.  If we have multiple users that need to edit an encrypted vars file, is there any way to avoid distributing a shared key amongst all them?
Is there any kind of LDAP plugin envisioned for the future that would allow --ask-vault-pass to have ACLs without a separate key distribution solution?

2.  Is there a way to separate out the ability to edit a sensitive file vs run a playbook that depends on it?
Let me give a specific use-case example of what we might like to accomplish assuming we have to distribute keys:
a.  A team leader creates a vars file with sensitive info. Only she can edit the file.  
b.  Other team members are given the vault key to add to a secure keys directory or add to the commandline to enable them to run the playbook using the vaulted file.  They cannot use the key to open/edit the sensitive vars file.

3.  Is there/will-there-be any way to handle nested security levels? 
Suppose you had an openstack deployment and wanted a whole team to be able to access that cloud with an openstack_creds.yml file.  But only the sysadmin should be able to run a playbook against a host VM in that cloud.  The restriction of only one key per ansible-playbook command would seem to prevent this:
ansible-playbook -i hosts site.yml --ask-vault-pass key-to-play-in-cloud
ansible-playbook -i hosts site.yml --ask-vault-pass key-to-administer-vm



--

Kesten Broughton
512 701 4209