Initial support for vault in v2

TODO:
* password prompting needs to be implemented, but is being worked on
  as part of the become privilege escalation changes
This commit is contained in:
James Cammarata 2015-03-12 12:14:57 -05:00
commit b1d78a61fc
3 changed files with 78 additions and 43 deletions

View file

@ -224,6 +224,7 @@ class StrategyModule(StrategyBase):
def __repr__(self):
return "%s (%s): %s" % (self._filename, self._args, self._hosts)
# FIXME: this should also be moved to the base class in a method
included_files = []
for res in host_results:
if res._task.action == 'include':
@ -253,6 +254,9 @@ class StrategyModule(StrategyBase):
inc_file.add_host(res._host)
# FIXME: should this be moved into the iterator class? Main downside would be
# that accessing the TQM's callback member would be more difficult, if
# we do want to send callbacks from here
if len(included_files) > 0:
noop_task = Task()
noop_task.action = 'meta'
@ -263,7 +267,14 @@ class StrategyModule(StrategyBase):
for included_file in included_files:
# included hosts get the task list while those excluded get an equal-length
# list of noop tasks, to make sure that they continue running in lock-step
new_tasks = self._load_included_file(included_file)
try:
new_tasks = self._load_included_file(included_file)
except AnsibleError, e:
for host in included_file._hosts:
iterator.mark_host_failed(host)
# FIXME: callback here?
print(e)
noop_tasks = [noop_task for t in new_tasks]
for host in hosts_left:
if host in included_file._hosts:

56
v2/ansible/utils/vault.py Normal file
View file

@ -0,0 +1,56 @@
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import os
import subprocess
from ansible import constants as C
from ansible.errors import AnsibleError
from ansible.utils.path import is_executable
def read_vault_file(vault_password_file):
"""
Read a vault password from a file or if executable, execute the script and
retrieve password from STDOUT
"""
this_path = os.path.realpath(os.path.expanduser(vault_password_file))
if not os.path.exists(this_path):
raise AnsibleError("The vault password file %s was not found" % this_path)
if is_executable(this_path):
try:
# STDERR not captured to make it easier for users to prompt for input in their scripts
p = subprocess.Popen(this_path, stdout=subprocess.PIPE)
except OSError, e:
raise AnsibleError("Problem running vault password script %s (%s). If this is not a script, remove the executable bit from the file." % (' '.join(this_path), e))
stdout, stderr = p.communicate()
vault_pass = stdout.strip('\r\n')
else:
try:
f = open(this_path, "rb")
vault_pass=f.read().strip()
f.close()
except (OSError, IOError), e:
raise AnsibleError("Could not read vault password file %s: %s" % (this_path, e))
return vault_pass