summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAbhijeet Kasurde <akasurde@redhat.com>2019-02-02 17:02:53 +0530
committerRené Moser <mail@renemoser.net>2019-02-02 12:32:53 +0100
commit18ed84b877e48a33fbb9745b34b47f321dd26061 (patch)
tree06bbe7aba8dd3541d408bf9f73f5aa797f598722
parente81287593b856d126e3ea1a0c7dcfed62cdeeac1 (diff)
downloadansible-18ed84b877e48a33fbb9745b34b47f321dd26061.tar.gz
hashi_vault: add support for userpass authentication (#51538)
Added support for username and password authentication in hashi_vault lookup plugin. Fixes: #38878 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
-rw-r--r--changelogs/fragments/38878-hashi_vault-support_userpass.yaml2
-rw-r--r--lib/ansible/plugins/lookup/hashi_vault.py54
2 files changed, 41 insertions, 15 deletions
diff --git a/changelogs/fragments/38878-hashi_vault-support_userpass.yaml b/changelogs/fragments/38878-hashi_vault-support_userpass.yaml
new file mode 100644
index 0000000000..22ec28092e
--- /dev/null
+++ b/changelogs/fragments/38878-hashi_vault-support_userpass.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+- hashi_vault lookup plugin now supports username and password method for the authentication (https://github.com/ansible/ansible/issues/38878).
diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py
index 015fd627f8..b58280cc46 100644
--- a/lib/ansible/plugins/lookup/hashi_vault.py
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@@ -18,45 +18,51 @@ DOCUMENTATION = """
- Due to a current limitation in the HVAC library there won't necessarily be an error if a bad endpoint is specified.
options:
secret:
- description: query you are making
+ description: query you are making.
required: True
token:
- description: vault token
+ description: vault token.
env:
- name: VAULT_TOKEN
url:
- description: url to vault service
+ description: URL to vault service.
env:
- name: VAULT_ADDR
default: 'http://127.0.0.1:8200'
username:
- description: authentication user name
+ description: Authentication user name.
password:
- description: authentication password
+ description: Authentication password.
role_id:
- description: Role id for a vault AppRole auth
+ description: Role id for a vault AppRole auth.
env:
- name: VAULT_ROLE_ID
secret_id:
- description: Secret id for a vault AppRole auth
+ description: Secret id for a vault AppRole auth.
env:
- name: VAULT_SECRET_ID
auth_method:
- description: authentication method used
+ description:
+ - Authentication method to be used.
+ - C(userpass) is added in version 2.8.
env:
- name: VAULT_AUTH_METHOD
+ choices:
+ - userpass
+ - ldap
+ - approle
mount_point:
- description: vault mount point, only required if you have a custom mount point
+ description: vault mount point, only required if you have a custom mount point.
default: ldap
cacert:
- description: path to certificate to use for authentication
+ description: path to certificate to use for authentication.
validate_certs:
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
type: boolean
default: True
namespace:
version_added: "2.8"
- description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+
+ description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+.
default: None
"""
@@ -72,6 +78,10 @@ EXAMPLES = """
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
+- name: Vault that requires authentication via username and password
+ debug:
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
+
- name: Using an ssl vault
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
@@ -120,6 +130,7 @@ class HashiVault:
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
self.namespace = kwargs.get('namespace', None)
+ self.avail_auth_method = ['approle', 'userpass', 'ldap']
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
s = kwargs.get('secret')
@@ -152,7 +163,8 @@ class HashiVault:
# prefixing with auth_ to limit which methods can be accessed
getattr(self, 'auth_' + self.auth_method)(**kwargs)
except AttributeError:
- raise AnsibleError("Authentication method '%s' not supported" % self.auth_method)
+ raise AnsibleError("Authentication method '%s' not supported."
+ " Available options are %r" % (self.auth_method, self.avail_auth_method))
else:
self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
if self.token is None and os.environ.get('HOME'):
@@ -189,16 +201,28 @@ class HashiVault:
return data['data'][self.secret_field]
- def auth_ldap(self, **kwargs):
+ def check_params(self, **kwargs):
username = kwargs.get('username')
if username is None:
- raise AnsibleError("Authentication method ldap requires a username")
+ raise AnsibleError("Authentication method %s requires a username" % self.auth_method)
password = kwargs.get('password')
if password is None:
- raise AnsibleError("Authentication method ldap requires a password")
+ raise AnsibleError("Authentication method %s requires a password" % self.auth_method)
mount_point = kwargs.get('mount_point')
+
+ return username, password, mount_point
+
+ def auth_userpass(self, **kwargs):
+ username, password, mount_point = self.check_params(**kwargs)
+ if mount_point is None:
+ mount_point = 'userpass'
+
+ self.client.auth_userpass(username, password, mount_point)
+
+ def auth_ldap(self, **kwargs):
+ username, password, mount_point = self.check_params(**kwargs)
if mount_point is None:
mount_point = 'ldap'