diff options
| author | Abhijeet Kasurde <akasurde@redhat.com> | 2019-02-02 17:02:53 +0530 |
|---|---|---|
| committer | René Moser <mail@renemoser.net> | 2019-02-02 12:32:53 +0100 |
| commit | 18ed84b877e48a33fbb9745b34b47f321dd26061 (patch) | |
| tree | 06bbe7aba8dd3541d408bf9f73f5aa797f598722 /lib/ansible | |
| parent | e81287593b856d126e3ea1a0c7dcfed62cdeeac1 (diff) | |
| download | ansible-18ed84b877e48a33fbb9745b34b47f321dd26061.tar.gz | |
hashi_vault: add support for userpass authentication (#51538)
Added support for username and password authentication in hashi_vault
lookup plugin.
Fixes: #38878
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Diffstat (limited to 'lib/ansible')
| -rw-r--r-- | lib/ansible/plugins/lookup/hashi_vault.py | 54 |
1 files changed, 39 insertions, 15 deletions
diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py index 015fd627f8..b58280cc46 100644 --- a/lib/ansible/plugins/lookup/hashi_vault.py +++ b/lib/ansible/plugins/lookup/hashi_vault.py @@ -18,45 +18,51 @@ DOCUMENTATION = """ - Due to a current limitation in the HVAC library there won't necessarily be an error if a bad endpoint is specified. options: secret: - description: query you are making + description: query you are making. required: True token: - description: vault token + description: vault token. env: - name: VAULT_TOKEN url: - description: url to vault service + description: URL to vault service. env: - name: VAULT_ADDR default: 'http://127.0.0.1:8200' username: - description: authentication user name + description: Authentication user name. password: - description: authentication password + description: Authentication password. role_id: - description: Role id for a vault AppRole auth + description: Role id for a vault AppRole auth. env: - name: VAULT_ROLE_ID secret_id: - description: Secret id for a vault AppRole auth + description: Secret id for a vault AppRole auth. env: - name: VAULT_SECRET_ID auth_method: - description: authentication method used + description: + - Authentication method to be used. + - C(userpass) is added in version 2.8. env: - name: VAULT_AUTH_METHOD + choices: + - userpass + - ldap + - approle mount_point: - description: vault mount point, only required if you have a custom mount point + description: vault mount point, only required if you have a custom mount point. default: ldap cacert: - description: path to certificate to use for authentication + description: path to certificate to use for authentication. validate_certs: description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones. type: boolean default: True namespace: version_added: "2.8" - description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+ + description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+. default: None """ @@ -72,6 +78,10 @@ EXAMPLES = """ debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}" +- name: Vault that requires authentication via username and password + debug: + msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}" + - name: Using an ssl vault debug: msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}" @@ -120,6 +130,7 @@ class HashiVault: self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR) self.namespace = kwargs.get('namespace', None) + self.avail_auth_method = ['approle', 'userpass', 'ldap'] # split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value' s = kwargs.get('secret') @@ -152,7 +163,8 @@ class HashiVault: # prefixing with auth_ to limit which methods can be accessed getattr(self, 'auth_' + self.auth_method)(**kwargs) except AttributeError: - raise AnsibleError("Authentication method '%s' not supported" % self.auth_method) + raise AnsibleError("Authentication method '%s' not supported." + " Available options are %r" % (self.auth_method, self.avail_auth_method)) else: self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None)) if self.token is None and os.environ.get('HOME'): @@ -189,16 +201,28 @@ class HashiVault: return data['data'][self.secret_field] - def auth_ldap(self, **kwargs): + def check_params(self, **kwargs): username = kwargs.get('username') if username is None: - raise AnsibleError("Authentication method ldap requires a username") + raise AnsibleError("Authentication method %s requires a username" % self.auth_method) password = kwargs.get('password') if password is None: - raise AnsibleError("Authentication method ldap requires a password") + raise AnsibleError("Authentication method %s requires a password" % self.auth_method) mount_point = kwargs.get('mount_point') + + return username, password, mount_point + + def auth_userpass(self, **kwargs): + username, password, mount_point = self.check_params(**kwargs) + if mount_point is None: + mount_point = 'userpass' + + self.client.auth_userpass(username, password, mount_point) + + def auth_ldap(self, **kwargs): + username, password, mount_point = self.check_params(**kwargs) if mount_point is None: mount_point = 'ldap' |