Just a minor process note -- it's often troublesome to have a discussion
about a feature on GitHub because fewer people are there to read a ticket.
I'd much prefer we discuss feature ideas here, for most major things,
since that allows greater discussion, and search is also better.

That all being said, the basics here are that vault is designed to encrypt
and decrypt YAML data files -- which, since Ansible is data driven, is
mostly everything.

By contrast, the password lookup plugin is a clever tool, but it's a hack
and architecturally wrong for this solution, and it was not intended to
keep files in version control.

The "random password per server" approach works on writing little stub
files text here and there and I can see it being possible for, if
--ask-vault-pass was set, and I can see this approach being fiddly. We're
unlikely to want to implement this though, because the random password
generator bits are not designed to keep all the data in one file -- it was
an interesting plugin, but probably not implemented the way you want.

What you'd propose here I think is better served by keeping a file in a
configurable location, like

    {{ lookup("password2", "password.yml", "mysql/" + inventory_hostname) }}

which would store a key "mysql__{{inventory_hostname}}" in a YAML file.
Basically a rearchitected alternative to the password plugin,
where it would write a random password into password.yml under some_key and
then encrypt and decrypt as needed using --ask-vault-pass.

This is going to be out of scope for 1.5, and we're going to want to move
on rather than build this for you, but if someone wants to implement this
to the above suggested spec, I think it would be pretty interesting and
useful.

On Wed, Feb 19, 2014 at 9:58 PM, James Tanner <[email protected]> wrote:
> On 02/19/2014 02:01 PM, giulianob wrote:
>
> Will this work with lookup so if it generates a pass its stored in the
> vault automatically?
>
> (I asked this in the official post but didn't see my comment.)
>
> On Wednesday, February 19, 2014 1:20:34 PM UTC-5, James Tanner wrote:
>>
>> We just merged a new feature called "Ansible Vault" to devel (1.5).
>> Please read through Michael DeHaan's blog post about the tools for basic
>> usage:
>>
>> http://blog.ansibleworks.com/2014/02/19/ansible-vault/
>>
>> Follow the typical bug reporting process for any issues you may find.
>>
>> Other notes:
>>
>> 1) The default encryption cipher is AES, but the framework is
>> "pluggable" to encourage community contribution for other cipher methods.
>>
>> 2) All files used for a single playbook must be encrypted with the same
>> password.
>>
>>
>> Please test away!
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
> There is no integration with lookup plugins at the moment. If you have a
> specific workflow or an example in mind, file a feature request on GitHub
> and we can consider it for later releases.
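
An added sketch of the "password2" behaviour proposed in the message above (not code from Ansible or from anyone in this thread): look up a key in one password file and generate the value on first use. The function names, the decrypt/encrypt hooks standing in for vault, and the flat `key: "value"` file layout are assumptions.

```python
import json
import os
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits


def store_key(term):
    # "mysql/web1" -> "mysql__web1", the key format suggested in the message
    return term.replace("/", "__")


def _load(path, decrypt):
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as fh:
        text = decrypt(fh.read()).decode("utf-8")
    entries = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(": ")
            entries[key] = json.loads(value)  # values are double-quoted scalars
    return entries


def _save(path, entries, encrypt):
    text = "".join(f"{k}: {json.dumps(v)}\n" for k, v in sorted(entries.items()))
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as fh:
        fh.write(encrypt(text.encode("utf-8")))
    os.replace(tmp, path)


def password2(path, term, length=20, decrypt=bytes, encrypt=bytes):
    """Return the stored password for term, generating it on first use.

    decrypt/encrypt are hypothetical hooks standing in for vault; the
    defaults are pass-through and leave the file in plaintext.
    """
    entries = _load(path, decrypt)
    key = store_key(term)
    if key not in entries:
        # secrets draws from the OS CSPRNG, unlike the random module
        entries[key] = "".join(secrets.choice(ALPHABET) for _ in range(length))
        _save(path, entries, encrypt)
    return entries[key]
```

Repeated calls with the same term return the same password, so a playbook re-run does not rotate the credential; only a missing key triggers generation and a rewrite of the file.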