Michael,
That's pretty much exactly what I would want it to do. I currently do my
own poor man's vault by running a bash file which encrypts a folder where
all the lookup passwords are generated to. The vault as is isn't really
useful for me since all my passwords are generated per server. Is this not
a common thing? Would you have a different recommendation for how to manage
passwords in general?
On Thursday, February 20, 2014 8:27:41 AM UTC-5, Michael DeHaan wrote:
>
> Just a minor process note -- It's often troublesome to have a discussion
> about a feature on GitHub because fewer people are there to read a ticket.
> I'd much prefer we discuss feature ideas here, for most major things,
> since that allows greater discussion, and search is also better.
>
> That all being said, the basics here are that vault is designed to encrypt
> and decrypt YAML data files -- of which, since Ansible is data driven, is
> mostly everything.
>
> By contrast, the password lookup plugin is a clever tool, but it's a hack
> and architecturally wrong for this solution, and it was not intended to
> keep files in version control.
>
> The "random password per server" approach works on writing little stub
> files text here and there and I can see it being possible for, if
> --ask-vault-pass was set, and I can see this approach being fiddly. We're
> unlikely to want to implement this though, because the random password
> generator bits are not designed to keep all the data in one file -- it was
> an interesting plugin, but probably not implemented the way you want.
>
> What you'd propose here I think is better served by keeping a file in a
> configurable location, like
>
> {{ lookup("password2", "password.yml", "mysql/" + inventory_hostname) }}
>
> Which would store a key "mysql__{{inventory_hostname}}" in a YAML file.
>
> Basically a rearchitected alternative to the password plugin.
>
> where it would write a random password into password.yml under some_key
> and then encrypt and decrypt as needed using --ask-vault-pass.
>
> This is going to be out of scope for 1.5, and we're going to want to move
> on rather than build this for you, but if someone wants to implement this
> to the above suggested spec, I think it would be pretty interesting and
> useful.
>
> On Wed, Feb 19, 2014 at 9:58 PM, James Tanner <[email protected]> wrote:
>
>> On 02/19/2014 02:01 PM, giulianob wrote:
>>
Will this work with lookup so if it generates a pass it's stored in the
vault automatically?
>>
>> (I asked this in the official post but didn't see my comment.)
>>
>> On Wednesday, February 19, 2014 1:20:34 PM UTC-5, James Tanner wrote:
>>>
>>> We just merged a new feature called "Ansible Vault" to devel (1.5).
>>> Please read through Michael DeHaan's blog post about the tools for basic
>>> usage:
>>>
>>> http://blog.ansibleworks.com/2014/02/19/ansible-vault/
>>>
>>> Follow the typical bug reporting process for any issues you may find.
>>>
>>> Other notes:
>>>
>>> 1) The default encryption cipher is AES, but the framework is
>>> "pluggable" to encourage community contribution for other cipher methods.
>>>
>>> 2) All files used for a single playbook must be encrypted with the
>>> same password.
>>>
>>>
>>> Please test away!
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>> There is no integration with lookup plugins at the moment. If you have a
>> specific workflow or an example in mind, file a feature request on GitHub
>> and we can consider it for later releases.
>>
>
>
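
An added sketch, not code from this thread or from Ansible, of the keyed store proposed in the quoted reply: one flat YAML file holding one generated password per key such as mysql__<hostname>. The function names, the flat quoted layout and the default length are assumptions; encryption is left to running ansible-vault encrypt on the resulting file, since vault has no lookup integration.

```python
import os
import secrets
import string
import tempfile

# Letters and digits only, so stored values never need YAML escaping.
ALPHABET = string.ascii_letters + string.digits


def load_store(path):
    """Read a flat 'key: "value"' YAML mapping; a missing file is an empty store."""
    store = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith(("#", "---")):
                    key, _, value = line.partition(": ")
                    store[key] = value.strip('"')
    return store


def save_store(path, store):
    """Write atomically: a crash never leaves a half-written password file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("---\n")
        for key in sorted(store):
            # Quoted so an all-digit password is still read back as a string.
            fh.write(f'{key}: "{store[key]}"\n')
    os.replace(tmp, path)  # the 0600 mode carries over to the final file


def lookup_password(path, term, length=20):
    """Return the password stored for term, generating it on first use only."""
    key = term.replace("/", "__")  # "mysql/db1" -> "mysql__db1", as in the thread
    store = load_store(path)
    if key not in store:
        # secrets draws from the OS CSPRNG; random.choice is not suitable here.
        store[key] = "".join(secrets.choice(ALPHABET) for _ in range(length))
        save_store(path, store)
    return store[key]
```

The plaintext file exists only between runs of ansible-vault encrypt and decrypt, so it belongs outside version control until it is encrypted.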