On 03/21/14 16:59, Michael DeHaan wrote:
> I'd definitely resent any inference of evil-doing from "The Ansible
> Team" here :)
>
> While I'm open to pull requests to enhancements within reason, we've
> had the discussion a few times already that this could be served
> better by a "password2" style plugin that used the VaultLib classes.
>
> --Michael
>
>
> On Fri, Mar 21, 2014 at 10:41 AM, Petros Moisiadis <[email protected]> wrote:
>
>> On 03/21/14 13:54, [email protected] wrote:
>>> Hi all.
>>>
>>> (reposting because of a silly copy/paste error - sorry about that.)
>>>
>>> Vault was a great addition to Ansible.
>>> Some complained about the lack of leaf encryption.
>>>
>>> I just published a blog post about a few of our practices
>>> involving Ansible, and here is an excerpt about how we easily
>>> work around this limitation. Hope it helps some of you.
>>> (Blog post is here:
>>> http://reinteractive.net/posts/167-ansible-real-life-good-practices)
>>>
>>> Excerpt:
>>>
>>> *Vault Pseudo leaf encryption*
>>>
>>> Very recently, with version 1.5, Ansible introduced Ansible
>>> Vault, a way to encrypt data in the playbook, and decrypt it at
>>> run time. This feature was highly requested, and gives Ansible
>>> its true place among platform management tools.
>>>
>>> The thing is: what we like about Ansible is the readability, and
>>> encryption has a way of making things, well, less readable…
>>> The ansible-vault command will encrypt or decrypt the whole var
>>> file; you cannot encrypt just the value of a variable. The
>>> solution is simple enough: create a second var file, just for the
>>> sensitive data. But this raises another issue: your variables are
>>> now spread over multiple files, and some of them encrypted. This
>>> can get messy. For instance, if you define a dictionary of
>>> variables and only one of them is sensitive, you have to encrypt
>>> the whole dictionary.
>>>
>>> Leaf encryption was (is) a feature request, but in the meantime,
>>> there is an elegant way of keeping it both readable and secure:
>>> nested variables.
>>>
>>> For every sensitive variable, you create a prefixed double that
>>> goes in an encrypted file.
>>>
>>> # var_file
>>> db_password: "{{ vaulted_db_password }}"
>>> # and for a dictionary
>>> aws:
>>>   - "access_key_id='abcdefgh'"
>>>   - "secret_access_key='{{ vaulted_aws_secret_access_key }}'"
>>>
>>> # vault_file
>>> vaulted_db_password: a_super_secret
>>> vaulted_aws_secret_access_key: the_aws_secret
>>>
>>> That way, you can manipulate all your vars like before, knowing
>>> the vaulted version stays encrypted. You can even solve the
>>> problem of having someone responsible for the encrypted file and
>>> the rest of the team never seeing its content but still being
>>> able to manage var files as they need.
>>>
>>> --
>>> You received this message because you are subscribed to the
>>> Google Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it,
>>> send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/2a8a43b6-b358-46a4-9d38-7874efc2fa8c%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>> Well, it will work, but this is still a workaround. You still have
>> to maintain two files and edit them both for a single addition.
>> Also, it becomes more complicated if you have repeated variable
>> names and values. For example, how much complexity do you have to
>> introduce in your separate vault file in order to handle a simple
>> variable file like the following?
>>
>> system_users:
>>   - username: john
>>     password: secret_password_1
>>   - username: alice
>>     password: secret_password_2
>>
>> db_users:
>>   - username: john
>>     password: another_secret_password_1
>>   - username: alice
>>     password: another_secret_password_2
>>
>> Unfortunately, the Ansible team has not (yet) given an answer on
>> whether a command-line option to enable a simple syntax for
>> leaf-node encryption mode would be considered for ansible-vault
>> (keeping the current whole-file encryption mode as the default
>> mode). There was a feature request for this mode and discussion by
>> many people _before_ vault's release and it seems it is still
>> desired by people _after_ vault's release.
I do not understand how this "password2" style plugin would serve leaf-node encryption better. What would be the user interface? Wouldn't it use a binary to spawn the editor after decrypting the file and encrypt the file after saving it, like ansible-vault conveniently does? Could you please give an example of a possible UI to support a workflow like this: create a new variable file, save it doing leaf-node only encryption, push it to Git, check it out later, edit it, commit the changed file back and have a meaningful diff between the two versions?

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/532C5F11.4060103%40yahoo.gr.
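An added example (editor's code, not from anyone in this thread and not Ansible's own code) of what the nested-variable workaround quoted above looks like once applied to the system_users/db_users file asked about, plus the two checks a practitioner would want before committing: that every {{ vaulted_* }} reference in the plaintext file has a matching vault entry and vice versa (a one-sided typo such as "passord" otherwise ships a literal template string as the password), and that the vault file on disk starts with the ansible-vault header rather than plaintext. The two dicts are constructed stand-ins for the parsed YAML files, the vaulted_<list>_<user>_password naming convention is an assumption made for illustration, and the small resolver only imitates Ansible's Jinja2 templating; it is not Ansible's code.

```python
import re

# Matches a Jinja-style reference such as "{{ vaulted_db_password }}".
REF = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed stand-in for the parsed plaintext vars file. Only references
# to vault-side names appear here, never the secrets themselves. The
# vaulted_<list>_<user>_password naming convention is an assumption.
VARS = {
    "db_password": "{{ vaulted_db_password }}",
    "aws": [
        "access_key_id='abcdefgh'",
        "secret_access_key='{{ vaulted_aws_secret_access_key }}'",
    ],
    "system_users": [
        {"username": "john", "password": "{{ vaulted_system_users_john_password }}"},
        {"username": "alice", "password": "{{ vaulted_system_users_alice_password }}"},
    ],
    "db_users": [
        {"username": "john", "password": "{{ vaulted_db_users_john_password }}"},
        {"username": "alice", "password": "{{ vaulted_db_users_alice_password }}"},
    ],
}

# Constructed stand-in for the decrypted vault file.
VAULT = {
    "vaulted_db_password": "a_super_secret",
    "vaulted_aws_secret_access_key": "the_aws_secret",
    "vaulted_system_users_john_password": "secret_password_1",
    "vaulted_system_users_alice_password": "secret_password_2",
    "vaulted_db_users_john_password": "another_secret_password_1",
    "vaulted_db_users_alice_password": "another_secret_password_2",
}


def resolve(value, vault):
    """Recursively substitute {{ name }} references with vault values.

    Dicts and lists are walked; strings get every reference replaced.
    An unknown name raises KeyError so a missing vault entry fails loudly
    instead of deploying a literal "{{ ... }}" as a password.
    """
    if isinstance(value, dict):
        return {k: resolve(v, vault) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, vault) for v in value]
    if isinstance(value, str):
        return REF.sub(lambda m: vault[m.group(1)], value)
    return value


def referenced_names(value):
    """Return every {{ name }} referenced anywhere in a nested structure."""
    names = set()
    if isinstance(value, dict):
        for v in value.values():
            names |= referenced_names(v)
    elif isinstance(value, list):
        for v in value:
            names |= referenced_names(v)
    elif isinstance(value, str):
        names.update(REF.findall(value))
    return names


def check_pairing(plain_vars, vault):
    """Cross-check the two files: references with no vault entry, and
    vault entries that nothing references (both usually mean a typo)."""
    refs = referenced_names(plain_vars)
    return {
        "missing": sorted(refs - set(vault)),
        "unused": sorted(set(vault) - refs),
    }


def is_vault_encrypted(file_text):
    """True if the text carries the header ansible-vault writes on
    encrypted files, i.e. the vault file was encrypted before commit."""
    return file_text.startswith("$ANSIBLE_VAULT;")


if __name__ == "__main__":
    print(check_pairing(VARS, VAULT))
    print(resolve(VARS, VAULT)["db_users"])
    print(is_vault_encrypted("vaulted_db_password: a_super_secret\n"))
```

The pairing check is the piece worth running as a pre-commit hook next to the header check: the workaround only stays secure while the plaintext file holds nothing but references, and the two files drift apart silently because ansible-vault edits one of them at a time.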
