I thought about this myself. One of the nice things with constrained endpoints (which is one of the things you can do with the "configuration" option is that the connection account doesn't have to be the same as the execution account on the server, which (imho) is an avenue that could potentially be worth exploring. That said, I have no idea how winrm implements configurations so it probably takes a bit of research.
On Thursday, April 6, 2017 at 8:43:27 PM UTC+2, Matt Davis wrote: > > Sorry, it's on the *2.4* roadmap to explore. > > On Thursday, April 6, 2017 at 11:42:59 AM UTC-7, Matt Davis wrote: >> >> Yeah, this is along the lines of "constrained sudo" on the Linux side. We >> haven't spent any time working on this yet, but it's on the 2.3 roadmap to >> explore. I won't say it's impossible to make it work with a constrained >> configuration, but as you've alluded, it's very difficult, and at least in >> the Linux case, you have to give so many privileges (eg, launching >> arbitrary processes) that the "jail" is very escapable anyway. The way we >> do things on Windows, I suspect the same will be true. Switching out the >> underlying WinRM protocol to PSRP is actually the easy part. >> >> I've thought through a couple of ways that we *might* be able to make >> this work, but they'd require a lot of infrastructure that's currently >> missing, so I wouldn't count on it for at least the next couple of >> releases... >> >> -Matt >> >> >> On Thursday, April 6, 2017 at 8:27:40 AM UTC-7, Vincent Desjardins wrote: >>> >>> Hi Jordan, >>> >>> This is a custom configuration created by one of our Windows admin to >>> control what Ansible could do on the server. Personally I have some doubts >>> about the maintainability and the usefulness of managing these >>> configurations since the purpose of Ansible is to configure the server... >>> Ansible needs to have Admin right to do anything meaningful in my opinion. >>> >>> Do you know if an upgrade to the protocol implementation in Ansible is >>> on the roadmap? >>> >>> Thanks, >>> Vincent >>> >>> On Wednesday, April 5, 2017 at 10:03:12 PM UTC-4, Jordan Borean wrote: >>>> >>>> Hi Vincent >>>> >>>> I don't believe this is possible right now as Ansible uses an older >>>> protocol than Enter-PSSession. What is the configuration that you need to >>>> use, potentially it can be covered with different arugments. >>>> >>>> Thanks >>>> >>>> Jordan >>>> >>>> On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent Desjardins >>>> wrote: >>>>> >>>>> Hi, >>>>> >>>>> I wrote a small powershell module for Ansible. My Windows Admin wants >>>>> me to use a specific configuration when connecting to the server for >>>>> security. So I would like to know if Ansible can be configured to have a >>>>> session initialized like this: >>>>> >>>>> Enter-PSSession -ComputerName myhostname -ConfigurationName Ansible >>>>> >>>>> I did some digging and found nothing. >>>>> >>>>> Thanks! >>>>> Vincent >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f32190db-2021-4ad2-8c09-c370b4305c4e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
