未检测到 group_vars 中的 Ansible 保险库密码 [英] Ansible vault password in group_vars not detected

问题描述

我正在尝试使用 ansible-vault 来保护单个 Windows 登录密码.我不想将 hte 密码作为纯文本放置在我的 windows.yml 文件中(见下文)，因此我尝试使用 ansible-vault 来保护/加密此密码.

I am trying to use ansible-vault to secure a single Windows login password. I do not want to place hte password as plain text in my windows.yml file (see below) and so I am trying to use ansible-vault to secure/encrypt this password.

我有这个目录结构:

myansiblehome
- windows_manage
  - group_vars
    - windows.yml
    - vault
  - hosts
  - win_playbook.yml

我的问题是关于文件 vault.我试图将 Windows 登录密码作为加密变量放置在这里，根据 this教程.变量名称是 ansible_password 并且这个想法是我应该在 vault 文件中有一个哈希值，而不是文本中的实际密码.

My question is about the file vault. I am trying to place a Windows login password here as an encrypted variable, as per this tutorial. The variable name is ansible_password and the idea is that I should have a hash in the vault file and not the actual password in text.

我的 windows.yml 文件如下所示(遵循 这里):

My windows.yml file looks like this (following the guidance here):

ansible_user: administrator
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

现在，要创建 vault 文件，我的步骤如下:

Now, to create the vault file, here are my steps:

cd windows_manage
ansible-vault create group_vars/vault

然后这里是我放入vault文件的所有内容:

Then here are all the contents that I place into the vault file:

---
vault_ansible_password: mypassword

当我使用 ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass 运行此文件时，出现此错误(问题 A):

When I run this file with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass, I get this error (problem A):

The field 'password' has an invalid value, which includes an
undefined variable. The error was: 'vault_ansible_password' is 
undefined\nexception type: <...>\nexception: 'vault_ansible_password' is 
undefined.

因此，我尝试生成哈希而不是使用文本.我这样做了:

So, I tried to generate a hash instead of using text. I did this:

mkpasswd --method=SHA-512
# copy the resulting hash to the clipboard
ansible-vault create group_vars/vault

我用这个哈希替换了文本 mypassword.我将哈希粘贴到 vi 编辑器中并保存了 vault 文件.再次，我使用 ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass 运行剧本.这次我遇到了不同的错误(问题 B):

I replaced the text mypassword by this hash. I pasted the hash in the vi editor and saved the vault file. Again, I ran the playbook with ansible-playbook -i ./hosts win_playbook.yml --ask-vault-pass. This time I got a different error (problem B):

fatal: [...]: UNREACHABLE! => ..."ssl: the specified
credentials were rejected by the server", "unreachable": true}

为了克服这个，我必须做两件事:

To overcome this, I have to do 2 things:

1. 解决问题A.:在win_playbook.yml中，我需要添加vars_files: group_vars\vault，有点类似于this StackOverflow 帖子.
2. 要解决问题 B.:我必须用文本中的实际密码 (mypassword) 替换 vault 中的哈希值.

1. To resolve problem A.: in win_playbook.yml, I need to add vars_files: group_vars\vault, somewhat similar to this StackOverflow post.
2. To resolve problem B.: I have to replace the hash in vault with the actual password in text (mypassword).

问题:

1. 关于 A:在我遇到的 ansible Vault 教程中，我没有看到为什么 vars_file: group_vars\vars 应该出现在主剧本文件中的特殊原因(请参阅下面的链接 1-4)).任何地方都没有提到这一点.我以为 Ansible 会自动检测 group_vars 目录中的变量???需要这条线有什么原因吗?

1. Regarding A: In the tutorials I have come across for ansible vault, I do not see a particular reason why vars_file: group_vars\vars should be present in the main playbook file (see links 1-4 below).i.e. there is no mention of this anywhere. I thought Ansible would auto-detect the variables in the group_vars directory??? Is there a reason why this line is required?

1. https://serversforhackers.com/c/ansible-using-vault
2. https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
   • 这些家伙使用group_vars/vars(类似于我的group_vars/vars 的未加密变量文件)和group_vars/vault(类似于我的group_vars/vault 的加密变量文件到我的 group_vars/vault) 但他们使用了一个角色而我没有使用 Ansible 角色

1. https://serversforhackers.com/c/ansible-using-vault
2. https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data-on-ubuntu-16-04
   • these guys use group_vars/vars (unencrypted variable file similar to my group_vars/vars) and group_vars/vault (encrypted variable file similar to my group_vars/vault) but they are using a role while I am not using an Ansible role

关于 B:它看起来像其他用户(见 此处 使用哈希作为其变量).实际上，即使是 Ansible 文档也建议 使用 mkpasswd 来生成密码.也许我误解了一些东西.我们不应该使用 mkpasswd --method=SHA-512 来散列密码，然后将散列作为变量值吗?是否不能使用散列作为 vault 文件中 key:value 的值?

Regarding B: It looks like other users (see here are using hashes as their variables). Actually, even the Ansible docs suggest to use mkpasswd to generate passwords. Maybe I am misunderstanding something. Should we not use mkpasswd --method=SHA-512 to hash the password and then place the hash as the variable value? Is it not possible to use a hash as the value in key:value in the vault file?

推荐答案

group_vars 依赖于文件/目录名——它应该对应特定的组名.

group_vars rely on file/directory name – it should correspond to specific group name.

如果 windows.yml 应用于名为 windows 的组，但 vault 将应用于名为 vault 的组.

In you case windows.yml is applied to group named windows, but vault would have been applied to group named vault.

为了解决您的问题，创建名为 windows 的目录并将您的文件放在那里(windows 目录下的每个文件都将应用于 windows 中的主机> 按字母顺序分组):

To overcome your issue, create directory named windows and place your files there (every file under windows directory will be applied to hosts in windows group in alphabetical order):

myansiblehome
\ windows_manage
  \ group_vars
    \ windows
      \ windows.yml
      - vault

这篇关于未检测到 group_vars 中的 Ansible 保险库密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！