ansible inline vault #13287
Comments
this is not a duplicate, since the other guy wants to get this implemented by filters and my intention is that this is handled by the ansible yaml parser itself, please reopen!
i doubt that will happen as the performance penalty of examining every possible value for vault content will slow down Ansible considerably.
therefore the initial idea was to scan only the first letters and check for a special content like @vault@
yes, that is what will be prohibitive for most users, only those with tiny inventories and few variables would not notice a huge delay. We have been doing a lot of performance optimization prior to the 2.0 release, most speedups came from avoiding copying and examining the variables as much as we did.
hmm ok. but to check this statement: do you really think another loop on VariableManager.get_vars for replacing variable content is expensive too? (in comparison to copying on combine_vars). just scrolled the source code and it seems that it would work
try it out, but look at the commit history and you'll see we removed lots of code that scanned and/or copied the variables. What you see now should be the minimal needed for ansible's functionality and it is still slower than what we would want when large inventories are involved
i've been thinking about this more, a much more efficient way to do this would be to use a YAML type handler instead of parsing the values.
would just require that we create a function that handles vaulted strings and register it with the module parser as the one to handle the
this seems to be pretty easy, wrote example implementation (not tested):
I wrote an ansible filter that does exactly what you want: Have fun :)
@ahes i do not want to include a separate encryption library, i want to use it with ansible capabilities |
http://jpmens.net/2014/02/22/my-thoughts-on-ansible-s-vault/ describes something that decrypts to a string. Would an inline vault need to support decrypting to a more complex object (map, list, etc)? If an inline vault needed additional info (like an identifier for which key to use), would it be acceptable if that was in a wrapper mapping? Or 'args' to a !vault object?
the first one is the intended one. inline vault should not need to decrypt to a complex object, but it should support decrypting to a yaml multiline string. the intention is to hide the parts that should be secure only. what do you mean by "wrapper mapping"? i do not have any preference at all
Not a particular thing, just a vague idea that the key id may need to be defined outside of the vault blob. One thought was something like a map with the (map) keys being 'key_id' and 'vault_blob', but I didn't really think that through ;-> Current version of my branch should be fine with multiline strings.
One advantage of keeping the decrypted value simple and deserializing to something string-like is it makes it easier to wait until the last possible moment to decrypt (as opposed to attempting to decrypt while parsing). That could potentially be as late as remote node module execution[1]... [1] assuming shared secrets or some pki support in ansible-vault...
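The two ideas above (a YAML type handler for a vault tag instead of scanning every value, and keeping the parsed value opaque so decryption can be deferred to the point of use) as one added example. This is not code from the ansible project or from anyone in this thread: it is a plain PyYAML constructor for a hypothetical `!vault` tag that accepts either a scalar (including a multiline literal block) or a small mapping with `vault_id` and `blob` keys, as floated in the comments. The cipher is deliberately abstracted away; base64 stands in for real ciphertext so the example runs offline, and the `VaultedValue`, `VaultLoader`, `load_vars` and `resolve` names are all assumptions of this example.

```python
"""Added example (not ansible code): a PyYAML type handler for a hypothetical
`!vault` tag that keeps ciphertext opaque at parse time and decrypts on use."""
import base64
from typing import Any, Callable, Dict

import yaml

VAULT_TAG = "!vault"  # hypothetical tag name, as floated in the thread


class VaultedValue:
    """Opaque holder for an encrypted scalar parsed from YAML.

    Nothing is decrypted while parsing, so copying or merging the variable
    tree never touches plaintext; decryption happens at the point of use.
    """

    def __init__(self, blob: str, vault_id: str = "default") -> None:
        self.blob = blob.strip()   # literal block scalars keep a trailing newline
        self.vault_id = vault_id   # which secret should decrypt this blob

    def decrypt(self, decryptors: Dict[str, Callable[[str], str]]) -> str:
        """Decrypt with the routine registered for this value's vault id."""
        if self.vault_id not in decryptors:
            raise KeyError(f"no secret loaded for vault id {self.vault_id!r}")
        return decryptors[self.vault_id](self.blob)

    def __repr__(self) -> str:
        # Keep both the blob and any plaintext out of logs and tracebacks.
        return f"VaultedValue(vault_id={self.vault_id!r}, blob_len={len(self.blob)})"


def _construct_vault(loader: yaml.SafeLoader, node: yaml.Node) -> VaultedValue:
    """Handle `!vault <scalar>` and `!vault {vault_id: ..., blob: ...}` nodes."""
    if isinstance(node, yaml.ScalarNode):
        return VaultedValue(loader.construct_scalar(node))
    if isinstance(node, yaml.MappingNode):
        fields = loader.construct_mapping(node)
        return VaultedValue(str(fields["blob"]), str(fields.get("vault_id", "default")))
    raise yaml.constructor.ConstructorError(
        None, None, f"{VAULT_TAG} expects a scalar or a mapping", node.start_mark)


class VaultLoader(yaml.SafeLoader):
    """SafeLoader subclass so the global SafeLoader is left untouched."""


VaultLoader.add_constructor(VAULT_TAG, _construct_vault)


def load_vars(text: str) -> Any:
    """Parse a vars file; vaulted entries come back as VaultedValue objects."""
    return yaml.load(text, Loader=VaultLoader)


def resolve(obj: Any, decryptors: Dict[str, Callable[[str], str]]) -> Any:
    """Walk the parsed tree and decrypt VaultedValues as late as possible."""
    if isinstance(obj, VaultedValue):
        return obj.decrypt(decryptors)
    if isinstance(obj, dict):
        return {k: resolve(v, decryptors) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, decryptors) for v in obj]
    return obj


# --- constructed demo input; base64 is a stand-in for real ciphertext -------
def _fake_blob(plaintext: str) -> str:
    return base64.b64encode(plaintext.encode()).decode()


def _fake_decrypt(blob: str) -> str:
    return base64.b64decode(blob).decode()


SAMPLE_VARS = f"""\
db:
  host: db.example.internal
  password: !vault |
    {_fake_blob("correct-horse-battery")}
  api_key: !vault
    vault_id: prod
    blob: {_fake_blob("secret-api-key")}
"""

# Two vault ids, each routed to its own decrypt routine (same stand-in here).
DEMO_DECRYPTORS = {"default": _fake_decrypt, "prod": _fake_decrypt}


def demo() -> Dict[str, Any]:
    parsed = load_vars(SAMPLE_VARS)
    assert isinstance(parsed["db"]["password"], VaultedValue)  # still opaque
    return resolve(parsed, DEMO_DECRYPTORS)


if __name__ == "__main__":
    print(load_vars(SAMPLE_VARS))  # reprs expose no blob or plaintext
    print(demo())
```

Because the constructor returns a wrapper rather than a string, a value that was never referenced is never decrypted, and a missing vault id surfaces as a `KeyError` at resolve time instead of silently yielding ciphertext.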
Just as a note because i stumbled over this PR. the linked bug report is really about having a method to disable PBKDF2 with 10000 rounds for key material with already known high entropy and is no exact match to this discussion, but also discusses the principle problem in ansible vault.
closing as implemented in #16274, released in 2.3 usable as |
Sometimes you want to define a complex variable dictionary and do not want to create a separate vault file for passwords. It would be cool for history purposes to use a plain yml file for variable definition and inline vault variable content like the following. This feature is described by @jpmens on http://jpmens.net/2014/02/22/my-thoughts-on-ansible-s-vault/