Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hashi_vault: allow mount_point for approle auth #46352

Closed
wants to merge 1 commit into from
Closed

hashi_vault: allow mount_point for approle auth #46352

wants to merge 1 commit into from
+10 −4

Conversation

bbayszczak
Copy link

@bbayszczak bbayszczak commented Oct 1, 2018
edited

SUMMARY

mount_point parameter is not used when using approle authentication

Default values are removed ('ldap' for LDAP, 'AppRole' for approle) because there
is already default values in hvac library

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

hashi_vault

ANSIBLE VERSION
ansible 2.5.10
  config file = /Users/bbayszczak/Documents/git/proctool/ansible/ansible.cfg
  configured module search path = [u'/Users/bbayszczak/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/bbayszczak/.pyenv/versions/2.7.14/envs/ansible_venv/lib/python2.7/site-packages/ansible
  executable location = /Users/bbayszczak/.pyenv/versions/ansible_venv/bin/ansible
  python version = 2.7.14 (default, Apr 17 2018, 13:45:08) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.1)]
ADDITIONAL INFORMATION

Lookup request

"{{ lookup('hashi_vault', 'secret=path/to/secret:key auth_method=approle mount_point={{ vault_access.mount_point }} role_id={{ vault_access.role_id }} secret_id={{ vault_access.secret_id }} url={{ vault_access.url }}')}}"

Before

An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'hvac.exceptions.InternalServerError'>, original message: failed to validate credentials: invalid role_id

After

Secret correctly returned

hashi_vault: allow mount_point for approle auth
cc4dfd1 
As already made for LDAP, this will allow to specify a mount point
for approle authentication.
Default values for mount points ('ldap' for LDAP, 'AppRole' for approle)
are already default values in hvac library
@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. new_contributor This PR is the first contribution by a new community member. support:community This issue/PR relates to code supported by the Ansible community. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Oct 1, 2018
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Oct 1, 2018
@ansibot ansibot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Oct 1, 2018
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Oct 9, 2018
@ansibot ansibot added the community_review In order to be merged, this PR must follow the community review workflow. label Oct 25, 2018
maxamillion
maxamillion reviewed Nov 2, 2018
View reviewed changes
lib/ansible/plugins/lookup/hashi_vault.py

self.client.auth_ldap(username, password, mount_point)
if not mount_point:
self.client.auth_ldap(username, password)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this going to alter the default behavior of the module or is the mount_point = 'ldap' inferred by client.auth_ldap ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default mount_point will stay ldap.
This module is using hvac as library and ldap is the default mount point if not specified:

            DEFAULT_MOUNT_POINT = 'ldap'
...
            def login(self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT):

https://github.com/hvac/hvac/blob/5b42620ddac5474574eb98437d2645dade1824c1/hvac/api/auth_methods/ldap.py#L8
https://github.com/hvac/hvac/blob/5b42620ddac5474574eb98437d2645dade1824c1/hvac/api/auth_methods/ldap.py#L355

@maxamillion
Copy link
Contributor

@bbayszczak this looks good, would you mind adding something to the integration testing to exercise the new functionality?

resmo
resmo approved these changes Jan 31, 2019
View reviewed changes
Copy link
Contributor

@resmo resmo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shipit

@maxamillion
Copy link
Contributor

needs_info

@ansibot ansibot added needs_info This issue requires further information. Please answer any outstanding questions. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Jan 31, 2019
@ansibot ansibot added needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Feb 8, 2019
@ansibot
Copy link
Contributor

ansibot commented Feb 24, 2019

cc @defionscode
click here for bot help

@ansibot
Copy link
Contributor

ansibot commented Mar 4, 2019

@bbayszczak This pullrequest is waiting for your response. Please respond or the pullrequest will be closed.

click here for bot help

@Akasurde
Copy link
Member

@bbayszczak Could you please rebase this branch and let me know ? Thanks.

@ansibot
Copy link
Contributor

ansibot commented Apr 4, 2019

@bbayszczak You have not responded to information requests in this pullrequest so we will assume it no longer affects you. If you are still interested in this, please create a new pullrequest with the requested information.

click here for bot help

@ansibot ansibot closed this Apr 4, 2019
@ansible ansible locked and limited conversation to collaborators Jul 25, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@maxamillion maxamillion maxamillion left review comments

@resmo resmo resmo approved these changes

Assignees
No one assigned
Labels
affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. needs_info This issue requires further information. Please answer any outstanding questions. needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. new_contributor This PR is the first contribution by a new community member. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. support:community This issue/PR relates to code supported by the Ansible community.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@bbayszczak @maxamillion @ansibot @Akasurde @resmo @bcoca