New module: cyberark_credential #52190

Open
wants to merge 22 commits into
base: devel
from

7 participants

JimmyJamCABD commented Feb 13, 2019

cyberark_credential

Module to retrieve privileged credential from CyberArk Vault using Web Services SDK through Central Credential Provider.

Requirements

  • CyberArk Privileged Account Security Web Services SDK.
  • CyberArk AIM Central Credential Provider

Role Variables

cyberark.modules

Provided Modules

  • cyberark_credential: Module for CyberArk credential retrieval using CyberArk Central Credential Provider.

Example Playbook

NOTE: These playbooks are examples of retrieving credentials with CCP using a client cert and assume that you have implemented SSL authentication for your CCP server. For more information on this capability, reference the Configure Client Authentication with client certificates section of the Central Credential Provider Implementation Guide.

  1. Example playbook showing the use of cyberark_credential module for retrieving a least privileged credential using a client certificate.
---
- hosts: all

  roles:
    - role: cyberark.modules

  tasks:

    - cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        validate_certs: no
        client_cert: "/home/user/certs/cert.cer"
        client_key: "/home/user/certs/priv.key"
        app_id: "app_ansible"
        query: "safe=Linux Root Accounts;folder=root;UserName=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost

    - name: set response to fact named cyberark_secret
      set_fact:
        cyberark_secret: "{{ cyberark_response.result.Content }}"
      no_log: true
  2. Example playbook showing the use of cyberark_credential module for retrieving a least privileged SSH Key using a client certificate and setting it as the ssh credential for Ansible to SSH to the hosts.
---
- hosts: all
  connection: local
  gather_facts: false

  tasks:

    - name: Cyberark Credential retrieval
      include_role:
        name: cyberark.modules

    - name: Fetch password from Cyberark Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        validate_certs: no
        client_cert: "/home/user/certs/cert.cer"
        client_key: "/home/user/certs/priv.key"
        app_id: "app_ansible"
        query: "safe=Linux Root Accounts;folder=root;UserName=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      no_log: true

    - name: Set response to fact named cyberark_secret
      set_fact:
        cyberark_secret: "{{ cyberark_response.result.Content }}"
      no_log: true


- hosts: all
  connection: local
  gather_facts: false
  vars:
    ansible_ssh_pass: "{{ cyberark_secret }}"
  3. Example playbook showing the use of cyberark_credential module to retrieve a least privilege SSH Key using a client certificate, connecting to host, then retrieving an elevated credential from the hosts to elevate the session on the host, adhering to the Best Practice model.
---

- hosts: all
  connection: local
  gather_facts: true

  roles:
    - role: cyberark.modules

  tasks:

    - name: Fetch SSH Key content from CyberArk Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        validate_certs: no
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        query: "safe=SSH Private Keys;folder=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      no_log: true

    - name: tempfile module to define file variable
      tempfile:
        state: file
        suffix: key
      register: temp_key
      no_log: true

    - name: writing key contents to a temp file
      copy:
        dest: "{{ temp_key.path }}"
        content: "{{ cyberark_response.result.Content }}"
      delegate_to: localhost
      changed_when: false
      no_log: true

- hosts: all
  gather_facts: true
  vars:
    ansible_ssh_user: "{{ cyberark_response.result.UserName }}"
    ansible_ssh_private_key_file: "{{ temp_key.path }}"

  tasks:

    - name: Fetch root credential for sudo privilege escalation
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        app_id: "sudo_privilege"
        validate_certs: no
        query: "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}"
        reason: "testing escalation in shell module"
      register: sudo_cred
      no_log: false

    - name: Setting the become variable
      set_fact:
        become_user: "{{ sudo_cred.result.UserName }}"
        ansible_become_pass: "{{ sudo_cred.result.Content }}"
      no_log: false

    - name: Switch User to root
      become: true
      become_method: su
      shell: whoami
      changed_when: false

License

MIT

Author Information

JimmyJamCABD added some commits Aug 16, 2018
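
An added example, not part of the pull request or the module's code: a small audit over already-parsed playbook tasks that flags credential-handling tasks which leave `no_log` off or disable `validate_certs`, following the registered result into `set_fact`. The sample tasks are constructed to mirror the second play of the third playbook in the description above; `audit_tasks`, `harden` and the taint rule are assumptions made for this example.

```python
import copy
import re

# Modules whose registered result carries a secret (result.Content on this page).
SECRET_SOURCES = {"cyberark_credential"}
# Task-level keywords that are not module names (subset sufficient for this sample).
TASK_KEYWORDS = {"name", "register", "no_log", "delegate_to", "changed_when",
                 "become", "become_method", "vars", "when"}
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_]\w*)")
NO_LOG = "secret handled without no_log: true"
TLS = "validate_certs disabled on credential fetch"


def _truthy(value):
    """Interpret Ansible-style booleans (real bools or yes/no strings)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"yes", "true", "on", "1"}


def _module_of(task):
    """Return (module_name, args): the first key that is not a task keyword."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key, value if isinstance(value, dict) else {"_raw": value}
    return None, {}


def _referenced_vars(args):
    """Top-level variable names used inside {{ ... }} in the module args."""
    found = set()
    for value in args.values():
        if isinstance(value, str):
            found.update(JINJA_VAR.findall(value))
    return found


def audit_tasks(tasks):
    """Return (task_index, task_label, problem) tuples for one play's tasks."""
    tainted = set()   # registered results and facts that hold a secret
    findings = []
    for index, task in enumerate(tasks):
        module, args = _module_of(task)
        label = task.get("name", module)
        is_source = module in SECRET_SOURCES
        uses_secret = bool(_referenced_vars(args) & tainted)
        if is_source and "validate_certs" in args and not _truthy(args["validate_certs"]):
            findings.append((index, label, TLS))
        if (is_source or uses_secret) and not _truthy(task.get("no_log", False)):
            findings.append((index, label, NO_LOG))
        if is_source and "register" in task:
            tainted.add(task["register"])
        if module == "set_fact" and uses_secret:
            # Coarse rule: any fact built from a tainted result is tainted too.
            for fact, value in args.items():
                if isinstance(value, str) and set(JINJA_VAR.findall(value)) & tainted:
                    tainted.add(fact)
    return findings


def harden(tasks):
    """Return a corrected copy; the input list is left untouched."""
    fixed = copy.deepcopy(tasks)
    for index, _label, problem in audit_tasks(tasks):
        if problem == NO_LOG:
            fixed[index]["no_log"] = True
        elif problem == TLS:
            # Assumes the CCP server certificate chains to a CA the controller trusts.
            module, _args = _module_of(fixed[index])
            fixed[index][module]["validate_certs"] = True
    return fixed


# Constructed sample: the tasks as a YAML loader would return them
# (YAML `no` and `false` both load as Python False).
SAMPLE_TASKS = [
    {"name": "Fetch root credential for sudo privilege escalation",
     "cyberark_credential": {
         "api_base_url": "https://components.cyberark.local",
         "app_id": "sudo_privilege",
         "validate_certs": False,
         "query": "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}",
         "reason": "testing escalation in shell module"},
     "register": "sudo_cred",
     "no_log": False},
    {"name": "Setting the become variable",
     "set_fact": {
         "become_user": "{{ sudo_cred.result.UserName }}",
         "ansible_become_pass": "{{ sudo_cred.result.Content }}"},
     "no_log": False},
    {"name": "Switch User to root", "become": True, "become_method": "su",
     "shell": "whoami", "changed_when": False},
]

if __name__ == "__main__":
    for index, label, problem in audit_tasks(SAMPLE_TASKS):
        print("task %d (%s): %s" % (index, label, problem))
    print("after harden():", audit_tasks(harden(SAMPLE_TASKS)))
```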

This comment has been minimized.

Contributor

ansibot commented Feb 13, 2019

This comment was marked as resolved.

Contributor

ansibot commented Feb 13, 2019

The test ansible-test sanity --test pylint [explain] failed with 4 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:172:0: trailing-whitespace Trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:179:0: trailing-whitespace Trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:180:37: singleton-comparison Comparison to None should be 'expr is not None'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:258:0: trailing-newlines Trailing newlines

The test ansible-test sanity --test ansible-doc --python 2.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 2.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.5 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test docs-build [explain] failed with the error:

Command "/usr/bin/python test/sanity/code-smell/docs-build.py" returned exit status 1.
>>> Standard Error
Command 'make singlehtmldocs' failed with status code: 2
--> Standard Output
cat _themes/srtd/static/css/theme.css | sed -e 's/^[ 	]*//g; s/[ 	]*$//g; s/\([:{;,]\) /\1/g; s/ {/{/g; s/\/\*.*\*\///g; /^$/d' | sed -e :a -e '$!N; s/\n\(.\)/\1/; ta' > _themes/srtd/static/css/theme.min.css
PYTHONPATH=../../lib ../bin/dump_config.py --template-file=../templates/config.rst.j2 --output-dir=rst/reference_appendices/ -d ../../lib/ansible/config/base.yml
mkdir -p rst/cli
PYTHONPATH=../../lib ../bin/generate_man.py --template-file=../templates/cli_rst.j2 --output-dir=rst/cli/ --output-format rst ../../lib/ansible/cli/*.py
PYTHONPATH=../../lib ../bin/dump_keywords.py --template-dir=../templates --output-dir=rst/reference_appendices/ -d ./keyword_desc.yml
PYTHONPATH=../../lib ../bin/plugin_formatter.py -t rst --template-dir=../templates --module-dir=../../lib/ansible/modules -o rst/modules/ 
Evaluating module files...
Makefile:93: recipe for target 'modules' failed
--> Standard Error
Traceback (most recent call last):
  File "../bin/plugin_formatter.py", line 774, in <module>
    main()
  File "../bin/plugin_formatter.py", line 729, in main
    plugin_info, categories = get_plugin_info(options.module_dir, limit_to=options.limit_to, verbose=(options.verbosity > 0))
  File "../bin/plugin_formatter.py", line 294, in get_plugin_info
    doc, examples, returndocs, metadata = plugin_docs.get_docstring(module_path, fragment_loader, verbose=verbose)
  File "/root/ansible/lib/ansible/utils/plugin_docs.py", line 103, in get_docstring
    data = read_docstring(filename, verbose=verbose, ignore_errors=ignore_errors)
  File "/root/ansible/lib/ansible/parsing/plugin_docs.py", line 59, in read_docstring
    data[varkey] = AnsibleLoader(child.value.s, file_name=filename).get_single_data()
  File "/usr/local/lib/python3.6/dist-packages/yaml/constructor.py", line 35, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 439, in parse_block_mapping_key
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "<unicode string>", line 39, column 9:
            description:
            ^
expected <block end>, but found '<block sequence start>'
  in "<unicode string>", line 41, column 13:
                - A string containing the file l ... 
                ^
make: *** [modules] Error 1

The test ansible-test sanity --test pep8 [explain] failed with 35 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:15:138: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:19:95: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:35:12: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:54:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:54:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:55:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:56:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:56:3: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:57:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:58:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:58:2: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:59:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:78:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:78:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:79:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:80:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:81:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:83:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:83:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:84:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:76: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:112:83: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:116:87: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:120:77: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:128:73: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:132:70: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:136:71: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:145:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:145:1: W191 indentation contains tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:156:1: E101 indentation contains mixed spaces and tabs
lib/ansible/modules/identity/cyberark/cyberark_credential.py:172:1: W293 blank line contains whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:179:1: W293 blank line contains whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:180:62: E711 comparison to None should be 'if cond is not None:'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:228:1: E302 expected 2 blank lines, found 1
lib/ansible/modules/identity/cyberark/cyberark_credential.py:258:1: W391 blank line at end of file

The test ansible-test sanity --test validate-modules [explain] failed with 8 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec ('present') for "state" does not match the documentation (None)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec (True) for "validate_certs" does not match the documentation (False)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E325 argument_spec for "validate_certs" defines type="bool" but documentation does not
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E326 Value for "choices" from the argument_spec (['present']) for "state" does not match the documentation ([])
lib/ansible/modules/identity/cyberark/cyberark_credential.py:52:13: E302 DOCUMENTATION is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:72:22: E311 EXAMPLES is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:13: E313 RETURN is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:257:0: E109 Next to last line should be: if __name__ == "__main__":

The test ansible-test sanity --test yamllint [explain] failed with 3 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:52:13: error DOCUMENTATION: syntax error: expected <block end>, but found '<block sequence start>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:72:22: error EXAMPLES: syntax error: expected <block end>, but found '<scalar>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'

click here for bot help

This comment was marked as resolved.

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test ansible-doc --python 2.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 2.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.5 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test docs-build [explain] failed with the error:

Command "/usr/bin/python test/sanity/code-smell/docs-build.py" returned exit status 1.
>>> Standard Error
Command 'make singlehtmldocs' failed with status code: 2
--> Standard Output
cat _themes/srtd/static/css/theme.css | sed -e 's/^[ 	]*//g; s/[ 	]*$//g; s/\([:{;,]\) /\1/g; s/ {/{/g; s/\/\*.*\*\///g; /^$/d' | sed -e :a -e '$!N; s/\n\(.\)/\1/; ta' > _themes/srtd/static/css/theme.min.css
PYTHONPATH=../../lib ../bin/dump_config.py --template-file=../templates/config.rst.j2 --output-dir=rst/reference_appendices/ -d ../../lib/ansible/config/base.yml
mkdir -p rst/cli
PYTHONPATH=../../lib ../bin/generate_man.py --template-file=../templates/cli_rst.j2 --output-dir=rst/cli/ --output-format rst ../../lib/ansible/cli/*.py
PYTHONPATH=../../lib ../bin/dump_keywords.py --template-dir=../templates --output-dir=rst/reference_appendices/ -d ./keyword_desc.yml
PYTHONPATH=../../lib ../bin/plugin_formatter.py -t rst --template-dir=../templates --module-dir=../../lib/ansible/modules -o rst/modules/ 
Evaluating module files...
Makefile:93: recipe for target 'modules' failed
--> Standard Error
Traceback (most recent call last):
  File "../bin/plugin_formatter.py", line 774, in <module>
    main()
  File "../bin/plugin_formatter.py", line 729, in main
    plugin_info, categories = get_plugin_info(options.module_dir, limit_to=options.limit_to, verbose=(options.verbosity > 0))
  File "../bin/plugin_formatter.py", line 294, in get_plugin_info
    doc, examples, returndocs, metadata = plugin_docs.get_docstring(module_path, fragment_loader, verbose=verbose)
  File "/root/ansible/lib/ansible/utils/plugin_docs.py", line 103, in get_docstring
    data = read_docstring(filename, verbose=verbose, ignore_errors=ignore_errors)
  File "/root/ansible/lib/ansible/parsing/plugin_docs.py", line 59, in read_docstring
    data[varkey] = AnsibleLoader(child.value.s, file_name=filename).get_single_data()
  File "/usr/local/lib/python3.6/dist-packages/yaml/constructor.py", line 35, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 439, in parse_block_mapping_key
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "<unicode string>", line 39, column 9:
            description:
            ^
expected <block end>, but found '<block sequence start>'
  in "<unicode string>", line 41, column 13:
                - A string containing the file l ... 
                ^
make: *** [modules] Error 1

The test ansible-test sanity --test pep8 [explain] failed with 11 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:15:138: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:19:95: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:35:12: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:76: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:112:83: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:116:87: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:120:77: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:128:73: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:132:70: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:136:71: W291 trailing whitespace
lib/ansible/modules/identity/cyberark/cyberark_credential.py:228:1: E302 expected 2 blank lines, found 1

The test ansible-test sanity --test validate-modules [explain] failed with 7 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec ('present') for "state" does not match the documentation (None)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec (True) for "validate_certs" does not match the documentation (False)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E325 argument_spec for "validate_certs" defines type="bool" but documentation does not
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E326 Value for "choices" from the argument_spec (['present']) for "state" does not match the documentation ([])
lib/ansible/modules/identity/cyberark/cyberark_credential.py:52:13: E302 DOCUMENTATION is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:72:22: E311 EXAMPLES is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:13: E313 RETURN is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 5 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:52:13: error DOCUMENTATION: syntax error: expected <block end>, but found '<block sequence start>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:58:9: key-duplicates DOCUMENTATION: duplication of key "description" in mapping
lib/ansible/modules/identity/cyberark/cyberark_credential.py:59:9: key-duplicates DOCUMENTATION: duplication of key "required" in mapping
lib/ansible/modules/identity/cyberark/cyberark_credential.py:72:22: error EXAMPLES: syntax error: expected <block end>, but found '<scalar>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:96:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'

click here for bot help

This comment was marked as outdated.

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test ansible-doc --python 2.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 2.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.5 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.6 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test ansible-doc --python 3.7 [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: has a documentation error formatting or is missing documentation.

The test ansible-test sanity --test docs-build [explain] failed with the error:

Command "/usr/bin/python test/sanity/code-smell/docs-build.py" returned exit status 1.
>>> Standard Error
Command 'make singlehtmldocs' failed with status code: 2
--> Standard Output
cat _themes/srtd/static/css/theme.css | sed -e 's/^[ 	]*//g; s/[ 	]*$//g; s/\([:{;,]\) /\1/g; s/ {/{/g; s/\/\*.*\*\///g; /^$/d' | sed -e :a -e '$!N; s/\n\(.\)/\1/; ta' > _themes/srtd/static/css/theme.min.css
PYTHONPATH=../../lib ../bin/dump_config.py --template-file=../templates/config.rst.j2 --output-dir=rst/reference_appendices/ -d ../../lib/ansible/config/base.yml
mkdir -p rst/cli
PYTHONPATH=../../lib ../bin/generate_man.py --template-file=../templates/cli_rst.j2 --output-dir=rst/cli/ --output-format rst ../../lib/ansible/cli/*.py
PYTHONPATH=../../lib ../bin/dump_keywords.py --template-dir=../templates --output-dir=rst/reference_appendices/ -d ./keyword_desc.yml
PYTHONPATH=../../lib ../bin/plugin_formatter.py -t rst --template-dir=../templates --module-dir=../../lib/ansible/modules -o rst/modules/ 
Evaluating module files...
Makefile:93: recipe for target 'modules' failed
--> Standard Error
Traceback (most recent call last):
  File "../bin/plugin_formatter.py", line 774, in <module>
    main()
  File "../bin/plugin_formatter.py", line 729, in main
    plugin_info, categories = get_plugin_info(options.module_dir, limit_to=options.limit_to, verbose=(options.verbosity > 0))
  File "../bin/plugin_formatter.py", line 294, in get_plugin_info
    doc, examples, returndocs, metadata = plugin_docs.get_docstring(module_path, fragment_loader, verbose=verbose)
  File "/root/ansible/lib/ansible/utils/plugin_docs.py", line 103, in get_docstring
    data = read_docstring(filename, verbose=verbose, ignore_errors=ignore_errors)
  File "/root/ansible/lib/ansible/parsing/plugin_docs.py", line 59, in read_docstring
    data[varkey] = AnsibleLoader(child.value.s, file_name=filename).get_single_data()
  File "/usr/local/lib/python3.6/dist-packages/yaml/constructor.py", line 35, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.6/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.6/dist-packages/yaml/parser.py", line 439, in parse_block_mapping_key
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "<unicode string>", line 38, column 9:
            description:
            ^
expected <block end>, but found '<block sequence start>'
  in "<unicode string>", line 40, column 13:
                - A string containing the file l ... 
                ^
make: *** [modules] Error 1

The test ansible-test sanity --test yamllint [explain] failed with 5 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:51:13: error DOCUMENTATION: syntax error: expected <block end>, but found '<block sequence start>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:57:9: key-duplicates DOCUMENTATION: duplication of key "description" in mapping
lib/ansible/modules/identity/cyberark/cyberark_credential.py:58:9: key-duplicates DOCUMENTATION: duplication of key "required" in mapping
lib/ansible/modules/identity/cyberark/cyberark_credential.py:71:22: error EXAMPLES: syntax error: expected <block end>, but found '<scalar>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'

The test ansible-test sanity --test validate-modules [explain] failed with 7 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec ('present') for "state" does not match the documentation (None)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E324 Value for "default" from the argument_spec (True) for "validate_certs" does not match the documentation (False)
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E325 argument_spec for "validate_certs" defines type="bool" but documentation does not
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E326 Value for "choices" from the argument_spec (['present']) for "state" does not match the documentation ([])
lib/ansible/modules/identity/cyberark/cyberark_credential.py:51:13: E302 DOCUMENTATION is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:71:22: E311 EXAMPLES is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: E313 RETURN is not valid YAML

click here for bot help

ansibot removed the ci_verified label Feb 14, 2019

This comment was marked as resolved.

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 4 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E305 DOCUMENTATION.author: Invalid author for dictionary value @ data['author']. Got 'Edward Nunez @ CyberArk BizDev (@enunez-cyberark, @cyberark-bizdev, @erasmix)'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E307 version_added should be '2.8'. Currently 2.4
lib/ansible/modules/identity/cyberark/cyberark_credential.py:74:22: E311 EXAMPLES is not valid YAML
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: E313 RETURN is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 2 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:74:22: error EXAMPLES: syntax error: expected <block end>, but found '<scalar>'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'


@ansibot ansibot added the ci_verified label Feb 14, 2019

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E305 DOCUMENTATION.author: Invalid author for dictionary value @ data['author']. Got 'Edward Nunez @ CyberArk BizDev(@enunez-cyberark, @cyberark-bizdev, @erasmix)'
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: E313 RETURN is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:0:0: E305 DOCUMENTATION.author: Invalid author for dictionary value @ data['author']. Got "Edward Nunez @ CyberArk BizDev('@enunez-cyberark, @cyberark-bizdev, @erasmix, @jammyjamcabd')"
lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: E313 RETURN is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:95:13: error RETURN: syntax error: expected ',' or '}', but got '<scalar>'


@ansibot ansibot removed the ci_verified label Feb 14, 2019

Contributor

ansibot commented Feb 14, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:99:18: E313 RETURN is not valid YAML

The test ansible-test sanity --test yamllint [explain] failed with 1 error:

lib/ansible/modules/identity/cyberark/cyberark_credential.py:99:18: error RETURN: syntax error: mapping values are not allowed here


@ansibot ansibot added the ci_verified label Feb 14, 2019

@ansibot ansibot removed the ci_verified label Feb 14, 2019

Contributor

ansibot commented Feb 14, 2019

@cyberark-bizdev @enunez-cyberark @erasmix

As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add shipit if you would like to see it merged.


@ansibot ansibot added the stale_ci label Feb 25, 2019

@gundalow gundalow changed the title ReadMe.md New module: cyberark_credential Feb 26, 2019

Contributor

gundalow commented Feb 26, 2019

Contributor

cyberark-bizdev commented Feb 26, 2019

@gundalow this has a different mechanism which allows for the execution to happen on the target systems as you said. The lookup function is still there, but it has to be executed from the master, which doesn't allow enforcing more security from the targets themselves.

Author

JimmyJamCABD commented Feb 26, 2019

The module you reference is an agent-based credential lookup, and it was found not to cooperate with the RBAC workflow and did not adhere to the Best Practice model. With the cyberarkpassword module, the retrieval agent is on Tower and it is the only entity retrieving credentials.

With the most recent module the retrieval of the credentials can be pushed out to the hosts and this adheres to Best Practice and creates a more accurate chain of custody.

To answer #1, we don't want to combine them, but we also think there is value in having it as an option if someone wanted to use that workflow.

Contributor

gundalow commented Feb 26, 2019

@cyberark-bizdev @JimmyJamCABD Thank you for the detailed response.

Maybe after this is merged we could update the existing docs for the lookup plugin to mention this new module so people.

Author

JimmyJamCABD commented Feb 26, 2019

We completely agree, this is a great suggestion. We would definitely need to identify the different workflows in the existing module.

lib/ansible/modules/identity/cyberark/cyberark_credential.py
api_base_url: "{{ web_services_base_url }}"
app_id: "{{ application_id }}"
query: "Safe=test&UserName=admin"
register: cyberarkcredential

gundalow Feb 26, 2019

Contributor

Indentation doesn't look right here.

JimmyJamCABD Feb 26, 2019

Author

I'll be honest, I am not completely sure that it is or isn't, but it mirrors my playbooks from the Gist where I ran them. If there is something I am missing, please let me know.

app_id: "{{ application_id }}"
query: "Safe=test&UserName=admin"
reason: "requesting credential for Ansible deployment"
register: cyberarkcredential
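
Review bot: the example task ends at `register: cyberarkcredential` with no `no_log: true` in the lines shown, so the registered result, which carries the retrieved credential, can end up in task output and logs. Suggest adding `no_log: true` to the example task so that users who copy it do not expose the secret.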

gundalow Feb 26, 2019

Contributor

indentation doesn't look right here

JimmyJamCABD Feb 26, 2019

Author

Same with this one.

Account Security Web Services SDK by requesting access to a specific object through an Application ID
It returns an Ansible fact called I(cyberarkcredential) as a JSON message with object information
that can be used by other modules. Every module can use this fact as C(cyberarkcredential) parameter.
options:
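
Review bot: the description line "It returns an Ansible fact called I(cyberarkcredential)" does not match the examples in this review, which capture the result with `register: cyberarkcredential`; a registered variable is not a fact. Suggest either rewording the description to say the result is returned for use with `register`, or returning it under `ansible_facts` so the text holds.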

gundalow Feb 26, 2019

Contributor

We are working on improving module documentation, please include type: str, int, bool for the options.

lib/ansible/modules/identity/cyberark/cyberark_credential.py
required: False
description:
- Reason for requesting credential if required by policy.
state:

gundalow Feb 26, 2019

Contributor

Will there be other states in the future?

JimmyJamCABD Feb 26, 2019

Author

For this particular module the state will always be present, there is no workflow for absent.

tima Mar 4, 2019

Contributor

Why have a state option at all then if there is only one value allowed?

JimmyJamCABD Mar 4, 2019

Author

I had originally left it off and I want to say that during lint testing it was added back. I think it was conflicting with either documentation or another setting. I would prefer to leave it off.

gundalow and others added some commits Feb 26, 2019

Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>
Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>

@ansibot ansibot removed the stale_ci label Feb 26, 2019

gundalow and others added some commits Feb 26, 2019

Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>
Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>
Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>
Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>
Update lib/ansible/modules/identity/cyberark/cyberark_credential.py
Co-Authored-By: JimmyJamCABD <42448656+JimmyJamCABD@users.noreply.github.com>

Author

JimmyJamCABD commented Feb 26, 2019

@gundalow, thank you VERY much for your input!! Please let me know if there is anything else you see that needs to be addressed.

Contributor

gundalow commented Mar 4, 2019

Thanks for the updates
I wonder if this should be a _fact module since

  1. It only returns, doesn't set
  2. It requires you to use it alongside set_fact to do anything with it

If so, I don't think it would take much to make this into a _fact module


JohnLieske commented Mar 7, 2019

Could we get a bit of clarity about the use of delegate_to: localhost in the examples?

@ansibot ansibot added the stale_ci label Mar 7, 2019

Author

JimmyJamCABD commented Mar 7, 2019

The delegation to localhost is meant to be for the SSH key and storage to a temp file. I am going to modify the second retrieval to correct the workflow to reflect a retrieval from the host.
