hashi_vault: add support for userpass authentication (#51538)

Added support for username and password authentication in hashi_vault
lookup plugin.

Fixes: #38878

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
pull/50373/head
Abhijeet Kasurde 6 years ago committed by René Moser
parent e81287593b
commit 18ed84b877

@ -0,0 +1,2 @@
minor_changes:
- hashi_vault lookup plugin now supports username and password method for the authentication (https://github.com/ansible/ansible/issues/38878).

@ -18,45 +18,51 @@ DOCUMENTATION = """
- Due to a current limitation in the HVAC library there won't necessarily be an error if a bad endpoint is specified.
options:
secret:
description: query you are making
description: query you are making.
required: True
token:
description: vault token
description: vault token.
env:
- name: VAULT_TOKEN
url:
description: url to vault service
description: URL to vault service.
env:
- name: VAULT_ADDR
default: 'http://127.0.0.1:8200'
username:
description: authentication user name
description: Authentication user name.
password:
description: authentication password
description: Authentication password.
role_id:
description: Role id for a vault AppRole auth
description: Role id for a vault AppRole auth.
env:
- name: VAULT_ROLE_ID
secret_id:
description: Secret id for a vault AppRole auth
description: Secret id for a vault AppRole auth.
env:
- name: VAULT_SECRET_ID
auth_method:
description: authentication method used
description:
- Authentication method to be used.
- C(userpass) is added in version 2.8.
env:
- name: VAULT_AUTH_METHOD
choices:
- userpass
- ldap
- approle
mount_point:
description: vault mount point, only required if you have a custom mount point
description: vault mount point, only required if you have a custom mount point.
default: ldap
cacert:
description: path to certificate to use for authentication
description: path to certificate to use for authentication.
validate_certs:
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
type: boolean
default: True
namespace:
version_added: "2.8"
description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+
description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+.
default: None
"""
@ -72,6 +78,10 @@ EXAMPLES = """
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
- name: Vault that requires authentication via username and password
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=userpass username=myuser password=mypas url=http://myvault:8200')}}"
- name: Using an ssl vault
debug:
msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
@ -120,6 +130,7 @@ class HashiVault:
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
self.namespace = kwargs.get('namespace', None)
self.avail_auth_method = ['approle', 'userpass', 'ldap']
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
s = kwargs.get('secret')
@ -152,7 +163,8 @@ class HashiVault:
# prefixing with auth_ to limit which methods can be accessed
getattr(self, 'auth_' + self.auth_method)(**kwargs)
except AttributeError:
raise AnsibleError("Authentication method '%s' not supported" % self.auth_method)
raise AnsibleError("Authentication method '%s' not supported."
" Available options are %r" % (self.auth_method, self.avail_auth_method))
else:
self.token = kwargs.get('token', os.environ.get('VAULT_TOKEN', None))
if self.token is None and os.environ.get('HOME'):
@ -189,16 +201,28 @@ class HashiVault:
return data['data'][self.secret_field]
def auth_ldap(self, **kwargs):
def check_params(self, **kwargs):
username = kwargs.get('username')
if username is None:
raise AnsibleError("Authentication method ldap requires a username")
raise AnsibleError("Authentication method %s requires a username" % self.auth_method)
password = kwargs.get('password')
if password is None:
raise AnsibleError("Authentication method ldap requires a password")
raise AnsibleError("Authentication method %s requires a password" % self.auth_method)
mount_point = kwargs.get('mount_point')
return username, password, mount_point
def auth_userpass(self, **kwargs):
username, password, mount_point = self.check_params(**kwargs)
if mount_point is None:
mount_point = 'userpass'
self.client.auth_userpass(username, password, mount_point)
def auth_ldap(self, **kwargs):
username, password, mount_point = self.check_params(**kwargs)
if mount_point is None:
mount_point = 'ldap'

Loading…
Cancel
Save