From feed68f6f0d74a9665901644220c53e58a3d7d35 Mon Sep 17 00:00:00 2001 From: Jordan Borean Date: Fri, 16 Jul 2021 05:27:29 +1000 Subject: [PATCH] winrm - Add explicit env vars to pass into kinit (#75256) * winrm - Add explicit env vars to pass into kinit * Add ini entry and don't override existing env vars --- changelogs/fragments/winrm-kinit-env.yml | 2 ++ lib/ansible/plugins/connection/winrm.py | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 changelogs/fragments/winrm-kinit-env.yml diff --git a/changelogs/fragments/winrm-kinit-env.yml b/changelogs/fragments/winrm-kinit-env.yml new file mode 100644 index 00000000000..5b42d41985a --- /dev/null +++ b/changelogs/fragments/winrm-kinit-env.yml @@ -0,0 +1,2 @@ +minor_changes: +- winrm - Allow explicit environment variables to be passed through to the ``kinit`` call for Kerberos authentication diff --git a/lib/ansible/plugins/connection/winrm.py b/lib/ansible/plugins/connection/winrm.py index 82bada26fcb..b8d73536614 100644 --- a/lib/ansible/plugins/connection/winrm.py +++ b/lib/ansible/plugins/connection/winrm.py @@ -92,6 +92,21 @@ DOCUMENTATION = """ vars: - name: ansible_winrm_kinit_args version_added: '2.11' + kinit_env_vars: + description: + - A list of environment variables to pass through to C(kinit) when getting the Kerberos authentication ticket. + - By default no environment variables are passed through and C(kinit) is run with a blank slate. + - The environment variable C(KRB5CCNAME) cannot be specified here as it's used to store the temp Kerberos + ticket used by WinRM. + type: list + elements: str + default: [] + ini: + - section: winrm + key: kinit_env_vars + vars: + - name: ansible_winrm_kinit_env_vars + version_added: '2.12' kerberos_mode: description: - kerberos usage mode. @@ -306,6 +321,12 @@ class Connection(ConnectionBase): os.environ["KRB5CCNAME"] = krb5ccname krb5env = dict(KRB5CCNAME=krb5ccname) + # Add any explicit environment vars into the krb5env block + kinit_env_vars = self.get_option('kinit_env_vars') + for var in kinit_env_vars: + if var not in krb5env and var in os.environ: + krb5env[var] = os.environ[var] + # Stores various flags to call with kinit, these could be explicit args set by 'ansible_winrm_kinit_args' OR # '-f' if kerberos delegation is requested (ansible_winrm_kerberos_delegation). kinit_cmdline = [self._kinit_cmd]