Hi,

Thanks for getting vault (http://blog.ansibleworks.com/2014/01/15/ssh-connection-upgrades-coming-in-ansible-1-5/) into trunk! I have a few questions.

1. If we have multiple users that need to edit an encrypted vars file, is there any way to avoid distributing a shared key amongst all of them? Is there any kind of LDAP plugin envisioned for the future that would allow --ask-vault-pass to have ACLs without a separate key distribution solution?

2. Is there a way to separate out the ability to edit a sensitive file vs. run a playbook that depends on it? Let me give a specific use-case example of what we might like to accomplish, assuming we have to distribute keys:

   a. A team leader creates a vars file with sensitive info. Only she can edit the file.
   b. Other team members are given the vault key to add to a secure keys directory or add to the command line to enable them to run the playbook using the vaulted file. They cannot use the key to open/edit the sensitive vars file.

3. Is there/will there be any way to handle nested security levels? Suppose you had an OpenStack deployment and wanted a whole team to be able to access that cloud with an openstack_creds.yml file. But only the sysadmin should be able to run a playbook against a host VM in that cloud. The restriction of only one key per ansible-playbook command would seem to prevent this:

   ansible-playbook -i hosts site.yml --ask-vault-pass key-to-play-in-cloud
   ansible-playbook -i hosts site.yml --ask-vault-pass key-to-administer-vm

--
Kesten Broughton
512 701 4209
