On 03/21/14 16:59, Michael DeHaan wrote: > I'd definitely resent any inference of evil-doing from "The Ansible > Team" here :) > > While I'm open to pull requests to enhancements within reason, we've > had the discussion a few times already that this could be served > better by a "password2" style plugin that used the VaultLib classes. > > --Michael > > > On Fri, Mar 21, 2014 at 10:41 AM, Petros Moisiadis <ernes...@yahoo.gr > <mailto:ernes...@yahoo.gr>> wrote: > > On 03/21/14 13:54, ralov...@gmail.com <mailto:ralov...@gmail.com> > wrote: >> Hi all. >> >> (reposting because of a silly copy/paste error - sorry about that.) >> >> Vault was a great addition to Ansible. >> Some complained about the lack of leaf encryption. >> >> I just published a blog post about a few of our practices >> involving Ansible, >> and here is an excerpt about how we easily work around this >> limitation. >> Hope it helps some of you. >> (Blog post is >> here: >> http://reinteractive.net/posts/167-ansible-real-life-good-practices) >> >> Excerpt: >> >> >> *Vault Pseudo leaf encryption* >> >> Very recently, with version 1.5, Ansible introduced Ansible >> Vault, a way to encrypt data in the playbook, and decrypt it at >> run time. This feature was highly requested, and >> gives Ansible its true place among platform management tools. >> >> The thing is: what we like about Ansible is the readability, and >> encryption has a way of making things, well, less readable… >> |ansible-vault| command will encrypt or decrypt the whole var >> file, you can not encrypt just the value of a variable. The >> solution is simple enough: create a second var file, just for the >> sensitive data. But this raises another issue: your variables are >> now spread over multiple files, and some of them encrypted. This >> can get messy. For instance, if you define a dictionary of >> variables and only one of them is sensitive, you have to encrypt >> the whole dictionary. >> >> Leaf encryption was (is) a feature request, but in the meantime, >> there is an elegant way of keeping it both readable and secure: >> nested variables. >> >> For every sensitive variable, you create a prefixed double that >> goes in an encrypted file. >> >> # var_file >> db_password: {{ vaulted_db_passord }} >> # and for a dctionnary >> aws: >> - "access_key_id='abcdefgh'" >> - "secret_access_key='{{ vaulted_aws_secret_access_key }}'" >> >> >> >> # vault_file >> vaulted_db_passord: a_super_secret >> vaulted_aws_secret_access_key: the_aws_secret >> >> That way, you can manipulate all your vars like before, knowing >> the vaulted version stays encrypted. You can even solve the >> problem of having someone responsible for the encrypted file and >> the rest of the team never seeing its content but still being >> able to manage var files as they need. >> >> -- >> You received this message because you are subscribed to the >> Google Groups "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, >> send an email to ansible-project+unsubscr...@googlegroups.com >> <mailto:ansible-project+unsubscr...@googlegroups.com>. >> To post to this group, send email to >> ansible-project@googlegroups.com >> <mailto:ansible-project@googlegroups.com>. >> To view this discussion on the web visit >> >> https://groups.google.com/d/msgid/ansible-project/2a8a43b6-b358-46a4-9d38-7874efc2fa8c%40googlegroups.com >> >> <https://groups.google.com/d/msgid/ansible-project/2a8a43b6-b358-46a4-9d38-7874efc2fa8c%40googlegroups.com?utm_medium=email&utm_source=footer>. >> For more options, visit https://groups.google.com/d/optout. > > Well, it will work, but this is still a workaround. You still have > to maintain two files and edit them both for a single addition. > Also, it becomes more complicated if you have repeated variable > names and values. For example, how much complexity you have to > introduce in your separate vault file in order to handle a simple > variable file like the following ? > > |system_users:|| > || - username: john|| > || password: secret_||password_1 > - username: alice > password: secret_password_2 > > db_users: > - username: john > password: another_secret_password_1 > - username: alice > password: another_secret_password_2 > | > > Unfortunately, the Ansible team has not (yet) given an answer on > whether a command-line option to enable a simple syntax for > leaf-node encryption mode would be considered for ansible-vault > (keeping the current whole-file encryption mode as the default > mode). There was a feature request for this mode and discussion by > many people _before_ vault's release and it seems it is still > desired by people _after_ vault's release. > -- > You received this message because you are subscribed to the Google > Groups "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, > send an email to ansible-project+unsubscr...@googlegroups.com > <mailto:ansible-project+unsubscr...@googlegroups.com>. > To post to this group, send email to > ansible-project@googlegroups.com > <mailto:ansible-project@googlegroups.com>. > To view this discussion on the web visit > > https://groups.google.com/d/msgid/ansible-project/532C4F9E.6030303%40yahoo.gr > > <https://groups.google.com/d/msgid/ansible-project/532C4F9E.6030303%40yahoo.gr?utm_medium=email&utm_source=footer>. > > > For more options, visit https://groups.google.com/d/optout. > > > -- > You received this message because you are subscribed to the Google > Groups "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to ansible-project+unsubscr...@googlegroups.com > <mailto:ansible-project+unsubscr...@googlegroups.com>. > To post to this group, send email to ansible-project@googlegroups.com > <mailto:ansible-project@googlegroups.com>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/CAEVJ8QONjy_P7ZeMAJWiZAa-RFR7HSBDRJoVRwmX4t5H%3DKZ86g%40mail.gmail.com > <https://groups.google.com/d/msgid/ansible-project/CAEVJ8QONjy_P7ZeMAJWiZAa-RFR7HSBDRJoVRwmX4t5H%3DKZ86g%40mail.gmail.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout.
I do not understand how this "password2" style plugin would serve leaf-node encryption better. What would be the user interface? Wouldn't it use a binary to spawn the editor after decrypting the file and encrypt the file after saving it, like ansible-vault conveniently does? Could you please give an example of a possible UI to support a workflow like this: create a new variable file, save it doing leaf-node only encryption, push it to GIT, check it out later, edit it, commit the changed file back and have a meaningful diff between the two versions? -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/532C5F11.4060103%40yahoo.gr. For more options, visit https://groups.google.com/d/optout.
