On Saturday, February 20, 2016 at 8:45:17 AM UTC-8, Matt Martz wrote:
>
> Can't you just do?
>
> repo=http://username:[email protected]/git/reponame
>
>
>
As I said in my original post, that causes problems downstream, including 
breakage if the password changes, as well as password disclosure to anyone 
who has access to the same part of the file system on the box.

And that's just the problems I've discovered so far.

Eric.
 

> On Thu, Feb 18, 2016 at 1:25 PM, eric via Ansible Project <
> [email protected]> wrote:
>
>> I'm using Ansible to clone / update a Git repository that I'm accessing 
>> via HTTP, using username & password. Except that the "git" task really 
>> doesn't help me.
>>
>> I can't put those credentials in the URL, because they then end up 
>> stashed in the config of the git repository. That causes problems 
>> downstream, including disclosure of the password to anyone else who has 
>> access to the box, and if the password changes, failures in the Ansible 
>> script.
>>
>> One work-around I came up with was the following:
>>
>> # set up the Git credential cache...
>> - name: Set up credential cache
>>   command: git config --global credential.helper cache
>>
>> # shove credentials into it...
>> - name: Fetch git repositories
>>   shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username }}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git ]; then (cd reponame.git && git pull); else git clone http://{{ username }}@git.example.com/git/reponame reponame.git ; fi
>>
>> This works, but doesn't take care of various corner cases that the Ansible 
>> "git" task does take care of. Also potentially puts the password in the log 
>> file. Next approximation is to write the input to git credential approve to 
>> a file, using the "template" task, but that leaves behind a file I have to 
>> delete. So at that point, rather than using credential "cache", use the 
>> "store".
>>
>>
>> So I ended up with this:
>>
>>
>> - name: Install temp file with personal git credentials
>>   template: src="git_creds.txt.j2" dest="{{ ansible_env.HOME }}/git_creds.txt" mode=0600
>>
>> - name: Approve credentials for Git.
>>   command: /bin/bash -c "git config --global credential.helper store; cat git_creds.txt | git credential approve"
>>
>> - name: Fetch Git repository
>>   git: dest={{ ansible_env.HOME }}/reponame repo=http://git.example.com/git/reponame
>>
>> - name: remove stored creds
>>   command: /bin/bash -c "cat git_creds.txt | git credential reject ; rm git_creds.txt"
>>
>>
>> This has a bad failure mode, though - if the script fails, then the 
>> credentials get left behind on the box.
>>
>> Is there any better way to do this?!?!
>>
>> Should I file a bug to have the "git" task take username and password, 
>> and perform the steps that I'm going through above, but then also able to 
>> do the cleanup if the Git command fails? Or should the "git" task be able 
>> to push the password on stdin?
>>
>> Thanks for any help!
>>
>> Eric.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/b086e2fc-0978-43e7-ba4f-bc154b428e88%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Matt Martz
> @sivel
> sivel.net
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/764532ec-87e1-4b2c-b78c-e2817e31c3b6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
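
The failure mode raised in the thread (credentials left on the box when a step fails) can be closed in shell with a private per-run credential store and an exit trap. This is an added example, not code from the thread or from Ansible; `with_git_creds`, `cred_record`, `GIT_USER` and `GIT_PASS` are hypothetical names, and it swaps the global `credential.helper store` setting for a `store --file=` helper passed with `-c`.

```shell
#!/bin/sh
# Added example, not code from the thread. with_git_creds, cred_record,
# GIT_USER and GIT_PASS are hypothetical names chosen for this sketch.

# Print the key=value record that `git credential approve` reads on stdin.
# printf is a shell builtin, so the password never appears in any argv.
cred_record() {
    printf 'protocol=%s\nhost=%s\nusername=%s\npassword=%s\n\n' \
        "$1" "$2" "$GIT_USER" "$GIT_PASS"
}

# Usage: with_git_creds PROTOCOL HOST GIT-SUBCOMMAND [ARGS...]
# Runs one git subcommand with the credentials available, then removes them
# whether the subcommand succeeded, failed, or was interrupted.
with_git_creds() {
    proto=$1
    host=$2
    shift 2
    (
        umask 077
        # Private per-run store instead of the user's ~/.git-credentials.
        store=$(mktemp "${TMPDIR:-/tmp}/gitcred.XXXXXX") || exit 1
        trap 'rm -f "$store"' EXIT          # fires on success and on failure
        trap 'exit 130' HUP INT TERM        # route signals through the EXIT trap

        # The empty first value clears helpers inherited from other config, so
        # the secret is written to the private store only. Passing the helper
        # with -c leaves ~/.gitconfig and the clone's .git/config untouched.
        g() {
            git -c credential.helper= \
                -c credential.helper="store --file=$store" "$@"
        }

        cred_record "$proto" "$host" | g credential approve || exit 1
        g "$@"      # the subshell's exit status is this command's status
    )
}

# Example call (URL taken from the thread):
#   GIT_USER=... GIT_PASS=... \
#   with_git_creds http git.example.com clone http://git.example.com/git/reponame reponame
```

From Ansible, a `shell` task would supply `GIT_USER` and `GIT_PASS` through `environment:` with `no_log: true` set, so the values stay out of the task output.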