Good evening everyone,

I'm looking for an automated way to create user accounts with random
passwords and to reuse them for the `ansible_sudo_pass` variable.
Is there an official position on how to accomplish this?

My current solution broke after an update from Ansible 1.9 to Ansible 2,
and I struggle to make it work under Ansible 2.
For more details, let me explain my solution and how it breaks with Ansible
2.

I create a new user and store its password with this task:

    ---
    # The password lookup stores the generated password in the given file
    - name: Create user
      user: name=deployer group=deployer password={{item}} state=present
      with_password: "./passwords/my-server/users/deployer encrypt=sha256_crypt"

In a different playbook I use the previously created user and its password like
this:

    ---
    - hosts: all
      remote_user: deployer
      vars:
        # Same password file as above, read without the encrypt parameter
        - ansible_sudo_pass: "{{ lookup('password', './passwords/my-server/users/deployer') }}"

Creating the user creates the `./passwords/my-server/users/deployer` file
containing the password and a salt. The salt comes from the `encrypted`
parameter, which in turn is needed by the `user` module because it requires an
encrypted password. Without this parameter you will set the user's password to
an unknown one.

Unlike the `user` module, Ansible expects the `ansible_sudo_pass` variable
to be in plaintext. Therefore we use the lookup method without an encrypted
parameter. With Ansible 1.9 this resulted in a password file where the salt
part was removed. (I assume this was not intended, but for my use case it was
not a problem.)
Nonetheless, this procedure worked with Ansible 1.9.

After updating to Ansible 2, my server provisioning process started to fail due
to a wrong sudo password. The first thing I noticed was that the lookup
function no longer removed the salt part of the password file. Secondly, it
seems that, compared to 1.9, it now reads the entire file instead of only the
password. This in turn means the `ansible_sudo_pass` also contains the salt
part of the file, which results in an obviously wrong password.

Thank you for reading. I appreciate any pointers and tips on how to accomplish
my goal under Ansible 2.
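
The failure described in the message above, as an added example that is not part of the original post or of Ansible's code: a small Python parser that separates the plaintext password from the stored salt, so only the password would be used as the sudo password. It assumes the file holds one line of the form `<password> salt=<salt>`; the function names and the sample file contents are constructed for illustration.

```python
"""Split an Ansible password-lookup file into plaintext password and salt."""
from typing import NamedTuple, Optional

# Assumption: the salt is appended to the password as " salt=<salt>".
SALT_MARKER = " salt="


class PasswordEntry(NamedTuple):
    password: str
    salt: Optional[str]


def parse_password_file(content: str) -> PasswordEntry:
    """Return the plaintext password and, if present, the stored salt."""
    line = content.rstrip("\r\n")
    if not line:
        raise ValueError("password file is empty")
    # Search from the right so a password that itself contains the
    # marker text is not cut short.
    idx = line.rfind(SALT_MARKER)
    if idx == -1:
        # File written without an encrypt parameter: password only.
        return PasswordEntry(line, None)
    salt = line[idx + len(SALT_MARKER):]
    if not salt:
        raise ValueError("salt marker present but salt is empty")
    return PasswordEntry(line[:idx], salt)


def sudo_password(content: str) -> str:
    """The value that belongs in ansible_sudo_pass: the password alone."""
    return parse_password_file(content).password


# Constructed sample file contents (not real credentials).
WITH_SALT = "Xq7,pL2vRt_9aBcD4eFg salt=Zk3mQ8wY\n"
WITHOUT_SALT = "Xq7,pL2vRt_9aBcD4eFg\n"

if __name__ == "__main__":
    whole_file = WITH_SALT.strip()   # what a whole-file read would hand to sudo
    print("whole file :", repr(whole_file))
    print("password   :", repr(sudo_password(WITH_SALT)))
    print("match      :", whole_file == sudo_password(WITH_SALT))
```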