Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me 
(for example, it has a digital signature) and we can start it with the 
ansible-playbook command. FileB doesn't have a signature, so it can't make any 
changes on remote hosts. Is it possible?

понедельник, 7 июня 2021 г. в 13:49:28 UTC+3, Antony Stone: 

> On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:
>
> > shell> cat test-003.yml
> > - hosts: all
> >   gather_facts: false
> >   vars:
> >     my_filename: test-003.yml
> >     my_path: "{{ playbook_dir }}/{{ my_filename }}"
> >     my_hash_path: "{{ my_path }}.sha1"
> >     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
> >   tasks:
> >     - name: Test integrity of the playbook
> >       block:
> >         - stat:
> >             path: "{{ my_path }}"
> >             checksum_algorithm: sha1
> >           register: result
> >         - assert:
> >             that: result.stat.checksum == my_hash
> >       delegate_to: localhost
> >       run_once: true
>
> That's a good enough way of checking that the hash of the playbook in 
> question does match the stored hash, but...
>
> > shell> sha1sum test-003.yml > test-003.yml.sha1
> > shell> cat test-003.yml.sha1
> > 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml
>
> ...means that it's trivial for someone to take a playbook, modify it, and 
> create a new hash file.
>
> I interpret "signed" in the original question to mean something that 
> cannot be falsified by someone who is running the ansible commands.
>
>
> Antony.
>
> -- 
> The more 'success' you get, the easier it is to be disappointed by not 
> getting things.
> The only difference is that now no-one feels sorry for you.
>
> - Matt Haig
>
> Please reply to the list;
> please *don't* CC me.
>
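The distinction Antony draws above, worked through as an added example (not code from either poster): a Go program that mirrors the playbook's check (SHA-1 of the file compared with the first whitespace-separated token of the `.sha1` sidecar, exactly what `(lookup('file', my_hash_path).split()).0` extracts), then shows that after editing the playbook the sidecar can simply be regenerated and the check still passes, whereas a detached Ed25519 signature over the same bytes fails once the file changes, because the controller only holds the public key. The playbook text, the file name and the choice of Ed25519 as the "digital signature" are assumptions for the demonstration; the thread does not specify a signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for test-003.yml; the real file is whatever sits on disk.
const playbook = "- hosts: all\n  gather_facts: false\n  tasks:\n    - debug:\n        msg: hello\n"

// sha1Sidecar produces the same text as `sha1sum test-003.yml > test-003.yml.sha1`:
// hex digest, two spaces, file name.
func sha1Sidecar(content []byte, name string) string {
	sum := sha1.Sum(content)
	return hex.EncodeToString(sum[:]) + "  " + name + "\n"
}

// checkSidecar mirrors the playbook: the stat checksum must equal the first
// whitespace-separated token of the .sha1 file.
func checkSidecar(content []byte, sidecar string) bool {
	fields := strings.Fields(sidecar)
	if len(fields) == 0 {
		return false
	}
	sum := sha1.Sum(content)
	return hex.EncodeToString(sum[:]) == fields[0]
}

// verifySignature checks a detached Ed25519 signature over the playbook bytes.
// Only the public key is needed where the playbook runs; the private key stays
// with whoever is allowed to "sign" playbooks.
func verifySignature(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, content, sig)
}

// Demo returns whether each check still passes after the playbook is edited
// by someone who has no private key: (sidecarPassesAfterEdit, signaturePassesAfterEdit).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	original := []byte(playbook)
	sidecar := sha1Sidecar(original, "test-003.yml")
	sig := ed25519.Sign(priv, original)

	// Sanity check: the untouched playbook passes both checks.
	if !checkSidecar(original, sidecar) || !verifySignature(pub, original, sig) {
		return false, false, errors.New("untouched playbook should pass both checks")
	}

	// Someone who can run ansible-playbook edits the file...
	edited := []byte(strings.Replace(playbook, "msg: hello", "msg: changed", 1))
	// ...and regenerates the sidecar, which needs no secret at all.
	regenerated := sha1Sidecar(edited, "test-003.yml")
	sidecarOK := checkSidecar(edited, regenerated)
	// The old signature no longer matches and a new one cannot be made without priv.
	sigOK := verifySignature(pub, edited, sig)
	return sidecarOK, sigOK, nil
}

func main() {
	sidecarOK, sigOK, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("after edit: sha1 sidecar check passes=%v, signature check passes=%v\n", sidecarOK, sigOK)
}
```

The sidecar check is still worth keeping as a guard against accidental corruption; what it cannot do is bind the playbook to an author, which is what a signature verified against a public key that lives outside the hands of the person running the command provides.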

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/8c93e9ff-5675-4847-b493-dabe145bac32n%40googlegroups.com.