ansible-grafana
LDAP password does not get decrypted in ldap.toml
What happened?
When using an encrypted LDAP password in your inventory file, you end up with an encrypted password in ldap.toml:
```yaml
grafana_ldap:
  verbose_logging: false
  servers:
    host: <omitted>
    port: 389
    use_ssl: false
    bind_dn: "<omitted>"
    bind_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      63343530316538303665303137643633356630393031333037613161363334653262663862636139
      6361393832623765353736616538633133383438306638640a333966393931613363353565643963
      64356237383130376235616233666265636433356538646363376333363836336264633735396137
      3437623065633966630a333062306461616466613664313135396266623135653566333835643661
      30666163306163643661303361636264636332303635363263376361306562323763
```
Variable decryption of the LDAP password in https://github.com/cloudalchemy/ansible-grafana/blob/f9b04329fb6416a204001255b67683e62496fc71/templates/ldap.toml.j2#L14 does not seem to work.
ldap.toml looks like:

```toml
bind_password = {
    "__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n65336637363062333863396632363937323438303662353865336266616138346663646535393565\n3732303931646564343761633937396264326536666261630a333630396534356239393261396437\n34386666326535376261616537663264613666663237336265663839343633656465383237643064\n3862623365623564340a313537613333313462343666353331343434376463313836633966303733\n65386635343639353464353230306337383235326337363265393561313731636165\n"
}
```
Did you expect to see something different?
I expected an unencrypted password.
How to reproduce it (as minimally and precisely as possible):
Run the role with an LDAP password that's encrypted with ansible-vault.

Role version:
0.17
Ansible version information:

```text
$ ansible --version
ansible 2.9.17
  config file = /opt/monitoring/ansible/ansible.cfg
  configured module search path = [u'/home/smals-wdt/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
```
Variables:
bind_password with an encrypted value

Ansible playbook execution logs:
No errors in the log
Anything else we need to know?
The issue disappears when the `| to_nice_json` is removed on https://github.com/cloudalchemy/ansible-grafana/blob/f9b04329fb6416a204001255b67683e62496fc71/templates/ldap.toml.j2#L14:
```jinja
[[servers]]
{% for k,v in grafana_ldap.servers.items() if k != 'attributes' %}
{% if k == 'port' %}
{{ k }} = {{ v | int }}
{% elif v in [True, False] %}
{{ k }} = {{ 'true' if v else 'false' }}
{% else %}
{{ k }} = {{ v }}
{% endif %}
{% endfor %}
```
So I was told that something like this would help (untested), but I don't know if to_nice_json is supposed to behave like that:

```jinja
{% elif v is vault_encrypted %}
{{ k }} = {{ v }}
```
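The behaviour the issue describes, reproduced as an added example; this is not code from the issue or from the role. It assumes a stand-in for Ansible's vault-encrypted string (class `VaultValue`) and an encoder `VaultAwareJSONEncoder` modelled on Ansible's `AnsibleJSONEncoder`: the `{"__ansible_vault": <ciphertext>}` wrapping and the `vault_to_text` keyword are taken from the ansible 2.9 encoder, everything else (the fake ciphertext, the lookup table that stands in for decryption, the `render_servers` port of the template loop, the `valid_toml_scalars` check) is constructed here. It goes one step beyond the issue: it also shows what happens when the filter is removed entirely, as in the snippet above, which gives a decrypted but unquoted value.

```python
import json
import re

# Constructed sample: a fake vault blob and its "plaintext". This is a stand-in,
# not real ciphertext and not Ansible's vault implementation.
FAKE_CIPHERTEXT = "$ANSIBLE_VAULT;1.1;AES256\n30303030303030303030303030303030\n"
FAKE_VAULT = {FAKE_CIPHERTEXT: "s3cr3t-bind-pw"}


class VaultValue:
    """Stand-in for Ansible's AnsibleVaultEncryptedUnicode (assumption: modelled on
    ansible 2.9): carries the ciphertext and only decrypts when rendered as text."""
    __ENCRYPTED__ = True

    def __init__(self, ciphertext):
        self._ciphertext = ciphertext.encode()

    def __str__(self):
        # "Decryption" via the constructed table, so the example runs offline.
        return FAKE_VAULT[self._ciphertext.decode()]


class VaultAwareJSONEncoder(json.JSONEncoder):
    """Mirrors the behaviour of Ansible's AnsibleJSONEncoder (assumption): unless told
    to convert vault values to text, it serialises them as {"__ansible_vault": ...}."""

    def __init__(self, vault_to_text=False, **kw):
        self._vault_to_text = vault_to_text
        super().__init__(**kw)

    def default(self, o):
        if getattr(o, "__ENCRYPTED__", False):
            if self._vault_to_text:
                return str(o)
            return {"__ansible_vault": o._ciphertext.decode()}
        return super().default(o)


def to_nice_json(value, **kw):
    # Same shape as the Ansible filter: pretty JSON through the vault-aware encoder.
    return json.dumps(value, cls=VaultAwareJSONEncoder, indent=4, sort_keys=True, **kw)


def render_servers(servers, mode):
    """Python port of the role's [[servers]] loop. `mode` selects the 'else' branch:
      'to_nice_json'      -> the template as reported (emits the vault dict)
      'to_nice_json_text' -> to_nice_json(vault_to_text=True) (decrypted, JSON-quoted)
      'plain'             -> {{ v }} with the filter removed (decrypted, but unquoted)
    """
    lines = ["[[servers]]"]
    for k, v in servers.items():
        if k == "attributes":
            continue
        if k == "port":
            lines.append(f"{k} = {int(v)}")
        elif v in [True, False]:
            lines.append(f"{k} = {'true' if v else 'false'}")
        elif mode == "to_nice_json":
            lines.append(f"{k} = {to_nice_json(v)}")
        elif mode == "to_nice_json_text":
            lines.append(f"{k} = {to_nice_json(v, vault_to_text=True)}")
        else:
            lines.append(f"{k} = {v}")
    return "\n".join(lines)


# One TOML scalar assignment per line: basic string, integer or boolean.
TOML_SCALAR_LINE = re.compile(r'^[A-Za-z_]\w* = ("(?:[^"\\]|\\.)*"|\d+|true|false)$')


def valid_toml_scalars(rendered):
    """Check that every line after [[servers]] is a single TOML scalar assignment.
    A vault dict (starts with '{', spans lines) and an unquoted string both fail."""
    body = rendered.split("\n")[1:]
    return all(TOML_SCALAR_LINE.match(line) for line in body)


SERVERS = {  # constructed inventory, mirrors the issue's grafana_ldap.servers
    "host": "ldap.example.internal",
    "port": 389,
    "use_ssl": False,
    "bind_dn": "cn=grafana,ou=svc,dc=example,dc=internal",
    "bind_password": VaultValue(FAKE_CIPHERTEXT),
}

if __name__ == "__main__":
    for mode in ("to_nice_json", "to_nice_json_text", "plain"):
        out = render_servers(SERVERS, mode)
        print(f"--- {mode}: valid_toml={valid_toml_scalars(out)}\n{out}\n")
```

Only the `to_nice_json_text` rendering yields both a decrypted and a properly quoted `bind_password`. Dropping the filter (`plain`, and likewise the `{% elif v is vault_encrypted %}` branch proposed above, which also renders `{{ v }}` bare) decrypts the value but leaves every string, including `bind_dn`, unquoted, which is not valid TOML. Whether the real `to_nice_json` filter accepts `vault_to_text=True` in a given Ansible release is an assumption to verify against that release; the stand-in above simply forwards keyword arguments to the encoder.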
Workaround, not sure if a restart is needed:

```yaml
post_tasks:
  - name: workaround https://github.com/cloudalchemy/ansible-grafana/issues/283
    lineinfile:
      path: "{{ grafana_auth.ldap.config_file | default('/etc/grafana/ldap.toml') }}"
      regexp: '^bind_password'
      # TOML literal (single-quoted) string: a password containing a single quote would break this line
      line: "bind_password = '{{ grafana_ldap.servers.bind_password }}'"
    when:
      - grafana_ldap.servers.bind_password
    notify: restart grafana
```
This role has been deprecated in favor of the grafana-ansible-collection collection.