Encryption not working for basic authentication
What happened? The node exporter config has the password as *0
Did you expect to see something different? Password should be a proper hash
How to reproduce it (as minimally and precisely as possible):
```yaml
- name: "Install node exporter"
  hosts: all
  gather_facts: true
  tags:
    - node
  vars_files:
    - vars/node-exporter.yml
  tasks:
    - name: "Install bcrypt"
      pip:
        name:
          - bcrypt
        executable: pip3
    - name: "Install node exporter"
      include_role:
        name: cloudalchemy.node_exporter
```
Environment
Installing onto ubuntu machine
- Role version:
2.0.0
- Ansible version information:
ansible [core 2.11.2]
python version = 3.8.10
jinja version = 3.0.1
- Variables:
node-exporter.yml contains
```yaml
node_exporter_basic_auth_users:
  username: password
```
- Ansible playbook execution Logs:
```
changed: [rfi-ai-dev-ws-ostack-test-01] => changed=true
  checksum: 81695d57d6b1575ba31829ff7f5e91e8bf548a43
  dest: /etc/node_exporter/config.yaml
  diff: []
  gid: 0
  group: root
  invocation:
    module_args:
      _original_basename: config.yaml.j2
      attributes: null
      backup: false
      checksum: 81695d57d6b1575ba31829ff7f5e91e8bf548a43
      content: null
      dest: /etc/node_exporter/config.yaml
      directory_mode: null
      follow: false
      force: true
      group: root
      local_follow: null
      mode: 420
      owner: root
      remote_src: null
      selevel: null
      serole: null
      setype: null
      seuser: null
      src: <location>/.ansible/tmp/ansible-tmp-1641306365.1400058-1503729-120309611669019/source
      unsafe_writes: false
      validate: null
  md5sum: 12f3679e43b06af2901539dd7ba38373
  mode: '0644'
  owner: root
  size: 63
  src: <location>/.ansible/tmp/ansible-tmp-1641306365.1400058-1503729-120309611669019/source
  state: file
  uid: 0
```
(location - section of file path redacted)
Anything else we need to know?:
There is no error visible when run with -vvv, yet it still doesn't work correctly
@lcrawfo Make sure you install passlib on the machine/virtualenv you are running ansible from.
I had already installed passlib version 1.7.4 and it doesn't fix the issue
I have got the same issue. Target VM is Ubuntu 18.04. Here I installed pip, bcrypt, and debug password_hash:
```yaml
- name: Test password_hash
  hosts: all
  become: true
  tasks:
    # node_exporter uses bcrypt to hash password so we install it
    - name: Install python3-pip
      package:
        name: [ 'python3-dev', 'python3-pip' ]
        state: present
    - name: Ensure bcrypt support is installed
      pip:
        name: "passlib[bcrypt]"
    - debug:
        msg: "{{ 'secret' | password_hash('bcrypt') }}"
```
Got
```
[2022-02-24 16:32:24][0fe9e4cb054342fd896b65d4fbd68a01-Environment-20222402162630][install][NodeExporter]Ansible task output:
PLAY [Test password_hash]
TASK [Ensure bcrypt support is installed]
changed: [80.158.56.17] => changed=true
  cmd:
  - /usr/bin/pip3
  - install
  - passlib[bcrypt]
  invocation:
    module_args:
      chdir: null
      editable: false
      executable: null
      extra_args: null
      name:
      - passlib[bcrypt]
      requirements: null
      state: present
      umask: null
      version: null
      virtualenv: null
      virtualenv_command: virtualenv
      virtualenv_python: null
      virtualenv_site_packages: false
  name:
  - passlib[bcrypt]
  requirements: null
  state: present
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    Collecting passlib[bcrypt]
      Downloading https://files.pythonhosted.org/packages/3b/a4/ab6b7589382ca3df236e03faa71deac88cae040af60c071a78d254a62172/passlib-1.7.4-py2.py3-none-any.whl (525kB)
    Collecting bcrypt>=3.1.0; extra == "bcrypt" (from passlib[bcrypt])
      Downloading https://files.pythonhosted.org/packages/52/a7/51ab6481ac355517696477889d8ab232106a0ddadda642c54e47a2ab40b9/bcrypt-3.2.0-cp36-abi3-manylinux1_x86_64.whl (63kB)
    Requirement already satisfied: six>=1.4.1 in /usr/lib/python3/dist-packages (from bcrypt>=3.1.0; extra == "bcrypt"->passlib[bcrypt])
    Collecting cffi>=1.1 (from bcrypt>=3.1.0; extra == "bcrypt"->passlib[bcrypt])
      Downloading https://files.pythonhosted.org/packages/49/7b/449daf9cacfd7355cea1b4106d2be614315c29ac16567e01756167f6daab/cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl (405kB)
    Collecting pycparser (from cffi>=1.1->bcrypt>=3.1.0; extra == "bcrypt"->passlib[bcrypt])
      Downloading https://files.pythonhosted.org/packages/62/d5/5f610ebe421e85889f2e55e33b7f9a6795bd982198517d912eb1c76e1a53/pycparser-2.21-py2.py3-none-any.whl (118kB)
    Installing collected packages: pycparser, cffi, bcrypt, passlib
    Successfully installed bcrypt-3.2.0 cffi-1.15.0 passlib-1.7.4 pycparser-2.21
  stdout_lines: <omitted>
  version: null
  virtualenv: null
[2022-02-24 16:32:24][0fe9e4cb054342fd896b65d4fbd68a01-Environment-20222402162630][install][NodeExporter]Ansible task output:
PLAY [Install node exporter]
TASK [debug]
ok: [80.158.56.17] =>
  msg: '*'
```
However, debug with python on the target machine showed that bcrypt works
```
$ sudo pip3 list | grep passlib
passlib (1.7.4)
$ sudo pip3 list | grep bcrypt
bcrypt (3.2.0)
$ /usr/bin/python3
Python 3.6.9 (default, Dec 8 2021, 21:08:43)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import passlib
>>> from passlib.hash import bcrypt
>>> bcrypt.hash('secret')
'$2b$12$MGasQXT20idV0lbDZsSVtO6h2fiTl68qFsw4owfPHVjvTmU02SCnq'
>>>
```
In general, if we have 50 VMs, do you think we need to install bcrypt on all machines repeatedly to be able to use this role? Or is it better to allow users to input the password in the hash format?
@trihoangvo
"Like a lot of people I've installed "passlib" but it was still not working. What did I do wrong? You have to install "passlib" on your local controller and not on remote host! Hope it could help someone else!" - stackoverflow
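A check for the symptom reported in this thread, as an added example that is not part of the original issue or the role's code: it scans a rendered node_exporter web config for `basic_auth_users` values that are not well-formed bcrypt strings, such as the `*0` and `*` seen above, and reports whether passlib is importable by the interpreter running it (Ansible filters such as `password_hash` are evaluated on the controller). The sample config, user names and function names are constructed for illustration, and the reader is a simplified line-based parser, not a full YAML parser.

```python
import importlib.util
import re

# Modular-crypt bcrypt: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample; the first hash is the one printed by passlib in the thread.
SAMPLE = """\
basic_auth_users:
  alice: $2b$12$MGasQXT20idV0lbDZsSVtO6h2fiTl68qFsw4owfPHVjvTmU02SCnq
  bob: *0
  carol: '*'
  dave: password
"""

def passlib_available():
    """True if passlib can be imported by this interpreter (run with the controller's Python)."""
    return importlib.util.find_spec("passlib") is not None

def basic_auth_users(config_text):
    """Return the user -> value mapping found under the basic_auth_users key."""
    users, in_block = {}, False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key opens or closes the block
            in_block = line.split(":")[0].strip() == "basic_auth_users"
            continue
        if in_block and ":" in line:
            user, _, value = line.strip().partition(":")
            users[user.strip()] = value.strip().strip("'\"")
    return users

def audit(config_text):
    """Return {user: problem} for every entry that is not a well-formed bcrypt hash."""
    problems = {}
    for user, value in basic_auth_users(config_text).items():
        if BCRYPT_RE.match(value):
            continue
        if value.startswith("*"):
            problems[user] = "hashing failed, placeholder %r written instead of a hash" % value
        else:
            problems[user] = "value is not a bcrypt hash"
    return problems

if __name__ == "__main__":
    print("passlib importable here:", passlib_available())
    for user, problem in audit(SAMPLE).items():
        print(user, "->", problem)
```

Run it against the deployed `/etc/node_exporter/config.yaml` after the play by passing the file's contents to `audit()`; an empty result means every entry is a syntactically valid bcrypt hash.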
This role has been deprecated in favor of the prometheus-community/ansible collection.