Hi all,
I have a playbook that needs a number of passwords. Two of the passwords are specific to the user running the playbook and so I would like to use the -K and -k command line options to ansible-playbook to allow the user to enter their passwords.
My problem is that while I can use the variable ansible_ssh_pass to supply the -k password wherever it is needed in the playbook, the variable ansible_become_pass never seems to get defined. Can anyone explain why I have an ansible_ssh_pass, but not an ansible_become_pass variable and where the code is that does this?
My test playbook is
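```
- hosts: localhost
  gather_facts: no
  tasks:
    # Defined when -k is given on the command line
    - debug: var=ansible_ssh_pass
    # Reported as undefined even when -K is given
    - debug: var=ansible_become_pass
```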
and the output is (manually copied)
```
ok: [localhost] => {
    "ansible_ssh_pass": "foo"
}
ok: [localhost] => {
    "ansible_become_pass": "VARIABLE IS NOT DEFINED!"
}
```
Unfortunately, the commit doesn’t say which piece of code gets confused by the re-injection of the become_user variables, so all I can do at the moment is make sure that the test case from the original PR still gets fixed.
I would actually remove ansible_pass/ansible_ssh_password to avoid
accidental disclosures.
Yeah, I know but…
Why do you need this information in the play?
Not all modules authenticate the same way. In particular, I’m using the vmware_guest module at the moment. There are many ways to skin this cat, but just making use of the second password that can be typed in on the command line involves a lot less friction.
The code is still broken in that the re-injection filtering is too aggressive for its stated purpose. Also, the original-original commit (75b6f61) left some code detritus around in the form of RESET_VARS which is a variable that is assigned to but no longer ever read from (AFAICT). Of course the tilde expansion code that gets bent out of shape over become_user probably shouldn’t do that, but I think I found that source code a couple of years ago and I’m not surprised that nobody is in a hurry to poke at it.
I have read the variables documentation quite often, and it never mentions this. vars_prompt only seems to be mentioned in the “Playbooks: Special Topics” page and it would be nice if the Playbooks / Variables page listed all the ways that variables can be specified in a playbook. It only has to note that vars_prompt is a special topic and move on.
I’ll try and create GitHub issues for these so that they can be recorded in excruciating detail for posterity, if nothing else.
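
The vars_prompt route mentioned in the thread, as an added example that is not part of the original posts: the second password is collected with a prompt instead of being read from ansible_become_pass, and the task that uses it is marked no_log so the value stays out of task output. The vCenter hostname, VM name and the variable name vcenter_password are constructed placeholders, and the example assumes the vCenter login matches the local user name.

```yaml
# Added example, not code from the thread.
# Hostname, VM name and variable names are constructed placeholders.
- hosts: localhost
  gather_facts: no
  vars_prompt:
    - name: vcenter_password        # hypothetical variable name
      prompt: "vCenter password"
      private: yes                  # do not echo the typed value
  tasks:
    - name: Power on a guest using the prompted credential
      vmware_guest:
        hostname: vcenter.example.com             # placeholder
        username: "{{ lookup('env', 'USER') }}"   # assumption: same login as the local user
        password: "{{ vcenter_password }}"
        name: example-vm                          # placeholder
        state: poweredon
      no_log: true                  # keep the password out of task output and logs
```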