Opportunity to use signed playbook.

Hi all.
I need to check a playbook's authenticity before execution. Is it possible? If yes, how can I sign a playbook and check it in Ansible before execution (and also prohibit any execution of non-signed playbooks)?

Sorry if this question has already been discussed, but I have not found any information.

Best regards.

> ... check a playbook's authenticity before execution

For example

cat test-003.yml

- hosts: all
  gather_facts: false
  vars:
    my_filename: test-003.yml
    my_path: "{{ playbook_dir }}/{{ my_filename }}"
    my_hash_path: "{{ my_path }}.sha1"
    my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
  tasks:
    - name: Test integrity of the playbook
      block:
        - stat:
            path: "{{ my_path }}"
            checksum_algorithm: sha1
          register: result
        - assert:
            that: result.stat.checksum == my_hash
      delegate_to: localhost
      run_once: true

sha1sum test-003.yml > test-003.yml.sha1
cat test-003.yml.sha1

9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml

ansible-playbook test-003.yml

PLAY [all]

> cat test-003.yml
- hosts: all
  gather_facts: false
  vars:
    my_filename: test-003.yml
    my_path: "{{ playbook_dir }}/{{ my_filename }}"
    my_hash_path: "{{ my_path }}.sha1"
    my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
  tasks:
    - name: Test integrity of the playbook
      block:
        - stat:
            path: "{{ my_path }}"
            checksum_algorithm: sha1
          register: result
        - assert:
            that: result.stat.checksum == my_hash
      delegate_to: localhost
      run_once: true

That's a good enough way of checking that the hash of the playbook in question
does match the stored hash, but...

> sha1sum test-003.yml > test-003.yml.sha1
> cat test-003.yml.sha1
9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml

...means that it's trivial for someone to take a playbook, modify it, and
create a new hash file.

I interpret "signed" in the original question to mean something that cannot be
falsified by someone who is running the ansible commands.

Antony.

Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for example, has a digital signature) and we can start it with the ansible-playbook command. FileB doesn't have a signature, so it can't make any changes on remote hosts. Is it possible?

Monday, 7 June 2021 at 13:49:28 UTC+3, Antony Stone:
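Antony's point (a hash file stored next to the playbook can be regenerated by whoever edits the playbook) and the fileA/fileB idea above can be combined in a small wrapper around ansible-playbook that refuses to run anything without a valid detached signature. This is an added example, not code from the thread or from Ansible itself. It assumes GnuPG 2.x, a detached ASCII-armoured signature stored as `<playbook>.asc`, and a dedicated GnuPG home directory (the `keyhome` argument, a name chosen here) that contains only the public keys of the people authorised to sign playbooks:

```shell
#!/bin/sh
# Signed-playbook wrapper (added example; hypothetical, not part of the thread).
# Assumes GnuPG 2.x, a GnuPG home directory holding ONLY the public keys of
# authorised playbook signers, and a detached ASCII-armoured signature
# stored next to each playbook as <playbook>.asc.

# verify_playbook_signature <gnupg_home> <playbook>
# Returns 0 only when <playbook>.asc is a valid signature over <playbook>
# made by a key present in <gnupg_home>; any other case is a refusal.
verify_playbook_signature() {
    keyhome=$1
    playbook=$2
    sig="$playbook.asc"

    # Unsigned playbooks are refused outright: no signature file, no run.
    if [ ! -f "$sig" ]; then
        echo "refusing $playbook: no signature file $sig" >&2
        return 2
    fi

    # Use gpg's machine-readable status lines rather than trusting the exit
    # status alone: require an explicit VALIDSIG line for the file.
    status=$(gpg --batch --no-tty --homedir "$keyhome" --status-fd 1 \
                 --verify "$sig" "$playbook" 2>/dev/null) || {
        echo "refusing $playbook: signature verification failed" >&2
        return 1
    }
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || {
        echo "refusing $playbook: gpg reported no VALIDSIG" >&2
        return 1
    }
    return 0
}

# run_signed_playbook <gnupg_home> <playbook> [ansible-playbook args...]
# Verifies first, then hands over to ansible-playbook unchanged.
run_signed_playbook() {
    keyhome=$1
    playbook=$2
    shift 2
    verify_playbook_signature "$keyhome" "$playbook" || return $?
    exec ansible-playbook "$playbook" "$@"
}

# Usage (signer side):  gpg --armor --detach-sign -o site.yml.asc site.yml
# Usage (runner side):  run_signed_playbook /etc/ansible/signing-keys site.yml -i inventory
```

The property this gives you is exactly the one Antony describes: the person running ansible-playbook can edit the playbook or delete the `.asc` file, but cannot produce a new signature without a private key from the authorised set. That only holds if the key directory is writable by an administrator and not by the runner; if the runner can import their own public key into it, you are back in the same position as with the `.sha1` file. It also only constrains people who go through the wrapper, so it is a control on the playbook supply chain, not a substitute for limiting who can ssh to the managed hosts or call ansible-playbook directly.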

Locally, you might want to set the ownership and the permissions as
appropriate. Use get_url if the signatures are stored remotely:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html

> Yep, Antony is right.
> The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for example, has a digital signature) and we can start it with the ansible-playbook command. FileB doesn't have a signature, so it can't make any changes on remote hosts. Is it possible?

I doubt that verifying the signature is a solution for preventing tampering ... the user can simply ssh to the machine, for example.

Regards
Racke