From 96aaa6df25774e05cda3e4a6f73b030ae989100a Mon Sep 17 00:00:00 2001 From: Vinny Valdez Date: Tue, 5 Apr 2016 18:17:36 -0500 Subject: Refactor use of rhsm_password to prevent display to CLI --- roles/subscription-manager/README.md | 30 ++++++++++++++++++---- roles/subscription-manager/pre_tasks/pre_tasks.yml | 9 +++++++ roles/subscription-manager/tasks/main.yml | 23 ++++++++++++----- 3 files changed, 50 insertions(+), 12 deletions(-) (limited to 'roles/subscription-manager') diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md index e604c7475..a5dd1ac44 100644 --- a/roles/subscription-manager/README.md +++ b/roles/subscription-manager/README.md @@ -18,7 +18,9 @@ Default: none ### rhsm_password -Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. +Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. + +NOTE: This variable is prompted for at the start of the playbook run. This is for security purposes so the password is not left in the command history. If specified on the command-line or set in a variable file it will be ignored and the value captured from the prompt will overwrite it instead. Default: none 
@@ -50,7 +52,25 @@ rhsm_repos='["rhel-7-server-rpms", "rhel-7-server-ose-3.1-rpms", "rhel-7-server- Default: none -## Pre-tasks +## Calling This Role +Calling this role requires adding a **vars_prompt**, **pre_tasks**, and **roles** section of a play + +### vars_prompt +Unfortunately **vars_prompt** can only be used at the play level before role tasks are executed, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable + +Add a prompt to capture **rhsm_password** + +``` +- hosts: localhost + vars_prompt: + # Unfortunately vars_prompt can only be used at the play level before role tasks, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable + - name: "rhsm_password" + prompt: "Subscription Manager password (enter blank if using rhsm_activationkey or to disable registration)" + confirm: yes + private: yes +``` + +### pre-tasks A number of variable checks are performed before any tasks to ensure the proper parameters are set. To include these checks call the pre_task yaml before any roles: @@ -59,7 +79,7 @@ A number of variable checks are performed before any tasks to ensure the proper - include: roles/subscription-manager/pre_tasks/pre_tasks.yml ``` -## Tasks +### roles The bulk of the work is performed in the main.yml for this role. The pre-task play will set a variable which can be checked to contitionally include this role as such: @@ -73,7 +93,7 @@ The bulk of the work is performed in the main.yml for this role. The pre-task pl To register to RHSM Hosted with username and password: ``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez rhsm_password=hunter2" +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez" ``` To register to a Satellite server with an activation key: 
@@ -82,4 +102,4 @@ To register to a Satellite server with an activation key: ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1" ``` -To ignore any Subscription Manager activities, simply do not set any parameters. +To ignore any Subscription Manager activities, simply do not set any parameters. When prompted for the password, hit **Enter** to set a blank password. diff --git a/roles/subscription-manager/pre_tasks/pre_tasks.yml b/roles/subscription-manager/pre_tasks/pre_tasks.yml index dcd56b2b9..31441785e 100644 --- a/roles/subscription-manager/pre_tasks/pre_tasks.yml +++ b/roles/subscription-manager/pre_tasks/pre_tasks.yml @@ -1,4 +1,13 @@ --- +- name: Set password fact + set_fact: + rhsm_password: "{{ rhsm_password }}" + no_log: true + when: + - rhsm_password is defined + - rhsm_password is not none + - rhsm_password|trim != '' + - name: Initialize Subscription Manager fact set_fact: rhsm_register: true diff --git a/roles/subscription-manager/tasks/main.yml b/roles/subscription-manager/tasks/main.yml index 414bf8f7a..6e51be7e4 100644 --- a/roles/subscription-manager/tasks/main.yml +++ b/roles/subscription-manager/tasks/main.yml @@ -1,5 +1,12 @@ --- - +- name: Initialize rhsm_password variable if vars_prompt was used + set_fact: + rhsm_password: "{{ hostvars.localhost.rhsm_password }}" + when: + - rhsm_password is defined + - rhsm_password is not none + - rhsm_password|trim != '' + - name: Initializing Subscription Manager authenticaiton method set_fact: rhsm_authentication: false 
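Review bot: The new `Set password fact` task in pre_tasks/pre_tasks.yml turns the prompted password into a host fact, and `no_log: true` only keeps it out of the task output. As a fact it stays in memory for the rest of the run and is readable through `hostvars` by any later play or role. Depending on the Ansible version and whether a fact cache is configured, values written with `set_fact` may also be persisted to the cache backend, so confirm this before relying on the prompt to keep the secret off disk. I would document it above the task with a comment such as `# Stores the prompted password as a host fact so later plays can read it via hostvars; do not combine with a persistent fact cache`.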
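Review bot: The added `Initialize rhsm_password variable if vars_prompt was used` task in tasks/main.yml has no `no_log: true`, unlike the matching `set_fact` in pre_tasks.yml. The password it copies from `hostvars.localhost` can therefore show up in the task result when the playbook runs with increased verbosity, so add `no_log: true` to this task as well. The `when` list also tests `rhsm_password` on the current host while the value is read from `hostvars.localhost.rhsm_password`. On a host where the variable is not otherwise in scope the copy is silently skipped, so the conditions should probably test the same expression that is read, e.g. `- hostvars.localhost.rhsm_password is defined`.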
@@ -19,8 +26,12 @@ set_fact: rhsm_authentication: "password" when: - - rhsm_username is defined and rhsm_username is not none and rhsm_username|trim != '' - - rhsm_password is defined and rhsm_password is not none and rhsm_password|trim != '' + - rhsm_username is defined + - rhsm_username is not none + - rhsm_username|trim != '' + - rhsm_password is defined + - rhsm_password is not none + - rhsm_password|trim != '' - not rhsm_authentication - name: Initializing registration status @@ -62,18 +73,17 @@ - rhsm_satellite|trim != '' # This can apply to either Hosted or Satellite - - name: Register using username and password command: "/usr/bin/subscription-manager register --username={{ rhsm_username }} --password={{ rhsm_password }}" + no_log: true when: - not registered - - rhsm_authentication != "key" + - rhsm_authentication == "password" - name: Auto-attach to Subscription Manager Pool command: "/usr/bin/subscription-manager attach --auto" when: - not registered - - rhsm_authentication != "key" - rhsm_pool is undefined or rhsm_pool is none or rhsm_pool|trim == '' - name: Attach to a specific pool @@ -83,7 +93,6 @@ - rhsm_pool is not none - rhsm_pool|trim != '' - not registered - - rhsm_authentication != "key" - name: Disable all repositories command: "/usr/bin/subscription-manager repos --disable=*" -- cgit v1.2.3
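Review bot: In the `Register using username and password` task the secret is still interpolated into the command line (`--password={{ rhsm_password }}`). The added `no_log: true` hides it from Ansible output, but while the command runs on the managed host the password is visible in the process argument list to other local users and to process auditing. The values are also unquoted, so a password containing spaces or quote characters will be split incorrectly by the `command` module; at minimum use `--username={{ rhsm_username | quote }} --password={{ rhsm_password | quote }}`. Where possible, prefer the activation-key path the README already recommends, or a registration method that does not pass the secret in argv. Separately, dropping `- rhsm_authentication != "key"` from the auto-attach task here and from `Attach to a specific pool` in the following hunk changes behaviour for activation-key registrations, which the commit subject does not mention; confirm that is intended.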