Bug 1839200
| Summary: | [ansible-freeipa] Vault password salt can change without password in vault module. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Varun Mylaraiah <mvarun> |
| Component: | ansible-freeipa | Assignee: | Rafael Jeffman <rjeffman> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | rjeffman, twoerner |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ansible-freeipa-0.1.11-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 02:46:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
There is an upstream PR with a fix: https://github.com/freeipa/ansible-freeipa/pull/263

Upstream PR was merged.

Verification failed
ansible-freeipa-0.1.12-5.el8.noarch
Automation test result:

ansible-freeipa-tests/ansible_freeipa_tests/vault_module.py::TestSymmetricVault::()::test_symmetric_vault_update_salt_without_password
-------------------------------------------------------------------------------
self = <ansible_freeipa_tests.vault_module.TestSymmetricVault object at 0x7f344d199e50>
multihost = <pytest_multihost.plugin.MultihostFixture object at 0x7f344fec2d30>

    def test_symmetric_vault_update_salt_without_password(self, multihost):  # noqa: F811
        '''TC-30: Update vault password salt without providing password. Bug#1839200'''
        check_details(multihost, ["Salt: "], 'vault-show', [vault29])
        local_vault_inv = 'inventories/master.hosts.j2'
        local_vault_playbook = 'playbooks/vault_symmetric_vault_update_salt_without_password.yaml'
        # upload inventory and playbook to the runner
        upload_inv_playbook(multihost, local_vault_inv,
                            local_vault_playbook)
        # update vault
        exp_error = "Symmetric vault requires password or password_file to store data or change `salt`."
>       run_playbook_with_exp_msg(
            multihost, runner_vault_inv, runner_vault_playbook, exp_error)

exp_error  = 'Symmetric vault requires password or password_file to store data or change `salt`.'
local_vault_inv = 'inventories/master.hosts.j2'
local_vault_playbook = 'playbooks/vault_symmetric_vault_update_salt_without_password.yaml'
multihost  = <pytest_multihost.plugin.MultihostFixture object at 0x7f344fec2d30>
self       = <ansible_freeipa_tests.vault_module.TestSymmetricVault object at 0x7f344d199e50>

ansible_freeipa_tests/vault_module.py:252:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

multihost = <pytest_multihost.plugin.MultihostFixture object at 0x7f344fec2d30>
inventory_path = 'inventory/vault.hosts', playbook_path = 'vault_module.yml'
expected_msg = 'Symmetric vault requires password or password_file to store data or change `salt`.'

    def run_playbook_with_exp_msg(multihost, inventory_path, playbook_path, expected_msg=None):
        args = [
            ANS_PLAYBOOK,
            '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv',
            '-i', inventory_path, playbook_path]
        result = multihost.runner.run_command(args, raiseonerr=False)
>       assert expected_msg in result.stdout_text
E       AssertionError

args       = ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
expected_msg = 'Symmetric vault requires password or password_file to store data or change `salt`.'
inventory_path = 'inventory/vault.hosts'
multihost  = <pytest_multihost.plugin.MultihostFixture object at 0x7f344fec2d30>
playbook_path = 'vault_module.yml'
result     = <pytest_multihost.transport.SSHCommand object at 0x7f344d199c10>

ansible_freeipa_tests/util.py:127: AssertionError
------------------------------ Captured log call -------------------------------
channel.py 1212 DEBUG [chan 69] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 69] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 69 opened.
transport.py 318 INFO RUN ['kinit', 'admin']
transport.py 519 DEBUG RUN ['kinit', 'admin']
channel.py 1212 DEBUG [chan 69] Sesch channel 69 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG Password for admin:
channel.py 1212 DEBUG [chan 69] EOF received (69)
channel.py 1212 DEBUG [chan 69] EOF sent (69)
transport.py 217 DEBUG Exit code: 0
channel.py 1212 DEBUG [chan 70] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 70] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 70 opened.
transport.py 318 INFO RUN ['ipa', 'vault-show', '29syvault']
transport.py 519 DEBUG RUN ['ipa', 'vault-show', '29syvault']
channel.py 1212 DEBUG [chan 70] Sesch channel 70 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG Vault name: 29syvault
transport.py 563 DEBUG Type: symmetric
transport.py 563 DEBUG Salt: dYUXCs6PZGzMswnCbKtz1Did2uiS/lzReIG9TTau8Mg=
transport.py 563 DEBUG Owner users: admin
transport.py 563 DEBUG Vault user: admin
channel.py 1212 DEBUG [chan 70] EOF received (70)
channel.py 1212 DEBUG [chan 70] EOF sent (70)
transport.py 217 DEBUG Exit code: 0
channel.py 1212 DEBUG [chan 71] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 71] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 71 opened.
transport.py 318 INFO RUN ['kdestroy', '-A']
transport.py 519 DEBUG RUN ['kdestroy', '-A']
channel.py 1212 DEBUG [chan 71] Sesch channel 71 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
channel.py 1212 DEBUG [chan 71] EOF received (71)
channel.py 1212 DEBUG [chan 71] EOF sent (71)
transport.py 217 DEBUG Exit code: 0
transport.py 293 INFO WRITE inventory/vault.hosts
sftp.py 158 DEBUG [chan 0] open(b'inventory/vault.hosts', 'wb')
sftp.py 158 DEBUG [chan 0] open(b'inventory/vault.hosts', 'wb') -> 00000000
sftp.py 158 DEBUG [chan 0] close(00000000)
transport.py 329 INFO PUT vault_module.yml
sftp.py 158 DEBUG [chan 0] open(b'vault_module.yml', 'wb')
sftp.py 158 DEBUG [chan 0] open(b'vault_module.yml', 'wb') -> 00000000
sftp.py 158 DEBUG [chan 0] close(00000000)
sftp.py 158 DEBUG [chan 0] stat(b'vault_module.yml')
channel.py 1212 DEBUG [chan 17] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 17] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 17 opened.
transport.py 318 INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
transport.py 519 DEBUG RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
channel.py 1212 DEBUG [chan 17] Sesch channel 17 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG ansible-playbook 2.9.11
transport.py 563 DEBUG config file = /root/ansible.cfg
transport.py 563 DEBUG configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
transport.py 563 DEBUG ansible python module location = /usr/lib/python3.6/site-packages/ansible
transport.py 563 DEBUG executable location = /usr/bin/ansible-playbook
transport.py 563 DEBUG python version = 3.6.8 (default, Jun 26 2020, 12:10:09) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
transport.py 563 DEBUG Using /root/ansible.cfg as config file
transport.py 563 DEBUG
transport.py 563 DEBUG PLAYBOOK: vault_module.yml *****************************************************
transport.py 563 DEBUG 1 plays in vault_module.yml
transport.py 563 DEBUG
transport.py 563 DEBUG PLAY [Playbook to ensure, not able to change password salt without password] ***
transport.py 563 DEBUG
transport.py 563 DEBUG TASK [Gathering Facts] *********************************************************
transport.py 563 DEBUG task path: /root/vault_module.yml:2
transport.py 563 DEBUG ok: [master.ipadomain.test]
transport.py 563 DEBUG META: ran handlers
transport.py 563 DEBUG
transport.py 563 DEBUG TASK [vault module testing] ****************************************************
transport.py 563 DEBUG task path: /root/vault_module.yml:6
transport.py 563 DEBUG changed: [master.ipadomain.test] => {"changed": true}
transport.py 563 DEBUG META: ran handlers
transport.py 563 DEBUG META: ran handlers
transport.py 563 DEBUG
transport.py 563 DEBUG PLAY RECAP *********************************************************************
transport.py 563 DEBUG master.ipadomain.test : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
transport.py 563 DEBUG
channel.py 1212 DEBUG [chan 17] EOF received (17)
channel.py 1212 DEBUG [chan 17] EOF sent (17)
transport.py 217 DEBUG Exit code: 0
The correct upstream PR is https://github.com/freeipa/ansible-freeipa/pull/334

The upstream PR has been merged.

Verified
ansible-freeipa-0.1.12-6.el8.noarch
Passed ansible_freeipa_tests/vault_module.py::TestSymmetricVault::()::test_symmetric_vault_update_salt_without_password
------------------------------ Captured log call -------------------------------
channel.py 1212 DEBUG [chan 18] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 18] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 18 opened.
transport.py 318 INFO RUN ['/usr/bin/rpm', '-q', 'ansible-freeipa']
transport.py 519 DEBUG RUN ['/usr/bin/rpm', '-q', 'ansible-freeipa']
channel.py 1212 DEBUG [chan 18] Sesch channel 18 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG ansible-freeipa-0.1.12-6.el8.noarch
channel.py 1212 DEBUG [chan 18] EOF received (18)
channel.py 1212 DEBUG [chan 18] EOF sent (18)
transport.py 217 DEBUG Exit code: 0
channel.py 1212 DEBUG [chan 75] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 75] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 75 opened.
transport.py 318 INFO RUN ['kinit', 'admin']
transport.py 519 DEBUG RUN ['kinit', 'admin']
channel.py 1212 DEBUG [chan 75] Sesch channel 75 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG Password for admin:
channel.py 1212 DEBUG [chan 75] EOF received (75)
channel.py 1212 DEBUG [chan 75] EOF sent (75)
transport.py 217 DEBUG Exit code: 0
channel.py 1212 DEBUG [chan 76] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 76] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 76 opened.
transport.py 318 INFO RUN ['ipa', 'vault-show', '29syvault']
transport.py 519 DEBUG RUN ['ipa', 'vault-show', '29syvault']
channel.py 1212 DEBUG [chan 76] Sesch channel 76 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG Vault name: 29syvault
transport.py 563 DEBUG Type: symmetric
transport.py 563 DEBUG Salt: RtWq6ij8P7OoTBCRiu6u0xBv/ooGOZeEPx9F9pROF1s=
transport.py 563 DEBUG Owner users: admin
transport.py 563 DEBUG Vault user: admin
channel.py 1212 DEBUG [chan 76] EOF received (76)
channel.py 1212 DEBUG [chan 76] EOF sent (76)
transport.py 217 DEBUG Exit code: 0
channel.py 1212 DEBUG [chan 77] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 77] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 77 opened.
transport.py 318 INFO RUN ['kdestroy', '-A']
transport.py 519 DEBUG RUN ['kdestroy', '-A']
channel.py 1212 DEBUG [chan 77] Sesch channel 77 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
channel.py 1212 DEBUG [chan 77] EOF received (77)
channel.py 1212 DEBUG [chan 77] EOF sent (77)
transport.py 217 DEBUG Exit code: 0
transport.py 293 INFO WRITE inventory/vault.hosts
sftp.py 158 DEBUG [chan 0] open(b'inventory/vault.hosts', 'wb')
sftp.py 158 DEBUG [chan 0] open(b'inventory/vault.hosts', 'wb') -> 00000000
sftp.py 158 DEBUG [chan 0] close(00000000)
transport.py 329 INFO PUT vault_module.yml
sftp.py 158 DEBUG [chan 0] open(b'vault_module.yml', 'wb')
sftp.py 158 DEBUG [chan 0] open(b'vault_module.yml', 'wb') -> 00000000
sftp.py 158 DEBUG [chan 0] close(00000000)
sftp.py 158 DEBUG [chan 0] stat(b'vault_module.yml')
channel.py 1212 DEBUG [chan 19] Max packet in: 32768 bytes
channel.py 1212 DEBUG [chan 19] Max packet out: 32768 bytes
transport.py 1819 DEBUG Secsh channel 19 opened.
transport.py 318 INFO RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
transport.py 519 DEBUG RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/vault.hosts', 'vault_module.yml']
channel.py 1212 DEBUG [chan 19] Sesch channel 19 request ok
transport.py 563 DEBUG -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py 563 DEBUG -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py 563 DEBUG ansible-playbook 2.9.12
transport.py 563 DEBUG config file = /root/ansible.cfg
transport.py 563 DEBUG configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
transport.py 563 DEBUG ansible python module location = /usr/lib/python3.6/site-packages/ansible
transport.py 563 DEBUG executable location = /usr/bin/ansible-playbook
transport.py 563 DEBUG python version = 3.6.8 (default, Jun 26 2020, 12:10:09) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
transport.py 563 DEBUG Using /root/ansible.cfg as config file
transport.py 563 DEBUG
transport.py 563 DEBUG PLAYBOOK: vault_module.yml *****************************************************
transport.py 563 DEBUG 1 plays in vault_module.yml
transport.py 563 DEBUG
transport.py 563 DEBUG PLAY [Playbook to ensure, not able to change password salt without password] ***
transport.py 563 DEBUG
transport.py 563 DEBUG TASK [Gathering Facts] *********************************************************
transport.py 563 DEBUG task path: /root/vault_module.yml:2
transport.py 563 DEBUG ok: [master.ipadomain.test]
transport.py 563 DEBUG META: ran handlers
transport.py 563 DEBUG
transport.py 563 DEBUG TASK [vault module testing] ****************************************************
transport.py 563 DEBUG task path: /root/vault_module.yml:6
transport.py 563 DEBUG fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "Symmetric vault requires password or password_file to store data or change `salt`."}
transport.py 563 DEBUG
transport.py 563 DEBUG PLAY RECAP *********************************************************************
transport.py 563 DEBUG master.ipadomain.test : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
transport.py 563 DEBUG
channel.py 1212 DEBUG [chan 19] EOF received (19)
channel.py 1212 DEBUG [chan 19] EOF sent (19)
transport.py 217 DEBUG Exit code: 2
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:4663
Description of problem:
Vault password salt can change without password in ansible-freeipa vault module

Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.9-1

Steps to Reproduce:

[root@master ~]# ipa vault-show test_salt
  Vault name: test_salt
  Description: Testing vault password salt
  Type: symmetric
  Salt: JONdUPQI2V9WqBYDI5v9gB+/6G7nSdymAuTBGoVIr1M=
  Owner users: admin
  Vault user: admin

[root@ansible ~]# cat g_01.yaml
---
- name: Test vault
  hosts: ipaserver
  tasks:
  - name: vault module testing
    ipavault:
      ipaadmin_password: <xxxxxxx>
      name: test_salt
      salt: dGVzdGluZ192YXVsdF9zYWx0Cg==

[root@ansible ~]# ansible-playbook -vv -i inventory/server.hosts g_01.yaml
ansible-playbook 2.9.7
  config file = /root/ansible.cfg
  configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Apr 3 2020, 16:09:51) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /root/ansible.cfg as config file

PLAYBOOK: g_01.yaml ************************************************************
1 plays in g_01.yaml

PLAY [Test vault] **************************************************************

TASK [Gathering Facts] *********************************************************
task path: /root/g_01.yaml:2
ok: [master.ipadomain.test]
META: ran handlers

TASK [vault module testing] ****************************************************
task path: /root/g_01.yaml:6
changed: [master.ipadomain.test] => {"changed": true}
META: ran handlers
META: ran handlers

PLAY RECAP *********************************************************************
master.ipadomain.test : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Actual results:

[root@master ~]# ipa vault-show test_salt
  Vault name: test_salt
  Description: Testing vault password salt
  Type: symmetric
  Salt: dGVzdGluZ192YXVsdF9zYWx0Cg==
  Owner users: admin
  Vault user: admin

Expected results:
Should ask for a password.

Additional Info:

CLI-Console-output
===================
[root@master ~]# ipa vault-mod sy_vault_test_salt --salt=dGVzdGluZ192YXVsdF9zYWx0Cg==
Password:
New password:
Enter New password again to verify:
-----------------------------------
Modified vault "sy_vault_test_salt"
-----------------------------------
  Vault name: sy_vault_test_salt
  Description: Salt test
  Type: symmetric
  Salt: dGVzdGluZ192YXVsdF9zYWx0Cg==
  Owner users: admin
  Vault user: admin
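The reason the CLI prompts for the password on a salt change, and the guard the verified run above exercises, as an added illustration. This is not ansible-freeipa or FreeIPA code: the vault is an in-memory dict, the cipher is a stand-in (PBKDF2-derived key, HMAC keystream, encrypt-then-MAC) so the script runs on the standard library alone, and the 100,000-iteration PBKDF2, the dict layout and every function name are assumptions of this example. The only thing taken from the page is the error text returned by the fixed module. The salt is a KDF input, so once it is overwritten the key derived from the unchanged password no longer opens the stored data; a salt change therefore has to re-seal the data, which is impossible without the password.

```python
"""Symmetric vault salt change: why it needs the password (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional

# Error text returned by the fixed ipavault module (see the verified playbook run).
SALT_ERROR = ("Symmetric vault requires password or password_file "
              "to store data or change `salt`.")


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 (iteration count is an assumption of this example).
    The salt is an input to the KDF, so a different salt gives a different key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream; a stand-in for the vault's real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when this key does not authenticate the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def create_symmetric_vault(password: str, data: bytes) -> dict:
    """Fresh random salt, data sealed under the key derived from password + salt."""
    salt = os.urandom(32)
    return {"type": "symmetric", "salt": salt, "blob": seal(derive_key(password, salt), data)}


def retrieve(vault: dict, password: str) -> Optional[bytes]:
    """Open the vault with the key derived from the password and the *stored* salt."""
    return open_(derive_key(password, vault["salt"]), vault["blob"])


def vault_mod(vault: dict, *, salt: Optional[bytes] = None, data: Optional[bytes] = None,
              password: Optional[str] = None, password_file: Optional[str] = None,
              new_password: Optional[str] = None) -> dict:
    """Guarded modification, modelled on the fix: storing data or changing the
    salt (and, by the same logic, the password) needs the current password,
    because the blob must be opened with the old key and re-sealed with the new."""
    if vault["type"] != "symmetric":
        return {"changed": False, "failed": True, "msg": "only symmetric vaults are modelled"}
    wants_reseal = salt is not None or data is not None or new_password is not None
    if not wants_reseal:
        return {"changed": False}
    if password is None and password_file is None:
        return {"changed": False, "failed": True, "msg": SALT_ERROR}
    if password is None:
        with open(password_file, "r", encoding="utf-8") as fh:
            password = fh.readline().rstrip("\n")
    plaintext = data if data is not None else retrieve(vault, password)
    if plaintext is None:
        return {"changed": False, "failed": True, "msg": "password does not open the vault"}
    new_salt = salt if salt is not None else vault["salt"]
    vault["salt"] = new_salt
    vault["blob"] = seal(derive_key(new_password or password, new_salt), plaintext)
    return {"changed": True}


def unguarded_salt_change(vault: dict, salt: bytes) -> dict:
    """What the pre-fix behaviour amounts to: the salt attribute is overwritten
    while the blob stays sealed under the key of the old salt."""
    vault["salt"] = salt
    return {"changed": True}


if __name__ == "__main__":
    v = create_symmetric_vault("Secret123", b"constructed vault payload")
    print(vault_mod(v, salt=b"\x01" * 32))                        # refused, SALT_ERROR
    print(vault_mod(v, salt=b"\x01" * 32, password="Secret123"))  # re-sealed, changed
    print(retrieve(v, "Secret123"))                               # payload still opens
    unguarded_salt_change(v, b"\x02" * 32)
    print(retrieve(v, "Secret123"))                               # None: data is now locked out
```

The guard is deliberately the first thing checked, before any key derivation, so a playbook that omits `password`/`password_file` fails with `changed: false`, which is the difference between the failed run (`changed: true`, salt replaced) and the verified run on this page.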