Warkdev
commented
2 years ago So, some more extra info. There's actually a need for two fields:
ansible_httpapi_client_cert: <path to cert>
ansible_httpapi_client_key: <key_name_in_cert>ansible_httpapi_user may still need to exist (in some case, some API requires a BA user even for client cert) and be sent over the wire, so leave that option to the end-user, don't make client_cert the only requirement.
I've checked the httpapi connection plugin and it's already accepting extra kwargs today that are passed along to the open_url method:
def send(self, path, data, retries=None, **kwargs):
...
url_kwargs.update(kwargs)
...
response = open_url(url, data=data, **url_kwargs)That open_url accepts already client_cert & client_key keywords and can thus allow further authentication through that way:
def open_url(url, data=None, headers=None, method=None, use_proxy=True,
force=False, last_mod_time=None, timeout=10, validate_certs=True,
url_username=None, url_password=None, http_agent=None,
force_basic_auth=False, follow_redirects='urllib2',
client_cert=None, client_key=None, cookies=None,
use_gssapi=False, unix_socket=None, ca_path=None,
unredirected_headers=None):Shouldn't be that difficult to have it managed natively by the connection plugin :)
Cédric S.
Summary
The HTTPAPI connection plugin allows to manage remotely a device through API calls which is nice.
Yet, the only supported authentication scheme is currently user/password using Basic Authentication, another use case, for some appliances, is to use a client certificate to authenticate. This enforce security, from a certain point of view.
Therefore, it would be nice if a new ansible configuration variable may be added to support the definition of client certificate to issue an HTTP request towards a network device.
Regards,
Cédric S.
Issue Type
Feature Idea
Component Name
httpapi
Additional Information
ansible_httpapi_password could then be used as a password for the httpapi_cert.
Code of Conduct