ngine-io / ansible-collection-cloudstack

CloudStack Ansible Collections
https://galaxy.ansible.com/ngine_io/cloudstack
GNU General Public License v3.0

Unauthenticated Endpoint Support #16

Open rvalle opened 4 years ago

rvalle commented 4 years ago

Hi

I am trying to get a fully automated ACS deployment.

I use playbooks to install ACS and then I continue with these modules to configure ACS.

There is a missing link right in the middle.

I need an automated way to configure the credentials (API Token) for Ansible modules to work.

Is it possible to use username/password authentication in these Ansible Modules? CMK can handle either username/password or TOKEN auth.

That would allow creating the API token and then switching to TOKEN authentication afterwards.

resmo commented 4 years ago

Hi @rvalle

The API library used in the modules (https://github.com/exoscale/cs) does not allow authenticating with username and password (AFAICS). However, the way we do it in the CloudStack test container (to test the modules against the simulator API) is to use the internal API, which allows unauthenticated API calls on localhost:8096.

To get an idea see https://github.com/ansible/cloudstack-test-container/blob/master/run.sh

rvalle commented 4 years ago

@resmo my current workaround is to install cloudmonkey and do it with it, but since it is not packaged it is a bit messy.

I did not realize that cs has a CLI, that helps.

Perhaps we could allow usage of the modules on the unauthenticated endpoint for edge use cases like this one? What do you think?

https://github.com/ngine-io/ansible-collection-cloudstack/blob/8b4e8c61890927dd11b3b31fefd9bad4ba544ad7/plugins/module_utils/cloudstack.py#L139

resmo commented 4 years ago

Yes, perhaps.

I found it good enough for this special case to use dummy values for secret and key, since they are not validated by the internal API.

rvalle commented 4 years ago

OK, I see. I did not think of that. So, this use case was supported, after all. Would be useful to document it.

Document or we could allow a setting such as:

api_url_auth: false 

which simply disables the check for TOKEN, and defaults to true. It's more or less the same but would produce self-documented playbooks, and it is actually a feature:

something like:

- name: Configure initial Admin password, get keys.
  cs_user:
    api_url: localhost:8080
    api_url_auth: false
    ...
  register: acs_admin_user
  delegate_to: manager

If you want this I can submit a PR...

rvalle commented 3 years ago

> ... However, the way we do it in the CloudStack test container (to test the modules against the simulator API) is to use the internal API, which allows unauthenticated API calls on localhost:8096.

@resmo any idea how to get that port working on the manager?

I can find a reference in the documentation for manager HA, but in my install the port is not up.

rvalle commented 3 years ago

I can see here: https://github.com/apache/cloudstack/pull/3504 that the port ships disabled with global configuration:

integration.api.port=0

but I wonder if I can override its value without using the API
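
A defender-side check for the setup discussed in this thread, added here as an example and not code from the collection or from CloudStack: it reads `ss -Hltn` output and reports whether the port configured in `integration.api.port` is listening anywhere other than loopback, since calls on that port are not authenticated. The function names and the sample listener table are constructed for illustration.

```python
import ipaddress

# Constructed `ss -Hltn` output for illustration (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 50  *:8080          *:*
LISTEN 0 50  *:8096          *:*
LISTEN 0 128 127.0.0.1:3306  0.0.0.0:*
LISTEN 0 128 [::1]:8096      [::]:*
"""

def is_loopback(host):
    """True only for loopback binds; wildcards (*, 0.0.0.0, ::) are not."""
    host = host.strip("[]").split("%")[0]  # drop brackets and scope (%lo)
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or anything unparseable: treat as exposed
        return False

def listeners(ss_output, port):
    """Bind addresses on which `port` is in LISTEN state."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, lport = fields[3].rpartition(":")
        if lport.isdigit() and int(lport) == port:
            found.append(host)
    return found

def audit_integration_port(ss_output, integration_port):
    """Classify the unauthenticated integration API listener.

    integration_port is the value of integration.api.port (0 = disabled).
    Returns (status, non_loopback_binds).
    """
    if integration_port == 0:
        return "disabled", []
    binds = listeners(ss_output, integration_port)
    if not binds:
        return "not-listening", []
    exposed = [b for b in binds if not is_loopback(b)]
    return ("exposed" if exposed else "loopback-only"), exposed

if __name__ == "__main__":
    print(audit_integration_port(SAMPLE_SS, 8096))
```

Anything other than `disabled` or `loopback-only` after bootstrap is worth a firewall rule or setting the port back to 0.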