passbolt / lab-passbolt-ansible-collection

Source repository for https://galaxy.ansible.com/anatomicjc/passbolt
MIT No Attribution

Feature request: Add caching of lookups #18

Closed RobinR1 closed 4 months ago

RobinR1 commented 4 months ago

When the lookup is used in a host or group var, the lookup is performed again and again by Ansible each time that variable is used. So each task that uses that variable triggers a new lookup (for every host that has to run the task). I assume this is normal Ansible behaviour, but this slows down the plays and even passbolt itself when running a big play over many hosts. So it would be handy to have the lookup plugin cache recently looked up passwords so that it does not need to query passbolt for the same password over and over again within a play. I understand this is a possible security risk and should be handled very carefully, but I think it would be a great enhancement. I don't think the caching should be long lived, at most 5 minutes or so.

AnatomicJC commented 4 months ago

Hi,

I got the same issue and it is a known behavior of Ansible: https://github.com/ansible/ansible/issues/9623

In the last comment of the issue, I discovered https://github.com/GoodRx/ansible-cached-lookup, which is working well.

Maybe you can give it a try?

Here is a thread where another person using the passbolt lookup plugin uses this plugin as well: https://github.com/GoodRx/ansible-cached-lookup/pull/5

Best regards,

RobinR1 commented 4 months ago

I will look into that. However, the fact that the project has not been touched for 6 years and the pull request from 2 years ago is still pending without comment from the author does not really build confidence. But as it seems to be quite a simple plugin, it may be feasible to implement this method into the Ansible passbolt lookup plugin itself (and then be maintained) in a secure way (since, as I understand it, it currently writes the cached values, hence secret passwords, in plain text to disk)? Even the in-memory cache patch still stores the values in plain text in memory, which could possibly mean a security risk?

When implemented in the passbolt lookup plugin, it could cache the encrypted value ?

RobinR1 commented 4 months ago

I added the ansible-cached-lookup into our AWX Execution Environment containers and now call all passbolt lookups using the cached lookup, which indeed seems to work correctly. Currently I am using the on-disk caching, as otherwise I would need to set up a local PyPI repo for a locally compiled version from that in-memory change request. So I still think it would be nice if (in-memory) caching were included natively in the passbolt lookup plugin.

AnatomicJC commented 4 months ago

Hi @RobinR1

I published a new 0.0.14 release of the passbolt lookup plugin.

I included the in-memory version of the lookup plugin, you should be able to use it with lookup('anatomicjc.passbolt.cached', 'anatomicjc.passbolt.passbolt', 'Your-secret-name')

Let me know if it is ok on your side :-)
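The pattern the thread converges on, a process-local cache that keeps secrets only in memory and drops them after a short TTL so repeated references to the same host or group variable hit the backend once, is shown below as an added example. It is not code from the passbolt collection, from ansible-cached-lookup, or from either participant; the `FakePassboltBackend` class and its call counter are a constructed stand-in for the real API client, the secret names and values are made up, and the `TTLSecretCache` wrapper and the 300-second default are this example's own choices following RobinR1's "at most 5 minutes" suggestion.

```python
"""Process-local TTL cache for secret lookups (added example, not project code).

Demonstrates the caching behaviour discussed in the issue: values are held
only in the memory of the process that evaluates the lookup, never written
to disk, expire after a short TTL, and a failed backend call is never cached.
"""
import time
from typing import Callable, Dict, Tuple


class FakePassboltBackend:
    """Constructed stand-in for the real passbolt client; counts calls so the
    effect of the cache is observable."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = dict(secrets)
        self.calls = 0

    def fetch(self, name: str) -> str:
        self.calls += 1
        if name not in self._secrets:
            raise LookupError(f"no secret named {name!r}")
        return self._secrets[name]


class TTLSecretCache:
    """Wraps a fetch callable with an in-memory cache keyed by secret name.

    Entries expire ttl_seconds after they were fetched. The clock is injectable
    so expiry can be exercised without sleeping.
    """

    def __init__(
        self,
        fetch: Callable[[str], str],
        ttl_seconds: float = 300.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, str]] = {}

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None:
            expires_at, value = hit
            if now < expires_at:
                return value
            del self._entries[name]  # stale entry: drop before refetching
        value = self._fetch(name)  # exceptions propagate; nothing is stored
        self._entries[name] = (now + self._ttl, value)
        return value

    def purge(self) -> None:
        """Drop every cached secret, e.g. at the end of a play."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> Tuple[int, int]:
    """Looks up one constructed secret three times, then again after the TTL
    has elapsed; returns the backend call count at each point."""
    backend = FakePassboltBackend({"db-password": "s3cret-value"})
    now = [1000.0]  # controllable fake clock
    cache = TTLSecretCache(backend.fetch, ttl_seconds=300.0, clock=lambda: now[0])
    for _ in range(3):
        assert cache.get("db-password") == "s3cret-value"
    calls_within_ttl = backend.calls
    now[0] += 301.0  # move past the TTL
    cache.get("db-password")
    calls_after_expiry = backend.calls
    return calls_within_ttl, calls_after_expiry


if __name__ == "__main__":
    print(demo())
```

The cache lives in whichever process evaluates the lookup and disappears when that process exits, which is the property the thread prefers over an on-disk cache; this example makes no claim about how Ansible's per-task worker processes share or discard such a cache. Python cannot reliably wipe a string from memory, so a secret stored this way is plain text in the process for as long as the entry lives, which is why the TTL is kept short and `purge()` exists.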