theforeman / foreman-ansible-modules

Ansible modules for interacting with the Foreman API and various plugin APIs such as Katello
GNU General Public License v3.0

Can use playbook without password if executed locally. #1704

Closed Et7f3 closed 8 months ago

Et7f3 commented 8 months ago
SUMMARY

When we see the documentation, the expectation seems to be that it is run outside of the Satellite. We have cron-based scripts that use hammer, and we would like to use Ansible (so we get the audit built into Foreman). However, it seems odd that we need a service account from the same machine (if an attacker is on the machine, we have already lost).

ISSUE TYPE

evgeni commented 8 months ago

The API needs authentication. That's how it works, I'm sorry.

mdellweg commented 8 months ago

You can provide it via the environment, and also you can use API tokens in place of the password. Maybe that helps not to put the admin password into a file. ... I mean vault.
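
The approach suggested in the comment above, sketched as a cron wrapper (an added example, not part of the original thread or the project's code). It assumes GNU `stat`; the token path, account name and URL are hypothetical, while `FOREMAN_SERVER_URL`, `FOREMAN_USERNAME` and `FOREMAN_PASSWORD` are the environment variables the modules fall back to when a task omits those parameters.

```shell
#!/bin/sh
# Added example: hand a Foreman API token to ansible-playbook through the
# environment instead of writing the admin password into a playbook.
# TOKEN_FILE, the account name and the URL are assumptions for illustration.

TOKEN_FILE="${TOKEN_FILE:-/etc/foreman-automation/api_token}"  # hypothetical path

# Refuse a token file that is missing, a symlink, empty, owned by another
# user, or accessible to group/others (GNU stat, as on RHEL-based hosts).
check_token_file() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: missing or a symlink" >&2; return 1; }
    [ -s "$f" ] || { echo "$f: empty" >&2; return 1; }
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "$f: wrong owner" >&2; return 1; }
    case "$(stat -c '%a' "$f")" in
        600|400) return 0 ;;
        *) echo "$f: mode must be 0600 or 0400" >&2; return 1 ;;
    esac
}

# Export the variables the modules read when a task sets no
# server_url / username / password.
load_foreman_env() {
    check_token_file "$1" || return 1
    FOREMAN_SERVER_URL="${FOREMAN_SERVER_URL:-https://foreman.example.com}"  # placeholder URL
    FOREMAN_USERNAME="${FOREMAN_USERNAME:-svc-automation}"  # hypothetical account
    FOREMAN_PASSWORD="$(cat "$1")"  # API token used in place of the password
    export FOREMAN_SERVER_URL FOREMAN_USERNAME FOREMAN_PASSWORD
}

# Entry point for cron: all arguments are passed on to ansible-playbook.
run_foreman_playbook() {
    load_foreman_env "$TOKEN_FILE" || return 1
    ansible-playbook "$@"
}

if [ "$#" -gt 0 ]; then run_foreman_playbook "$@"; fi
```

The token stays out of the playbook, the crontab and the process arguments, but it is still a stored secret, so limit the account's role to what the job needs.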

Et7f3 commented 8 months ago

> You can provide it via the environment

You suggest using a global parameter? OK, if it is the recommended way.

> I mean vault

Using vault would still need an initial password stored and accessible from Ansible.

I thought that, like mysql/postgres/docker, we could authenticate with a unix socket instead of an https endpoint.

mdellweg commented 8 months ago

> I thought that, like mysql/postgres/docker, we could authenticate with a unix socket instead of an https endpoint.

If foreman allowed this...