Cp-ansible: Exception SASL SCRAM User when password is vaulted

Created on 6 Apr 2021  ·  4 comments  ·  Source: confluentinc/cp-ansible

Describe the issue

Using your playbook with sasl_protocol set to scram. If you set a vaulted user password, you get an exception in this task:

    fatal: [XXXXXXX]: FAILED! => {"msg": "An unhandled exception occurred while templating '{{ kafka_broker_combined_properties | combine(kafka_broker_custom_properties) }}'. [....] can only concatenate str (not \"AnsibleVaultEncryptedUnicode\") to str"}

I think the problem arises from the combine_properties function, because in the default configuration the password is a string. So if the password is vault-encoded, maybe it could be fixed with the 'toString() python method':


    def combine_properties(self, properties_dict):
        # Loops over master properties dictionary and combines sub elements if enabled
        final_dict = {}
        for prop in properties_dict:
            if properties_dict[prop].get('enabled'):
                final_dict.update(properties_dict[prop].get('properties'))
        return final_dict

To Reproduce

All vars configuration:

    sasl_protocol: scram

    sasl_scram_users:
      admin:
        principal: "admin"
        password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32313537636131333038303532613231653233343565303831396530393061643031303432303632
          6537306234393563343861643834336430353930643062370a663563376131653664653430363963
          62303339313937646635663032326266383439623736623462373632313934643261303634663732
          3331643634623337610a616365613231346630656564616265656231633238313932333437363461
          65626165666531656463353562323165376135653631316435653337366164653063
      client:
        principal: "client"
        password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35653666663833386164616630353966363231633234633561663464653931393835653830303630
          3263373337396137653637383332656539373766346438370a353164383737306535646234363065
          66643863353439663064346564333062373265653036646137306531353336323931653931363032
          3231373831366531640a323161386538333966646635353462623263346234306631383635646237
          34613764663736346362616562623061333438613461616162386532373266393166

Workaround

A workaround exists: you need to convert the vault-encoded string:

    sasl_protocol: scram

    sasl_admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32313537636131333038303532613231653233343565303831396530393061643031303432303632
      6537306234393563343861643834336430353930643062370a663563376131653664653430363963
      62303339313937646635663032326266383439623736623462373632313934643261303634663732
      3331643634623337610a616365613231346630656564616265656231633238313932333437363461
      65626165666531656463353562323165376135653631316435653337366164653063

    sasl_client_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35653666663833386164616630353966363231633234633561663464653931393835653830303630
      3263373337396137653637383332656539373766346438370a353164383737306535646234363065
      66643863353439663064346564333062373265653036646137306531353336323931653931363032
      3231373831366531640a323161386538333966646635353462623263346234306631383635646237
      34613764663736346362616562623061333438613461616162386532373266393166

    sasl_scram_users:
      admin:
        principal: "admin"
        password: "{{sasl_admin_password|string}}"
      client:
        principal: "client"
        password: "{{sasl_client_password|string}}"
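An added example (not code from cp-ansible or from the issue author) that reproduces the failure described above and shows one way combine_properties could coerce vaulted values itself, which is what the `|string` workaround does at the variable level. It assumes a constructed stand-in class for AnsibleVaultEncryptedUnicode, since the real class is a Sequence (not a str subclass) whose str() yields the decrypted text, and a hypothetical consumer function render_jaas_line that concatenates like the templating step does.

```python
from collections.abc import Sequence


class FakeVaultedUnicode(Sequence):
    """Constructed stand-in for ansible's AnsibleVaultEncryptedUnicode.

    Like the real class it is a Sequence rather than a str, so
    'text' + instance raises TypeError ("can only concatenate str ..."),
    while str(instance) returns the decrypted value.
    """

    def __init__(self, plaintext):
        self._plaintext = plaintext  # the real class decrypts lazily

    def __getitem__(self, i):
        return self._plaintext[i]

    def __len__(self):
        return len(self._plaintext)

    def __str__(self):
        return self._plaintext


def combine_properties_original(properties_dict):
    # Behaviour as quoted in the issue: values are copied through untouched,
    # so a vaulted password survives into the combined dict as a non-str.
    final_dict = {}
    for prop in properties_dict:
        if properties_dict[prop].get('enabled'):
            final_dict.update(properties_dict[prop].get('properties'))
    return final_dict


def combine_properties_hardened(properties_dict):
    # Same loop, but non-str values are coerced with str(), so vaulted
    # values reach the templates as plain strings (as '|string' would).
    final_dict = {}
    for prop in properties_dict:
        if properties_dict[prop].get('enabled'):
            for key, value in properties_dict[prop].get('properties', {}).items():
                final_dict[key] = value if isinstance(value, str) else str(value)
    return final_dict


def render_jaas_line(props):
    # Hypothetical consumer mirroring the concatenation the template performs.
    return 'password="' + props['scram_password'] + '";'


SAMPLE = {  # constructed input shaped like the sasl_scram_users case above
    'scram': {'enabled': True, 'properties': {
        'scram_user': 'admin',
        'scram_password': FakeVaultedUnicode('s3cret-from-vault')}},
    'plain': {'enabled': False, 'properties': {'scram_user': 'unused'}},
}
```

Note that after coercion the decrypted secret is an ordinary string in the combined dict, so any task that renders or debugs those properties should still keep no_log enabled.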

All 4 comments

@LGouellec Could the following Ansible best practice be a valid workaround for you: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#keep-vaulted-variables-safely-visible, or is that irrelevant for the issue?

Hi @erikgb,

Yeah it's a valid workaround.
Could we not manage AnsibleVaultEncryptedUnicode in the function combine_properties?

> Yeah it's a valid workaround.

That's nice! 👍

> Could we not manage AnsibleVaultEncryptedUnicode in the function combine_properties?

Yes, I think this could be fixed. Please submit a PR to fix this, and we can review it. This bug will be put in our backlog and handled according to best effort as described here. Or use Confluent Support if you are a Confluent customer.

Resolved in PR #640
