wbrawner/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

standardize connection variable names (#51776)

Browse source 
* standardize user/password connection vars

* docs: use ansible_user and ansible_password

* docs: var precedence for connection vars

* docs: ansible_become_pass -> ansible_become_password etc
This commit is contained in:
James Cassell 2019-02-11 10:43:10 -05:00 committed by Sandra McCann
parent 51061f8a5f
commit 953058d025
35 changed files with 120 additions and 93 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
changelogs/fragments/standardize_connection_vars.yaml Normal file
View file

@ -0,0 +1,7 @@
minor_changes: |
Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
and ``ansible_<conn-type>_password`` variables. Variables such as
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
with lower priority than the standardized names and may be deprecated in the
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
be used unless there is a reason to use the connection-specific variables.

2
docs/docsite/rst/dev_guide/debugging.rst
View file

@ -19,7 +19,7 @@ To debug a module running on a remote target (i.e. not ``localhost``):
#. On your controller machine (running Ansible) set ``ANSIBLE_KEEP_REMOTE_FILES=1`` to tell Ansible to retain the modules it sends to the remote machine instead of removing them after you playbook runs.
#. Run your playbook targeting the remote machine and specify ``-vvvv`` (verbose) to display the remote location Ansible is using for the modules (among many other things).
#. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_ssh_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``.
#. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``.
#. SSH into the remote target after the playbook runs.
#. Navigate to the directory you noted in step 3.
#. Extract the module you want to debug from the zipped file that Ansible sent to the remote host: ``$ python my_test_module.py explode``. Ansible will expand the module into ``./debug-dir``. You can optionally run the zipped file by specifying ``python my_test_module.py``.

12
docs/docsite/rst/network/getting_started/first_inventory.rst
View file

@ -179,13 +179,13 @@ Create the encrypted ssh password for your VyOS network devices, pulling your an
.. code-block:: console
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_ssh_pass'
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_password'
If you prefer to type your ansible-vault password rather than store it in a file, you can request a prompt:
.. code-block:: console
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_ssh_pass'
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_password'
and type in the vault password for ``my_user``.
@ -193,7 +193,7 @@ The :option:`--vault-id <ansible-playbook --vault-id>` flag allows different vau
.. code-block:: yaml
ansible_ssh_pass: !vault |
ansible_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;my_user
66386134653765386232383236303063623663343437643766386435663632343266393064373933
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
@ -213,7 +213,7 @@ This is an example using an extract from a YAML inventory, as the INI format do
ansible_connection: network_cli
ansible_network_os: vyos
ansible_user: my_vyos_user
ansible_ssh_pass: !vault |
ansible_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;my_user
66386134653765386232383236303063623663343437643766386435663632343266393064373933
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
@ -244,11 +244,11 @@ To see the original value, you can use the debug module. Please note if your YAM
cat vyos.yml | grep -v ansible_connection >> vyos_no_connection.yml
ansible localhost -m debug -a var="ansible_ssh_pass" -e "@vyos_no_connection.yml" --ask-vault-pass
ansible localhost -m debug -a var="ansible_password" -e "@vyos_no_connection.yml" --ask-vault-pass
Vault password:
localhost | SUCCESS => {
"ansible_ssh_pass": "VyOS_SSH_password"
"ansible_password": "VyOS_SSH_password"
}

10
docs/docsite/rst/network/user_guide/network_best_practices_2.5.rst
View file

@ -80,7 +80,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
ansible_become_method=enable
ansible_network_os=eos
ansible_user=my_eos_user
ansible_ssh_pass= !vault |
ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256
37373735393636643261383066383235363664386633386432343236663533343730353361653735
6131363539383931353931653533356337353539373165320a316465383138636532343463633236
@ -98,7 +98,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
ansible_become_method=enable
ansible_network_os=ios
ansible_user=my_ios_user
ansible_ssh_pass= !vault |
ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256
34623431313336343132373235313066376238386138316466636437653938623965383732373130
3466363834613161386538393463663861636437653866620a373136356366623765373530633735
@ -114,7 +114,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
[vyos:vars]
ansible_network_os=vyos
ansible_user=my_vyos_user
ansible_ssh_pass= !vault |
ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256
39336231636137663964343966653162353431333566633762393034646462353062633264303765
6331643066663534383564343537343334633031656538370a333737656236393835383863306466
@ -122,7 +122,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
3665626431626532630a353564323566316162613432373738333064366130303637616239396438
9853
If you use ssh-agent, you do not need the ``ansible_ssh_pass`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`.
If you use ssh-agent, you do not need the ``ansible_password`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`.
.. FIXME FUTURE Gundalow - Link to network auth & proxy page (to be written)
@ -137,7 +137,7 @@ The "Vault" feature of Ansible allows you to keep sensitive data such as passwor
Informs Ansible which Network platform this hosts corresponds to. This is required when using ``network_cli`` or ``netconf``.
:ansible_user: The user to connect to the remote device (switch) as. Without this the user that is running ``ansible-playbook`` would be used.
Specifies which user on the network device the connection
:ansible_ssh_pass:
:ansible_password:
The corresponding password for ``ansible_user`` to log in as. If not specified SSH key will be used.
:ansible_become:
If enable mode (privilege mode) should be used, see the next section.

2
docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst
View file

@ -703,7 +703,7 @@ Example Ansible inventory file
ansible_connection=netconf
ansible_network_os=junos
ansible_user=myuser
ansible_ssh_pass=!vault...
ansible_password=!vault...
.. note:: Using ``ProxyCommand`` with passwords via variables

8
docs/docsite/rst/network/user_guide/platform_cnos.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/cnos.yml``
ansible_connection: network_cli
ansible_network_os: cnos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_dellos10.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos10.yml``
ansible_connection: network_cli
ansible_network_os: dellos10
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_dellos6.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos6.yml``
ansible_connection: network_cli
ansible_network_os: dellos6
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_dellos9.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos9.yml``
ansible_connection: network_cli
ansible_network_os: dellos9
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_enos.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/enos.yml``
ansible_connection: network_cli
ansible_network_os: enos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

10
docs/docsite/rst/network/user_guide/platform_eos.rst
View file

@ -52,14 +52,14 @@ Example CLI ``group_vars/eos.yml``
ansible_connection: network_cli
ansible_network_os: eos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -106,7 +106,7 @@ Example eAPI ``group_vars/eos.yml``
ansible_connection: httpapi
ansible_network_os: eos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
proxy_env:
@ -140,7 +140,7 @@ eAPI examples with ``connection: local``
ansible_connection: local
ansible_network_os: eos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
eapi:
host: "{{ inventory_hostname }}"
transport: eapi

4
docs/docsite/rst/network/user_guide/platform_exos.rst
View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/exos.yml``
ansible_connection: network_cli
ansible_network_os: exos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_ios.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/ios.yml``
ansible_connection: network_cli
ansible_network_os: ios
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

8
docs/docsite/rst/network/user_guide/platform_ironware.rst
View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` |
| | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/mlx.yml``
ansible_connection: network_cli
ansible_network_os: ironware
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

6
docs/docsite/rst/network/user_guide/platform_junos.rst
View file

@ -46,11 +46,11 @@ Example CLI inventory ``[junos:vars]``
ansible_connection=network_cli
ansible_network_os=junos
ansible_user=myuser
ansible_ssh_pass=!vault...
ansible_password=!vault...
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -96,7 +96,7 @@ Example NETCONF inventory ``[junos:vars]``
ansible_connection=netconf
ansible_network_os=junos
ansible_user=myuser
ansible_ssh_pass=!vault |
ansible_password=!vault |
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'

2
docs/docsite/rst/network/user_guide/platform_netconf_enabled.rst
View file

@ -59,7 +59,7 @@ Example NETCONF inventory ``[junos:vars]``
ansible_connection=netconf
ansible_network_os=junos
ansible_user=myuser
ansible_ssh_pass=!vault |
ansible_password=!vault |
Example NETCONF Task

4
docs/docsite/rst/network/user_guide/platform_nos.rst
View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/nos.yml``
ansible_connection: network_cli
ansible_network_os: nos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

10
docs/docsite/rst/network/user_guide/platform_nxos.rst
View file

@ -29,7 +29,7 @@ Connections Available
+---------------------------+-----------------------------------------------+-----------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | not supported by NX-API |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | |
| | supported as of 2.5.3 | | and ``ansible_become_pass:`` | | |
| | supported as of 2.5.3 | | and ``ansible_become_password:`` | | |
+---------------------------+-----------------------------------------------+-----------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | ``stdout[0].messages[0].`` |
+---------------------------+-----------------------------------------------+-----------------------------------------+
@ -47,14 +47,14 @@ Example CLI ``group_vars/nxos.yml``
ansible_connection: network_cli
ansible_network_os: nxos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -99,7 +99,7 @@ Example NX-API ``group_vars/nxos.yml``
ansible_connection: httpapi
ansible_network_os: nxos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
proxy_env:
http_proxy: http://proxy.example.com:8080

6
docs/docsite/rst/network/user_guide/platform_routeros.rst
View file

@ -40,14 +40,14 @@ Example CLI ``group_vars/routeros.yml``
ansible_connection: network_cli
ansible_network_os: routeros
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: !vault...
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

4
docs/docsite/rst/network/user_guide/platform_slxos.rst
View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/slxos.yml``
ansible_connection: network_cli
ansible_network_os: slxos
ansible_user: myuser
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

4
docs/docsite/rst/network/user_guide/platform_voss.rst
View file

@ -49,11 +49,11 @@ Example CLI ``group_vars/voss.yml``
ansible_user: myuser
ansible_become: yes
ansible_become_method: enable
ansible_ssh_pass: !vault...
ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

7
docs/docsite/rst/porting_guides/porting_guide_2.8.rst
View file

@ -167,6 +167,13 @@ Noteworthy module changes
Plugins
=======
* Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
and ``ansible_<conn-type>_password`` variables. Variables such as
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
with lower priority than the standardized names and may be deprecated in the
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
be used unless there is a reason to use the connection-specific variables.
* The ``powershell`` shell plugin now uses ``async_dir`` to define the async path for the results file and the default
has changed to ``%USERPROFILE%\.ansible_async``. To control this path now, either set the ``ansible_async_dir``
variable or the ``async_dir`` value in the ``powershell`` section of the config ini.

8
docs/docsite/rst/scenario_guides/guide_aci.rst
View file

@ -135,7 +135,7 @@ So let us assume we have our target configured in the inventory using the FQDN n
my-apic-1:
ansible_host: apic01.fqdn.intra
ansible_user: admin
ansible_pass: my-password
ansible_password: my-password
One way to set this up is to add to every task the directive: ``delegate_to: localhost``.
@ -146,7 +146,7 @@ One way to set this up is to add to every task the directive: ``delegate_to: loc
aci_tenant:
host: '{{ ansible_host }}'
username: '{{ ansible_user }}'
password: '{{ ansible_pass }}'
password: '{{ ansible_password }}'
state: query
delegate_to: localhost
@ -168,7 +168,7 @@ In this case the inventory may look like this:
my-apic-1:
ansible_host: apic01.fqdn.intra
ansible_user: admin
ansible_pass: my-password
ansible_password: my-password
ansible_connection: local
But used tasks do not need anything special added.
@ -179,7 +179,7 @@ But used tasks do not need anything special added.
aci_tenant:
host: '{{ ansible_host }}'
username: '{{ ansible_user }}'
password: '{{ ansible_pass }}'
password: '{{ ansible_password }}'
state: query
register: all_tenants

6
docs/docsite/rst/scenario_guides/guide_rax.rst
View file

@ -130,7 +130,7 @@ The rax module returns data about the nodes it creates, like IP addresses, hostn
add_host:
hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}"
ansible_password: "{{ item.rax_adminpass }}"
groups: raxhosts
loop: "{{ rax.success }}"
when: rax.action == 'create'
@ -511,7 +511,7 @@ Build a complete webserver environment with servers, custom networks and load ba
add_host:
hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}"
ansible_password: "{{ item.rax_adminpass }}"
ansible_user: root
groups: web
loop: "{{ rax.success }}"
@ -592,7 +592,7 @@ Using a Control Machine
add_host:
hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}"
ansible_password: "{{ item.rax_adminpass }}"
ansible_user: root
rax_id: "{{ item.rax_id }}"
groups: web,new_web

14
docs/docsite/rst/user_guide/become.rst
View file

@ -73,7 +73,7 @@ ansible_become_method
ansible_become_user
set the user you become through privilege escalation; does not imply ``ansible_become: yes``
ansible_become_pass
ansible_become_password
set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text
For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this::
@ -298,7 +298,7 @@ Passwords for enable mode
If you need a password to enter ``enable`` mode, you can specify it in one of two ways:
* providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
* setting the ``ansible_become_pass`` connection variable
* setting the ``ansible_become_password`` connection variable
.. warning::
@ -553,8 +553,8 @@ option for a Scheduled Task. In this scenario, the become process will not be
able to access any network resources like a normal WinRM process.
To make a distinction between using become with no password and becoming an
account that has no password make sure to keep ``ansible_become_pass`` as
undefined or set ``ansible_become_pass:``.
account that has no password make sure to keep ``ansible_become_password`` as
undefined or set ``ansible_become_password:``.
.. Note:: Because there are no guarantees an existing token will exist for a
user when Ansible runs, there's a high change the become process will only
@ -568,7 +568,7 @@ Accounts without a Password
Ansible can be used to become an account that does not have a password (like the
``Guest`` account). To become an account without a password, set up the
variables like normal but set ``ansible_become_pass: ''``.
variables like normal but set ``ansible_become_password: ''``.
Before become can work on an account like this, the local policy
`Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)>`_
@ -586,7 +586,7 @@ or with this Ansible task:
state: present
.. Note:: This is only for accounts that do not have a password. You still need
to set the account's password under ``ansible_become_pass`` if the
to set the account's password under ``ansible_become_password`` if the
become_user has a password.
Become Flags
@ -661,7 +661,7 @@ Here are some examples of how to use ``become_flags`` with Windows tasks:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: DOMAIN\user
ansible_become_pass: Password01
ansible_become_password: Password01
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
- name: run a command under a batch logon

12
docs/docsite/rst/user_guide/intro_inventory.rst
View file

@ -515,15 +515,15 @@ General for all connections:
ansible_host
The name of the host to connect to, if different from the alias you wish to give to it.
ansible_port
The ssh port number, if not 22
The connection port number, if not the default (22 for ssh)
ansible_user
The default ssh user name to use.
The user name to use when connecting to the host
ansible_password
The password to use to authenticate to the host (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
Specific to the SSH connection:
ansible_ssh_pass
The ssh password to use (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
ansible_ssh_private_key_file
Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent.
ansible_ssh_common_args
@ -550,8 +550,8 @@ ansible_become_method
Allows to set privilege escalation method
ansible_become_user
Equivalent to ``ansible_sudo_user`` or ``ansible_su_user``, allows to set the user you become through privilege escalation
ansible_become_pass
Equivalent to ``ansible_sudo_pass`` or ``ansible_su_pass``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
ansible_become_password
Equivalent to ``ansible_sudo_password`` or ``ansible_su_password``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
ansible_become_exe
Equivalent to ``ansible_sudo_exe`` or ``ansible_su_exe``, allows you to set the executable for the escalation method selected
ansible_become_flags

10
docs/docsite/rst/user_guide/playbooks_variables.rst
View file

@ -1047,7 +1047,7 @@ Basically, anything that goes into "role defaults" (the defaults folder inside t
This last one can be superceeded by the user via ``ansible_group_priority``, which defaults to ``1`` for all groups.
This variable, ``ansible_group_priority``, can only be set in the inventory source and not in group_vars/ as the variable is used in the loading of group_vars/.
Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_ssh_user: ramon`` and you run::
Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_user: ramon`` and you run::
ansible -u lola myhost
@ -1060,7 +1060,7 @@ For plays/tasks this is also true for ``remote_user``. Assuming the same invento
- command: I'll connect as ramon still
remote_user: lola
will have the value of ``remote_user`` overwritten by ``ansible_ssh_user`` in the inventory.
will have the value of ``remote_user`` overwritten by ``ansible_user`` in the inventory.
This is done so host-specific settings can override the general settings. These variables are normally defined per host or group in inventory,
but they behave like other variables.
@ -1069,7 +1069,11 @@ If you want to override the remote user globally (even over inventory) you can u
ansible... -e "ansible_user=maria" -u lola
the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``ansible_ssh_user``, or ``remote_user``) might be set.
the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``remote_user``) might be set.
A connection-specific version of a variable takes precedence over more generic
versions. For example, ``ansible_ssh_user`` specified as a group_var would have
a higher precedence than ``ansible_user`` specified as a host_var.
You can also override as a normal variable in a play::

4
lib/ansible/plugins/connection/__init__.py
View file

@ -184,13 +184,13 @@ class ConnectionBase(AnsiblePlugin):
processed on the remote machine, not on the local machine so no
shell is needed on the local machine. (Example, ``/bin/sh``)
:ConnectionCommand: This is the command that connects us to the remote
machine to run the rest of the command. ``ansible_ssh_user``,
machine to run the rest of the command. ``ansible_user``,
``ansible_ssh_host`` and so forth are fed to this piece of the
command to connect to the correct host (Examples ``ssh``,
``chroot``)
:UsersLoginShell: This shell may or may not be created depending on
the ConnectionCommand used by the connection plugin. This is the
shell that the ``ansible_ssh_user`` has configured as their login
shell that the ``ansible_user`` has configured as their login
shell. In traditional UNIX parlance, this is the last field of
a user's ``/etc/passwd`` entry We do not specifically try to run
the ``UsersLoginShell`` when we connect. Instead it is implicit

1
lib/ansible/plugins/connection/httpapi.py
View file

@ -61,6 +61,7 @@ options:
vars:
- name: ansible_password
- name: ansible_httpapi_pass
- name: ansible_httpapi_password
use_ssl:
type: boolean
description:

1
lib/ansible/plugins/connection/kubectl.py
View file

@ -103,6 +103,7 @@ DOCUMENTATION = """
default: ''
vars:
- name: ansible_kubectl_username
- name: ansible_kubectl_user
env:
- name: K8S_AUTH_USERNAME
kubectl_password:

1
lib/ansible/plugins/connection/napalm.py
View file

@ -66,6 +66,7 @@ options:
vars:
- name: ansible_password
- name: ansible_ssh_pass
- name: ansible_ssh_password
private_key_file:
description:
- The private SSH key or certificate file used to authenticate to the

2
lib/ansible/plugins/connection/netconf.py
View file

@ -67,6 +67,8 @@ options:
vars:
- name: ansible_password
- name: ansible_ssh_pass
- name: ansible_ssh_password
- name: ansible_netconf_password
private_key_file:
description:
- The private SSH key or certificate file used to authenticate to the

1
lib/ansible/plugins/connection/network_cli.py
View file

@ -63,6 +63,7 @@ options:
vars:
- name: ansible_password
- name: ansible_ssh_pass
- name: ansible_ssh_password
private_key_file:
description:
- The private SSH key or certificate file used to authenticate to the

2
lib/ansible/plugins/connection/paramiko_ssh.py
View file

@ -51,7 +51,9 @@ DOCUMENTATION = """
vars:
- name: ansible_password
- name: ansible_ssh_pass
- name: ansible_ssh_password
- name: ansible_paramiko_pass
- name: ansible_paramiko_password
version_added: '2.5'
host_key_auto_add:
description: 'TODO: write it'

5
lib/ansible/plugins/connection/ssh.py
View file

@ -47,6 +47,7 @@ DOCUMENTATION = '''
vars:
- name: ansible_password
- name: ansible_ssh_pass
- name: ansible_ssh_password
ssh_args:
description: Arguments to pass to all ssh cli tools
default: '-C -o ControlMaster=auto -o ControlPersist=60s'
@ -605,7 +606,7 @@ class Connection(ConnectionBase):
b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
b"-o", b"PasswordAuthentication=no"
),
u"ansible_password/ansible_ssh_pass not set"
u"ansible_password/ansible_ssh_password not set"
)
user = self._play_context.remote_user
@ -924,7 +925,7 @@ class Connection(ConnectionBase):
if states[state] == 'awaiting_prompt':
if self._flags['become_prompt']:
display.debug('Sending become_pass in response to prompt')
display.debug('Sending become_password in response to prompt')
stdin.write(to_bytes(self._play_context.become_pass) + b'\n')
# On python3 stdin is a BufferedWriter, and we don't have a guarantee
# that the write will happen without a flush