Informatician

Reputation: 319

In Ansible, is it possible to define the authentication method per playbook?

TL;DR: Is it possible to chain two playbooks with one ansible-playbook command where one playbook is password auth and the other playbook is key auth? (see last section for real-world purpose).

Setup:

I have two playbooks, the second of which includes the first.

PlaybookA.yml

---
- name: PlaybookA # requires password authentication
  hosts: sub.domain.ext
  remote_user: root
  roles:
    - { role: role1, sudo: yes }
...

PlaybookB.yml

---
- name: Run PlaybookA
  include: PlaybookA.yml

- name: PlaybookB # requires ssh-key authentication
  hosts: sub.domain.ext
  remote_user: ansible
  roles:
    - { role: role2, sudo: yes }
...

Requirements:

  1. Execute only one command.
  2. Use password auth for PlaybookA.
  3. Use ssh-key auth for PlaybookB.

Question 1:

Is it possible within Ansible (versions 1.9.4 or lower) to execute one ansible-playbook command that will successfully run PlaybookB using ssh-key authentication but when PlaybookB includes PlaybookA, run PlaybookA using password authentication?

Question 2:

If this is not possible with Ansible 1.9.4 or lower, is this possible with 2.0.0+?

Notes of worth:

  1. Ansible provides --ask-pass (or -k) as a command line switch enabling password authentication.
  2. Ansible provides ask_pass as a variable but it seems as though it can only be set within ansible.cfg (I haven't been able to set this as a playbook variable to the desired effect).
  3. Attempting to set ask_pass as an instruction within a playbook results in the following: ERROR: ask_pass is not a legal parameter of an Ansible Play. If this parameter was legal, it would provide a way to instruct ansible on a per-playbook level, what authentication method to use.

Purpose / Real World:

I'm attempting to create a configuration management workflow with Ansible that will be simple enough that others at work will be able to learn / adapt to it (and hopefully the use of Ansible in general for CM and orchestration).

For any new machine (VM or physical) that gets built, I intend for us to run two playbooks immediately. PlaybookA (as shown above) has the responsibility of logging in with the correct default user (typically depends upon the infrastructure [aws, vsphere, none, etc]). Once in, its very limited job is to:

  1. Create the standardized user for ansible to run as (and install its ssh-key).
  2. Remove any non-root users that may exist (artifacts of the vm infrastructure, etc).
  3. Disable root access.
  4. Disable password authentication (ssh-key only from this point on).

Depending upon the vm infrastructure (or lack thereof), the default user or the default authentication method can be different. Toward the goal of adoption of Ansible, I'm attempting to keep things extremely simple for fellow co-workers, so I'd like to automate as much of this flow-control as possible.

Once PlaybookA has locked down the VM and set up the standardized user, PlaybookB uses that standardized user to perform all other operations necessary to bring our VMs up to the necessary baseline of tools and utilities, etc.

Any tips, hints, suggestions would be greatly appreciated.

Upvotes: 8

Views: 18302
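As an added example (not part of the question or of either answer), here is a stand-alone equivalent of PlaybookA with role1's four steps inlined as tasks, so the lockdown the question describes can be read end to end. Assumptions, none of which come from the question: the standardized user is called `ansible`, its public key sits at `files/ansible.pub` next to the playbook on the control node, sudo rights are granted through the `sudo` group and a `/etc/sudoers.d` drop-in, and the SSH daemon's service is named `sshd` (use `wheel` and `ssh` on RHEL- and Debian-style hosts respectively). The key is installed and validated before password authentication is switched off, so a failed step cannot lock the control node out.

```yaml
---
# Added example, not the asker's role1: bootstrap a freshly built host and
# lock it down so that only the "ansible" user with an SSH key can log in.
# Assumed names: user "ansible", key file files/ansible.pub, group "sudo",
# service "sshd". Works with the become/with_items syntax of Ansible 1.9+.
- name: PlaybookA - create the ansible user, then lock the host down
  hosts: sub.domain.ext
  remote_user: root          # the infrastructure's default user (root, ec2-user, ...)
  become: yes                # harmless for root, needed for a non-root default user
  vars:
    ansible_user_name: ansible
    ansible_pubkey: "{{ lookup('file', 'files/ansible.pub') }}"  # read on the control node
    # Accounts that step 2 must never remove.
    keep_users:
      - root
      - "{{ ansible_user_name }}"
  tasks:
    # 1. Create the standardized user and install its SSH key.
    - name: Create the ansible service account
      user:
        name: "{{ ansible_user_name }}"
        shell: /bin/bash
        groups: sudo           # "wheel" on RHEL-style hosts
        append: yes
        state: present

    - name: Install the control node's public key (and drop any key the image shipped)
      authorized_key:
        user: "{{ ansible_user_name }}"
        key: "{{ ansible_pubkey }}"
        exclusive: yes

    - name: Allow passwordless sudo for the ansible user (validated with visudo)
      copy:
        dest: /etc/sudoers.d/90-ansible
        content: "{{ ansible_user_name }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: 0440
        validate: 'visudo -cf %s'

    # 2. Remove non-root login users left behind by the image or hypervisor.
    - name: List human accounts (uid 1000..65533) present on the host
      shell: "awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd"
      register: human_users
      changed_when: false

    - name: Remove leftover accounts together with their home directories
      user:
        name: "{{ item }}"
        state: absent
        remove: yes
      with_items: "{{ human_users.stdout_lines }}"
      when: item not in keep_users

    # 3 and 4. Disable root login and every password-based method; each edit
    # is checked with sshd -t before it is written, and sshd is restarted once.
    - name: Harden sshd_config
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: 'sshd -t -f %s'
      with_items:
        - { regexp: '^#?PermitRootLogin ', line: 'PermitRootLogin no' }
        - { regexp: '^#?PasswordAuthentication ', line: 'PasswordAuthentication no' }
        # PAM keyboard-interactive would otherwise still accept passwords.
        - { regexp: '^#?ChallengeResponseAuthentication ', line: 'ChallengeResponseAuthentication no' }
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd             # "ssh" on Debian-style hosts
        state: restarted
```

The running session survives the sshd restart, so the play finishes even though the method it logged in with no longer exists; every later run has to come in as `ansible` with the key.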

Answers (2)

mulleto

Reputation: 364

I have been facing the same problem today. Two ideas may help you here:

  1. You can ask for the password using vars_prompt in your playbook instead of --ask-pass.
  2. Set the password using set_fact:


- name: "set password for the play"
  set_fact: ansible_ssh_pass="{{ my_pass }}"

You could store the password in a file, or prompt for it, as in the example below. In my example, the sshd config that's being created will forbid password logins, but using Ansible defaults, you will be surprised that the second playbook will still be executed (!), even though I "forgot" to create an authorized_key. That's due to the fact that Ansible uses the ControlPersist option of ssh, and simply keeps the connection between single tasks open. You can turn that off in ansible.cfg.

Example Playbook:


- name: "MAKE BARE: Run preparatory steps on a newly acquired server"
  hosts: blankee

  tasks:
    - name: "set password for the play"
      set_fact: ansible_ssh_pass="{{ my_pass }}"

    - name: "Create directory {{ pathsts }}/registry/ansible-init"
      file: name="{{ pathsts }}/registry/ansible-init" state=directory owner=root group=www-data mode=770

    - name: "copy sshd config file"
      copy:
        src:    'roles/newhost/files/sshd_config'
        dest:   '/etc/ssh/sshd_config'
        owner:  'root'
        group:  'root'
        mode:   '0644'

    - name: "Check syntax of sshd configuration"
      shell: sshd -t
      register: result
      changed_when: false
      failed_when: "result.rc != 0"

    - name: "Restart SSHD and enable Service to start at boot"
      service: name=sshd state=restarted
      changed_when: false

  vars:
    my_pass2: foobar

  vars_prompt:
    - name: "my_pass"
      prompt: "########## Enter PWD:\n "

- name: "Second run: This should authenticate w/out password:"
  hosts: blankee

  tasks:

    - name: "Create directory {{ pathsts }}/registry/ansible-init"
      file: name="{{ pathsts }}/registry/ansible-init22" state=directory owner=root group=www-data mode=770

Upvotes: 6
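The following is an added example, not code from the answer above or from the question: it applies the vars_prompt plus set_fact idea to the asker's two-role layout and, in the second play, forces a fresh SSH connection and proves that the key alone is accepted, so a forgotten authorized_key fails loudly instead of being masked by a connection that is still open. role1 and role2 are the roles from the question; the group name `blankee`, the user `ansible` and the key file `~/.ssh/ansible_key` are assumptions, as is `meta: reset_connection` being available (Ansible 2.3 or later). The control node needs sshpass installed for `ansible_ssh_pass` to take effect, and the inventory names must be resolvable hostnames, as in the question.

```yaml
---
# Added example (not the answer's or the asker's code): one ansible-playbook
# run whose first play logs in with a prompted root password and whose second
# play must authenticate with the key alone. Assumed: group "blankee", user
# "ansible", key ~/.ssh/ansible_key, Ansible >= 2.3 for meta: reset_connection,
# sshpass present on the control node.
- name: "First play: password authentication as root, then role1"
  hosts: blankee
  remote_user: root
  gather_facts: no          # fact gathering would open a connection before the password is set
  vars_prompt:
    - name: root_pass
      prompt: "Root password of the new host"
      private: yes
  pre_tasks:
    - name: Use the prompted password for the rest of this play only
      set_fact:             # runs on the control node, so no SSH connection is needed yet
        ansible_ssh_pass: "{{ root_pass }}"   # spelled ansible_password from 2.0 on; both work
      no_log: yes           # keep the password out of the task output

    - name: Gather facts now that the password is in place
      setup:
  roles:
    - { role: role1, become: yes }   # creates the ansible user, installs its key, locks sshd down

- name: "Second play: key authentication as the standardized user, then role2"
  hosts: blankee
  remote_user: ansible
  pre_tasks:
    # Drop any ControlPersist socket the first play left behind, so nothing
    # below rides on an already-authenticated session.
    - meta: reset_connection   # Ansible >= 2.3; older versions: remove ControlPersist from ssh_args in ansible.cfg

    - name: Prove that a brand-new connection succeeds with the key alone
      local_action: >-
        shell ssh -o ControlPath=none -o BatchMode=yes -o PasswordAuthentication=no
        -i ~/.ssh/ansible_key ansible@{{ inventory_hostname }} true
      changed_when: false      # BatchMode fails fast instead of prompting if the key is rejected
  roles:
    - { role: role2, become: yes }
```

If the first play forgot the authorized_key, the `ssh ... true` check fails with "Permission denied" and the run stops before role2 is attempted, which is the behaviour the answer above notes that the defaults hide.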

nikobelia

Reputation: 4887

I don't know a way to change the authentication method within the play. I think I'd prefer running two different playbooks as a Jenkins job or similar, but I can think of a pure Ansible workaround: instead of including the second playbook, you could get Ansible to run a shell command as a local action, and run the command to execute the second playbook from the first one. Here's a rough proof of concept:

---
- hosts: all
  vars_files:
    - vars.yml
  tasks:
    - debug: msg="Run your first role here."

    - name: Then call Ansible to run the second playbook.
      local_action: shell ansible-playbook -i ~/workspace/hosts ~/workspace/second_playbook.yml
      register: playbook_results

    - debug: var=playbook_results.stdout_lines

Here's the output:

GATHERING FACTS *************************************************************** 
ok: [vagrantbox]

TASK: [debug msg="Run your first role here."] ********************************* 
ok: [vagrantbox] => {
    "msg": "Run your first role here."
}

TASK: [Then call Ansible to run the second playbook.] ************************* 
changed: [vagrantbox -> 127.0.0.1]

TASK: [debug var=playbook_results.stdout_lines] ******************************* 
ok: [vagrantbox] => {
    "var": {
        "playbook_results.stdout_lines": [
            "", 
            "PLAY [Proof of concept] ******************************************************* ", 
            "", 
            "GATHERING FACTS *************************************************************** ", 
            "ok: [vagrantbox]", 
            "", 
            "TASK: [debug msg=\"This playbook was called from another playbook!\"] *********** ", 
            "ok: [vagrantbox] => {", 
            "    \"msg\": \"This playbook was called from another playbook!\"", 
            "}", 
            "", 
            "PLAY RECAP ******************************************************************** ", 
            "vagrantbox                 : ok=2    changed=0    unreachable=0    failed=0   "
        ]
    }
}

PLAY RECAP ******************************************************************** 
vagrantbox                 : ok=4    changed=1    unreachable=0    failed=0   

Upvotes: 0
