mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
improve become_method: runas error handling (#23328)
Adds prescriptive errors for username/password issues and NTLM/Kerberos auth failures, and cleans up exception noise.
parent
e66c98281e
commit
8d291f91ee
2 changed files with 34 additions and 3 deletions
|
@ -553,6 +553,13 @@ class PlayContext(Base):
|
||||||
elif self.become_method == 'runas':
|
elif self.become_method == 'runas':
|
||||||
# become is handled inside the WinRM connection plugin
|
# become is handled inside the WinRM connection plugin
|
||||||
display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.")
|
display.warning("The Windows 'runas' become method is experimental, and may change significantly in future Ansible releases.")
|
||||||
|
|
||||||
|
if not self.become_user:
|
||||||
|
raise AnsibleError(("The 'runas' become method requires a username "
|
||||||
|
"(specify with the '--become-user' CLI arg, the 'become_user' keyword, or the 'ansible_become_user' variable)"))
|
||||||
|
if not self.become_pass:
|
||||||
|
raise AnsibleError(("The 'runas' become method requires a password "
|
||||||
|
"(specify with the '-K' CLI arg or the 'ansible_become_password' variable)"))
|
||||||
becomecmd = cmd
|
becomecmd = cmd
|
||||||
|
|
||||||
elif self.become_method == 'doas':
|
elif self.become_method == 'doas':
|
||||||
|
|
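Review bot: The new `become_user` / `become_pass` checks in the `runas` branch run after `display.warning(...)`, so a play that is about to fail on missing credentials first prints the "experimental" warning; placing the two checks above the warning would leave only the actionable error. Note that `if not self.become_pass:` also rejects an empty-string password, which is worth stating in a comment so the behaviour is clearly intentional. The doubled parentheses in `raise AnsibleError((...))` are redundant and can be dropped. A short comment such as `# runas launches the process with explicit credentials, so both a user and a password must be set` would record why the checks are here. The enclosing method starts and ends outside the hunk.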
|
@ -316,6 +316,15 @@ Write-Output $output
|
||||||
|
|
||||||
} # end exec_wrapper
|
} # end exec_wrapper
|
||||||
|
|
||||||
|
Function Dump-Error ($excep) {
|
||||||
|
$eo = @{failed=$true}
|
||||||
|
|
||||||
|
$eo.msg = $excep.Exception.Message
|
||||||
|
$eo.exception = $excep | Out-String
|
||||||
|
$host.SetShouldExit(1)
|
||||||
|
|
||||||
|
$eo | ConvertTo-Json -Depth 10
|
||||||
|
}
|
||||||
|
|
||||||
Function Run($payload) {
|
Function Run($payload) {
|
||||||
# NB: action popping handled inside subprocess wrapper
|
# NB: action popping handled inside subprocess wrapper
|
||||||
|
@ -370,14 +379,25 @@ Function Run($payload) {
|
||||||
$psi.Username = $username
|
$psi.Username = $username
|
||||||
$psi.Password = $($password | ConvertTo-SecureString -AsPlainText -Force)
|
$psi.Password = $($password | ConvertTo-SecureString -AsPlainText -Force)
|
||||||
|
|
||||||
|
Try {
|
||||||
[Ansible.Shell.ProcessUtil]::GrantAccessToWindowStationAndDesktop($username)
|
[Ansible.Shell.ProcessUtil]::GrantAccessToWindowStationAndDesktop($username)
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$excep = $_
|
||||||
|
throw "Error granting windowstation/desktop access to '$username' (is the username valid?): $excep"
|
||||||
|
}
|
||||||
|
|
||||||
Try {
|
Try {
|
||||||
$proc.Start() | Out-Null # will always return $true for non shell-exec cases
|
$proc.Start() | Out-Null # will always return $true for non shell-exec cases
|
||||||
}
|
}
|
||||||
Catch {
|
Catch {
|
||||||
Write-Output $_.Exception.InnerException
|
$excep = $_
|
||||||
return
|
if ($excep.Exception.InnerException -and `
|
||||||
|
$excep.Exception.InnerException -is [System.ComponentModel.Win32Exception] -and `
|
||||||
|
$excep.Exception.InnerException.NativeErrorCode -eq 5) {
|
||||||
|
throw "Become method 'runas' become is not currently supported with the NTLM or Kerberos auth types"
|
||||||
|
}
|
||||||
|
throw "Error launching under identity '$username': $excep"
|
||||||
}
|
}
|
||||||
|
|
||||||
$payload_string = $payload | ConvertTo-Json -Depth 99 -Compress
|
$payload_string = $payload | ConvertTo-Json -Depth 99 -Compress
|
||||||
|
@ -404,6 +424,10 @@ Function Run($payload) {
|
||||||
Throw "failed, rc was $rc, stderr was $stderr, stdout was $stdout"
|
Throw "failed, rc was $rc, stderr was $stderr, stdout was $stdout"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Catch {
|
||||||
|
$excep = $_
|
||||||
|
Dump-Error $excep
|
||||||
|
}
|
||||||
Finally {
|
Finally {
|
||||||
Remove-Item $temp -ErrorAction SilentlyContinue
|
Remove-Item $temp -ErrorAction SilentlyContinue
|
||||||
}
|
}
|
||||||
|
|
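Review bot: In the `Catch` around `$proc.Start()` inside `Run`, every `Win32Exception` with `NativeErrorCode -eq 5` (access denied) is reported as an NTLM/Kerberos limitation, and the original error is discarded. Access denied at process start can have other causes, so the message may send an operator looking at the auth type when the real problem is elsewhere. The text also repeats a word ("Become method 'runas' become is not"). Keeping the underlying exception and softening the attribution would help triage, e.g. `throw "Access denied launching under identity '$username' (become method 'runas' is not currently supported with the NTLM or Kerberos auth types): $excep"`. `Run` starts and ends outside these hunks.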