1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

standardize connection variable names (#51776)

* standardize user/password connection vars

* docs: use ansible_user and ansible_password

* docs: var precedence for connection vars

* docs: ansible_become_pass -> ansible_become_password etc
This commit is contained in:
James Cassell 2019-02-11 10:43:10 -05:00 committed by Sandra McCann
parent 51061f8a5f
commit 953058d025
35 changed files with 120 additions and 93 deletions

View file

@ -0,0 +1,7 @@
minor_changes: |
Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
and ``ansible_<conn-type>_password`` variables. Variables such as
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
with lower priority than the standardized names and may be deprecated in the
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
be used unless there is a reason to use the connection-specific variables.

View file

@ -19,7 +19,7 @@ To debug a module running on a remote target (i.e. not ``localhost``):
#. On your controller machine (running Ansible) set ``ANSIBLE_KEEP_REMOTE_FILES=1`` to tell Ansible to retain the modules it sends to the remote machine instead of removing them after you playbook runs. #. On your controller machine (running Ansible) set ``ANSIBLE_KEEP_REMOTE_FILES=1`` to tell Ansible to retain the modules it sends to the remote machine instead of removing them after you playbook runs.
#. Run your playbook targeting the remote machine and specify ``-vvvv`` (verbose) to display the remote location Ansible is using for the modules (among many other things). #. Run your playbook targeting the remote machine and specify ``-vvvv`` (verbose) to display the remote location Ansible is using for the modules (among many other things).
#. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_ssh_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``. #. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``.
#. SSH into the remote target after the playbook runs. #. SSH into the remote target after the playbook runs.
#. Navigate to the directory you noted in step 3. #. Navigate to the directory you noted in step 3.
#. Extract the module you want to debug from the zipped file that Ansible sent to the remote host: ``$ python my_test_module.py explode``. Ansible will expand the module into ``./debug-dir``. You can optionally run the zipped file by specifying ``python my_test_module.py``. #. Extract the module you want to debug from the zipped file that Ansible sent to the remote host: ``$ python my_test_module.py explode``. Ansible will expand the module into ``./debug-dir``. You can optionally run the zipped file by specifying ``python my_test_module.py``.

View file

@ -179,13 +179,13 @@ Create the encrypted ssh password for your VyOS network devices, pulling your an
.. code-block:: console .. code-block:: console
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_ssh_pass' ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_password'
If you prefer to type your ansible-vault password rather than store it in a file, you can request a prompt: If you prefer to type your ansible-vault password rather than store it in a file, you can request a prompt:
.. code-block:: console .. code-block:: console
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_ssh_pass' ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_password'
and type in the vault password for ``my_user``. and type in the vault password for ``my_user``.
@ -193,7 +193,7 @@ The :option:`--vault-id <ansible-playbook --vault-id>` flag allows different vau
.. code-block:: yaml .. code-block:: yaml
ansible_ssh_pass: !vault | ansible_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;my_user $ANSIBLE_VAULT;1.2;AES256;my_user
66386134653765386232383236303063623663343437643766386435663632343266393064373933 66386134653765386232383236303063623663343437643766386435663632343266393064373933
3661666132363339303639353538316662616638356631650a316338316663666439383138353032 3661666132363339303639353538316662616638356631650a316338316663666439383138353032
@ -213,7 +213,7 @@ This is an example using an extract from a YAML inventory, as the INI format do
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: vyos ansible_network_os: vyos
ansible_user: my_vyos_user ansible_user: my_vyos_user
ansible_ssh_pass: !vault | ansible_password: !vault |
$ANSIBLE_VAULT;1.2;AES256;my_user $ANSIBLE_VAULT;1.2;AES256;my_user
66386134653765386232383236303063623663343437643766386435663632343266393064373933 66386134653765386232383236303063623663343437643766386435663632343266393064373933
3661666132363339303639353538316662616638356631650a316338316663666439383138353032 3661666132363339303639353538316662616638356631650a316338316663666439383138353032
@ -244,11 +244,11 @@ To see the original value, you can use the debug module. Please note if your YAM
cat vyos.yml | grep -v ansible_connection >> vyos_no_connection.yml cat vyos.yml | grep -v ansible_connection >> vyos_no_connection.yml
ansible localhost -m debug -a var="ansible_ssh_pass" -e "@vyos_no_connection.yml" --ask-vault-pass ansible localhost -m debug -a var="ansible_password" -e "@vyos_no_connection.yml" --ask-vault-pass
Vault password: Vault password:
localhost | SUCCESS => { localhost | SUCCESS => {
"ansible_ssh_pass": "VyOS_SSH_password" "ansible_password": "VyOS_SSH_password"
} }

View file

@ -80,7 +80,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
ansible_become_method=enable ansible_become_method=enable
ansible_network_os=eos ansible_network_os=eos
ansible_user=my_eos_user ansible_user=my_eos_user
ansible_ssh_pass= !vault | ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
37373735393636643261383066383235363664386633386432343236663533343730353361653735 37373735393636643261383066383235363664386633386432343236663533343730353361653735
6131363539383931353931653533356337353539373165320a316465383138636532343463633236 6131363539383931353931653533356337353539373165320a316465383138636532343463633236
@ -98,7 +98,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
ansible_become_method=enable ansible_become_method=enable
ansible_network_os=ios ansible_network_os=ios
ansible_user=my_ios_user ansible_user=my_ios_user
ansible_ssh_pass= !vault | ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34623431313336343132373235313066376238386138316466636437653938623965383732373130 34623431313336343132373235313066376238386138316466636437653938623965383732373130
3466363834613161386538393463663861636437653866620a373136356366623765373530633735 3466363834613161386538393463663861636437653866620a373136356366623765373530633735
@ -114,7 +114,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
[vyos:vars] [vyos:vars]
ansible_network_os=vyos ansible_network_os=vyos
ansible_user=my_vyos_user ansible_user=my_vyos_user
ansible_ssh_pass= !vault | ansible_password= !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
39336231636137663964343966653162353431333566633762393034646462353062633264303765 39336231636137663964343966653162353431333566633762393034646462353062633264303765
6331643066663534383564343537343334633031656538370a333737656236393835383863306466 6331643066663534383564343537343334633031656538370a333737656236393835383863306466
@ -122,7 +122,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
3665626431626532630a353564323566316162613432373738333064366130303637616239396438 3665626431626532630a353564323566316162613432373738333064366130303637616239396438
9853 9853
If you use ssh-agent, you do not need the ``ansible_ssh_pass`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`. If you use ssh-agent, you do not need the ``ansible_password`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`.
.. FIXME FUTURE Gundalow - Link to network auth & proxy page (to be written) .. FIXME FUTURE Gundalow - Link to network auth & proxy page (to be written)
@ -137,7 +137,7 @@ The "Vault" feature of Ansible allows you to keep sensitive data such as passwor
Informs Ansible which Network platform this hosts corresponds to. This is required when using ``network_cli`` or ``netconf``. Informs Ansible which Network platform this hosts corresponds to. This is required when using ``network_cli`` or ``netconf``.
:ansible_user: The user to connect to the remote device (switch) as. Without this the user that is running ``ansible-playbook`` would be used. :ansible_user: The user to connect to the remote device (switch) as. Without this the user that is running ``ansible-playbook`` would be used.
Specifies which user on the network device the connection Specifies which user on the network device the connection
:ansible_ssh_pass: :ansible_password:
The corresponding password for ``ansible_user`` to log in as. If not specified SSH key will be used. The corresponding password for ``ansible_user`` to log in as. If not specified SSH key will be used.
:ansible_become: :ansible_become:
If enable mode (privilege mode) should be used, see the next section. If enable mode (privilege mode) should be used, see the next section.

View file

@ -703,7 +703,7 @@ Example Ansible inventory file
ansible_connection=netconf ansible_connection=netconf
ansible_network_os=junos ansible_network_os=junos
ansible_user=myuser ansible_user=myuser
ansible_ssh_pass=!vault... ansible_password=!vault...
.. note:: Using ``ProxyCommand`` with passwords via variables .. note:: Using ``ProxyCommand`` with passwords via variables

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/cnos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: cnos ansible_network_os: cnos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos10.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: dellos10 ansible_network_os: dellos10
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos6.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: dellos6 ansible_network_os: dellos6
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos9.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: dellos9 ansible_network_os: dellos9
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/enos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: enos ansible_network_os: enos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -52,14 +52,14 @@ Example CLI ``group_vars/eos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: eos ansible_network_os: eos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -106,7 +106,7 @@ Example eAPI ``group_vars/eos.yml``
ansible_connection: httpapi ansible_connection: httpapi
ansible_network_os: eos ansible_network_os: eos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
proxy_env: proxy_env:
@ -140,7 +140,7 @@ eAPI examples with ``connection: local``
ansible_connection: local ansible_connection: local
ansible_network_os: eos ansible_network_os: eos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
eapi: eapi:
host: "{{ inventory_hostname }}" host: "{{ inventory_hostname }}"
transport: eapi transport: eapi

View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/exos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: exos ansible_network_os: exos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/ios.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: ios ansible_network_os: ios
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -27,7 +27,7 @@ Connections Available
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | | **Enable Mode** | | supported - use ``ansible_become: yes`` |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
| | | | and ``ansible_become_pass:`` | | | | | and ``ansible_become_password:`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | | **Returned Data Format** | ``stdout[0].`` |
+---------------------------+-----------------------------------------------+ +---------------------------+-----------------------------------------------+
@ -45,14 +45,14 @@ Example CLI ``group_vars/mlx.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: ironware ansible_network_os: ironware
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -46,11 +46,11 @@ Example CLI inventory ``[junos:vars]``
ansible_connection=network_cli ansible_connection=network_cli
ansible_network_os=junos ansible_network_os=junos
ansible_user=myuser ansible_user=myuser
ansible_ssh_pass=!vault... ansible_password=!vault...
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -96,7 +96,7 @@ Example NETCONF inventory ``[junos:vars]``
ansible_connection=netconf ansible_connection=netconf
ansible_network_os=junos ansible_network_os=junos
ansible_user=myuser ansible_user=myuser
ansible_ssh_pass=!vault | ansible_password=!vault |
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'

View file

@ -59,7 +59,7 @@ Example NETCONF inventory ``[junos:vars]``
ansible_connection=netconf ansible_connection=netconf
ansible_network_os=junos ansible_network_os=junos
ansible_user=myuser ansible_user=myuser
ansible_ssh_pass=!vault | ansible_password=!vault |
Example NETCONF Task Example NETCONF Task

View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/nos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: nos ansible_network_os: nos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -29,7 +29,7 @@ Connections Available
+---------------------------+-----------------------------------------------+-----------------------------------------+ +---------------------------+-----------------------------------------------+-----------------------------------------+
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | not supported by NX-API | | | **Enable Mode** | | supported - use ``ansible_become: yes`` | | not supported by NX-API |
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | | | | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | |
| | supported as of 2.5.3 | | and ``ansible_become_pass:`` | | | | | supported as of 2.5.3 | | and ``ansible_become_password:`` | | |
+---------------------------+-----------------------------------------------+-----------------------------------------+ +---------------------------+-----------------------------------------------+-----------------------------------------+
| **Returned Data Format** | ``stdout[0].`` | ``stdout[0].messages[0].`` | | **Returned Data Format** | ``stdout[0].`` | ``stdout[0].messages[0].`` |
+---------------------------+-----------------------------------------------+-----------------------------------------+ +---------------------------+-----------------------------------------------+-----------------------------------------+
@ -47,14 +47,14 @@ Example CLI ``group_vars/nxos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: nxos ansible_network_os: nxos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
@ -99,7 +99,7 @@ Example NX-API ``group_vars/nxos.yml``
ansible_connection: httpapi ansible_connection: httpapi
ansible_network_os: nxos ansible_network_os: nxos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
proxy_env: proxy_env:
http_proxy: http://proxy.example.com:8080 http_proxy: http://proxy.example.com:8080

View file

@ -40,14 +40,14 @@ Example CLI ``group_vars/routeros.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: routeros ansible_network_os: routeros
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_become_pass: !vault... ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -47,11 +47,11 @@ Example CLI ``group_vars/slxos.yml``
ansible_connection: network_cli ansible_connection: network_cli
ansible_network_os: slxos ansible_network_os: slxos
ansible_user: myuser ansible_user: myuser
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -49,11 +49,11 @@ Example CLI ``group_vars/voss.yml``
ansible_user: myuser ansible_user: myuser
ansible_become: yes ansible_become: yes
ansible_become_method: enable ansible_become_method: enable
ansible_ssh_pass: !vault... ansible_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration. - If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. - If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables. - If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.

View file

@ -167,6 +167,13 @@ Noteworthy module changes
Plugins Plugins
======= =======
* Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
and ``ansible_<conn-type>_password`` variables. Variables such as
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
with lower priority than the standardized names and may be deprecated in the
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
be used unless there is a reason to use the connection-specific variables.
* The ``powershell`` shell plugin now uses ``async_dir`` to define the async path for the results file and the default * The ``powershell`` shell plugin now uses ``async_dir`` to define the async path for the results file and the default
has changed to ``%USERPROFILE%\.ansible_async``. To control this path now, either set the ``ansible_async_dir`` has changed to ``%USERPROFILE%\.ansible_async``. To control this path now, either set the ``ansible_async_dir``
variable or the ``async_dir`` value in the ``powershell`` section of the config ini. variable or the ``async_dir`` value in the ``powershell`` section of the config ini.

View file

@ -135,7 +135,7 @@ So let us assume we have our target configured in the inventory using the FQDN n
my-apic-1: my-apic-1:
ansible_host: apic01.fqdn.intra ansible_host: apic01.fqdn.intra
ansible_user: admin ansible_user: admin
ansible_pass: my-password ansible_password: my-password
One way to set this up is to add to every task the directive: ``delegate_to: localhost``. One way to set this up is to add to every task the directive: ``delegate_to: localhost``.
@ -146,7 +146,7 @@ One way to set this up is to add to every task the directive: ``delegate_to: loc
aci_tenant: aci_tenant:
host: '{{ ansible_host }}' host: '{{ ansible_host }}'
username: '{{ ansible_user }}' username: '{{ ansible_user }}'
password: '{{ ansible_pass }}' password: '{{ ansible_password }}'
state: query state: query
delegate_to: localhost delegate_to: localhost
@ -168,7 +168,7 @@ In this case the inventory may look like this:
my-apic-1: my-apic-1:
ansible_host: apic01.fqdn.intra ansible_host: apic01.fqdn.intra
ansible_user: admin ansible_user: admin
ansible_pass: my-password ansible_password: my-password
ansible_connection: local ansible_connection: local
But used tasks do not need anything special added. But used tasks do not need anything special added.
@ -179,7 +179,7 @@ But used tasks do not need anything special added.
aci_tenant: aci_tenant:
host: '{{ ansible_host }}' host: '{{ ansible_host }}'
username: '{{ ansible_user }}' username: '{{ ansible_user }}'
password: '{{ ansible_pass }}' password: '{{ ansible_password }}'
state: query state: query
register: all_tenants register: all_tenants

View file

@ -130,7 +130,7 @@ The rax module returns data about the nodes it creates, like IP addresses, hostn
add_host: add_host:
hostname: "{{ item.name }}" hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}" ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}" ansible_password: "{{ item.rax_adminpass }}"
groups: raxhosts groups: raxhosts
loop: "{{ rax.success }}" loop: "{{ rax.success }}"
when: rax.action == 'create' when: rax.action == 'create'
@ -511,7 +511,7 @@ Build a complete webserver environment with servers, custom networks and load ba
add_host: add_host:
hostname: "{{ item.name }}" hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}" ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}" ansible_password: "{{ item.rax_adminpass }}"
ansible_user: root ansible_user: root
groups: web groups: web
loop: "{{ rax.success }}" loop: "{{ rax.success }}"
@ -592,7 +592,7 @@ Using a Control Machine
add_host: add_host:
hostname: "{{ item.name }}" hostname: "{{ item.name }}"
ansible_host: "{{ item.rax_accessipv4 }}" ansible_host: "{{ item.rax_accessipv4 }}"
ansible_ssh_pass: "{{ item.rax_adminpass }}" ansible_password: "{{ item.rax_adminpass }}"
ansible_user: root ansible_user: root
rax_id: "{{ item.rax_id }}" rax_id: "{{ item.rax_id }}"
groups: web,new_web groups: web,new_web

View file

@ -73,7 +73,7 @@ ansible_become_method
ansible_become_user ansible_become_user
set the user you become through privilege escalation; does not imply ``ansible_become: yes`` set the user you become through privilege escalation; does not imply ``ansible_become: yes``
ansible_become_pass ansible_become_password
set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text
For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this:: For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this::
@ -298,7 +298,7 @@ Passwords for enable mode
If you need a password to enter ``enable`` mode, you can specify it in one of two ways: If you need a password to enter ``enable`` mode, you can specify it in one of two ways:
* providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option * providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
* setting the ``ansible_become_pass`` connection variable * setting the ``ansible_become_password`` connection variable
.. warning:: .. warning::
@ -553,8 +553,8 @@ option for a Scheduled Task. In this scenario, the become process will not be
able to access any network resources like a normal WinRM process. able to access any network resources like a normal WinRM process.
To make a distinction between using become with no password and becoming an To make a distinction between using become with no password and becoming an
account that has no password make sure to keep ``ansible_become_pass`` as account that has no password make sure to keep ``ansible_become_password`` as
undefined or set ``ansible_become_pass:``. undefined or set ``ansible_become_password:``.
.. Note:: Because there are no guarantees an existing token will exist for a .. Note:: Because there are no guarantees an existing token will exist for a
user when Ansible runs, there's a high change the become process will only user when Ansible runs, there's a high change the become process will only
@ -568,7 +568,7 @@ Accounts without a Password
Ansible can be used to become an account that does not have a password (like the Ansible can be used to become an account that does not have a password (like the
``Guest`` account). To become an account without a password, set up the ``Guest`` account). To become an account without a password, set up the
variables like normal but set ``ansible_become_pass: ''``. variables like normal but set ``ansible_become_password: ''``.
Before become can work on an account like this, the local policy Before become can work on an account like this, the local policy
`Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)>`_ `Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)>`_
@ -586,7 +586,7 @@ or with this Ansible task:
state: present state: present
.. Note:: This is only for accounts that do not have a password. You still need .. Note:: This is only for accounts that do not have a password. You still need
to set the account's password under ``ansible_become_pass`` if the to set the account's password under ``ansible_become_password`` if the
become_user has a password. become_user has a password.
Become Flags Become Flags
@ -661,7 +661,7 @@ Here are some examples of how to use ``become_flags`` with Windows tasks:
ansible_become: yes ansible_become: yes
ansible_become_method: runas ansible_become_method: runas
ansible_become_user: DOMAIN\user ansible_become_user: DOMAIN\user
ansible_become_pass: Password01 ansible_become_password: Password01
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
- name: run a command under a batch logon - name: run a command under a batch logon

View file

@ -515,15 +515,15 @@ General for all connections:
ansible_host ansible_host
The name of the host to connect to, if different from the alias you wish to give to it. The name of the host to connect to, if different from the alias you wish to give to it.
ansible_port ansible_port
The ssh port number, if not 22 The connection port number, if not the default (22 for ssh)
ansible_user ansible_user
The default ssh user name to use. The user name to use when connecting to the host
ansible_password
The password to use to authenticate to the host (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
Specific to the SSH connection: Specific to the SSH connection:
ansible_ssh_pass
The ssh password to use (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
ansible_ssh_private_key_file ansible_ssh_private_key_file
Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent. Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent.
ansible_ssh_common_args ansible_ssh_common_args
@ -550,8 +550,8 @@ ansible_become_method
Allows to set privilege escalation method Allows to set privilege escalation method
ansible_become_user ansible_become_user
Equivalent to ``ansible_sudo_user`` or ``ansible_su_user``, allows to set the user you become through privilege escalation Equivalent to ``ansible_sudo_user`` or ``ansible_su_user``, allows to set the user you become through privilege escalation
ansible_become_pass ansible_become_password
Equivalent to ``ansible_sudo_pass`` or ``ansible_su_pass``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`) Equivalent to ``ansible_sudo_password`` or ``ansible_su_password``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
ansible_become_exe ansible_become_exe
Equivalent to ``ansible_sudo_exe`` or ``ansible_su_exe``, allows you to set the executable for the escalation method selected Equivalent to ``ansible_sudo_exe`` or ``ansible_su_exe``, allows you to set the executable for the escalation method selected
ansible_become_flags ansible_become_flags

View file

@ -1047,7 +1047,7 @@ Basically, anything that goes into "role defaults" (the defaults folder inside t
This last one can be superceeded by the user via ``ansible_group_priority``, which defaults to ``1`` for all groups. This last one can be superceeded by the user via ``ansible_group_priority``, which defaults to ``1`` for all groups.
This variable, ``ansible_group_priority``, can only be set in the inventory source and not in group_vars/ as the variable is used in the loading of group_vars/. This variable, ``ansible_group_priority``, can only be set in the inventory source and not in group_vars/ as the variable is used in the loading of group_vars/.
Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_ssh_user: ramon`` and you run:: Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_user: ramon`` and you run::
ansible -u lola myhost ansible -u lola myhost
@ -1060,7 +1060,7 @@ For plays/tasks this is also true for ``remote_user``. Assuming the same invento
- command: I'll connect as ramon still - command: I'll connect as ramon still
remote_user: lola remote_user: lola
will have the value of ``remote_user`` overwritten by ``ansible_ssh_user`` in the inventory. will have the value of ``remote_user`` overwritten by ``ansible_user`` in the inventory.
This is done so host-specific settings can override the general settings. These variables are normally defined per host or group in inventory, This is done so host-specific settings can override the general settings. These variables are normally defined per host or group in inventory,
but they behave like other variables. but they behave like other variables.
@ -1069,7 +1069,11 @@ If you want to override the remote user globally (even over inventory) you can u
ansible... -e "ansible_user=maria" -u lola ansible... -e "ansible_user=maria" -u lola
the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``ansible_ssh_user``, or ``remote_user``) might be set. the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``remote_user``) might be set.
A connection-specific version of a variable takes precedence over more generic
versions. For example, ``ansible_ssh_user`` specified as a group_var would have
a higher precedence than ``ansible_user`` specified as a host_var.
You can also override as a normal variable in a play:: You can also override as a normal variable in a play::

View file

@ -184,13 +184,13 @@ class ConnectionBase(AnsiblePlugin):
processed on the remote machine, not on the local machine so no processed on the remote machine, not on the local machine so no
shell is needed on the local machine. (Example, ``/bin/sh``) shell is needed on the local machine. (Example, ``/bin/sh``)
:ConnectionCommand: This is the command that connects us to the remote :ConnectionCommand: This is the command that connects us to the remote
machine to run the rest of the command. ``ansible_ssh_user``, machine to run the rest of the command. ``ansible_user``,
``ansible_ssh_host`` and so forth are fed to this piece of the ``ansible_ssh_host`` and so forth are fed to this piece of the
command to connect to the correct host (Examples ``ssh``, command to connect to the correct host (Examples ``ssh``,
``chroot``) ``chroot``)
:UsersLoginShell: This shell may or may not be created depending on :UsersLoginShell: This shell may or may not be created depending on
the ConnectionCommand used by the connection plugin. This is the the ConnectionCommand used by the connection plugin. This is the
shell that the ``ansible_ssh_user`` has configured as their login shell that the ``ansible_user`` has configured as their login
shell. In traditional UNIX parlance, this is the last field of shell. In traditional UNIX parlance, this is the last field of
a user's ``/etc/passwd`` entry We do not specifically try to run a user's ``/etc/passwd`` entry We do not specifically try to run
the ``UsersLoginShell`` when we connect. Instead it is implicit the ``UsersLoginShell`` when we connect. Instead it is implicit

View file

@ -61,6 +61,7 @@ options:
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_httpapi_pass - name: ansible_httpapi_pass
- name: ansible_httpapi_password
use_ssl: use_ssl:
type: boolean type: boolean
description: description:

View file

@ -103,6 +103,7 @@ DOCUMENTATION = """
default: '' default: ''
vars: vars:
- name: ansible_kubectl_username - name: ansible_kubectl_username
- name: ansible_kubectl_user
env: env:
- name: K8S_AUTH_USERNAME - name: K8S_AUTH_USERNAME
kubectl_password: kubectl_password:

View file

@ -66,6 +66,7 @@ options:
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_ssh_pass - name: ansible_ssh_pass
- name: ansible_ssh_password
private_key_file: private_key_file:
description: description:
- The private SSH key or certificate file used to authenticate to the - The private SSH key or certificate file used to authenticate to the

View file

@ -67,6 +67,8 @@ options:
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_ssh_pass - name: ansible_ssh_pass
- name: ansible_ssh_password
- name: ansible_netconf_password
private_key_file: private_key_file:
description: description:
- The private SSH key or certificate file used to authenticate to the - The private SSH key or certificate file used to authenticate to the

View file

@ -63,6 +63,7 @@ options:
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_ssh_pass - name: ansible_ssh_pass
- name: ansible_ssh_password
private_key_file: private_key_file:
description: description:
- The private SSH key or certificate file used to authenticate to the - The private SSH key or certificate file used to authenticate to the

View file

@ -51,7 +51,9 @@ DOCUMENTATION = """
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_ssh_pass - name: ansible_ssh_pass
- name: ansible_ssh_password
- name: ansible_paramiko_pass - name: ansible_paramiko_pass
- name: ansible_paramiko_password
version_added: '2.5' version_added: '2.5'
host_key_auto_add: host_key_auto_add:
description: 'TODO: write it' description: 'TODO: write it'

View file

@ -47,6 +47,7 @@ DOCUMENTATION = '''
vars: vars:
- name: ansible_password - name: ansible_password
- name: ansible_ssh_pass - name: ansible_ssh_pass
- name: ansible_ssh_password
ssh_args: ssh_args:
description: Arguments to pass to all ssh cli tools description: Arguments to pass to all ssh cli tools
default: '-C -o ControlMaster=auto -o ControlPersist=60s' default: '-C -o ControlMaster=auto -o ControlPersist=60s'
@ -605,7 +606,7 @@ class Connection(ConnectionBase):
b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
b"-o", b"PasswordAuthentication=no" b"-o", b"PasswordAuthentication=no"
), ),
u"ansible_password/ansible_ssh_pass not set" u"ansible_password/ansible_ssh_password not set"
) )
user = self._play_context.remote_user user = self._play_context.remote_user
@ -924,7 +925,7 @@ class Connection(ConnectionBase):
if states[state] == 'awaiting_prompt': if states[state] == 'awaiting_prompt':
if self._flags['become_prompt']: if self._flags['become_prompt']:
display.debug('Sending become_pass in response to prompt') display.debug('Sending become_password in response to prompt')
stdin.write(to_bytes(self._play_context.become_pass) + b'\n') stdin.write(to_bytes(self._play_context.become_pass) + b'\n')
# On python3 stdin is a BufferedWriter, and we don't have a guarantee # On python3 stdin is a BufferedWriter, and we don't have a guarantee
# that the write will happen without a flush # that the write will happen without a flush