Solution:
pip3 install bcrypt
And in my task:
user_combinehash: "{{ username_auth }}:{{ user_password |
password_hash('blowfish','1234567890123456789012') | regex_replace('\\$',
'$$') }}"
Thanks again Dick!
Le dimanche 13 septembre 2020 à 17:30:48 UTC+2, dick....@geant.org a écrit :
> Looking at this:
> https://github.com/ansible/ansible/issues/26322
>
> Are you sure your config needs a simple string of a single user? It looks
> like it should be a list.
>
> There are tips there on how to use bcrypt, I would try to get that to work
> as it's more secure.
>
>
> On Sun, 13 Sep 2020 at 14:51, Fred <frederic.gau...@quanticware.com>
> wrote:
>
>> Thanks for your answer.
>>
>> Your advice ldap_sha1 not working.
>>
>> Traefik is a reverseproxy and that's in their documentation that
>> mentionned need SHA1 or MD5 hash.
>>
>> I tried to hash password in md5 or sha in username_password variable but
>> no more working.
>>
>>
>>
>> Le dimanche 13 septembre 2020 à 14:10:43 UTC+2, dick....@geant.org a
>> écrit :
>>
>>> Hi
>>>
>>>
>>>
>>>
>>>
>>> It looks like someone told you "it needs to be hashed" and then you
>>>
>>>
>>> applied the 'hash' filter with ansible.
>>>
>>>
>>> But there are many subtleties when it comes to hashing, even more so
>>>
>>>
>>> with password hashing, and yet more because applications may expect
>>>
>>>
>>> something specific/dialect.
>>>
>>>
>>> I have no idea what "Traefik" is - you should look at their docs,
>>>
>>>
>>> those should tell you exactly what its expects.
>>>
>>>
>>> However, given that you mentioned that the {SHA} style password works,
>>>
>>>
>>> and you also mentioned "basicauth", it might be the "standard" LDAP
>>>
>>>
>>> SHA1, so try that:
>>>
>>>
>>>
>>>
>>>
>>> user_combinehash: "{{ username_auth }}:{{ user_password |
>>> hash('ldap_sha1') }}"
>>>
>>>
>>>
>>>
>>>
>>> This is all part of the docs BTW
>>>
>>>
>>> (
>>> https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hashing-filters
>>> ).
>>>
>>>
>>> Definitely read this:
>>>
>>>
>>>
>>>
>>>
>>> "Hash types available depend on the master system running ansible,
>>>
>>>
>>> ‘hash’ depends on hashlib password_hash depends on passlib
>>>
>>>
>>> (https://passlib.readthedocs.io/en/stable/lib/passlib.hash.html)."
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sun, 13 Sep 2020 at 13:40, Fred
>>>
>>>
>>> <frederic.gau...@quanticware.com> wrote:
>>>
>>>
>>> >
>>>
>>>
>>> >
>>>
>>>
>>> > Hello,
>>>
>>>
>>> >
>>>
>>>
>>> > ##### SUMMARY
>>>
>>>
>>> > When I tried to apply filter on variable password, Traefik BasicAuth
>>> rejected password.
>>>
>>>
>>> >
>>>
>>>
>>> > ##### ISSUE TYPE
>>>
>>>
>>> > - Bug Report
>>>
>>>
>>> >
>>>
>>>
>>> > ##### COMPONENT NAME
>>>
>>>
>>> >
>>>
>>>
>>> > ##### ANSIBLE VERSION
>>>
>>>
>>> > ```
>>>
>>>
>>> > ansible 2.9.12
>>>
>>>
>>> > config file = /etc/ansible/ansible.cfg
>>>
>>>
>>> > configured module search path =
>>> ['/home/fred/.ansible/plugins/modules',
>>> '/usr/share/ansible/plugins/modules']
>>>
>>>
>>> > ansible python module location =
>>> /home/fred/devops/lib/python3.6/site-packages/ansible
>>>
>>>
>>> > executable location = /home/fred/devops/bin/ansible
>>>
>>>
>>> > python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
>>>
>>>
>>> >
>>>
>>>
>>> > ```
>>>
>>>
>>> >
>>>
>>>
>>> > ##### CONFIGURATION
>>>
>>>
>>> > <!--- Paste verbatim output from "ansible-config dump --only-changed"
>>> between quotes -->
>>>
>>>
>>> > ```
>>>
>>>
>>> > Empty
>>>
>>>
>>> > ```
>>>
>>>
>>> >
>>>
>>>
>>> > ##### OS / ENVIRONMENT
>>>
>>>
>>> > Ubuntu 18.04
>>>
>>>
>>> > venv python3.8
>>>
>>>
>>> >
>>>
>>>
>>> >
>>>
>>>
>>> > ##### STEPS TO REPRODUCE
>>>
>>>
>>> >
>>>
>>>
>>> > A part of my playbook:
>>>
>>>
>>> > ```
>>>
>>>
>>> > username_auth: admin
>>>
>>>
>>> > user_password: hello
>>>
>>>
>>> > #user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="
>>>
>>>
>>> > #user_combinehash: "admin:$$apr1$$2mYRX92I$$udcUHex5PBj4vMOVHRWiD."
>>>
>>>
>>> > user_combinehash: "{{ username_auth }}:{{ user_password | hash('md5')
>>> }}"
>>>
>>>
>>> >
>>>
>>>
>>> > ```
>>>
>>>
>>> >
>>>
>>>
>>> > A part of my role task:
>>>
>>>
>>> > ```
>>>
>>>
>>> > labels:
>>>
>>>
>>> > - "traefik.http.routers.dashboard.rule=(PathPrefix(`/api`) ||
>>> PathPrefix(`/dashboard`))"
>>>
>>>
>>> > - "traefik.http.routers.dashboard.service=api@internal"
>>>
>>>
>>> > - "traefik.http.routers.dashboard.middlewares=auth"
>>>
>>>
>>> > - "traefik.http.middlewares.auth.basicauth.users={{ user_combinehash
>>> }}"
>>>
>>>
>>> > ```
>>>
>>>
>>> >
>>>
>>>
>>> > ##### EXPECTED RESULTS
>>>
>>>
>>> > BasicAuth module of Traefik accept my hash password
>>>
>>>
>>> >
>>>
>>>
>>> >
>>>
>>>
>>> > ##### ACTUAL RESULTS
>>>
>>>
>>> > Playbook works, but When I tried to access to traefik Dashboard,
>>> access denied, password unrecongnized.
>>>
>>>
>>> >
>>>
>>>
>>> > When I use variable:
>>>
>>>
>>> > `user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="`
>>>
>>>
>>> > It's works
>>>
>>>
>>> >
>>>
>>>
>>> > all others did not work. But I need to have hash filter instead.
>>>
>>>
>>> >
>>>
>>>
>>> > I tried with filter SHA1 and MD5
>>>
>>>
>>> >
>>>
>>>
>>> > I already install python3-passlib
>>>
>>>
>>> >
>>>
>>>
>>> > I'm sorry to don't understand where is the problem,
>>>
>>>
>>> > Thanks
>>>
>>>
>>> >
>>>
>>>
>>> > --
>>>
>>>
>>> > You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>>
>>>
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-proje...@googlegroups.com.
>>>
>>>
>>> > To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/8aa5c24d-6dad-4222-8506-c8fa829b4a70n%40googlegroups.com
>>> .
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> Dick Visser
>>>
>>>
>>> Trust & Identity Service Operations Manager
>>>
>>>
>>> GÉANT
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>>
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>>
>>
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-proje...@googlegroups.com.
>>
>>
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/b1bdfe25-51ce-47e0-bfea-417ce5816826n%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/ansible-project/b1bdfe25-51ce-47e0-bfea-417ce5816826n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>>
>> --
> Sent from a mobile device - please excuse the brevity, spelling and
> punctuation.
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/52870b88-454a-4fb7-b704-43efcaaa4a7dn%40googlegroups.com.
