when setting st2.conf variables, double quotes are converted to single quotes

[johnarnold]

Example in ansible:

- name: auth | Configure ldap backend
  become: yes
  ini_file:
    dest: /etc/st2/st2.conf
    section: auth
    option: backend_kwargs
    value: '{ "ldap_uri": "ldaps://ad.domain.com:3269", "use_tls": false, "bind_dn": "user@domain.com", "bind_pw": "{{ _user_pass }}", "user": {"base_dn": "CN=Users,DC=domain,DC=com", "search_filter": "(&(objectClass=user)(sAMAccountName={username})(|(memberOf=CN=group1,OU=SecurityGroups,DC=domain,DC=com)(memberOf=CN=group2,OU=SecurityGroups,DC=domain,DC=com)))", "scope": "subtree"}}'
    backup: yes

Results in:

backend_kwargs = {'use_tls': false, 'bind_pw': 'a_string', 'ldap_uri': 'ldaps://ad.domain.com:3269', 
...

I believe ansible is interpretting everything in the value: as json, and converting it into ?yaml? internally. Possibly related: https://www.reddit.com/r/ansible/comments/4m1njk/whats_the_proper_way_to_escape_double_quotes_in/

I'm not sure what the best "fix" is, but a workaround is to just put a space at the beginning of your value, like:

value: ' { ...

[arm4b]

We have related logic in bwc role where we set the backend_kwargs

ansible-st2/roles/bwc/tasks/ldap.yml

Line 27 in d7ca9a9

value: "{{ bwc_ldap.backend_kwargs | to_json | string }}"

It works as expected, see the configuration example with bwc_ldap: https://docs.stackstorm.com/install/ansible.html#bwc-st2-enterprise

Maybe var | string is the magic that did the trick for us.

[arm4b]

Closing, since it's not a problem of ansible-st2 codebase.

[lingfish]

I know this is closed, but was an answer really provided? @armab are you suggesting we have to hack this in ourselves, in order to configure "auth other than BWC's one"?

[arm4b]

#234 should help to manage it in the following way from st2 role, st2_config var:

---
- name: Install st2
  hosts: all
  roles:
    - role: StackStorm.st2
      vars:
        st2_config:
          auth:
            backend_kwargs: |
              {"group_dns": ["CN=stormers,OU=groups,DC=stackstorm,DC=net"], "bind_dn": "cn=Administrator,cn=users,dc=stackstorm,dc=net", "id_attr": "samAccountName", "base_ou": "dc=stackstorm,dc=net", "host": "1.2.3.4", "bind_password": "...", "port": 389}

outside of the enterprise ewc role which handles it already well.

@johnarnold @lingfish Given the pointers above, I guess it wouldn't be too hard to contribute something like that back as a PR for those using free/community version of ldap backend :)

[lingfish]

Interesting. I've actually started a slightly different way to tackle it with the view to a PR.

[arm4b]

@lingfish Cool! Can you please help checking if #234 really fixes it for your specific case?