Re: Ansible question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I just took a look at the keystone code.  Unfortunately, I don't think
this is coming from the module.  It's being logged because they're in
with_items  here's a simpler playbook that shows that happening:

$ cat test.yml                     *[devel]  (08:12:25)
---
- hosts: localhost
  gather_facts: False
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }

$ ansible-playbook test.yml        *[devel]  (08:14:30)

PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0


There is a way to fix this though: no_log
http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

no_log gives you the ability to make sure that tasks with passwords
aren't logging their output rather than relying on the module to do
the right thing.  You are also able to turn no_log on and off -- for
instance if you need to debug why a task isn't working and actually
need to see what password is being substituted in for that.  I would
use no_log for any task that contains a secret value.


Here's what the task looks like with no_log:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      no_log: True
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }


And here's the task output with no_log:

$ ansible-playbook test.yml        *[devel]  (08:17:01)

PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost]
ok: [localhost]

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0


-Toshio

On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham <notting@xxxxxxxx> wrote:
> Kevin Fenzi (kevin@xxxxxxxxx) said:
>> On Wed, 28 Jan 2015 16:57:56 +0100
>> Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
>>
>> ...snip...
>>
>> > Is there way to mask the output (using -name or something) so the
>> > password is not print to console?
>>
>>
>> Sadly, I don't know of any way to do that. ;(
>>
>> It does sound like something that would be a nice feature...
>> Perhaps it could be done in a handler?
>
> It's generally up to the modules to mask sensitive output (the user module
> does this, as an example). File an issue in github against ansible-modules-core?
>
> Bill
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure





[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux