On 06/10/2014 08:28 PM, Scott Sturdivant wrote:
> This is something I'd be quite interested in as well. All of our
> private data is stored via ansible-vault, but then it winds up being
> displayed in plain text as the playbook executes. In a slightly
> contrived example, I've got an encrypted users.yml file that has user
> passwords. In my playbook, I pass the variable to the users module as
> "with_items: users", and wind up seeing all of the passwords, exactly
> like Thom pasted above.
>
> Certainly the argument can be made that since I knew the vault
> password, I could go look up that information anyway, but I'm more
> concerned with someone looking over my shoulder, or the output being
> some where I don't control (Jenkins, for instance).
>
> So nothing valuable to add to this discussion, only hoping to see what
> others have done to work around this!
>
>
> On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret <[email protected]
> <mailto:[email protected]>> wrote:
>
> I was facing some similar problem.
> Mine is just that the dictionary being included in the output has
> too many values that it makes output messy and I would prefer just
> to include dict.key at the item=() output.
>
> It would be really nice to be able to decide if all the item or
> just a part of it is printed to the output.
>
> On Thursday, June 5, 2014 at 20:15:48 UTC+2, Thom Seddon wrote:
>
>
> When you use a loop in an ansible task, e.g. with_items or
> with_dict, a dump of the item is included in the output.
> Sometimes these items contain secure information which it is
> undesirable to have output on screen, for example:
>
> ---
> - name: Test
>   hosts: 127.0.0.1
>   vars:
>     dbs:
>       prod:
>         port: 3306
>         password: secret
>       dev:
>         port: 3307
>         password: notsosecret
>   tasks:
>     - command: echo {{ item.value.port }}
>       with_dict: dbs
>
>
> outputs:
>
> [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>
> PLAY [Test] *******************************************************************
>
> GATHERING FACTS ***************************************************************
> ok: [127.0.0.1]
>
> TASK: [command echo {{item.value.port}}] **************************************
> changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
> changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})
>
> PLAY RECAP ********************************************************************
> 127.0.0.1                  : ok=2    changed=1    unreachable=0    failed=0
>
>
> At best, I think there should be a way to choose what is
> output (in this case I would choose the dict.key), at least I
> think there should be a way to suppress this output.
>
> Opinions/ideas?
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google
> Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected]
> <mailto:[email protected]>.
> To post to this group, send email to
> [email protected]
> <mailto:[email protected]>.
> To view this discussion on the web visit
>
> https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com
>
> <https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com?utm_medium=email&utm_source=footer>.
>
>
> For more options, visit https://groups.google.com/d/optout.
>
>
This is indeed a security weakness (unnecessary exposure of sensitive data).
So, I propose the introduction of a new playbook directive called
'sensitive_keys' with a list of keys that are considered to hold
sensitive data. Then, at output (logs / console output), all variables
would be recursively checked if they contain a key that is included in
the 'sensitive_keys' list. If a key is matched, its value would be
replaced with a 'hidden' version. For example:
sensitive_keys:
  - password
  - key
So, the following var:
users:
  - name: Alice
    password: somesecret
  - name: Bob
    password: anothersecret
api:
  url: http://example.org/api/
  key: someapikey
would have this 'hidden' version at logs / console output:
users:
  - name: Alice
    password: xxxxxxx
  - name: Bob
    password: xxxxxxx
api:
  url: http://example.org/api/
  key: xxxxxxx
As a proactive measure, if 'sensitive_keys' is not explicitly set, it
could include 'password' by default. Also, for debugging purposes or to
speed up things if users are not interested in that measure, a
configuration option that disables all this could be introduced.
What do you think?
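An added example, not code from this thread or from Ansible itself, of the recursive masking the 'sensitive_keys' proposal describes, applied both to the proposal's users/api vars and to Thom's with_dict item from earlier in the thread; mask_sensitive, render_item and their defaults are names assumed here for illustration.

```python
# Added example of the 'sensitive_keys' idea proposed above. Not Ansible
# code; the function names and defaults are assumptions for illustration.
import copy

DEFAULT_SENSITIVE_KEYS = ("password",)   # proposal: 'password' masked by default
MASK = "xxxxxxx"                          # the 'hidden' version shown in the proposal


def mask_sensitive(data, sensitive_keys=DEFAULT_SENSITIVE_KEYS, mask=MASK):
    """Return a deep copy of data in which every value stored under a key
    listed in sensitive_keys is replaced by mask. Dicts, lists and tuples
    are walked recursively, so a list of user dicts or a with_dict loop
    item is handled; the caller's object is left untouched."""
    keys = set(sensitive_keys)

    def walk(node):
        if isinstance(node, dict):
            return {k: (mask if k in keys else walk(v)) for k, v in node.items()}
        if isinstance(node, (list, tuple)):
            return type(node)(walk(v) for v in node)
        return node

    return walk(copy.deepcopy(data))


# Constructed sample input: the vars from the proposal and Thom's with_dict item.
PROPOSAL_VARS = {
    "users": [{"name": "Alice", "password": "somesecret"},
              {"name": "Bob", "password": "anothersecret"}],
    "api": {"url": "http://example.org/api/", "key": "someapikey"},
}
WITH_DICT_ITEM = {"value": {"password": "secret", "port": 3306}, "key": "prod"}


def render_item(item, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """What the '=> (item=...)' part of a loop's output line would show
    once the item has been masked."""
    return "(item=%r)" % (mask_sensitive(item, sensitive_keys),)


if __name__ == "__main__":
    print(mask_sensitive(PROPOSAL_VARS, ("password", "key")))
    print(render_item(WITH_DICT_ITEM))
    # With 'key' in the list, with_dict's own 'key' field (the dict key name,
    # 'prod') is masked too: matching on key names alone cannot tell an API
    # key from a loop key, so the list should be chosen per playbook.
    print(render_item(WITH_DICT_ITEM, ("password", "key")))
```

The last call shows the cost of a broad default list: masking 'key' also hides the with_dict key name that the earlier posters wanted to keep in the output.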