We're not going to be adding anything called "sensitive_keys", especially as filtering is not just about sensitivity.
Tasks take a "no_log: True" attribute to prevent their output from hitting syslog; easiest is to also make this automatically dock the verbosity in the callback.

On Wed, Jun 11, 2014 at 5:04 AM, 'Petros Moisiadis' via Ansible Project <[email protected]> wrote:

> On 06/10/2014 08:28 PM, Scott Sturdivant wrote:
>
> This is something I'd be quite interested in as well. All of our private data is stored via ansible-vault, but then it winds up being displayed in plain text as the playbook executes. In a slightly contrived example, I've got an encrypted users.yml file that has user passwords. In my playbook, I pass the variable to the users module as "with_items: users", and wind up seeing all of the passwords, exactly like Thom pasted above.
>
> Certainly the argument can be made that since I knew the vault password, I could go look up that information anyway, but I'm more concerned with someone looking over my shoulder, or the output being somewhere I don't control (Jenkins, for instance).
>
> So nothing valuable to add to this discussion, only hoping to see what others have done to work around this!
>
> On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret <[email protected]> wrote:
>
>> I was facing some similar problem.
>> Mine is just that the dictionary being included in the output has too many values that it makes output messy and I would prefer just to include dict.key at the item=() output.
>>
>> It would be really nice to be able to decide if all the item or just a part of it is printed to the output.
>>
>> On Thursday, June 5, 2014 20:15:48 UTC+2, Thom Seddon wrote:
>>
>>> When you use a loop in an ansible task, e.g. with_items or with_dict, a dump of the item is included in the output. Sometimes these items contain secure information which it is undesirable to have output on screen, for example:
>>>
>>>     ---
>>>     - name: Test
>>>       hosts: 127.0.0.1
>>>       vars:
>>>         dbs:
>>>           prod:
>>>             port: 3306
>>>             password: secret
>>>           dev:
>>>             port: 3307
>>>             password: notsosecret
>>>       tasks:
>>>         - command: echo {{ item.value.port }}
>>>           with_dict: dbs
>>>
>>> outputs:
>>>
>>>     [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>>>
>>>     PLAY [Test] *******************************************************************
>>>
>>>     GATHERING FACTS ***************************************************************
>>>     ok: [127.0.0.1]
>>>
>>>     TASK: [command echo {{item.value.port}}] **************************************
>>>     changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
>>>     changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})
>>>
>>>     PLAY RECAP ********************************************************************
>>>     127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0
>>>
>>> At best, I think there should be a way to choose what is output (in this case I would choose the dict.key), at least I think there should be a way to suppress this output.
>>>
>>> Opinions/ideas?
>>>
>>> Thanks
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> This is indeed a security weakness (unnecessary exposure of sensitive data).
> So, I propose the introduction of a new playbook directive called 'sensitive_keys' with a list of keys that are considered to hold sensitive data. Then, at output (logs / console output), all variables would be recursively checked if they contain a key that is included in the 'sensitive_keys' list. If a key is matched, its value would be replaced with a 'hidden' version. For example:
>
>     sensitive_keys:
>       - password
>       - key
>
> So, the following var:
>
>     users:
>       - name: Alice
>         password: somesecret
>       - name: Bob
>         password: anothersecret
>     api:
>       url: http://example.org/api/
>       key: someapikey
>
> would have this 'hidden' version at logs / console output:
>
>     users:
>       - name: Alice
>         password: xxxxxxx
>       - name: Bob
>         password: xxxxxxx
>     api:
>       url: http://example.org/api/
>       key: xxxxxxx
>
> As a proactive measure, if 'sensitive_keys' is not explicitly set, it could include 'password' by default. Also, for debugging purposes or to speed up things if users are not interested in that measure, a configuration option that disables all this could be introduced.
>
> What do you think?
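The recursive key-based masking that Petros proposes above, written out as an added example (not Ansible's own code; Ansible's shipped answer is the `no_log` attribute mentioned in the reply). It runs the filter over the `users`/`api` structure from the proposal and over one `with_dict` item from Thom's output, and shows the caveat that listing `key` as sensitive also hides `with_dict`'s own `key` field, the one part of the item Thom wanted to keep.

```python
import json

# Default mirrors the proposal: 'password' is always treated as sensitive;
# callers may extend the list (e.g. add 'key').
DEFAULT_SENSITIVE_KEYS = ("password",)
MASK = "xxxxxxx"


def redact(value, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Return a copy of `value` with every dict entry whose key name is in
    `sensitive_keys` replaced by MASK, recursing into nested dicts and lists.
    The input is never modified, so the playbook still sees the real values."""
    keys = {str(k).lower() for k in sensitive_keys}
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in keys else redact(v, keys))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v, keys) for v in value]
    return value


def format_item(item, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Render a loop item the way the callback's `=> (item=...)` suffix does,
    but with sensitive values masked before anything reaches the console."""
    return "(item=%s)" % json.dumps(redact(item, sensitive_keys), sort_keys=True)


# Constructed sample: the 'users' / 'api' variables from the proposal.
SAMPLE_VARS = {
    "users": [{"name": "Alice", "password": "somesecret"},
              {"name": "Bob", "password": "anothersecret"}],
    "api": {"url": "http://example.org/api/", "key": "someapikey"},
}

# Constructed sample: one with_dict item as printed in Thom's playbook run.
WITH_DICT_ITEM = {"value": {"password": "secret", "port": 3306}, "key": "prod"}

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE_VARS, ("password", "key")), indent=2))
    # Caveat: with 'key' in the list, with_dict's own 'key' field ('prod')
    # is masked too, so the dict key is no longer visible in the output.
    print(format_item(WITH_DICT_ITEM, ("password", "key")))
    print(format_item(WITH_DICT_ITEM))  # default list: only 'password' masked
```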
