On 06/12/14 01:38, Michael DeHaan wrote:
> Tasks take a "no_log: True" attribute to prevent their output from
> hitting syslog, easiest is to also make this automatically dock the
> verbosity in the callback.

Ok, this would surely be a fine solution to the problem of being able to protect from over-the-shoulder watchers. I was about to open a new GitHub issue, but it seems there are at least 3 open issues for this. :)

> On Wed, Jun 11, 2014 at 5:04 AM, 'Petros Moisiadis' via Ansible Project <[email protected] <mailto:[email protected]>> wrote:
>
> On 06/10/2014 08:28 PM, Scott Sturdivant wrote:
>> This is something I'd be quite interested in as well. All of our
>> private data is stored via ansible-vault, but then it winds up
>> being displayed in plain text as the playbook executes. In a
>> slightly contrived example, I've got an encrypted users.yml file
>> that has user passwords. In my playbook, I pass the variable to
>> the users module as "with_items: users", and wind up seeing all
>> of the passwords, exactly like Thom pasted above.
>>
>> Certainly the argument can be made that since I knew the vault
>> password, I could go look up that information anyway, but I'm
>> more concerned with someone looking over my shoulder, or the
>> output being somewhere I don't control (Jenkins, for instance).
>>
>> So nothing valuable to add to this discussion, only hoping to see
>> what others have done to work around this!
>>
>>
>> On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret <[email protected] <mailto:[email protected]>> wrote:
>>
>> I was facing some similar problem.
>> Mine is just that the dictionary being included in the output
>> has so many values that it makes the output messy, and I would
>> prefer just to include dict.key in the item=() output.
>>
>> It would be really nice to be able to decide if all the item
>> or just a part of it is printed to the output.
>>
>> On Thursday, 5 June 2014 20:15:48 UTC+2, Thom Seddon wrote:
>>
>> When you use a loop in an ansible task, e.g. with_items
>> or with_dict, a dump of the item is included in the
>> output. Sometimes these items contain secure information
>> which it is undesirable to have output on screen, for
>> example:
>>
>>     ---
>>     - name: Test
>>       hosts: 127.0.0.1
>>       vars:
>>         dbs:
>>           prod:
>>             port: 3306
>>             password: secret
>>           dev:
>>             port: 3307
>>             password: notsosecret
>>       tasks:
>>         - command: echo {{ item.value.port }}
>>           with_dict: dbs
>>
>> outputs:
>>
>>     [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>>
>>     PLAY [Test] *******************************************************************
>>
>>     GATHERING FACTS ***************************************************************
>>     ok: [127.0.0.1]
>>
>>     TASK: [command echo {{item.value.port}}] **************************************
>>     changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
>>     changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})
>>
>>     PLAY RECAP ********************************************************************
>>     127.0.0.1                  : ok=2    changed=1    unreachable=0    failed=0
>>
>> At best, I think there should be a way to choose what is
>> output (in this case I would choose the dict.key); at
>> least I think there should be a way to suppress this output.
>>
>> Opinions/ideas?
>>
>> Thanks
>>
>> --
>> You received this message because you are subscribed to the
>> Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from
>> it, send an email to [email protected] <mailto:[email protected]>.
>> To post to this group, send email to [email protected] <mailto:[email protected]>.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com
>> <https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com?utm_medium=email&utm_source=footer>.
>> For more options, visit https://groups.google.com/d/optout.
>
> This is indeed a security weakness (unnecessary exposure of
> sensitive data).
> So, I propose the introduction of a new playbook directive called
> 'sensitive_keys' with a list of keys that are considered to hold
> sensitive data. Then, at output (logs / console output), all
> variables would be recursively checked if they contain a key that
> is included in the 'sensitive_keys' list. If a key is matched, its
> value would be replaced with a 'hidden' version. For example:
>
>     sensitive_keys:
>       - password
>       - key
>
> So, the following var:
>
>     users:
>       - name: Alice
>         password: somesecret
>       - name: Bob
>         password: anothersecret
>     api:
>       url: http://example.org/api/
>       key: someapikey
>
> would have this 'hidden' version at logs / console output:
>
>     users:
>       - name: Alice
>         password: xxxxxxx
>       - name: Bob
>         password: xxxxxxx
>     api:
>       url: http://example.org/api/
>       key: xxxxxxx
>
> As a proactive measure, if 'sensitive_keys' is not explicitly set,
> it could include 'password' by default. Also, for debugging
> purposes or to speed up things if users are not interested in that
> measure, a configuration option that disables all this could be
> introduced.
>
> What do you think?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/539981C1.3050600%40yahoo.gr.
For more options, visit https://groups.google.com/d/optout.
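As an added illustration of the 'sensitive_keys' proposal quoted above (my own code, not part of the thread and not Ansible's callback code), the following pass recursively masks every value stored under a listed key before a loop item is printed. The sample data is constructed from the two examples in the thread; note the caveat it surfaces: a with_dict loop item carries the dictionary key under the name 'key', so listing 'key' also hides 'prod'.

```python
# Added example (mine, not code from the thread or from Ansible): a recursive
# redaction pass implementing the 'sensitive_keys' proposal quoted above. A
# console/log callback would run each loop item through redact() first.
DEFAULT_SENSITIVE_KEYS = frozenset({"password"})  # proposed default when unset
MASK = "xxxxxxx"                                  # the 'hidden' version shown above


def redact(value, sensitive_keys=DEFAULT_SENSITIVE_KEYS, mask=MASK):
    """Return a copy of `value` with every value stored under a key listed in
    `sensitive_keys` replaced by `mask`, at any nesting depth.

    The input is left untouched, so the task still receives the real data;
    only the copy handed to the output callback is masked."""
    if isinstance(value, dict):
        return {
            k: mask if k in sensitive_keys else redact(v, sensitive_keys, mask)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v, sensitive_keys, mask) for v in value)
    return value


# Constructed sample data, taken from the two messages quoted above.
USERS_AND_API = {
    "users": [
        {"name": "Alice", "password": "somesecret"},
        {"name": "Bob", "password": "anothersecret"},
    ],
    "api": {"url": "http://example.org/api/", "key": "someapikey"},
}

# One `with_dict: dbs` loop item as printed in the 'changed:' line above.
# with_dict items carry the dictionary key under the name 'key', so listing
# 'key' in sensitive_keys hides 'prod' here as well as the API key.
DBS_ITEM = {"value": {"password": "secret", "port": 3306}, "key": "prod"}


def hidden_for_log(item, sensitive_keys=("password", "key")):
    """What the callback would print as item=(...) for one loop item."""
    return "item=(%r)" % (redact(item, frozenset(sensitive_keys)),)


if __name__ == "__main__":
    print(redact(USERS_AND_API, frozenset({"password", "key"})))
    print(hidden_for_log(DBS_ITEM))
```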
