On 06/10/2014 08:28 PM, Scott Sturdivant wrote:
> This is something I'd be quite interested in as well.  All of our
> private data is stored via ansible-vault, but then it winds up being
> displayed in plain text as the playbook executes.  In a slightly
> contrived example, I've got an encrypted users.yml file that has user
> passwords.  In my playbook, I pass the variable to the users module as
> "with_items: users", and wind up seeing all of the passwords, exactly
> like Thom pasted above.
>
> Certainly the argument can be made that since I knew the vault
> password, I could go look up that information anyway, but I'm more
> concerned with someone looking over my shoulder, or the output being
> some where I don't control (Jenkins, for instance).
>
> So nothing valuable to add to this discussion, only hoping to see what
> others have done to work around this!
>
>
> On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret <nadir.llo...@gmail.com
> <mailto:nadir.llo...@gmail.com>> wrote:
>
>     I was facing some similar problem.
>     Mine is just that the dictionary being included in the output has
>     too many values that it makes output messy and I would prefer just
>     to include dict.key at the item=() output.
>
>     It would be really nice to be able to decide if all the item or
>     just a part of it is printed to the output.
>
>     On Thursday, 5 June 2014 20:15:48 UTC+2, Thom Seddon wrote:
>
>
>         When you use a loop in an ansible task, e.g. with_items or
>         with_dict, a dump of the item is included in the output.
>         Sometimes these items contain secure information which it is
>         undesirable to have output on screen, for example:
>
>         |
>         ---
>         - name: Test
>           hosts: 127.0.0.1
>           vars:
>             dbs:
>               prod:
>                 port: 3306
>                 password: secret
>               dev:
>                 port: 3307
>                 password: notsosecret
>           tasks:
>             - command: echo {{ item.value.port }}
>               with_dict: dbs
>         |
>
>         outputs:
>
>         |
>         [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>
>         PLAY [Test] *******************************************************************
>
>         GATHERING FACTS ***************************************************************
>         ok: [127.0.0.1]
>
>         TASK: [command echo {{ item.value.port }}] **************************************
>         changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
>         changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})
>
>         PLAY RECAP ********************************************************************
>         127.0.0.1                  : ok=2    changed=1    unreachable=0    failed=0
>         |
>
>         At best, I think there should be a way to choose what is
>         output (in this case I would choose the dict.key), at least I
>         think there should be a way to suppress this output.
>
>         Opinions/ideas?
>
>         Thanks
>
>     -- 
>     You received this message because you are subscribed to the Google
>     Groups "Ansible Project" group.
>     To unsubscribe from this group and stop receiving emails from it,
>     send an email to ansible-project+unsubscr...@googlegroups.com
>     <mailto:ansible-project+unsubscr...@googlegroups.com>.
>     To post to this group, send email to
>     ansible-project@googlegroups.com
>     <mailto:ansible-project@googlegroups.com>.
>     To view this discussion on the web visit
>     
> https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com
>     
> <https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com?utm_medium=email&utm_source=footer>.
>
>
>     For more options, visit https://groups.google.com/d/optout.
>
>

This is indeed a security weakness (unnecessary exposure of sensitive data).
So, I propose the introduction of a new playbook directive called
'sensitive_keys' with a list of keys that are considered to hold
sensitive data. Then, at output time (logs / console output), all variables
would be recursively checked for keys that are included in the
'sensitive_keys' list. If a key is matched, its value would be
replaced with a 'hidden' version. For example:

sensitive_keys:
  - password
  - key

So, the following var:

users:
  - name: Alice
    password: somesecret
  - name: Bob
    password: anothersecret
    api:
      url: http://example.org/api/
      key: someapikey

would have this 'hidden' version at logs / console output:

users:
  - name: Alice
    password: xxxxxxx
  - name: Bob
    password: xxxxxxx
    api:
      url: http://example.org/api/
      key: xxxxxxx

As a proactive measure, if 'sensitive_keys' is not explicitly set, it
could include 'password' by default. Also, for debugging purposes, or to
speed things up if users are not interested in that measure, a
configuration option that disables all this could be introduced.

What do you think?

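The recursive masking described in the proposal above, worked through in Python as an added example (this is not Ansible code and not the proposer's own; the names `mask_sensitive`, `render_item`, `DEFAULT_SENSITIVE_KEYS` and `MASK` are assumed for illustration). It walks a variable, replaces the value of any matching key, and renders a loop item the way the `item=(...)` output earlier in the thread shows it. It goes one step beyond the text: besides the exact key match the proposal describes, it offers a case-insensitive substring match so that keys such as `db_password` are caught too. The sample data is the `users` and `dbs` variables from this thread, constructed inline.

```python
"""Mask sensitive keys in a variable before it is rendered to console/log output.

Added example for the 'sensitive_keys' proposal; none of these names exist in
Ansible. Sample data below is constructed from the thread's own examples.
"""

from typing import Any, Iterable, List

# The proposal suggests 'password' as the default when nothing is configured.
DEFAULT_SENSITIVE_KEYS = ("password",)
MASK = "xxxxxxx"


def _matches(key: Any, sensitive: set, match: str) -> bool:
    """'exact' is what the proposal describes; 'substring' (assumed extension)
    is case-insensitive and also catches keys like db_password / DB_PASSWORD."""
    if not isinstance(key, str):
        return False
    if match == "exact":
        return key in sensitive
    lowered = key.lower()
    return any(s.lower() in lowered for s in sensitive)


def mask_sensitive(value: Any,
                   sensitive_keys: Iterable[str] = DEFAULT_SENSITIVE_KEYS,
                   match: str = "exact",
                   mask: str = MASK) -> Any:
    """Return a masked deep copy of `value`; dicts, lists and tuples are walked
    recursively and the original object is never modified (the real values are
    still needed by the task that consumes the variable)."""
    sensitive = set(sensitive_keys)

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: (mask if _matches(k, sensitive, match) else walk(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, tuple):
            return tuple(walk(v) for v in node)
        return node

    return walk(value)


def render_item(item: Any,
                sensitive_keys: Iterable[str] = DEFAULT_SENSITIVE_KEYS,
                match: str = "exact") -> str:
    """Render a loop item as the default callback prints it ('item=...'),
    but masked first, so secrets never reach the console or a CI log."""
    return "item=%r" % (mask_sensitive(item, sensitive_keys, match),)


def leaks(text: str, secrets: Iterable[str]) -> List[str]:
    """Plaintext secrets that survived into the rendered text (should be [])."""
    return [s for s in secrets if s in text]


# Constructed sample data: the two variables discussed in the thread.
USERS = [
    {"name": "Alice", "password": "somesecret"},
    {"name": "Bob", "password": "anothersecret",
     "api": {"url": "http://example.org/api/", "key": "someapikey"}},
]
DBS = {
    "prod": {"port": 3306, "password": "secret"},
    "dev": {"port": 3307, "password": "notsosecret"},
}


if __name__ == "__main__":
    # with_dict items look like {'key': 'prod', 'value': {...}}
    for k, v in DBS.items():
        print("changed: [127.0.0.1] => (%s)" % render_item({"key": k, "value": v}))
    print(mask_sensitive(USERS, ["password", "key"]))
    # Default list masks 'password' only, so the API key would still leak:
    print(leaks(repr(mask_sensitive(USERS)), ["someapikey"]))
```

Two caveats fall out of running this against the thread's data. First, matching on the name `key` hides more than intended: a `with_dict` item carries a literal `key` entry (`'key': 'prod'`), so that entry is masked too and the output no longer says which database the task touched. Second, masking by key name only protects values that live under a recognisable name; a secret passed as a bare string in `with_items` has no key to match, which is why the task-level `no_log: true` that Ansible already provides (suppressing the task's output wholesale) remains the safe fallback when the structure of the data is not under your control.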