On 06/12/14 01:38, Michael DeHaan wrote:
> Tasks take a "no_log: True" attribute to prevent their output from
> hitting syslog, easiest is to also make this automatically dock the
> verbosity in the callback.

OK, this would surely be a fine solution to the problem of being able to
protect against over-the-shoulder watchers.

I was about to open a new GitHub issue, but it seems there are at least 3
open issues for this. :)


>
>
> On Wed, Jun 11, 2014 at 5:04 AM, 'Petros Moisiadis' via Ansible
> Project <ansible-project@googlegroups.com> wrote:
>
>     On 06/10/2014 08:28 PM, Scott Sturdivant wrote:
>>     This is something I'd be quite interested in as well.  All of our
>>     private data is stored via ansible-vault, but then it winds up
>>     being displayed in plain text as the playbook executes.  In a
>>     slightly contrived example, I've got an encrypted users.yml file
>>     that has user passwords.  In my playbook, I pass the variable to
>>     the users module as "with_items: users", and wind up seeing all
>>     of the passwords, exactly like Thom pasted above.
>>
>>     Certainly the argument can be made that since I knew the vault
>>     password, I could go look up that information anyway, but I'm
>>     more concerned with someone looking over my shoulder, or the
>>     output being somewhere I don't control (Jenkins, for instance).
>>
>>     So nothing valuable to add to this discussion, only hoping to see
>>     what others have done to work around this!
>>
>>
>>     On Tue, Jun 10, 2014 at 7:46 AM, Nadir Lloret
>>     <nadir.llo...@gmail.com> wrote:
>>
>>         I was facing a similar problem.
>>         Mine is just that the dictionary being included in the output
>>         has so many values that it makes the output messy, and I would
>>         prefer just to include dict.key in the item=() output.
>>
>>         It would be really nice to be able to decide if all the item
>>         or just a part of it is printed to the output.
>>
>>         On Thursday, June 5, 2014 20:15:48 UTC+2, Thom Seddon
>>         wrote:
>>
>>
>>             When you use a loop in an ansible task, e.g. with_items
>>             or with_dict, a dump of the item is included in the
>>             output. Sometimes these items contain secure information
>>             which it is undesirable to have output on screen, for
>>             example:
>>
>>             ---
>>             - name: Test
>>               hosts: 127.0.0.1
>>               vars:
>>                 dbs:
>>                   prod:
>>                     port: 3306
>>                     password: secret
>>                   dev:
>>                     port: 3307
>>                     password: notsosecret
>>               tasks:
>>                 - command: echo {{ item.value.port }}
>>                   with_dict: dbs
>>
>>             outputs:
>>
>>             [thom@ThomComp test]$ ansible-playbook ansible/test.yml
>>
>>             PLAY [Test] *******************************************************************
>>
>>             GATHERING FACTS ***************************************************************
>>             ok: [127.0.0.1]
>>
>>             TASK: [command echo {{item.value.port}}] **************************************
>>             changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
>>             changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})
>>
>>             PLAY RECAP ********************************************************************
>>             127.0.0.1                  : ok=2    changed=1    unreachable=0    failed=0
>>
>>             At best, I think there should be a way to choose what is
>>             output (in this case I would choose the dict.key), at
>>             least I think there should be a way to suppress this output.
>>
>>             Opinions/ideas?
>>
>>             Thanks
>>
>>         -- 
>>         You received this message because you are subscribed to the
>>         Google Groups "Ansible Project" group.
>>         To unsubscribe from this group and stop receiving emails from
>>         it, send an email to
>>         ansible-project+unsubscr...@googlegroups.com
>>         <mailto:ansible-project+unsubscr...@googlegroups.com>.
>>         To post to this group, send email to
>>         ansible-project@googlegroups.com
>>         <mailto:ansible-project@googlegroups.com>.
>>         To view this discussion on the web visit
>>         
>> https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com
>>         
>> <https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>
>>
>>         For more options, visit https://groups.google.com/d/optout.
>>
>>
>
>     This is indeed a security weakness (unnecessary exposure of
>     sensitive data).
>     So, I propose the introduction of a new playbook directive called
>     'sensitive_keys' with a list of keys that are considered to hold
>     sensitive data. Then, at output (logs / console output), all
>     variables would be recursively checked if they contain a key that
>     is included in the 'sensitive_keys' list. If a key is matched, its
>     value would be replaced with a 'hidden' version. For example:
>
>     sensitive_keys:
>       - password
>       - key
>
>     So, the following var:
>
>     users:
>       - name: Alice
>         password: somesecret
>       - name: Bob
>         password: anothersecret
>         api:
>           url: http://example.org/api/
>           key: someapikey
>
>     would have this 'hidden' version at logs / console output:
>
>     users:
>       - name: Alice
>         password: xxxxxxx
>       - name: Bob
>         password: xxxxxxx
>         api:
>           url: http://example.org/api/
>           key: xxxxxxx
>
>     As a proactive measure, if 'sensitive_keys' is not explicitly set,
>     it could include 'password' by default. Also, for debugging
>     purposes or to speed up things if users are not interested in that
>     measure, a configuration option that disables all this could be
>     introduced.
>
>     What do you think?


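The 'sensitive_keys' idea proposed in the quoted message, sketched in Python as an added example (it is not code from Ansible or from any poster in this thread). 'sensitive_keys' is only the directive proposed above, and redact(), format_item() and MASK are hypothetical names; the sample data is copied from the messages in the thread.

```python
# Added illustration: 'sensitive_keys' is the directive proposed in this thread,
# not an existing Ansible option; redact(), format_item() and MASK are hypothetical.
MASK = "xxxxxxx"
DEFAULT_SENSITIVE_KEYS = frozenset({"password"})  # default suggested in the proposal


def redact(value, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Return a masked copy of value for display; the input is never modified.

    Dicts, lists and tuples are walked recursively, so a secret nested at any
    depth is masked while the task itself still receives the real value.
    """
    if isinstance(value, dict):
        return {
            k: MASK if k in sensitive_keys else redact(v, sensitive_keys)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v, sensitive_keys) for v in value)
    return value


def format_item(item, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Render the '(item=...)' suffix of a loop result line from the masked copy."""
    return "(item=%r)" % (redact(item, sensitive_keys),)


# Sample data taken from the messages quoted in this thread.
USERS = [
    {"name": "Alice", "password": "somesecret"},
    {"name": "Bob", "password": "anothersecret",
     "api": {"url": "http://example.org/api/", "key": "someapikey"}},
]
# One item as produced by 'with_dict: dbs' in the original playbook.
LOOP_ITEM = {"key": "prod", "value": {"port": 3306, "password": "secret"}}

if __name__ == "__main__":
    print(redact(USERS, {"password", "key"}))
    print(format_item(LOOP_ITEM))
    # Matching on the name 'key' also masks with_dict's own 'key' field ('prod').
    print(format_item(LOOP_ITEM, {"password", "key"}))
```

With 'key' in the list, the with_dict item loses its 'prod' label as well as the password, so name-based matching needs care when a loop construct uses the same field name for non-secret data.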