This has been discussed a few times in prior threads.

Ultimately the proposal was that we would consider making certain flags
automatically removable using something like a token value of {{ omit }}
and the system could prune those values that used this magic variable.

priv={% if x %}{{y}}{% else %}{{ omit }}{% endif %}

Though in the above, it seems you're trying to abstract a module around a
very general purpose role in a slightly non-conventional way. In your
particular usage, it might be better to just have defaults for most of
those settings.

{{ item.flags | default(default_value) }}

etc







On Wed, Jul 30, 2014 at 7:26 PM, Miks Kalniņš <mikskaln...@maikumori.com>
wrote:

> I have a similar problem and can't really use the workaround.
>
> - name: Create PostgreSQL users
>   sudo: yes
>   sudo_user: postgres
>   postgresql_user: >
>     name={{ item.name }}
>     {% if item.password is defined %} password={{item.password}}{% endif %}
>     {% if item.db is defined %} db={{item.db}}{% endif %}
>     {% if item.priv is defined %} priv={{item.priv}}{% endif %}
>     {% if item.flags is defined %} role_attr_flags={{item.flags}}{% endif %}
>   with_items: postgresql_users
>   tags: [ 'postgresql' ]
>
>
> On Tuesday, 29 July 2014 03:30:42 UTC+3, Victor Lin wrote:
>>
>> I noticed that since the new Ansible with the security patch was released,
>> many of our roles and playbooks are broken. For example, our role depends on
>> this, and it is also broken
>>
>> https://github.com/Ansibles/generic-users/blob/master/tasks/main.yml#L3-L5
>>
>> since it uses if else statements to generate optional arguments like gid.
>> In the latest version of Ansible, it adds new arguments, so it fails to
>> pass security check, an error like
>>
>> A variable inserted a new parameter into the module args. Be sure to
>> quote variables if they contain equal signs (for example: "{{var}}").
>>
>> is raised.
>>
>> I tried to modify the way arguments are passed by leveraging the default
>> filter
>>
>> - name: generic-users | Make sure all groups are present
>>   group: >
>>     name="{{ item.name }}"
>>     system="{{ item.system|default('no') }}"
>>     gid="{{ item.gid|default(None) }}"
>>     state=present
>>   with_items: genericusers_groups
>>
>>
>> For the argument "system", there is a value "no" I can use as a default
>> value, no problem at all. But for "gid", I tried to feed it with
>> "default(None)"; the value will be rendered as a string first anyway, so that
>> would be gid=None, and a ValueError is raised. As a result, unavoidably, I
>> need to pass a valid value to gid.
>>
>> I saw some discussion in this issue report:
>> https://github.com/ansible/ansible/issues/8233
>>
>> I understand that for security reasons, if-else statements in playbooks are
>> not welcomed, but the problem is that without if-else statements, I have no
>> idea how to omit arguments without a "do not set anything for this" value.
>> The problem is a little bit like Python's not-set default value: we usually
>> create an object that stands for a not_set value, like this
>>
>> NOT_SET = object()
>>
>> def foobar(value=NOT_SET):
>>    pass
>>
>> But in ansible, I didn't see anything like that. Or did I miss something?
>> I think it would be helpful if there is some kind of special filter like
>>
>> - name: generic-users | Make sure all groups are present
>>   group: >
>>     name="{{ item.name }}"
>>     system="{{ item.system|default('no') }}"
>>     gid="{{ item.gid|default_omit }}"
>>     state=present
>>   with_items: genericusers_groups
>>
>> The default_omit filter here omits the "gid" argument if it is not defined.
>> Just an idea. However, since modifying context in a jinja2 template would
>> be difficult to implement, I think maybe it's better to encourage YAML
>> style arguments like this:
>>
>> - name: generic-users | Make sure all groups are present
>>   group:
>>     name: "{{ item.name }}"
>>     system: "{{ item.system|default('no') }}"
>>     gid: "{{ item.gid|default_omit }}"
>>     state: present
>>   with_items: genericusers_groups
>>
>> And for the default_omit, maybe it can return a random nonce generated by
>> the system (so that an attacker cannot inject this value to remove an
>> argument), like this
>>
>> __omit_place_holder_8843d7f92416211de9ebb963ff4ce28125932878__
>>
>> And when Ansible sees this value for an argument, it simply removes the key
>> from the arguments instead of passing it down to the module.
>>
>> But anyway, these are just some thoughts; the more important thing is, I
>> would like to know, at this moment, how can I solve the issue that "gid"
>> cannot be omitted? Is there any workaround? There are so many modules there;
>> if you give an argument there, it means you want to change that thing, and
>> there is no not_set value.
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/bd0bf141-b33a-4f65-b6fd-3c2066be3c2e%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/bd0bf141-b33a-4f65-b6fd-3c2066be3c2e%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>
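
The nonce-based placeholder proposed in the quoted message, sketched in Python as an added example (not Ansible's code and not written by anyone in this thread). The names make_omit_token, prune_omitted, render_group_args, final_args, STATIC_SENTINEL and the sample items are hypothetical and constructed here; the point is that a fixed marker lets an untrusted value silently drop an argument, while a per-run nonce does not.

```python
import hashlib
import os

STATIC_SENTINEL = "__omit__"  # constructed weak choice: a fixed, guessable marker

def make_omit_token():
    """Per-run placeholder in the shape proposed in the thread (random nonce)."""
    return "__omit_place_holder_%s__" % hashlib.sha1(os.urandom(64)).hexdigest()

def prune_omitted(args, omit_token):
    """Copy args, dropping every key whose value is exactly the omit token."""
    pruned = {}
    for key, value in args.items():
        if isinstance(value, dict):
            pruned[key] = prune_omitted(value, omit_token)
        elif value != omit_token:
            pruned[key] = value
    return pruned

def render_group_args(item, omit_token):
    """Stand-in for templating the YAML-style 'group' task quoted above."""
    return {
        "name": item["name"],
        "system": item.get("system", "no"),
        "gid": item.get("gid", omit_token),  # gid: "{{ item.gid|default_omit }}"
        "state": "present",
    }

def final_args(item, omit_token):
    """Arguments that would reach the module after templating and pruning."""
    return prune_omitted(render_group_args(item, omit_token), omit_token)

# Constructed sample items; the last one carries an untrusted gid value that
# matches the fixed marker, which would make the argument disappear.
ITEMS = [
    {"name": "deploy", "gid": 1500},
    {"name": "staff"},
    {"name": "ops", "gid": STATIC_SENTINEL},
]

if __name__ == "__main__":
    token = make_omit_token()
    for item in ITEMS:
        print("static:", final_args(item, STATIC_SENTINEL))
        print("nonce: ", final_args(item, token))
```

With the per-run token, the third item's gid reaches the module as a literal string, where the module's own validation can reject it instead of the argument vanishing.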
