Hi,
Sometimes playbooks need sensitive information like username/password and you
may want to hide it from your log. So you can use the no_log feature and in
most cases, it works. However, using it with with_items does not.
The following simple example demonstrates it.
Ansible version 1.8.1:
*test.yml*
---
- hosts: 127.0.0.1
vars_files:
- vars.yml
tasks:
- shell: "echo {{ username }} {{ password }}"
register: result
with_items: auth
no_log: True
- fail: msg="something bad"
when: result is defined and item.rc != 0
with_items: result.results
no_log: True
*vars.yml*
---
auth:
- { username: user1, password: pass1 }
- { username: user2, password: pass2 }
- { username: user3, password: pass3 }
Command: ansible-playbook -v test.yml
Result is shown below!
Any thoughts?
If you use -vv, *no_log* will not hide anything (I know it is intent to be used
with -v only). I personally think it would be nice to have the option to
display {{ password }} instead of the real password. I could still benefit from
having more information in the log and at the same time not worrying about
displaying sensitive information. It is more useful to see something like "echo
{{ username }} {{ password }}" in the log rather than "censored": "results
hidden due to no_log parameter".
====
root@553a7fa15e9f:/opt/workspace# ansible-playbook -v test.yml
PLAY [127.0.0.1] **************************************************************
GATHERING FACTS ***************************************************************
ok: [127.0.0.1]
TASK: [shell echo {{ username }} {{ password }}] ******************************
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter",
"changed": true, "rc": 0}
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter",
"changed": true, "rc": 0}
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter",
"changed": true, "rc": 0}
TASK: [fail msg="something bad"] **********************************************
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
u'2014-11-26 03:18:53.800823', u'stderr': u'', u'stdout': u'user4 pass4',
u'changed': True, u'rc': 0, 'item': {'username': 'user1', 'password': 'pass1'},
u'warnings': [], u'delta': u'0:00:00.065612', 'invocation': {'module_name':
u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26
03:18:53.735211'})
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
u'2014-11-26 03:18:53.917499', u'stderr': u'', u'stdout': u'user4 pass4',
u'changed': True, u'rc': 0, 'item': {'username': 'user2', 'password': 'pass2'},
u'warnings': [], u'delta': u'0:00:00.062923', 'invocation': {'module_name':
u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26
03:18:53.854576'})
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end':
u'2014-11-26 03:18:54.030859', u'stderr': u'', u'stdout': u'user4 pass4',
u'changed': True, u'rc': 0, 'item': {'username': 'user3', 'password': 'pass3'},
u'warnings': [], u'delta': u'0:00:00.062825', 'invocation': {'module_name':
u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26
03:18:53.968034'})
PLAY RECAP ********************************************************************
127.0.0.1 : ok=3 changed=1 unreachable=0 failed=0
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/c781f8c0-c843-4ce4-a685-0dd9ac9e9746%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
