I just took a look at the keystone code. Unfortunately, I don't think
this is coming from the module. It's being logged because they're in
with_items. Here's a simpler playbook that shows that happening:

$ cat test.yml *[devel] (08:12:25)
---
- hosts: localhost
  gather_facts: False
  tasks:
  - name: test
    ping:
      data: "{{ item.name }}"
    with_items:
    - { name: kevin, password: example }
    - { name: laxathom, password: two }

$ ansible-playbook test.yml *[devel] (08:14:30)
PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})

PLAY RECAP ********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=0

There is a way to fix this though: no_log
http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook
no_log gives you the ability to make sure that tasks with passwords
aren't logging their output rather than relying on the module to do
the right thing. You are also able to turn no_log on and off -- for
instance if you need to debug why a task isn't working and actually
need to see what password is being substituted in for that. I would
use no_log for any task that contains a secret value.
Here's what the task looks like with no_log:

---
- hosts: localhost
  gather_facts: no
  tasks:
  - name: test
    ping:
      data: "{{ item.name }}"
    no_log: True
    with_items:
    - { name: kevin, password: example }
    - { name: laxathom, password: two }

And here's the task output with no_log:

$ ansible-playbook test.yml *[devel] (08:17:01)
PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost]
ok: [localhost]

PLAY RECAP ********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=0

-Toshio
On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham <notting(a)splat.cc> wrote:
Kevin Fenzi (kevin(a)scrye.com) said:
> On Wed, 28 Jan 2015 16:57:56 +0100
> Miroslav Suchý <msuchy(a)redhat.com> wrote:
>
> ...snip...
>
> > Is there a way to mask the output (using -name or something) so the
> > password is not printed to console?
>
>
> Sadly, I don't know of any way to do that. ;(
>
> It does sound like something that would be a nice feature...
> Perhaps it could be done in a handler?
It's generally up to the modules to mask sensitive output (the user module
does this, as an example). File an issue in github against ansible-modules-core?
Bill
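
Added example, not part of the original thread: a Python scanner for saved ansible-playbook output that finds loop results printed as (item={...}), reports secret-looking keys and produces a redacted copy of each leaking line. The key-name pattern and the function names are assumptions made for this example, and the sample lines are constructed from the output format shown in the message above.

```python
import ast
import re

# Key names treated as secret-bearing (assumed list; extend for your playbooks).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
# Loop results are printed as "(item=<python repr>)" at the end of the line.
ITEM = re.compile(r"\(item=(\{.*\})\)\s*$")


def scan_line(line):
    """Return (leaked_keys, redacted_line) for one line of playbook output."""
    m = ITEM.search(line)
    if not m:
        return [], line
    try:
        item = ast.literal_eval(m.group(1))  # the item is a Python dict repr
    except (ValueError, SyntaxError):
        return [], line  # not a parseable literal; leave the line untouched
    if not isinstance(item, dict):
        return [], line
    # Only top-level keys are checked; nested dicts are not descended into.
    leaked = sorted(k for k in item if isinstance(k, str) and SECRET_KEY.search(k))
    if not leaked:
        return [], line
    safe = {k: ("********" if k in leaked else v) for k, v in item.items()}
    return leaked, line[:m.start(1)] + repr(safe) + line[m.end(1):]


def scan_log(text):
    """Yield (line_number, leaked_keys, redacted_line) for every leaking line."""
    for n, line in enumerate(text.splitlines(), 1):
        leaked, redacted = scan_line(line)
        if leaked:
            yield n, leaked, redacted


# Constructed sample: one task without no_log, one with it.
SAMPLE = """\
TASK: [test] ***
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})
TASK: [test with no_log] ***
ok: [localhost]
"""

if __name__ == "__main__":
    for n, keys, redacted in scan_log(SAMPLE):
        print(f"line {n}: leaked {keys}: {redacted}")
```

Lines from tasks run with no_log carry no item and are not flagged, so a clean scan of a log is a quick check that every secret-bearing loop has no_log set.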