Ansible question

Toshio Kuratomi a.badger at gmail.com
Thu Jan 29 16:30:06 UTC 2015


I just took a look at the keystone code.  Unfortunately, I don't think
this is coming from the module.  It's being logged because they're in
with_items.  Here's a simpler playbook that shows that happening:

$ cat test.yml                     *[devel]  (08:12:25)
---
- hosts: localhost
  gather_facts: False
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }

$ ansible-playbook test.yml        *[devel]  (08:14:30)

PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0


There is a way to fix this though: no_log
http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

no_log gives you the ability to make sure that tasks with passwords
aren't logging their output rather than relying on the module to do
the right thing.  You are also able to turn no_log on and off -- for
instance if you need to debug why a task isn't working and actually
need to see what password is being substituted in for that.  I would
use no_log for any task that contains a secret value.


Here's what the task looks like with no_log:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      no_log: True
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }


And here's the task output with no_log:

$ ansible-playbook test.yml        *[devel]  (08:17:01)

PLAY [localhost] **************************************************************

TASK: [test] ******************************************************************
ok: [localhost]
ok: [localhost]

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0


-Toshio

On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham <notting at splat.cc> wrote:
> Kevin Fenzi (kevin at scrye.com) said:
>> On Wed, 28 Jan 2015 16:57:56 +0100
>> Miroslav Suchý <msuchy at redhat.com> wrote:
>>
>> ...snip...
>>
>> > Is there a way to mask the output (using -name or something) so the
>> > password is not printed to console?
>>
>>
>> Sadly, I don't know of any way to do that. ;(
>>
>> It does sound like something that would be a nice feature...
>> Perhaps it could be done in a handler?
>
> It's generally up to the modules to mask sensitive output (the user module
> does this, as an example). File an issue in github against ansible-modules-core?
>
> Bill
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
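The thread's advice is that every task touching a secret should carry no_log, and that the loop items themselves (not only the module's output) are what get echoed. The check below is an added example, not code from the thread or from Ansible: it walks a playbook after YAML loading (represented here as Python dicts constructed inline, so it runs without PyYAML) and reports tasks whose with_items/loop entries or module arguments mention a secret-looking key but do not have no_log enabled. The helper name find_unmasked_secret_tasks, the SENSITIVE_KEYS list and the TASK_KEYWORDS set are assumptions chosen for the example.

```python
"""Lint a loaded Ansible playbook for tasks that handle secrets without no_log.

Hypothetical helper written for this example (not Ansible's own code). It works
on the playbook after YAML loading; the sample playbooks below are constructed
inline as Python dicts so the script runs offline without PyYAML.
"""

# Key names that usually carry secrets. This list is an assumption; extend per site.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "private_key")

# Task-level keywords that are never module arguments (subset; assumption).
TASK_KEYWORDS = {"name", "no_log", "with_items", "loop", "when", "register", "tags",
                 "become", "become_user", "ignore_errors", "changed_when", "failed_when"}


def _mentions_secret(value):
    """Recursively check whether a mapping, list or string references a sensitive key."""
    if isinstance(value, dict):
        return any(str(k).lower() in SENSITIVE_KEYS or _mentions_secret(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(_mentions_secret(v) for v in value)
    if isinstance(value, str):
        # Also catch templated references such as "{{ item.password }}".
        lowered = value.lower()
        return any(key in lowered for key in SENSITIVE_KEYS)
    return False


def _no_log_effective(task):
    """True when no_log is a truthy literal, or a Jinja template (assumed to toggle it)."""
    value = task.get("no_log")
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        normalized = value.strip().lower()
        if normalized in ("yes", "true", "on"):
            return True
        if normalized in ("no", "false", "off"):
            return False
        # A template such as "{{ not debug_secrets }}" lets the operator turn
        # masking off deliberately while debugging; treat it as set.
        return "{{" in value
    return False


def find_unmasked_secret_tasks(playbook):
    """Return names of tasks that mention secrets but do not have no_log enabled.

    Both loop items (with_items / loop), which are echoed in task output as the
    thread shows, and module arguments are inspected.
    """
    findings = []
    for play in playbook:
        for task in play.get("tasks", []):
            loop_items = task.get("with_items", task.get("loop"))
            module_args = {k: v for k, v in task.items() if k not in TASK_KEYWORDS}
            if ((_mentions_secret(loop_items) or _mentions_secret(module_args))
                    and not _no_log_effective(task)):
                findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample data: the thread's playbook once without and once with
# no_log, plus a variant whose no_log is a template so it can be toggled.
ITEMS = [{"name": "kevin", "password": "example"},
         {"name": "laxathom", "password": "two"}]

UNMASKED_PLAYBOOK = [{"hosts": "localhost", "gather_facts": False, "tasks": [
    {"name": "test", "ping": {"data": "{{ item.name }}"}, "with_items": ITEMS},
]}]

MASKED_PLAYBOOK = [{"hosts": "localhost", "gather_facts": False, "tasks": [
    {"name": "test", "ping": {"data": "{{ item.name }}"}, "no_log": True,
     "with_items": ITEMS},
    {"name": "toggleable", "ping": {"data": "{{ item.name }}"},
     "no_log": "{{ not (debug_secrets | default(false)) }}", "with_items": ITEMS},
    {"name": "no secret", "ping": {"data": "hello"}},
]}]

if __name__ == "__main__":
    print("unmasked tasks:", find_unmasked_secret_tasks(UNMASKED_PLAYBOOK))  # ['test']
    print("masked tasks:", find_unmasked_secret_tasks(MASKED_PLAYBOOK))      # []
```

Run it against a real playbook by loading the YAML with yaml.safe_load and passing the resulting list to find_unmasked_secret_tasks; the "toggleable" task shows the on/off pattern the message mentions, with masking controlled by an extra variable rather than by editing the task.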

