Bypassing no_log for a specific output (dumps of zabbix modules)
17 views
Skip to first unread message
Dušan Matejka
Aug 9, 2019, 10:13:21 AM8/9/19
to Ansible Development
Hi,
I've been searching for ways to bypass no_log option for specific module output, but with no luck so far. To my understanding, providing no_log for at least one argument in argument_spec makes every module output containing value of such argument to be altered.
This makes trouble for people that are testing zabbix modules and/or are too lazy to change its default Admin password -> "zabbix". This is what happens when missing dependency error is thrown (it is only a cosmetic issue):
fatal: [zbx-dev-node002]: FAILED! => changed=false
msg: 'Missing required ********-api module (check docs or install with: pip install ********-api)'
But it gets worse when some content is returned by a module and there is a word 'zabbix' present in it. For example, dumping zabbix template into string:
- hosts: localhost
tasks:
- name: test export
zabbix_template:
server_url: http://127.0.0.1/zabbix
login_user: admin
login_password: zabbix
template_name: "Template OS Linux"
state: dump
dump_format: xml
With the following result:
<?xml version="1.0" ?>
<********_export>
<version>4.2</version>
...
</********_export>
Full problem is described in this issue comment and followed by my response, which is explaining why it is probably happening -> no_log=True. This issue doesn't seem to occur when user dumps template into JSON, I believe because module returns dump in an actual JSON format and not as a string (this is unfortunately not doable with XML output).
Is there any other way than describing this behaviour in module documentation? Any help would be greatly appreciated,
Dusan
Brian Coca
Aug 14, 2019, 8:55:41 AM8/14/19
to Dušan Matejka, Ansible Development
if no_log could be bypassed and runtime, it would trigger a CVE ... so
the way to test the modules is to disable no_log in the module code
itself.
--
----------
Brian Coca
the way to test the modules is to disable no_log in the module code
itself.
--
----------
Brian Coca
Dušan Matejka
Aug 15, 2019, 8:41:36 AM8/15/19
to Ansible Development
Thanks for replying, I guess I will add
`notes:` section to zabbix documentation fragment stating that using default Admin password is not recommended and to expect weird output. Brian Coca
Aug 27, 2019, 10:19:14 AM8/27/19
to Dušan Matejka, Ansible Development
i don't think that is exclusive to zabbix and those using 'admin' as a
password deserve 'some weirdness' imho.
--
----------
Brian Coca
password deserve 'some weirdness' imho.
--
----------
Brian Coca
Reply all
Reply to author
Forward
0 new messages