Remove task loop item from output


Thom Seddon

Jun 5, 2014, 2:15:48 PM6/5/14
to ansible...@googlegroups.com

When you use a loop in an ansible task, e.g. with_items or with_dict, a dump of the item is included in the output. Sometimes these items contain secure information which it is undesirable to have output on screen, for example:

---
- name: Test
  hosts: 127.0.0.1
  vars:
    dbs:
      prod:
        port: 3306
        password: secret
      dev:
        port: 3307
        password: notsosecret
  tasks:
    - command: echo {{ item.value.port }}
      with_dict: dbs


outputs:

[thom@ThomComp test]$ ansible-playbook ansible/test.yml

PLAY [Test] *******************************************************************

GATHERING FACTS ***************************************************************
ok: [127.0.0.1]

TASK: [command echo {{item.value.port}}] **************************************
changed: [127.0.0.1] => (item={'value': {'password': 'secret', 'port': 3306}, 'key': 'prod'})
changed: [127.0.0.1] => (item={'value': {'password': 'notsosecret', 'port': 3307}, 'key': 'dev'})

PLAY RECAP ********************************************************************
127.0.0.1                  : ok=2    changed=1    unreachable=0    failed=0


At best, I think there should be a way to choose what is output (in this case I would choose the dict.key), at least I think there should be a way to suppress this output.

Opinions/ideas?

Thanks

Nadir Lloret

Jun 10, 2014, 9:46:19 AM6/10/14
to ansible...@googlegroups.com
I was facing a similar problem.
Mine is just that the dictionary being included in the output has so many values that it makes the output messy, and I would prefer to include just dict.key in the item=() output.

It would be really nice to be able to decide whether the whole item or just a part of it is printed to the output.

Scott Sturdivant

Jun 10, 2014, 1:28:51 PM6/10/14
to ansible...@googlegroups.com
This is something I'd be quite interested in as well.  All of our private data is stored via ansible-vault, but then it winds up being displayed in plain text as the playbook executes.  In a slightly contrived example, I've got an encrypted users.yml file that has user passwords.  In my playbook, I pass the variable to the users module as "with_items: users", and wind up seeing all of the passwords, exactly like Thom pasted above.

Certainly the argument can be made that since I knew the vault password, I could go look up that information anyway, but I'm more concerned with someone looking over my shoulder, or the output being somewhere I don't control (Jenkins, for instance).

So nothing valuable to add to this discussion, only hoping to see what others have done to work around this!


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/35cc2483-54d2-40db-99ef-172bd0b970d5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Petros Moisiadis

Jun 11, 2014, 5:04:40 AM6/11/14
to ansible...@googlegroups.com


This is indeed a security weakness (unnecessary exposure of sensitive data).
So, I propose the introduction of a new playbook directive called 'sensitive_keys' with a list of keys that are considered to hold sensitive data. Then, at output (logs / console output), all variables would be recursively checked if they contain a key that is included in the 'sensitive_keys' list. If a key is matched, its value would be replaced with a 'hidden' version. For example:

sensitive_keys:
  - password
  - key

So, the following var:

users:
  - name: Alice
    password: somesecret
  - name: Bob
    password: anothersecret
    api:
      url: http://example.org/api/
      key: someapikey

would have this 'hidden' version at logs / console output:

users:
  - name: Alice
    password: xxxxxxx
  - name: Bob
    password: xxxxxxx
    api:
      url: http://example.org/api/
      key: xxxxxxx

As a proactive measure, if 'sensitive_keys' is not explicitly set, it could include 'password' by default. Also, for debugging purposes or to speed up things if users are not interested in that measure, a configuration option that disables all this could be introduced.

What do you think?
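The recursive 'sensitive_keys' redaction sketched in the post above, written out as an added Python example (not Ansible's code and not part of this thread). The function names are my assumptions; the 'xxxxxxx' mask, the default of 'password', the 'users' var and the with_dict item shape are taken from the posts, and it also shows the side effect of listing 'key' when the loop itself uses 'key' for the dict key.

```python
from typing import Any, Iterable

MASK = "xxxxxxx"                        # the 'hidden' value shown in the proposal
DEFAULT_SENSITIVE_KEYS = ("password",)  # proposed default when sensitive_keys is unset


def redact(obj: Any, sensitive_keys: Iterable[str] = DEFAULT_SENSITIVE_KEYS) -> Any:
    """Return a redacted copy of obj: any dict entry whose key is in
    sensitive_keys has its value replaced by MASK, at every nesting level.
    Dicts, lists and tuples are walked; scalars are returned unchanged.
    The input is never mutated, so the real values stay available to the task."""
    keys = frozenset(sensitive_keys)
    if isinstance(obj, dict):
        return {k: (MASK if k in keys else redact(v, keys)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v, keys) for v in obj)
    return obj


def format_loop_item(item: Any, sensitive_keys: Iterable[str] = DEFAULT_SENSITIVE_KEYS) -> str:
    """Render a loop item the way the 'changed: [...] => (item=...)' line
    does, but from the redacted copy rather than the real item."""
    return "(item=%r)" % (redact(item, sensitive_keys),)


# Constructed sample: the 'users' var from the proposal above.
USERS = [
    {"name": "Alice", "password": "somesecret"},
    {"name": "Bob", "password": "anothersecret",
     "api": {"url": "http://example.org/api/", "key": "someapikey"}},
]

# Constructed sample: one item as with_dict hands it to the task in the first post.
PROD_ITEM = {"key": "prod", "value": {"port": 3306, "password": "secret"}}

if __name__ == "__main__":
    print(redact(USERS, ["password", "key"]))
    # Caveat: with_dict names the dict key 'key', so listing 'key' as sensitive
    # also masks item.key ('prod'), which the first post wanted to keep visible.
    print(format_loop_item(PROD_ITEM))                       # only password masked
    print(format_loop_item(PROD_ITEM, ["password", "key"]))  # 'prod' masked too
```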

Michael DeHaan

Jun 11, 2014, 6:38:05 PM6/11/14
to ansible...@googlegroups.com
We're not going to be adding anything called "sensitive_keys", especially as filtering is not just about sensitivity.

Tasks take a "no_log: True" attribute to prevent their output from hitting syslog, easiest is to also make this automatically dock the verbosity in the callback.


Petros Moisiadis

Jun 12, 2014, 6:32:40 AM6/12/14
to ansible...@googlegroups.com
On 06/12/14 01:38, Michael DeHaan wrote:
Tasks take a "no_log: True" attribute to prevent their output from hitting syslog, easiest is to also make this automatically dock the verbosity in the callback.

Ok, this would surely be a fine solution to the problem of being able to protect from over-the-shoulder watchers.

I was about to open a new github issue but it seems there are at least 3 open issues for this. :)

