Bug: ansible json cache not always invalidated when switching between non/privileged plays

[Budding Mechanic]

I found an issue in ansible 2.4.2.0.  This may have existed in previous versions.

[defaults]

callback_whitelist = timer

fact_caching = jsonfile

fact_caching_connection = ./.fact_cache

gathering = smart

host_key_checking = False

inventory = ./inventories

log_path = /tmp/ansible.${USER}.log

roles_path = ./roles

The issue revolves around the cache file not being invalidated when different parameters are used to fetch the facts.

In the example below, the root_fact will not be printed and an error is raised.

- hosts: example_host

  gather_facts: true

  tasks:

  - debug:

      msg: "user_fact:  {{ user_fact }}"

- hosts: example_host

  gather_facts: true

  become: true      # fetch privileged facts

  tasks:

  - debug:

      msg: "root_fact:  {{ root_fact }}"

The reason is the first play fetched the facts and primed the cache with non-privileged results.  Subsequent privileged fact lookups will use the cache file, but the privileged facts aren't in the cache.

I consider this a bug.

And the inverse is also true; if privileged facts are obtained first then subsequent plays will use the cache results and those subsequent plays will have access to privileged facts.  In the example below, "root_fact_nonpriv" will be printed.

- hosts: example_host

  gather_facts: true

  become: true      # fetch privileged facts

  tasks:

  - debug:

      msg: "root_fact:  {{ root_fact }}"

- hosts: example_host

  gather_facts: true

  tasks:

  - debug:

      msg: "root_fact_nonpriv:  {{ root_fact }}"

I don't know whether I consider this a security bug, but it smells.

In both cases, subtle bugs can be introduced that can be hard to track down.

It seems to me the cache file needs to store the conditions in which it was retrieved.  A simple approach would be appending 'privileged' to the cache file and using the appropriate cache file based on whether 'become=true' is set.  Example:

.fact_cache/example_host             # non-privileged facts

.fact_cache/example_host.privileged  # privileged facts

In summary, a fact cache file obviously needs to continue to check whether it's stale or not by comparing age of the file to the cache timeout.

In addition, I would argue that ansible also needs to know whether the cache file is privileged or not when considering whether it's stale or not.

BTW, using meta: clear_facts is a workaround not really a solution.

Thoughts?