no_log will not always hide sensitive data


Frederic Lemay

Dec 4, 2014, 6:54:04 PM
to ansible...@googlegroups.com
Hi,

Sometimes playbooks need sensitive information like username/password and you may want to hide it from your log. So you can use the no_log feature and in most cases, it works. However, using it with with_items does not.

The following simple example demonstrates it.

Ansible version 1.8.1:

test.yml
---
- hosts: 127.0.0.1
  vars_files:
    - vars.yml
  tasks:
    - shell: "echo {{ username }} {{ password }}"
      register: result
      with_items: auth
      no_log: True

    - fail: msg="something bad"
      when: result is defined and item.rc != 0
      with_items: result.results
      no_log: True

vars.yml
---
auth:
  - { username: user1, password: pass1 }
  - { username: user2, password: pass2 }
  - { username: user3, password: pass3 }

Command: ansible-playbook -v test.yml

Result is shown below!

Any thoughts?

If you use -vv, no_log will not hide anything (I know it is intended to be used with -v only). I personally think it would be nice to have the option to display {{ password }} instead of the real password. I could still benefit from having more information in the log and at the same time not worrying about displaying sensitive information. It is more useful to see something like "echo {{ username }} {{ password }}" in the log rather than "censored": "results hidden due to no_log parameter".


====

root@553a7fa15e9f:/opt/workspace# ansible-playbook -v test.yml

PLAY [127.0.0.1] **************************************************************

GATHERING FACTS ***************************************************************
ok: [127.0.0.1]

TASK: [shell echo {{ username }} {{ password }}] ******************************
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
changed: [127.0.0.1] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}

TASK: [fail msg="something bad"] **********************************************
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': u'2014-11-26 03:18:53.800823', u'stderr': u'', u'stdout': u'user4 pass4', u'changed': True, u'rc': 0, 'item': {'username': 'user1', 'password': 'pass1'}, u'warnings': [], u'delta': u'0:00:00.065612', 'invocation': {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26 03:18:53.735211'})
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': u'2014-11-26 03:18:53.917499', u'stderr': u'', u'stdout': u'user4 pass4', u'changed': True, u'rc': 0, 'item': {'username': 'user2', 'password': 'pass2'}, u'warnings': [], u'delta': u'0:00:00.062923', 'invocation': {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26 03:18:53.854576'})
skipping: [127.0.0.1] => (item={u'cmd': u'echo user4 pass4', u'end': u'2014-11-26 03:18:54.030859', u'stderr': u'', u'stdout': u'user4 pass4', u'changed': True, u'rc': 0, 'item': {'username': 'user3', 'password': 'pass3'}, u'warnings': [], u'delta': u'0:00:00.062825', 'invocation': {'module_name': u'shell', 'module_args': u'echo user4 pass4'}, u'start': u'2014-11-26 03:18:53.968034'})

PLAY RECAP ********************************************************************
127.0.0.1 : ok=3 changed=1 unreachable=0 failed=0

Michael DeHaan

Dec 4, 2014, 7:35:54 PM
to ansible...@googlegroups.com
yeah it's important for debug that we show the loop counter of the item, so we don't hide that with no_log. I think most times people would want to see what task is exec'ing in the loop - there could be hundreds.

Now, here's the trick I was alluding to on Twitter:

in group_vars/foo or wherever, assume a vault-encrypted file:

user_details:
  timmy:
    username: timmy
    password: foo
  jimmy:
    username: jimmy
    password: bar

And in your playbook:

 - shell: some task ... {{ user_details[item]['password'] }} ...   # quote the key, or Jinja treats password as an undefined variable
   with_items: user_names
   no_log: True

And this way it will print the name on each loop indicator, but not the details that you don't want to show.

There are a couple of other ways to do this, the main trick is just don't loop over the sensitive items. I believe we have a keys() filter to use or there's one in stock Jinja that makes this easier as well.

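Putting the two posts together as a single playbook (an added example, not code from either poster): the leak in the first post comes from the loop label, which prints the registered result including the original item, so the fix is to loop over account names and look the secret up inside the task, as the second post suggests. The vault file name vault.yml and the second task's message are assumptions.

```yaml
---
# vault.yml (assumed name; keep it encrypted with: ansible-vault encrypt vault.yml)
user_details:
  timmy:
    username: timmy
    password: foo
  jimmy:
    username: jimmy
    password: bar

---
# playbook: loop over the keys of user_details, never over the secrets themselves
- hosts: 127.0.0.1
  vars_files:
    - vault.yml
  tasks:
    - name: run per-account command
      shell: "echo {{ user_details[item].username }} {{ user_details[item].password }}"
      with_items: "{{ user_details.keys() }}"   # loop items are names only (timmy, jimmy)
      register: result
      no_log: True

    # Each entry in result.results carries its loop item, but that item is now
    # just the account name, so the per-item label this task prints holds no secret.
    - name: fail on any non-zero exit
      fail: msg="command failed for {{ item.item }}"
      when: item.rc != 0
      with_items: "{{ result.results }}"
```

With -v the loop indicator shows (item=timmy) and (item=jimmy) rather than the dicts with passwords seen in the first post's output; with -vv the censoring is still bypassed as the first post notes, but the registered result only contains stdout of a command that was itself given the secret, so keep the secret out of echoed output too.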

Vikas Kumar

Mar 10, 2016, 1:06:12 AM
to Ansible Project
Looks like this has been fixed in v2.0; I can use with_items with no_log: True.