I just wrote a trivial snippet which uses the 'os_server_facts' module to collect VM info.
The snippet itself works fine, but the output is confusing me a bit.
It looks like this:

    "openstack_servers": [
        {
            "HUMAN_ID": true,
            "NAME_ATTR": "name",
            "OS-DCF:diskConfig": "MANUAL",
            "OS-EXT-AZ:availability_zone": "nova",
            "OS-EXT-SRV-ATTR:host": "node58.ostack.********",
            "OS-EXT-SRV-ATTR:hypervisor_hostname": "node58.ostack.********",
            .................
            "human_id": "test-instance-for-********",
            .................
            "name": "test-instance-for-********",

The real hypervisor's name is node58.ostack.mydomain and the VM is test-instance-for-USER.
And the OpenStack authentication parameters look like:

    domain: mydomain
    user: USER

I mean every part of the openstack_servers dict which corresponds to OpenStack auth->user_domain_name and/or project_domain_name and auth->username is replaced by asterisks. As far as I can see, the data which the os_server_facts module returns looks perfectly well, so the replacements come from Ansible core.
All this looks intentional, security related and idiotic at the same time. Is this a bug or am I missing something in the documentation? Could anyone give a hint where to dig further?
The data censored out is probably contained in one of the options marked with no_log=True. If one of them is a dict, Ansible will censor everything in the output which appears as a value somewhere in that dict. For the OpenStack modules, that's everything in the auth and key options (see openstack_full_argument_spec in module_utils/openstack.py).
You are right, thanks for the advice.
It's here:
/usr/lib/python3.5/site-packages/ansible/module_utils/basic.py +452

    def _remove_values_conditions(value, no_log_strings, deferred_removals):
        …
        for omit_me in no_log_strings:
            native_str_value = native_str_value.replace(omit_me, '*' * 8)
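
The behaviour described in the replies above, as an added example that is not part of the thread and not Ansible's own code: a simplified model of no_log scrubbing, where the helper names `collect_no_log_values` and `scrub` and the sample password are assumptions. It shows why non-secret fields are masked as soon as they contain any value from the `auth` dict.

```python
# Simplified model of no_log output scrubbing (NOT the real basic.py code).
# Helper names and the sample password below are hypothetical/constructed.

def collect_no_log_values(param):
    """Flatten a no_log option (str, dict, list) into the set of strings to hide."""
    if isinstance(param, dict):
        param = list(param.values())      # only the dict's values are treated as secret
    if isinstance(param, (list, tuple, set)):
        return set().union(*(collect_no_log_values(v) for v in param))
    if param is None or param == "":
        return set()                      # an empty string would match everywhere
    return {str(param)}


def scrub(value, no_log_strings):
    """Recursively mask every occurrence of a hidden string in module output."""
    if isinstance(value, dict):
        return {k: scrub(v, no_log_strings) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, no_log_strings) for v in value]
    if isinstance(value, str):
        for omit_me in no_log_strings:
            # Plain substring replacement: any field containing the value is hit.
            value = value.replace(omit_me, "*" * 8)
        return value
    return value                          # bools, ints, None pass through unchanged


# Constructed sample mirroring the thread: 'auth' is a no_log dict.
AUTH = {"username": "USER", "password": "s3cret-constructed",
        "user_domain_name": "mydomain", "project_domain_name": "mydomain"}
RESULT = {"openstack_servers": [{
    "HUMAN_ID": True,
    "OS-EXT-AZ:availability_zone": "nova",
    "OS-EXT-SRV-ATTR:host": "node58.ostack.mydomain",
    "name": "test-instance-for-USER",
}]}


def demo():
    """Scrub the constructed module result with the values taken from AUTH."""
    return scrub(RESULT, collect_no_log_values(AUTH))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Because the match is by substring and the mask is always eight asterisks, the output hides the length of each secret but also hides any unrelated field that happens to embed a username or domain name.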