stdout leaks information

Hi,

I am setting up a playbook to set passwords in /etc/shadow on some machines.

I have set up a task in roles/common/main.yml:

So Ansible is already smart and doesn’t log parameters to modules named “password” remotely.

I’m not sure why we should think a field named foobarpassword is a password intelligently, and there’s not a good way to mark this up otherwise.

However, I am ALMOST fine with a change to the callback code to not print password arguments in callbacks for fields named ‘password’, or ‘login_password’, to match what is done in the rest of Ansible.

Can I ask where you are worried about the password text showing up?

If you are trying to make a turnkey solution where the user deploying something doesn’t see the password, this might be a good case for using AWX.

You could kick the job via the AWX API and then selectively display only partial job status.

Alternatively you could build another kind of OS wrapper on your own.

Hi,

I am not sure what you mean with 'log to modules named password'. Should
I change my parameter naming? I already changed md5password to password
but that did not help. Using ansible-1.3.2 btw.

Currently I am using the ansible-playbook command-line only, and this
shows up on stdout, if logging is enabled (log_path in ansible.cfg) it
is also logged there. AWX is not an option for me yet.

Maybe lowering the verbosity of ansible-playbook could help to not show
item values altogether.

“I already changed md5password to password
but that did not help. Using ansible-1.3.2 btw.”

I was referring to remote syslog.

Michael,

Maybe a patch clarifies what I had in mind. This patch looks for a key
'_display' in the item dict and if present uses this to report rather
than all key/values:

--- callbacks.py.org 2013-11-07 17:07:58.471906565 +0100
+++ callbacks.py 2013-11-07 18:10:13.350664352 +0100
@@ -430,7 +430,9 @@
         item = None
         if type(results) == dict:
             item = results.get('item', None)
- if item:
+ if type(item) == dict and '_display' in item:
+ msg = "fatal: [%s] => (item=%s)" % (host, item['_display'])
+ elif item:
             msg = "fatal: [%s] => (item=%s) => %s" % (host, item, results)
         else:
             msg = "fatal: [%s] => %s" % (host, results)
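Review bot: in the new `_display` branch the `results` dict is dropped from the fatal message entirely, so the reason for the failure is no longer reported, only the label; the original branch printed `(item=%s) => %s` with both. Suggest keeping the results and only substituting the label for the item, e.g. `msg = "fatal: [%s] => (item=%s) => %s" % (host, item['_display'], results)`. Also, `type(item) == dict` should be `isinstance(item, dict)` so dict subclasses take the same path, and an item dict without `_display` still falls through to `elif item:` and prints every key/value, so vars that forget the key keep leaking.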
@@ -452,7 +454,9 @@
         stdout = results2.pop('stdout', None)
         returned_msg = results2.pop('msg', None)

- if item:
+ if type(item) == dict and '_display' in item:
+ msg = "failed: [%s] => (item=%s)" % (host, item['_display'])
+ elif item:
             msg = "failed: [%s] => (item=%s) => %s" % (host, item, utils.jsonify(results2))
         else:
             msg = "failed: [%s] => %s" % (host, utils.jsonify(results2))
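Review bot: same loss of information as in the fatal case: `returned_msg` and `stdout` are popped from `results2` a few lines above, and the `_display` branch then omits `utils.jsonify(results2)` as well, so a failed item reports nothing about why it failed. Keep `utils.jsonify(results2)` in the `_display` message and redact the secret field instead of the whole result; and use `isinstance(item, dict)` rather than `type(item) == dict`.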
@@ -486,7 +490,9 @@
         msg = ''
         if (not self.verbose or host_result2.get("verbose_override",None) is not
                 None) and verbose_always is None:
- if item:
+ if type(item) == dict and '_display' in item:
+ msg = "%s: [%s] => (item=%s)" % (ok_or_changed, host, item['_display'])
+ elif item:
                 msg = "%s: [%s] => (item=%s)" % (ok_or_changed, host, item)
             else:
                 if 'ansible_job_id' not in host_result or 'finished' in host_result:
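Review bot: this hunk is the one place where dropping nothing but the item is harmless, since the ok/changed message never included the result, but the same `type(item) == dict` check should be `isinstance(item, dict)`, and the `elif item:` fallback still prints the full item dict (including any `password` value) whenever `_display` is absent. The new `_display` convention is also undocumented: it should be described in the with_items docs or the key will be discovered only by reading callbacks.py.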

So if I would set:

roles/X/vars/main.yml:
passwords:
   - { _display: 'alice', name: 'alice', password: '$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.' }
It would just say 'alice'.

Something like this seems quite reasonable.

I would expect “_display” to be a list, and probably rather than being in the hash explicitly when calling module.fail_json and module.exit_json, it should be set in the module constructor
and automatically added by the exit_json and fail_json functions.
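As an added illustration of the two approaches discussed in this thread (a `_display` label on the item, and masking fields named 'password' or 'login_password' in the callback output), the following is example code written for this page, not Ansible's own callback code. The function names (`describe_item`, `format_result`), the key-matching regex and the sample items are assumptions for the example; it only reproduces the shape of the 1.x `failed: [host] => (item=...) => {...}` lines.

```python
import json
import re

# Hypothetical helper, not Ansible code: render a with_items item for
# stdout/log_path without echoing secret values.

# Keys treated as secrets. 'password' and 'login_password' come from the
# thread; matching any key that ends in "password" after '_' or at the
# start is an assumption made here (it will not catch 'foobarpassword').
SECRET_KEY_RE = re.compile(r"(^|_)password$", re.IGNORECASE)
REDACTED = "********"


def redact(value):
    """Return a copy of value with secret-looking dict keys masked, recursively."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if SECRET_KEY_RE.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def describe_item(item):
    """Text for '(item=...)': the _display label if present, else the redacted item."""
    if isinstance(item, dict) and "_display" in item:
        return str(item["_display"])
    if isinstance(item, dict):
        # No label: fall back to field-name masking instead of the raw dict.
        return json.dumps(redact(item), sort_keys=True)
    return str(item)


def format_result(status, host, item=None, results=None):
    """Compose a callback line like 'failed: [host] => (item=...) => {...}'.

    Unlike the patch above, the results dict is kept (so the failure reason
    survives) and only secret-looking keys inside it are masked.
    """
    msg = "%s: [%s]" % (status, host)
    if item is not None:
        msg += " => (item=%s)" % describe_item(item)
    if results is not None:
        msg += " => %s" % json.dumps(redact(results), sort_keys=True)
    return msg


if __name__ == "__main__":
    # Constructed sample data, modelled on the roles/X/vars/main.yml item above.
    labelled = {"_display": "alice", "name": "alice", "password": "$1$xxxxxxxx"}
    unlabelled = {"name": "bob", "login_password": "s3cret"}
    print(format_result("changed", "web1", labelled))
    print(format_result("failed", "web1", unlabelled, {"msg": "boom", "password": "s3cret"}))
```

With a `_display` key the item is reported as just the label, as in the proposal; without it the fallback masks fields whose name ends in `password`, which is the behaviour Michael suggests for the callbacks and which the page notes cannot recognise arbitrary names such as `foobarpassword`.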