Sheldon Hearn
2015-07-15 08:55:06 UTC
Hi there,
I have a task in my playbook that uses the expect module to feed sensitive
data into an interactive command on the remote host.
The module does its job, but my request for "no_log: True" is not
respected. When changed, the task emits output like this:
{u'changed': True, u'end': u'2015-07-15 08:40:57.814994', u'stdout': u'',
u'cmd': u'/opt/vault/bin/vault unseal -address=http://127.0.0.1:8200',
u'start': u'2015-07-15 08:40:57.699369', u'delta': u'0:00:00.115625',
'item': u'{{ unseal_key_3 }}', u'rc': 0, 'invocation': {'module_name':
u'expect', 'module_args': {u'command': u'/opt/vault/bin/vault unseal
-address=http://127.0.0.1:8200', u'responses': {u': ': u'856...503'},
u'timeout': 5, '_ansible_no_log': True}}, 'stdout_lines': [u'']}
Note that module_args has exposed the sensitive data (represented here as
'856...503').
I tried marking the responses dict as no_log in the AnsibleModule
definition in lib/ansible/modules/extras/commands/expect.py, but this
didn't change the behaviour.
Where is the code that produces this output, so that I can dig into why it
exposes my sensitive information and figure out how best to deal with that?
Thanks,
Sheldon.
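A result shaped like the one in the message above can be scrubbed before it reaches a log or display. This is an added example, not Ansible's code and not part of the original message. The names `censor_result`, `scrub`, `collect_strings` and `sensitive_args`, the `<censored>` placeholder, and the sample key and stdout are all assumptions made for illustration.

```python
CENSORED = "<censored>"  # placeholder string chosen for this example

def collect_strings(value, found):
    """Gather every non-empty string value nested under `value` (dict keys excluded)."""
    if isinstance(value, str) and value:
        found.add(value)
    elif isinstance(value, dict):
        for v in value.values():
            collect_strings(v, found)
    elif isinstance(value, (list, tuple)):
        for v in value:
            collect_strings(v, found)
    return found

def scrub(value, secrets):
    """Return a copy of `value` with every occurrence of a secret replaced."""
    if isinstance(value, str):
        for s in sorted(secrets, key=len, reverse=True):  # longest first
            value = value.replace(s, CENSORED)
        return value
    if isinstance(value, dict):
        return {k: scrub(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v, secrets) for v in value)
    return value

def censor_result(result, sensitive_args=("responses",)):
    """If the invocation carries _ansible_no_log, censor the named module_args
    and any echo of their values elsewhere in the result."""
    args = result.get("invocation", {}).get("module_args", {})
    if not args.get("_ansible_no_log"):
        return result
    secrets = set()
    for name in sensitive_args:
        collect_strings(args.get(name), secrets)
    return scrub(result, secrets)

# Constructed sample shaped like the output in the post; the key is made up.
SAMPLE = {
    "changed": True, "rc": 0, "item": "{{ unseal_key_3 }}",
    "cmd": "/opt/vault/bin/vault unseal -address=http://127.0.0.1:8200",
    "stdout": "Key: constructed-unseal-key-0001",
    "invocation": {"module_name": "expect", "module_args": {
        "command": "/opt/vault/bin/vault unseal -address=http://127.0.0.1:8200",
        "responses": {": ": "constructed-unseal-key-0001"},
        "timeout": 5, "_ansible_no_log": True}},
}

if __name__ == "__main__":
    print(censor_result(SAMPLE))
```

The prompt key `': '` is kept because only the response values are treated as secret. Very short secret values would also be replaced wherever they appear as substrings, so a minimum length check may be needed for real data.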
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0866e29f-3c2d-4925-b966-5a5bc13b82fb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.