Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
1.4k views
in Technique[技术] by (71.8m points)

automation - Ansible 'no_log' for specific values in debug output, not entire module

I am studying for the RedHat Certified Specialist in Ansible Automation (EX407) and I'm playing around with the no_log module parameter. I have a sample playbook structured as so;

---
- hosts: webservers
  tasks:
  - name: Query vCenter
    vmware_guest:
      hostname: "{{ vcenter['host'] }}"
      username: "{{ vcenter['username'] }}"
      password: "{{ vcenter['password'] }}"
      name: "{{ inventory_hostname }}"
      validate_certs: no
    delegate_to: localhost
    no_log: yes
...

When no_log is disabled, I get a lot of helpful debug information about my VM, but when no_log is disabled I obviously can't protect my playbook's vaulted data (in this case that is the vcenter['username'] and vcenter['password'] values). Enabling no_log cripples my playbook's debug output to just;

"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",

I would like to know how it is possible to censor only some of the debug output. I know this is possible because vcenter['password'] is protected in its output regardless of my no_log state. I see this in the verbose output when no_log is disabled;

"invocation": {
        "module_args": {
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "username": "[email protected]"
        }
}

What are your thoughts?

question from:https://stackoverflow.com/questions/65947327/ansible-no-log-for-specific-values-in-debug-output-not-entire-module

He who fights dragons for too long becomes a dragon himself; gaze too long into the abyss, and the abyss will gaze back…

1 Answer

0 votes
by (71.8m points)

So I went digging through the VMWare module source code and this is what I found.

password=dict(type='str',
              aliases=['pass', 'pwd'],
              required=False,
              no_log=True,
              fallback=(env_fallback, ['VMWARE_PASSWORD'])),

Looks like Playbooks just aren't exposing this feature. The VMWare modules themselves are enabling no_log on specific attributes in Python. For my part, this is just another functionality Playbooks are hiding. I really wish it was standard to suppress specific attributes, rather than a whole module, but this is where it stands as of Ansible 2.10.


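A simplified, stand-alone model of the per-argument masking the answer found in the module source, added here as an example; it is not Ansible's or the VMware module's code. The spec, the function names (`resolve_aliases`, `no_log_values`, `scrub`, `run_module`) and all sample values are constructed for illustration.

```python
# Added example: toy model of per-argument no_log masking, not Ansible's implementation.
MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Constructed spec, modelled on the password entry quoted in the answer.
ARGUMENT_SPEC = {
    "hostname": dict(type="str"),
    "username": dict(type="str"),
    "password": dict(type="str", aliases=["pass", "pwd"], no_log=True),
}
# Constructed input; note the secret arrives under an alias.
SAMPLE_PARAMS = {"hostname": "vc.example.test", "username": "svc-ansible",
                 "pwd": "S3cr3t-constructed"}

def resolve_aliases(spec, params):
    """Map alias keys (e.g. 'pwd') onto their canonical parameter names."""
    alias_map = {a: n for n, o in spec.items() for a in o.get("aliases", [])}
    return {alias_map.get(k, k): v for k, v in params.items()}

def no_log_values(spec, params):
    """Collect the values supplied for parameters marked no_log=True."""
    return {str(params[n]) for n, o in spec.items()
            if o.get("no_log") and params.get(n)}

def scrub(obj, secrets):
    """Recursively mask secrets wherever they appear in the result."""
    if isinstance(obj, dict):
        return {k: scrub(v, secrets) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [scrub(v, secrets) for v in obj]
    if isinstance(obj, str):
        if obj in secrets:              # the whole value is a secret
            return MASK
        for s in sorted(secrets, key=len, reverse=True):
            obj = obj.replace(s, "********")   # secret embedded in other text
    return obj

def run_module(spec, raw_params):
    """Build a constructed module result, then scrub it before it is returned."""
    params = resolve_aliases(spec, raw_params)
    secrets = no_log_values(spec, params)
    note = "connected as %s:%s" % (params["username"], params["password"])
    result = {"changed": False,
              "instance": {"hw_name": "web01", "note": note},
              "invocation": {"module_args": params}}
    return scrub(result, secrets)

if __name__ == "__main__":
    print(run_module(ARGUMENT_SPEC, SAMPLE_PARAMS))
```

In this model `username` stays visible because only `password` carries `no_log=True`, which matches the verbose output shown in the question. Masking is done by value, so a secret that also occurs inside unrelated output text is masked there too.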