  1. Ansible Strategy
  2. ANSTRAT-1114

Sensitive Variables such as passwords not written to logs without having to no_log entire blocks of code


    • Feature
    • Resolution: Unresolved
    • Normal
    • controller
      There is a risk of writing sensitive information to logs, causing a security leak. Also, using no_log causes problems when troubleshooting playbooks and tasks, since none of the actions or details are written to the log.

      In order to prevent passwords or keys from being written to logs I have to use no_log, which means that all actions taken in that module/play aren't logged. If it fails, that becomes a nightmare to troubleshoot.
      It would be beneficial to tag or provide a list of sensitive variables and have Ansible simply not write those values to log, possibly write the name of the variable or just write SENSITIVE to the logs.
      This would allow us to log and troubleshoot complex actions, and be sure that the expected values aren't going to be written to disk or logs.

              Unassigned Unassigned
              rhn-support-seokim kevin kim
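The behaviour requested in this issue, sketched as an added example (not Ansible's code or API, and not written by the reporter): a task result is still logged in full, but every listed secret value, and every variable named as sensitive, is replaced with `SENSITIVE`. The function name `redact`, its parameters and the sample result are assumptions constructed for illustration.

```python
from collections.abc import Mapping

MASK = "SENSITIVE"  # marker text suggested in the issue description


def redact(data, secrets, sensitive_names=frozenset()):
    """Return a copy of `data` with secret material masked.

    secrets:         secret string values to mask wherever they occur
    sensitive_names: variable names whose values are masked whole
    """
    # Longest first: if one secret is a prefix of another, masking the
    # shorter one first would leave the tail of the longer one in the log.
    ordered = sorted((s for s in secrets if s), key=len, reverse=True)

    def scrub(value):
        if isinstance(value, str):
            for secret in ordered:
                value = value.replace(secret, MASK)
            return value
        if isinstance(value, Mapping):
            return {
                scrub(k): (MASK if k in sensitive_names else scrub(v))
                for k, v in value.items()
            }
        if isinstance(value, (list, tuple, set)):
            return [scrub(v) for v in value]
        # Numeric secrets (e.g. a PIN) arrive as int/float, not str.
        if (isinstance(value, (int, float)) and not isinstance(value, bool)
                and str(value) in secrets):
            return MASK
        return value

    return scrub(data)


# Constructed sample of a failed task result; hosts and values are made up.
SAMPLE_RESULT = {
    "failed": True,
    "cmd": ["curl", "-u", "svc:Tr0ub4dor&3", "https://api.example.invalid/v1"],
    "stderr": "401 for svc:Tr0ub4dor&3 (token abc123token rejected)",
    "invocation": {"module_args": {"api_token": "abc123token", "retries": 3}},
}

if __name__ == "__main__":
    print(redact(SAMPLE_RESULT, {"Tr0ub4dor&3", "abc123token"}, {"api_token"}))
```

Value-based masking only catches a secret in the exact form it was registered; a base64-encoded or URL-escaped copy passes through, so name-based masking of the variable remains the stronger control.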