Honor explicitly marking a parameter as not sensitive. #64656
Labels
affects_2.10
This issue/PR affects Ansible v2.10
feature
This issue/PR relates to a feature request.
has_pr
This issue has an associated PR.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
Comments
|
Files identified in the description: If these files are inaccurate, please update the |
ansibot
added
affects_2.10
samdoran
removed
the
needs_triage
samdoran
pushed a commit
that referenced
this issue
Jan 9, 2020
…rs (#64733) As AnsibleModule._log_invocation is currently implemented, any parameter with a name that matches PASSWORD_MATCH triggers the no_log warning as a precaution against parameters that may contain sensitive data, but have not been marked as sensitive by the module author. This patch would allow module authors to explicitly mark the aforementioned parameters as not sensitive thereby bypassing an erroneous warning message, while still catching parameters which have not been marked at all by the author. Adds tests for various no_log states including True, False, and None (as extracted by AnsibleModule._log_invocation) when applied to an argument with a name that matches PASSWORD_MATCH. Fixes: #49465 #64656
NehaKembalkarA10
pushed a commit
to NehaKembalkarA10/ansible
that referenced
this issue
Jan 30, 2020
…rs (ansible#64733) As AnsibleModule._log_invocation is currently implemented, any parameter with a name that matches PASSWORD_MATCH triggers the no_log warning as a precaution against parameters that may contain sensitive data, but have not been marked as sensitive by the module author. This patch would allow module authors to explicitly mark the aforementioned parameters as not sensitive thereby bypassing an erroneous warning message, while still catching parameters which have not been marked at all by the author. Adds tests for various no_log states including True, False, and None (as extracted by AnsibleModule._log_invocation) when applied to an argument with a name that matches PASSWORD_MATCH. Fixes: ansible#49465 ansible#64656
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
SUMMARY
The way that the
no_logparameter is currently implemented inAnsibleModule._log_invocationis overly simplistic, and appears to violate the principle of least astonishment due to its overly brief documentation failing to mention the corner cases for which it appears to have been written. Asno_logis currently implemented, it will:no_logis truthy.PASSWORD_MATCHand is neither aboolor enum.On the surface (as a module writer), the documentation (see: Protecting sensitive data with
no_log) states that by passingno_log=Trueyou are explicitly marking a parameter as sensitive. This makes sense. It would then follow that by passingno_log=Falseyou are explicitly marking a parameter as not sensitive. This is where the current implementation fails. There is currently no way (that I can see) for a module author that has properly developed and tested a module to avoid a warning regarding theno_logparameter if the parameter matchesPASSWORD_MATCH(at least, not that I can see in the documentation or HEAD.)I certainly understand the need to protect users from the whims of careless third party module authors (some of which may have a tenuous grasp on Python at best), but for those of us that write and maintain our own modules professionally it seems like a rather strange choice to provide no avenue for a knowledgeable module author to say, "no, pass_interval really is not a password, and no, there is no other name that would work without causing excessive end-user confusion".
The feature request is basically: can
AnsibleModule._log_invocationbe adjusted to actually honorno_log=Falseas the opposite ofno_log=True, which it currently does not. I do not believe it would be difficult to implement while maintaining the current behavior where a module author that does not specify either way would be caught byPASSWORD_MATCH.ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/basic.py
ADDITIONAL INFORMATION
This change would not be user facing (typically) unless you're a module author. It is needed because, at the current time, there is no way to mark a parameter as explicitly not sensitive (as
no_log=Falseis not being honored effectively) and avoid erroneous messages in the logs. Some authors have been getting around this by choosing more obscure names that diverge from current documentation for their parameters, but you're basically hiding from the problem at that point, and confusing end-users.Duplicate of a proposed solution to #49465
The text was updated successfully, but these errors were encountered: