Closed shoriminimoe closed 11 months ago
Yes, this is all true.
However the problem occurs only when passwords are weak - short and/or common words. If you password is complex or something like "at-least-a-string-unlikely-to-be-present-in-some-other-text", the problem will not happen. So this problem does happen in testing environments, but should never in production environments. It is more nasty annoyance than real problem.
The demo task name: "Delete created email"
is a really nasty one, because after you get used to your password being replaced by ***
in terminal output, you (or at least I) was really surprised when I figure out that the password value is being replaced also in values in registered variables. Note this is done be the core ansible. The only thing collection can do is to mark variables as being a password or not (the nolog
flag).
Also again the problem should never happen in production environments.
@shoriminimoe I thing we should only document this behaviour in documentation. Likely also include an example (it is already above :)), to make whole story easy to understood.
Documentation fixed in https://github.com/ScaleComputing/HyperCoreAnsibleCollection/pull/272
I hesitate to make general statements about when this type of issue can occur without analysis. I agree that it is more likely to occur with weak passwords. I also agree that it should never happen in production environments, but it can, and we are not doing anything to prevent it.
I recognize the challenge to resolve this given the way ansible handles no_log
parameters and output. I am confident there is a way to solve this. Although documenting the issue is a good thing, I don't believe it solves the problem.
@ddemlow does the documentation change resolve this issue for you?
Regarding
it should never happen in production environments, but it can
If password is not a common string (like it should be) - could this happen then? I would say no. So with production grade password, production environment will not have a problem.
Describe the bug
If the password of the user running a playbook appears in an alert email address, VM name, etc. the portion of output that contains the password is masked.
To Reproduce Steps to reproduce the behavior:
Expected behavior
The collection should not be masking passwords in unrelated content.
Screenshots
Here is an example playbook. The screenshot below has example output
System Info (please complete the following information):
Additional context
This is concerning for a few reasons: