Closed HimuraKrd closed 3 months ago
@HimuraKrd hello, no worries, everything is fine with the bug report :) I believe masking the login_password is a good thing from the security perspective and it's a common practice and even a code-sanity requirement. On the other hand, I think masking its every appearance in output doesn't make sense in every case though. The issue is that all that output generated by modules goes through ansible-core and it's where that transformation takes place, i.e. outside the scope of the module and its repository respectively. Maybe it's justified anyhow there, I don't know.
Dear @Andersson007, thanks a lot for joining the topic and replying.
Do I understand you correctly: the problem is not in the community.postgresql module itself, but in the way ansible.core interprets the result and further uses it in operation? Please correct me if I have misunderstood your words.
If you, as a contributor of the project, consider the current behavior as normal and it is not a bug of community.postgresql module at all - I think the topic can be closed.
@HimuraKrd yep, I think so (as one of this collection's developers)
SUMMARY
Mandatory settings no_log=True in ansible_collections/community/postgresql/plugins/module_utils/postgres.py could cause unexpected results during playbook runs
ISSUE TYPE
COMPONENT NAME
postgresql_query
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 20.04.6 LTS (Focal Fossa) at host where ansible runs
Astra Linux 1.7.3 (Debian-like OS) at remote hosts
STEPS TO REPRODUCE
Configure variables using group_vars file:
Run the following tasks to get pg_hba.conf while in -vvv mode
EXPECTED RESULTS
I'm expecting to see real path to the pg_hba.conf file (also tested with postgresql.conf) and use it in further tasks.
ACTUAL RESULTS
IS THAT A PROBLEM OR IT'S MADE BY DESIGN
After installing the collection using ansible-galaxy I'm able to find the source of the "issue" - file
There's the following line in it:
It masks the variable that is set as login_password of the module. If the login_password contains the same string that is used in the system (e.g. login_password contains postgres and the system path to pg_hba.conf also contains postgres), it masks it with the * symbol as well.
If the code is changed to
Module works as expected from my point of view.
N.B.: I'm really sorry if I did something wrong during bug submit. This is my 1st try ever to do so. Kindly asking for understanding.
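The collision described in this issue can be reproduced with a simplified model of substring-based secret masking, together with a check that reports which result fields a given secret would corrupt. This is an added example, not code from ansible-core or the community.postgresql collection; the mask string, function names, sample path and sample secrets are assumptions made for illustration.

```python
# Simplified model of substring-based secret masking (not ansible-core code).
MASK = "********"  # assumption: placeholder string chosen for this example


def mask_value(value, secrets):
    """Recursively replace every occurrence of each secret inside strings."""
    if isinstance(value, dict):
        return {k: mask_value(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_value(v, secrets) for v in value]
    if isinstance(value, str):
        for secret in secrets:
            if secret:  # an empty secret would match at every position
                value = value.replace(secret, MASK)
    return value


def collateral_paths(result, secrets, prefix=""):
    """Return the paths of string fields that masking would alter."""
    hits = []
    if isinstance(result, dict):
        for key, val in result.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            hits += collateral_paths(val, secrets, path)
    elif isinstance(result, (list, tuple)):
        for i, val in enumerate(result):
            hits += collateral_paths(val, secrets, f"{prefix}[{i}]")
    elif isinstance(result, str) and mask_value(result, secrets) != result:
        hits.append(prefix)
    return hits


# Constructed sample shaped like a query result; path and keys are illustrative.
SAMPLE_RESULT = {
    "query": "SHOW hba_file",
    "query_result": [{"hba_file": "/etc/postgresql/11/main/pg_hba.conf"}],
    "rowcount": 1,
}

if __name__ == "__main__":
    weak = ["postgres"]                 # password equal to a common word
    strong = ["c7Jq-constructed-9fXw"]  # constructed high-entropy value
    print(mask_value(SAMPLE_RESULT, weak))
    print("fields altered (weak):", collateral_paths(SAMPLE_RESULT, weak))
    print("fields altered (strong):", collateral_paths(SAMPLE_RESULT, strong))
```

A secret that never occurs as a substring of legitimate output leaves the result intact, which is why a password such as postgres both breaks later tasks that consume the path and reveals itself through where the mask appears.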