ansible-collections / community.postgresql

Manage PostgreSQL with Ansible
https://galaxy.ansible.com/ui/repo/published/community/postgresql/

Mandatory no_log of the login_password variable works unexpected #710

Closed HimuraKrd closed 3 months ago

HimuraKrd commented 3 months ago
SUMMARY

The mandatory setting no_log=True in ansible_collections/community/postgresql/plugins/module_utils/postgres.py can cause unexpected results during playbook runs.

ISSUE TYPE
COMPONENT NAME

postgresql_query

ANSIBLE VERSION
ansible [core 2.16.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ubuntu/.local/lib/python3.12/site-packages/ansible
  ansible collection location = /home/ubuntu/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ubuntu/.local/bin/ansible
  python version = 3.12.0 (main, May  8 2024, 16:47:59) [GCC 9.4.0] (/usr/local/bin/python3.12)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
ansible-galaxy collection list community.general
# /home/ubuntu/.local/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 8.6.0  

ansible-galaxy collection list community.postgresql
# /home/ubuntu/.local/lib/python3.12/site-packages/ansible_collections
Collection           Version
-------------------- -------
community.postgresql 3.4.0  
CONFIGURATION
ansible-config dump --only-changed
CONFIG_FILE() = /etc/ansible/ansible.cfg
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 60
OS / ENVIRONMENT

Ubuntu 20.04.6 LTS (Focal Fossa) on the host where Ansible runs; Astra Linux 1.7.3 (Debian-like OS) on the remote hosts.

STEPS TO REPRODUCE

Configure variables using group_vars file:

database_user: "postgres"
database_password: "postgres"
database_name: "postgres"

Run the following tasks to get the path of pg_hba.conf, in -vvv mode:

- name: Find path of pg_hba.conf (without local trust connection)
  community.postgresql.postgresql_query:
    db: "{{ database_name }}"
    query: SHOW hba_file;
    login_host: localhost
    login_user: "{{ database_user }}"
    login_password: "{{ database_password }}"
  no_log: false
  become: true
  become_user: postgres
  changed_when: false
  register: pg_hba_file_path

- name: Show postgresql_conf_path variable
  ansible.builtin.debug:
    msg: "pg_hba.conf is located at {{ pg_hba_file_path.query_result[0].hba_file }}"
EXPECTED RESULTS

I'm expecting to see the real path to the pg_hba.conf file (also tested with postgresql.conf) and to use it in further tasks.

TASK [my_role: Show postgresql_conf_path variable] *********************************************************
task path: <some_tech_info_is_here>
ok: [hostname-001] => {
    "msg": "pg_hba.conf is located at /etc/postgresql/11/main/pg_hba.conf"
}
ACTUAL RESULTS
TASK [my_role: Show postgresql_conf_path variable] *********************************************************
task path: <some_tech_info_is_here>
ok: [hostname-001] => {
    "msg": "pg_hba.conf is located at /etc/********ql/11/main/pg_hba.conf"
}
IS THAT A PROBLEM OR IS IT BY DESIGN

After installing the collection using ansible-galaxy I'm able to find the source of the "issue", the file

/home/ubuntu/.local/lib/python3.12/site-packages/ansible_collections/community/postgresql/plugins/module_utils/postgres.py

It contains the following line:

# some code above
...
login_password=dict(default='', no_log=True),
...
# some code below

It masks the value that is set as the module's login_password. If the login_password contains the same string that is used elsewhere in the system (e.g. login_password contains postgres and the system path to pg_hba.conf also contains postgres), it masks that occurrence with * symbols as well.

If the code is changed to

login_password=dict(default='', no_log=False),

the module works as expected from my point of view.

N.B.: I'm really sorry if I did something wrong during the bug submission. This is my first try ever to do so. Kindly asking for understanding.

Andersson007 commented 3 months ago

@HimuraKrd hello, no worries, everything is fine with the bug report :) I believe masking the login_password is a good thing from the security perspective; it's a common practice and even a code-sanity requirement. On the other hand, I think masking its every appearance in the output doesn't make sense in every case. The issue is that all the output generated by modules goes through ansible-core, and that's where the transformation takes place, i.e. outside the scope of the module and its repository. Maybe it's justified there anyhow, I don't know.
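The effect described in the report (a no_log value masked wherever it occurs, including in the middle of an unrelated path) and the reply above (the masking happens in ansible-core after the module returns, not in the module) can both be illustrated with a small model of that masking step. The following is an added example and not code from community.postgresql or ansible-core: it re-implements, in a few lines that run without Ansible installed, the substring replacement that ansible-core's remove_values() applies to module results. The argument_spec, the query result and the password values are constructed to mirror the ones quoted in the issue, and the helper names (mask_secrets, no_log_values, collisions, run_and_mask) are this example's own.

```python
"""Model of ansible-core's no_log masking of module results (added example).

Not the real implementation: ansible-core's remove_values() also handles
bytes, dates, nested containers of other types and so on. The sample data
below is constructed to match the values quoted in the issue.
"""
from typing import Any, Iterator

MASK = "********"  # the literal ansible-core substitutes for a no_log value


def mask_secrets(value: Any, secrets: set[str]) -> Any:
    """Recursively replace every occurrence of each secret string with MASK.

    The replacement is substring-based, so a secret that is also part of an
    unrelated string (a path, a hostname, a role name) is masked there too;
    that is the "/etc/********ql" effect reported above.
    """
    if isinstance(value, str):
        # Longest secret first, so a secret containing another is masked whole.
        for secret in sorted(secrets, key=len, reverse=True):
            if secret:  # an empty string would match at every position
                value = value.replace(secret, MASK)
        return value
    if isinstance(value, dict):
        return {mask_secrets(k, secrets): mask_secrets(v, secrets)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_secrets(item, secrets) for item in value)
    return value  # ints, bools, None: nothing to mask


def no_log_values(argument_spec: dict, params: dict) -> set[str]:
    """Collect the values of every parameter whose spec carries no_log=True.

    Unset or empty values are skipped: the empty default of login_password
    must not become a secret that matches everywhere.
    """
    return {
        str(params[name])
        for name, spec in argument_spec.items()
        if spec.get("no_log") and params.get(name) not in (None, "")
    }


def _strings(value: Any) -> Iterator[str]:
    """Yield every string found in a nested result structure (keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(k)
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def collisions(result: dict, secrets: set[str]) -> list[str]:
    """Pre-flight check on an unmasked result: return the strings that merely
    contain a secret as a substring. These are the values the mask will
    corrupt. A string equal to a secret is not reported, because masking it
    whole is the intended behaviour."""
    return [s for s in _strings(result)
            if any(secret and secret in s and s != secret for secret in secrets)]


# Constructed sample mirroring the argument_spec fragment quoted in the issue
ARGUMENT_SPEC = {
    "db": dict(default=""),
    "login_host": dict(default=""),
    "login_user": dict(default="postgres"),
    "login_password": dict(default="", no_log=True),
}

# Constructed sample of what `SHOW hba_file;` returns through postgresql_query
QUERY_RESULT = [{"hba_file": "/etc/postgresql/11/main/pg_hba.conf"}]


def run_and_mask(params: dict) -> tuple[dict, list[str]]:
    """Build the module result for the constructed query, then apply the
    masking step that ansible-core performs after the module has returned."""
    result = {"changed": False, "rowcount": 1, "query_result": QUERY_RESULT}
    secrets = no_log_values(ARGUMENT_SPEC, params)
    return mask_secrets(result, secrets), collisions(result, secrets)


if __name__ == "__main__":
    weak = {"db": "postgres", "login_host": "localhost",
            "login_user": "postgres", "login_password": "postgres"}
    masked, hits = run_and_mask(weak)
    print(masked["query_result"][0]["hba_file"])  # /etc/********ql/11/main/pg_hba.conf
    print("corrupted by mask:", hits)

    # A credential that is not also a path component or product name
    distinct = dict(weak, login_password="c0nstructed-Sample-Pw!")
    masked, hits = run_and_mask(distinct)
    print(masked["query_result"][0]["hba_file"])  # /etc/postgresql/11/main/pg_hba.conf
    print("corrupted by mask:", hits)  # []
```

Running the block with the password from the report reproduces the masked path exactly, and collisions() names the string that will be damaged; with a password that is not also a path component, hostname or product name, the masking touches nothing but the credential itself. The check is the practical takeaway for a playbook author: the masking is done by ansible-core on the whole result, so a registered value can only be trusted downstream when the credential does not occur inside ordinary output.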

HimuraKrd commented 3 months ago

Dear @Andersson007 , thanks a lot for joining the topic and reply.

Do I understand you correctly: the problem is not in the community.postgresql module itself, but in the way ansible-core interprets the result and further uses it in operation? Please correct me if I have misunderstood your words.

If you, as a contributor to the project, consider the current behavior normal and not a bug of the community.postgresql module at all, I think the topic can be closed.

Andersson007 commented 3 months ago

> Dear @Andersson007 , thanks a lot for joining the topic and reply.
>
> Do I understand you correctly: the problem is not in the community.postgresql module itself, but in the way ansible-core interprets the result and further uses it in operation? Please correct me if I have misunderstood your words.
>
> If you, as a contributor to the project, consider the current behavior normal and not a bug of the community.postgresql module at all, I think the topic can be closed.

@HimuraKrd yep, I think so (as one of this collection's developers)