Cannot create a custom notification message with {{ job.extra_vars }} in message

[unlikelyzero]

ISSUE TYPE

• Bug Report

SUMMARY

Cannot create a custom notification message with {{ job.extra_vars }} in message

STEPS TO REPRODUCE

1. Attempt to create a custom notification Start Message with {{ job.extra_vars }} in the body

EXPECTED RESULTS

Can save and use NT

ACTUAL RESULTS

400 Error on Save

ADDITIONAL INFORMATION

[unlikelyzero]

[jladdjr]

@wenottingham - any concerns about extra_vars potentially including sensitive data? If not, we can add this back in

[wenottingham]

Extra vars includes password survey types. As long as we are returning the API-view where these have been replaced by "$encrypted$", then it should be OK.

[ryanpetrello]

Using job.extra_vars will likely contain things like $encrypted$UTF8$AESCBC$<nonsense>.

[jladdjr]

While being able to show survey values sounds interesting, I've been trying to stay away from anything that would surface sensitive information (even an encrypted or hashed version). I'd vote to not surface this unless we've got some strong reasons / interest in doing so. We could try to strip out sensitive info, but I think it'd be hard to come up with a filter that was guaranteed to catch everything, which makes me nervous.

TLDR: Vote to close b/c of potential to surface sensitive info.

[ryanpetrello]

https://github.com/ansible/awx/issues/4539#issuecomment-523321867

I agree with this on the first pass. If we want to do this at some point, I'd rather treat this as an additional enhancement (after all, we never promised the templated notification feature would give you access to every field on a job, just many of the useful ones so you can craft a meaningful custom message), and not a requirement to merge https://github.com/ansible/awx/pull/4291

I'd also consider this a low-ish priority in relation to other open issues in the current release.

[unlikelyzero]

@ryanpetrello i think we should have a more descriptive error in that case

[ryanpetrello]

@unlikelyzero I do agree with that, I think this relates to this comment I made on the PR:

cc @jladdjr @keithjgrant @jakemcdermott

Maybe we didn't get this quite right?

https://github.com/ansible/awx/pull/4291/files#r314498337

[unlikelyzero]

@ryanpetrello filed https://github.com/ansible/awx/issues/4546

[jladdjr]

So, what's the verdict for this issue? @ryanpetrello @unlikelyzero et al, should we close?

[jladdjr]

Added state:needs_review - not sure if I'm using that label correctly

[ryanpetrello]

I think we should treat this an additional enhancement in case at some point we want to support actually specifying extra_vars. I'm happy w/ the PR as it is for now.

[faroukellouze]

Hello, I'm currently sending the hole {{ job_metadata }} in the notification (type rocket.chat) and I can see the field extra vars.

But when I send {{ job_metadata.extra_vars }} the AWX UI give me this error Failed to update notifier. Field 'extra_vars' unavailable.. So as a workaround I v changed it to {{ job_metadata.extra_vars | default('') }} but now it just sends me an empty string. I will use the script feature of rocket chat integrations for the moment to format the message, but I would like to know if this issue will be fixed so I can change back to use the notifier.

Note:

1. AWX version: 15.0.1
2. Ansible 2.9.14

[jamesregis]

@faroukellouze Can you show us a rocketchat'script example to parse extra_vars coming from AWX ?

[faroukellouze]

@faroukellouze Can you show us a rocketchat'script example to parse extra_vars coming from AWX ?

@jamesregis Here is an example

class Script {

    process_incoming_request({
        request
    }) {
        // request.url.hash
        // request.url.search
        // request.url.query
        // request.url.pathname
        // request.url.path
        // request.url_raw
        // request.url_params
        // request.headers
        // request.user._id
        // request.user.name
        // request.user.username
        // request.content_raw
        // request.content this will contain payload sent by awx.

        // console is a global helper to improve debug

        var extra_vars = JSON.parse(request.content.extra_vars);

        var text =  '- _Service name: ' + extra_vars.foo + '\n' +
                    '- _Target image: ' + extra_vars.bar + ' \n';

        return {
            content: {
                text: text

            }
        };

    }
}

[mcappadonna]

Any news on this? We've the same issue here with AWX 11.1.0. I trying to create a custom notification message for Email with this template as the "Error Message Body":

Playbook: {{ job_metadata.playbook }}
Inventory: {{ job_metadata.inventory }}
URL: {{ url }}

Failed hosts:
{% for key, value in job_metadata.hosts.items() -%}
{%- if value.failed == true -%}
  - {{ key }}
{% endif -%}
{%- endfor %}

results in the GUI error "Failed to update notifier. Field 'inventory' unavailable".

So it seems not related especially to the extra_vars field, but to any fields from the job_metadata json.

I also uploaded on pastebin a little python script I use to validate the jinja2 syntax, so I can exclude any issue on that.

[jladdjr]

I'm currently sending the hole {{ job_metadata }} in the notification (type rocket.chat) and I can see the field extra vars.

https://github.com/ansible/awx/pull/9668 ensures that the data that is included in job_metadata is surfaced under job.extra_vars as well.

[jladdjr]

If we decide to merge ^, we should update the list of supported NT fields to include extra_vars: https://docs.ansible.com/ansible-tower/3.8.2/html/installandreference/notification_parameters_supported.html#ir-notifications-reference

[faroukellouze]

If the merge is not done yet why it's already mentioned here?

[rpurcelldesj]

As @faroukellouze stated it's already in the documentation, how can we fix the doc while this get fixed in the code so other people won't loose time trying to understand why extra_vars isn't usable ?

[emulanob]

Endorsing the two previous comments. The docs make you think it's possible to use {{ job.extra_vars }} but after some struggle and research I ended up here. And while I understand the concerns with sensitive data expressed in this issue and https://github.com/ansible/awx/issues/2024, the fact that job_metadata contains the extra_vars is very confusing to me.

As a workaround I've been trying to use Jinja2 filters to extract the extra_vars from job_metadata but I'm doing something wrong. Any ideas?

# this approach is not accepted in the customized messages - any ideas?
{{ job_metadata|from_json|json_query("[].extra_vars") }}

[williamoliveira]

Endorsing the two previous comments. The docs make you think it's possible to use {{ job.extra_vars }} but after some struggle and research I ended up here. And while I understand the concerns with sensitive data expressed in this issue and #2024, the fact that job_metadata contains the extra_vars is very confusing to me.

As a workaround I've been trying to use Jinja2 filters to extract the extra_vars from job_metadata but I'm doing something wrong. Any ideas?

# this approach is not accepted in the customized messages - any ideas?
{{ job_metadata|from_json|json_query("[].extra_vars") }}

Exactly, the allegedly security concern makes no sense, the default notification altready comes with extra_vars in job_metadata.

Also your approach do not works because filters arent allowed, if you check server logs you will se jinja2.exceptions.TemplateAssertionError: No filter named 'from_json'.

[cidrbl0ck]

Hoping this hasn't gone totally stale.. anyone know the current status? I'm also trying to include more detailed/helpful information in Slack notifications. I'd also like to access data in extra_vars, and specific parts of job_metadata.

[jalbright015]

Still no movement? I am struggling to figure out how to get Event Driven Ansible to run jobs when a host fails. As of right now I can't find a way to target just the failed host with EDA. I would have thought it would be easier to use EDA with AAP controller.