ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

hide job_template_data from response #4602

Closed sinu closed 5 years ago

sinu commented 5 years ago
ISSUE TYPE

We are using AWX for some automation and consuming the AWX API as an endpoint. Everything is working as expected, but the AWX response contains all the extra vars. Is there any way to hide or limit this?

SUMMARY

We are using AWX for some automation and consuming the AWX API as an endpoint. Everything is working as expected, but the AWX response contains all the extra vars. Is there any way to hide or limit this? Please see the API response:

{"job":676,"ignored_fields":{},"id":676,"type":"job","url":"/api/v2/jobs/676/","related":{"created_by":"/api/v2/users/1/","modified_by":"/api/v2/users/1/","labels":"/api/v2/jobs/676/labels/","inventory":"/api/v2/inventories/3/","project":"/api/v2/projects/6/","extra_credentials":"/api/v2/jobs/676/extra_credentials/","credentials":"/api/v2/jobs/676/credentials/","unified_job_template":"/api/v2/job_templates/8/","stdout":"/api/v2/jobs/676/stdout/","job_events":"/api/v2/jobs/676/job_events/","job_host_summaries":"/api/v2/jobs/676/job_host_summaries/","activity_stream":"/api/v2/jobs/676/activity_stream/","notifications":"/api/v2/jobs/676/notifications/","job_template":"/api/v2/job_templates/8/","cancel":"/api/v2/jobs/676/cancel/","create_schedule":"/api/v2/jobs/676/create_schedule/","relaunch":"/api/v2/jobs/676/relaunch/"},"summary_fields":{"inventory":{"id":3,"name":"RM-FM-Inventory","description":"","has_active_failures":false,"total_hosts":1,"hosts_with_active_failures":0,"total_groups":0,"groups_with_active_failures":0,"has_inventory_sources":false,"total_inventory_sources":0,"inventory_sources_with_failures":0,"organization_id":1,"kind":""},"project":{"id":6,"name":"RM","description":"","status":"ok","scm_type":""},"job_template":{"id":8,"name":"RM-FM","description":""},"unified_job_template":{"id":8,"name":"RM-FM","description":"","unified_job_type":"job"},"created_by":{"id":1,"username":"admin","first_name":"","last_name":""},"modified_by":{"id":1,"username":"admin","first_name":"","last_name":""},"user_capabilities":{"delete":true,"start":true},"labels":{"count":0,"results":[]},"extra_credentials":[],"credentials":[]},"created":"2019-08-27T08:18:46.651270Z","modified":"2019-08-27T08:18:46.784205Z","name":"RM-FM","description":"","job_type":"run","inventory":3,"project":6,"playbook":"fm.yml","forks":0,"limit":"","verbosity":3,"extra_vars":"{\"ansible_host\": \"172.16.32.32\", \"ansible_httpapi_timeout\": 300, \"ansible_httpapi_use_ssl\": true, 
\"ansible_httpapi_validate_certs\": false, \"ansible_network_os\": \"fortimanager\", \"ansible_user\": \"admin\", \"objects\": [{\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"192.168.10.10/32\", \"name\": \"IP_192.168.10.10\", \"comment\": \"12345678\", \"color\": \"6\", \"adom\": \"addm-01\"}}, {\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"0.0.0.0/0.0.0.0\", \"name\": \"ALL\", \"comment\": \"12345678\", \"color\": \"6\", \"adom\": \"addm-01\"}}], \"adom\": \"addm-01\", \"vdom\": \"\", \"srcaddr\": \"IP_192.168.10.10\", \"dstaddr\": \"ALL\", \"comment\": \"12345678\", \"action\": \"deny\", \"protocol\": \"TCP\", \"port\": \"3306\", \"targets\": [\"IN-FG-03\"], \"ansible_password\": \"admin123\"}","job_tags":"","force_handlers":false,"skip_tags":"","start_at_task":"","timeout":0,"use_fact_cache":false,"unified_job_template":8,"launch_type":"manual","status":"pending","failed":false,"started":null,"finished":null,"elapsed":0.0,"job_args":"","job_cwd":"","job_env":{},"job_explanation":"","execution_node":"","controller_node":"","result_traceback":"","event_processing_finished":false,"job_template":8,"passwords_needed_to_start":[],"ask_diff_mode_on_launch":false,"ask_variables_on_launch":true,"ask_limit_on_launch":false,"ask_tags_on_launch":false,"ask_skip_tags_on_launch":false,"ask_job_type_on_launch":false,"ask_verbosity_on_launch":false,"ask_inventory_on_launch":false,"ask_credential_on_launch":false,"allow_simultaneous":false,"artifacts":{},"scm_revision":"","instance_group":null,"diff_mode":false,"job_slice_number":0,"job_slice_count":1,"credential":null,"vault_credential":null}

ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS

{"job":676,"ignored_fields":{},"id":676,"type":"job","url":"/api/v2/jobs/676/","related":{"created_by":"/api/v2/users/1/","modified_by":"/api/v2/users/1/","labels":"/api/v2/jobs/676/labels/","inventory":"/api/v2/inventories/3/","project":"/api/v2/projects/6/","extra_credentials":"/api/v2/jobs/676/extra_credentials/","credentials":"/api/v2/jobs/676/credentials/","unified_job_template":"/api/v2/job_templates/8/","stdout":"/api/v2/jobs/676/stdout/","job_events":"/api/v2/jobs/676/job_events/","job_host_summaries":"/api/v2/jobs/676/job_host_summaries/","activity_stream":"/api/v2/jobs/676/activity_stream/","notifications":"/api/v2/jobs/676/notifications/","job_template":"/api/v2/job_templates/8/","cancel":"/api/v2/jobs/676/cancel/","create_schedule":"/api/v2/jobs/676/create_schedule/","relaunch":"/api/v2/jobs/676/relaunch/"},"summary_fields":{"inventory":{"id":3,"name":"RM-FM-Inventory","description":"","has_active_failures":false,"total_hosts":1,"hosts_with_active_failures":0,"total_groups":0,"groups_with_active_failures":0,"has_inventory_sources":false,"total_inventory_sources":0,"inventory_sources_with_failures":0,"organization_id":1,"kind":""},"project":{"id":6,"name":"RM","description":"","status":"ok","scm_type":""},"job_template":{"id":8,"name":"RM-FM","description":""},"unified_job_template":{"id":8,"name":"RM-FM","description":"","unified_job_type":"job"},"created_by":{"id":1,"username":"admin","first_name":"","last_name":""},"modified_by":{"id":1,"username":"admin","first_name":"","last_name":""},"user_capabilities":{"delete":true,"start":true},"labels":{"count":0,"results":[]},"extra_credentials":[],"credentials":[]},"created":"2019-08-27T08:18:46.651270Z","modified":"2019-08-27T08:18:46.784205Z","name":"RM-FM","description":"","job_type":"run","inventory":3,"project":6,"playbook":"fm.yml","forks":0,"limit":"","verbosity":3,"extra_vars":"{\"ansible_host\": \"172.16.32.32\", \"ansible_httpapi_timeout\": 300, \"ansible_httpapi_use_ssl\": true, 
\"ansible_httpapi_validate_certs\": false, \"ansible_network_os\": \"fortimanager\", \"ansible_user\": \"admin\", \"objects\": [{\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"192.168.10.10/32\", \"name\": \"IP_192.168.10.10\", \"comment\": \"12345678\", \"color\": \"6\", \"adom\": \"addm-01\"}}, {\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"0.0.0.0/0.0.0.0\", \"name\": \"ALL\", \"comment\": \"12345678\", \"color\": \"6\", \"adom\": \"addm-01\"}}], \"adom\": \"addm-01\", \"vdom\": \"\", \"srcaddr\": \"IP_192.168.10.10\", \"dstaddr\": \"ALL\", \"comment\": \"12345678\", \"action\": \"deny\", \"protocol\": \"TCP\", \"port\": \"3306\", \"targets\": [\"IN-FG-03\"], \"ansible_password\": \"admin123\"}","job_tags":"","force_handlers":false,"skip_tags":"","start_at_task":"","timeout":0,"use_fact_cache":false,"unified_job_template":8,"launch_type":"manual","status":"pending","failed":false,"started":null,"finished":null,"elapsed":0.0,"job_args":"","job_cwd":"","job_env":{},"job_explanation":"","execution_node":"","controller_node":"","result_traceback":"","event_processing_finished":false,"job_template":8,"passwords_needed_to_start":[],"ask_diff_mode_on_launch":false,"ask_variables_on_launch":true,"ask_limit_on_launch":false,"ask_tags_on_launch":false,"ask_skip_tags_on_launch":false,"ask_job_type_on_launch":false,"ask_verbosity_on_launch":false,"ask_inventory_on_launch":false,"ask_credential_on_launch":false,"allow_simultaneous":false,"artifacts":{},"scm_revision":"","instance_group":null,"diff_mode":false,"job_slice_number":0,"job_slice_count":1,"credential":null,"vault_credential":null}

ADDITIONAL INFORMATION

ryanpetrello commented 5 years ago

@sinu,

Can you give more context on what HTTP request you're making here?

sinu commented 5 years ago

> @sinu,
>
> Can you give more context on what HTTP request you're making here?

The request is to trigger AWX job templates, including the extra vars which the playbook requires.

ryanpetrello commented 5 years ago

@sinu can you give an example of an actual HTTP request (with e.g., curl) you're running, and what you expect (i.e., the "EXPECTED RESULTS" we ask for in the issue filing template) to see in the HTTP response? I'm guessing what you're seeing here is just what we return in the response (and it's not configurable).

sinu commented 5 years ago

@ryanpetrello

Please see the request and response. I wanted to hide the response because it is sending one of the execution passwords.

Request:

curl -H "Content-Type: application/json" -X POST -s -u admom:password -d '{ "extra_vars": {"objects":[{"item":{"ipv4":"ipmask","ipv4addr":"192.168.10.10/32","name":"IP_192.168.10.10","comment": "12345678","color":"6","addm":"om-addm-02"}},{"item":{"ipv4":"ipmask","ipv4addr":"0.0.0.0/0.0.0.0","name":"ALL","comment":"12345678","color":"6","addm":"om-addm-02"}}], "addm": "om-addm-02", "vdom": "", "srcaddr": "IP_192.168.10.10", "dstaddr": "ALL","comment": "12345678","action": "deny", "protocol": "TCP", "port": "3306", "targets": ["FG-03"], "ansible_password": "admom123" }}' -k http://172.16.32.16/api/v2/job_templates/8/launch/

Response:

{"job":676,"ignored_fields":{},"id":676,"type":"job","url":"/api/v2/jobs/676/","related":{"created_by":"/api/v2/users/1/","modified_by":"/api/v2/users/1/","labels":"/api/v2/jobs/676/labels/","omventory":"/api/v2/omventories/3/","project":"/api/v2/projects/6/","extra_credentials":"/api/v2/jobs/676/extra_credentials/","credentials":"/api/v2/jobs/676/credentials/","unified_job_template":"/api/v2/job_templates/8/","stdout":"/api/v2/jobs/676/stdout/","job_events":"/api/v2/jobs/676/job_events/","job_host_summaries":"/api/v2/jobs/676/job_host_summaries/","activity_stream":"/api/v2/jobs/676/activity_stream/","notifications":"/api/v2/jobs/676/notifications/","job_template":"/api/v2/job_templates/8/","cancel":"/api/v2/jobs/676/cancel/","create_schedule":"/api/v2/jobs/676/create_schedule/","relaunch":"/api/v2/jobs/676/relaunch/"},"summary_fields":{"omventory":{"id":3,"name":"addm-FM-omventory","description":"","has_active_failures":false,"total_hosts":1,"hosts_with_active_failures":0,"total_groups":0,"groups_with_active_failures":0,"has_omventory_sources":false,"total_omventory_sources":0,"omventory_sources_with_failures":0,"organization_id":1,"komd":""},"project":{"id":6,"name":"addm","description":"","status":"ok","scm_type":""},"job_template":{"id":8,"name":"addm-FM","description":""},"unified_job_template":{"id":8,"name":"addm-FM","description":"","unified_job_type":"job"},"created_by":{"id":1,"username":"admom","first_name":"","last_name":""},"modified_by":{"id":1,"username":"admom","first_name":"","last_name":""},"user_capabilities":{"delete":true,"start":true},"labels":{"count":0,"results":[]},"extra_credentials":[],"credentials":[]},"created":"2019-08-27T08:18:46.651270Z","modified":"2019-08-27T08:18:46.784205Z","name":"addm-","description":"","job_type":"run","omventory":3,"project":6,"playbook":"fm.yml","forks":0,"limit":"","verbosity":3,"extra_vars":"{\"ansible_host\": \"53.244.251.101\", \"ansible_httpapi_timeout\": 300, \"ansible_httpapi_use_ssl\": true, 
\"ansible_httpapi_validate_certs\": false, \"ansible_network_os\": \"fortimanager\", \"ansible_user\": \"admom\", \"objects\": [{\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"192.168.10.10/32\", \"name\": \"IP_192.168.10.10\", \"comment\": \"12345678\", \"color\": \"6\", \"addm\": \"om-addm-02\"}}, {\"item\": {\"ipv4\": \"ipmask\", \"ipv4addr\": \"0.0.0.0/0.0.0.0\", \"name\": \"ALL\", \"comment\": \"12345678\", \"color\": \"6\", \"addm\": \"om-addm-02\"}}], \"addm\": \"om-addm-02\", \"vdom\": \"\", \"srcaddr\": \"IP_192.168.10.10\", \"dstaddr\": \"ALL\", \"comment\": \"12345678\", \"action\": \"deny\", \"protocol\": \"TCP\", \"port\": \"3306\", \"targets\": [\"om-FG-03\"], \"ansible_password\": \"admom123\"}","job_tags":"","force_handlers":false,"skip_tags":"","start_at_task":"","timeout":0,"use_fact_cache":false,"unified_job_template":8,"launch_type":"manual","status":"pendomg","failed":false,"started":null,"fomished":null,"elapsed":0.0,"job_args":"","job_cwd":"","job_env":{},"job_explanation":"","execution_node":"","controller_node":"","result_traceback":"","event_processomg_fomished":false,"job_template":8,"passwords_needed_to_start":[],"ask_diff_mode_on_launch":false,"ask_variables_on_launch":true,"ask_limit_on_launch":false,"ask_tags_on_launch":false,"ask_skip_tags_on_launch":false,"ask_job_type_on_launch":false,"ask_verbosity_on_launch":false,"ask_omventory_on_launch":false,"ask_credential_on_launch":false,"allow_simultaneous":false,"artifacts":{},"scm_revision":"","omstance_group":null,"diff_mode":false,"job_slice_number":0,"job_slice_count":1,"credential":null,"vault_credential":null}

ryanpetrello commented 5 years ago

@sinu,

AWX doesn't automatically encrypt extra_vars that you define on resources like Job Templates. If you want encrypted secrets that are injected as extra vars (which won't be exposed in API responses), check out Custom Credential Types:

https://docs.ansible.com/ansible-tower/latest/html/userguide/credential_types.html

...or add your secrets like this to .yml files in your source control.

sinu commented 5 years ago

@ryanpetrello I agree that we can use custom credentials when you are storing credentials in AWX/Tower, but as per our security requirement we cannot store the password anywhere (as encrypted); that is the reason why the password is passed in the API request as a variable. The user is inputting the password every time while executing the trigger from ServiceNow, but here AWX is returning the same in the response as well.

ryanpetrello commented 5 years ago

> but as per our security requirement we cannot store the password anywhere(as encrypted) that is the reason why password is passing in api request as variable

...then I've got some bad news for you about how AWX works at a foundational level. AWX must store these extra vars (and other secrets, like API tokens, SSH private keys, etc...) in some (albeit, encrypted) way so that it can invoke the ansible-playbook process on your behalf. This is arguably the entire point of what AWX does, and this entire process relies on storing provided extra vars in the AWX (postgres) database.
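For a client that consumes the launch response shown in this thread, one client-side mitigation is to mask secret-looking keys in `extra_vars` before the response is logged or forwarded. This is an added example, not AWX code and not from any participant in the thread; the key-name pattern, the mask string and the sample response are assumptions, and it does not change the fact that AWX stores the values as described above.

```python
import json
import re

# Assumption: key names that mark a value as secret; tune for your playbooks.
# The match is deliberately broad, so over-redaction is preferred to a leak.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|private_key", re.IGNORECASE)
MASK = "$redacted$"


def _scrub(node):
    """Recursively mask values whose key name looks secret."""
    if isinstance(node, dict):
        return {k: MASK if SECRET_KEY.search(str(k)) else _scrub(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub(item) for item in node]
    return node


def redact_launch_response(body: str) -> str:
    """Return the launch response with secrets in extra_vars masked.

    In the response shown in the thread, extra_vars is a JSON document
    encoded inside a string, so it is decoded a second time here.
    """
    job = json.loads(body)
    raw = job.get("extra_vars")
    if isinstance(raw, str) and raw.strip():
        try:
            job["extra_vars"] = json.dumps(_scrub(json.loads(raw)))
        except json.JSONDecodeError:
            # Not JSON (for example YAML): fail closed instead of passing it on.
            job["extra_vars"] = MASK
    elif isinstance(raw, dict):
        job["extra_vars"] = _scrub(raw)
    return json.dumps(job)


# Constructed sample, trimmed to the shape of the response in this thread.
SAMPLE = json.dumps({
    "job": 676,
    "status": "pending",
    "extra_vars": json.dumps({
        "ansible_user": "admin",
        "objects": [{"item": {"name": "ALL", "api_token": "example-token"}}],
        "ansible_password": "example-password",
    }),
})

if __name__ == "__main__":
    print(redact_launch_response(SAMPLE))
```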