Open bioinfornatics opened 1 year ago
I think a more granular way to do this will appear with the data tagging framework, which is planned for 2.16 currently: https://github.com/ansible/ansible-documentation/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_16.rst#planned-work (it has been planned earlier - https://github.com/ansible/ansible-documentation/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_13.rst#delayed-work -, but was delayed since then).
Looks like this was delayed in .16 and .17. Currently planned in the .18 roadmap though ::fingerscrossed::
Didn't make it to 2.18... so 2.19 now.
Issue Description:
Currently, when sensitive information such as passwords are used in Ansible tasks, the only option to prevent their exposure in logs is to use the `no_log: true` directive. However, this approach hides all logs from the task, making troubleshooting and maintenance challenging. This issue proposes adding a new feature to Ansible that allows for native support of secret masking in logs, providing more granular control over log visibility while maintaining security.
In 2021 @bcoca put such a feature on the Ansible kanban board, but it seems that you now use another way to manage the project and some features to be implemented were lost.
Proposal:
Introduce a new configuration option or filter that allows users to specify sensitive variables or patterns to be automatically masked in task logs. This masking could be done using asterisks or other user-configurable characters. Here's how the feature could work:
Configuration Option:
Add a new configuration option, such as `log_mask`, in Ansible configuration files (ansible.cfg) or playbook headers. Users can define a list of variables or patterns that should be masked in logs.
Example:
Introduce a new Jinja2 filter or modifier that can be applied to task output. This filter would automatically replace sensitive variable values in the log with masked characters.
Example:
In this example, `mask_sensitive` is the proposed modifier that replaces occurrences of sensitive variable values in the log.
Benefits:
Enhanced Security: Users will have more control over masking sensitive data in logs, providing a balance between security and maintainability.
Improved Troubleshooting: This feature will facilitate troubleshooting by allowing users to view relevant task logs while still protecting sensitive information.
Granular Control: Users can choose which variables or patterns to mask, tailoring the masking behavior to their needs.
Additional Notes:
While this feature would provide a convenient way to mask sensitive data in logs, it's important to emphasize that it doesn't replace best practices for securing sensitive information, such as using Ansible Vault for encryption.
References:
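As an added example, not code from this issue or from Ansible itself, the following filter plugin shows one way the proposed `mask_sensitive` filter could be implemented. It assumes Ansible's `filter_plugins/` layout for discovery; `SAMPLE_RESULT` is a constructed task result, and `mask_sensitive` and `MASK` are hypothetical names.

```python
"""filter_plugins/mask_sensitive.py -- added example, not Ansible's own code."""
import re
from typing import Any, Iterable

MASK = "********"  # hypothetical default; the proposal leaves the character configurable


def mask_sensitive(data: Any, secrets: Iterable[str], mask: str = MASK) -> Any:
    """Return a copy of `data` with every occurrence of any secret replaced by `mask`.

    Walks dicts, lists and tuples recursively so nested module results
    (stdout_lines, invocation.module_args, ...) are covered, not just the top level.
    Longer secrets are replaced first, so a secret that is a prefix of another
    cannot leave a partial value behind. Empty secrets are dropped because an
    empty pattern would match at every position and destroy the whole string.
    """
    values = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not values:
        return data
    pattern = re.compile("|".join(re.escape(v) for v in values))

    def walk(obj: Any) -> Any:
        if isinstance(obj, str):
            return pattern.sub(mask, obj)
        if isinstance(obj, dict):
            return {k: walk(v) for k, v in obj.items()}
        if isinstance(obj, (list, tuple)):
            return type(obj)(walk(x) for x in obj)
        return obj  # ints, bools, None: nothing to mask

    return walk(data)


class FilterModule(object):
    """Ansible loads filters from this class when the file sits in filter_plugins/."""

    def filters(self):
        return {"mask_sensitive": mask_sensitive}


# Constructed sample: what a shell/command task result might look like before masking.
SAMPLE_RESULT = {
    "cmd": "mysql -u app -pS3cr3t! -e 'select 1'",
    "stdout_lines": ["connected as app with S3cr3t!"],
    "rc": 0,
    "invocation": {"module_args": {"password": "S3cr3t!"}},
}

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE_RESULT, ["S3cr3t!", "S3cr3t"]))
```

Matching is on the literal value only: a secret that reaches the log base64- or URL-encoded, split across lines, or reflected only through a derived value (a hash, a token minted from it) will not be caught, so this complements rather than replaces `no_log` for tasks whose output cannot be predicted.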