ansible / proposals

Repository for sharing and tracking progress on enhancement proposals for Ansible.
Creative Commons Zero v1.0 Universal

Feature Request: Native Support for Secret Masking in Logs #209

Open bioinfornatics opened 11 months ago

bioinfornatics commented 11 months ago

Issue Description:

Currently, when sensitive information such as passwords are used in Ansible tasks, the only option to prevent their exposure in logs is to use the no_log: true directive. However, this approach hides all logs from the task, making troubleshooting and maintenance challenging.

This issue proposes adding a new feature to Ansible that allows for native support of secret masking in logs, providing a more granular control over log visibility while maintaining security.

In 2021 @bcoca put such a feature on the Ansible kanban board, but it seems that you now use another way to manage the project and some features that were to be implemented were lost.

Proposal:

Introduce a new configuration option or filter that allows users to specify sensitive variables or patterns to be automatically masked in task logs. This masking could be done using asterisks or other user-configurable characters. Here's how the feature could work:

  1. Configuration Option:

    Add a new configuration option, such as log_mask, in Ansible configuration files (ansible.cfg) or playbook headers. Users can define a list of variables or patterns that should be masked in logs.

Example:


    [defaults]
    log_mask = sensitive_variable, password_.*

  2. Filter or Modifier:

Introduce a new Jinja2 filter or modifier that can be applied to task output. This filter would automatically replace sensitive variable values in the log with masked characters.

Example:

    - name: Task with sensitive information
      shell: echo "This is a secret: {{ sensitive_variable | mask_sensitive }}"
      register: task_result

    - name: Display logs with masked secrets
      debug:
        msg: "{{ task_result.stdout }}"

In this example, mask_sensitive is the proposed modifier that replaces occurrences of sensitive variable values in the log.

TASK [Task with sensitive information]********************************************
This is a secret: ****

TASK [Display logs with masked secrets]*******************************************
This is a secret: ****

Benefits:

  1. Enhanced Security: Users will have more control over masking sensitive data in logs, providing a balance between security and maintainability.

  2. Improved Troubleshooting: This feature will facilitate troubleshooting by allowing users to view relevant task logs while still protecting sensitive information.

  3. Granular Control: Users can choose which variables or patterns to mask, tailoring the masking behavior to their needs.

Additional Notes:

While this feature would provide a convenient way to mask sensitive data in logs, it's important to emphasize that it doesn't replace best practices for securing sensitive information, such as using Ansible Vault for encryption.

References:
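One way the proposed log_mask setting and mask_sensitive filter could fit together, added here as an illustration and not code from Ansible or from this issue. It assumes that log_mask entries are regular expressions matched against variable names and that the filter is handed the play's variables explicitly, since a Jinja2 filter only receives its arguments; the sample variables and task result are constructed.

```python
import re

MASK = "****"

def parse_log_mask(setting):
    """Turn the comma-separated log_mask setting into compiled patterns that
    are matched against variable *names* (hypothetical syntax)."""
    return [re.compile(p.strip()) for p in setting.split(",") if p.strip()]

def secret_values(variables, patterns):
    """Collect the values of every variable whose name matches a pattern.
    Empty or non-string values are skipped: replacing "" would corrupt output."""
    found = {v for k, v in variables.items()
             if isinstance(v, str) and v and any(p.fullmatch(k) for p in patterns)}
    # Longest first, so a secret that contains a shorter one is replaced whole.
    return sorted(found, key=len, reverse=True)

def mask_sensitive(data, variables, log_mask, mask=MASK):
    """Replace every secret value inside data (str, list or dict, as registered
    task results are) with the mask; other types are returned unchanged."""
    secrets = secret_values(variables, parse_log_mask(log_mask))

    def walk(node):
        if isinstance(node, str):
            for s in secrets:
                node = node.replace(s, mask)
            return node
        if isinstance(node, list):
            return [walk(n) for n in node]
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        return node
    return walk(data)

class FilterModule:
    """Entry-point shape Ansible expects from a filter_plugins/*.py file."""
    def filters(self):
        return {"mask_sensitive": mask_sensitive}

# Constructed sample: a play's variables and a registered shell result.
SAMPLE_VARS = {"sensitive_variable": "hunter2", "password_db": "s3cr3t!",
               "password_empty": "", "hostname": "db01"}
SAMPLE_RESULT = {"cmd": "echo This is a secret: hunter2",
                 "stdout": "This is a secret: hunter2",
                 "stderr": "auth failed for s3cr3t! on db01", "rc": 0}
MASKED_RESULT = mask_sensitive(SAMPLE_RESULT, SAMPLE_VARS,
                               "sensitive_variable, password_.*")
```

Note that masking by value also hides the secret where it leaks indirectly (here the echoed cmd and a stderr line), which a name-based no_log cannot do for output produced by other tasks.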

felixfontein commented 11 months ago

I think a more granular way to do this will appear with the data tagging framework, which is planned for 2.16 currently: https://github.com/ansible/ansible-documentation/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_16.rst#planned-work (it has been planned earlier - https://github.com/ansible/ansible-documentation/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_13.rst#delayed-work -, but was delayed since then).