ansible / proposals

Repository for sharing and tracking progress on enhancement proposals for Ansible.
Creative Commons Zero v1.0 Universal

Hide Credentials from Log #94

Open gtowsey opened 6 years ago

gtowsey commented 6 years ago

Proposal: Hide Credentials from Log

Author: Glen Towsey

Date: 2018/01/11

Motivation

When using win_shell to execute a command such as a PowerShell script, with any credentials passed down using lookup, e.g. '{{ lookup('env', 'abc_username') }}', passwords and usernames are shown in plain text in the log files.

Using no_log: True does hide this information but also hides any log information from Ansible. This makes Ansible Tower difficult to use in a secure environment.

Problems

What problems exist that this proposal will solve?

Solution proposal

Allow the use of a tag similar to the !unsafe tag to censor a variable from the log. The end result would be a variable declared similar to the below:

win_shell: D:\Scripts\something.ps1 !hidden'{{ lookup('env', 'Script_User') }}' !hidden'{{ lookup('env', 'Script_Password') }}'

Mataris commented 6 years ago

I would like a solution to this exact issue!

agowa commented 5 years ago

Same for REST API requests. And API keys. I would propose to have a "logfilter", where you could just globally specify a list of things that should be stripped from the logs.

logfilter:
   - "{{ api_key }}"
   - "{{ password001 }}"
   - "{{ username }}"

And then Ansible should do:

  1. Fetch the logs from the client.
  2. Pass it through the filter %s/api_key/SECRET_001/gm
  3. Show the resulting log.
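
One way the three filter steps above could work, as an added example that is not Ansible code and not from anyone in this thread. The function name, the secret values, the host name and the log lines are constructed for illustration; only the script path comes from the proposal.

```python
import re

def build_log_filter(secrets):
    """Return (redact, mapping) for a list of secret *values*, not variable names.

    Each distinct value gets a stable placeholder (SECRET_001, SECRET_002, ...),
    so a reader can still see which secret was used where without seeing it.
    """
    # Drop duplicates and empty values: an empty pattern would match everywhere.
    unique = [s for s in dict.fromkeys(secrets) if s]
    mapping = {s: f"SECRET_{i:03d}" for i, s in enumerate(unique, start=1)}
    if not mapping:
        return (lambda text: text), mapping
    # Longest first, so a secret that contains another secret is replaced whole
    # instead of leaving its tail in the log.
    ordered = sorted(mapping, key=len, reverse=True)
    # re.escape: secrets are literal strings and often contain regex metacharacters.
    pattern = re.compile("|".join(re.escape(s) for s in ordered))

    def redact(text):
        return pattern.sub(lambda m: mapping[m.group(0)], text)

    return redact, mapping

# Constructed sample values (api_key, password001, username, a second password).
SECRETS = ["k3y-AbC.123+xyz", "Passw0rd!", "svc_deploy", "Passw0rd!2024", ""]

# Constructed sample log, standing in for step 1 ("fetch the logs").
SAMPLE_LOG = r"""TASK [run script] ***
changed: [winhost01] => {"cmd": "D:\Scripts\something.ps1 svc_deploy Passw0rd!2024"}
GET /v1/items?key=k3y-AbC.123+xyz -> 200
login ok for svc_deploy using Passw0rd!
"""

if __name__ == "__main__":
    redact, mapping = build_log_filter(SECRETS)
    # Step 2 (filter) and step 3 (show the resulting log).
    print(redact(SAMPLE_LOG))
```

This matches exact values only: a secret that reaches the log in a transformed form (URL-encoded, base64, JSON-escaped) is not caught, and a very short or common value will also redact unrelated text.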