jenkinsci / ansible-plugin

Jenkins Ansible plugin
https://plugins.jenkins.io/ansible/
MIT License

Ansible Plugin Invoke Playbook - add option to not conceal variables #130

Open atfrench opened 1 year ago

atfrench commented 1 year ago

What feature do you want to see added?

Please see: https://github.com/jenkinsci/ansible-plugin/issues/127. Recent security requirements have made the plugin difficult to use. We do not use any variables that need to be concealed. Our variables are filenames and paths. Re-configuration of jobs is difficult now as we cannot see what a concealed variable is set to so that we can edit a variable. A possible solution might be to add a new type of key variable that is not concealed. Or add an option to not conceal a variable.

Thanks, Adrien.

Upstream changes

No response

nikos-papantoniou commented 1 year ago

+1. We've been using the Ansible plugin to provide extra variables like hostnames, filenames, unique IDs, etc. to reusable playbooks. With this change we are unable to troubleshoot if something is misconfigured because we cannot see the actual values of any variable. If a Jenkins job that utilizes the Ansible plugin has quite a few extra variables, this becomes nightmarish to reconfigure.

jonesbusy commented 1 year ago

I'm not sure if there is any way to not conceal the form field if the values are stored encrypted in Jenkins home. The solution is probably to (re)introduce "unsecureVars" stored as plain text.

There was an old PR, https://github.com/jenkinsci/ansible-plugin/pull/22, to convert extra vars to a list to work with the pipeline generator.

The point is that it opens the plugin again to a security advisory (https://www.jenkins.io/security/advisory/2023-05-16/). Advisories are opened by Jenkins security teams, not plugin maintainers.

Feel free to contribute if a better solution is found.

NachoGomezC commented 5 months ago

Bumping this request; it is very annoying when all extra variables are treated as secrets. Credentials/secrets need to be managed explicitly as such in any other part of the Ansible module, not mixed with the regular extra parameters.

IMHO, mixing all of them is the real security flaw here.