ansible-community/ara

Allowing ignoring specific task parameters/output

Opened this issue · 4 comments

What is the idea ?

In extending our ansible workflow across users, we need a way to audit and keep track of what was run when by whom. ARA fills this gap very neatly, but the recorded plays contain a lot of secrets (vault tokens, ldap passwords, certificates) because either the module developer didn't mark the input as no_log, it's a raw input (dict), or it's just part of the output.

We have seen so far: community.general.ldap_attrs used to set userPassword, hashi_vault tasks used to generate certificates or tokens.

A solution is to set no_log everywhere in the playbooks, but we found that this greatly increases maintenance (you have to disable no_log when there is an actual error, run the playbook again...).

Would a way to list ignored input/output fields globally per module be considered?

Hi @bendem and thanks for the issue.

Sorry for the delay, I've been sidetracked for a while.

Your understanding of what is going on is correct, as is your description of the drawback of using no_log.

ara has a couple of features to try and prevent things from being leaked (in addition to no_log and optimistic ansible heuristics), like ignoring files, host facts or CLI arguments, but it doesn't have something like you suggest, yet.

I think it would be useful to provide support for some form of filtering but I wonder what the implementation should look like.
I would expect a performance cost because the ara callback would need to iterate through every task's results, and it adds up quickly when you have hundreds/thousands of tasks and hosts.

I'll leave this open and think about it, in the meantime I am open to ideas.
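The following is an added sketch of what the per-module ignore list proposed above could look like if implemented on the callback side. It is example code written for this page, not ara's own code and not a feature ara ships; the rule table, the module names used as keys, the field paths and the sample task data are all constructed for illustration. The idea is a table mapping a module name to dotted paths in its arguments and result that should be masked, plus a global key-name pattern as a safety net, walked recursively over deep copies so the live result handed to the callback is never mutated.

```python
"""Hypothetical per-module redaction filter for recorded Ansible task data.

Added example, not ara's own code. The IGNORE_FIELDS table, the module
names used as keys, and the sample data below are constructed.
"""
import copy
import re
from typing import Any, Dict, Iterable, List

REDACTED = "***REDACTED***"

# Hypothetical configuration: module name -> dotted paths to mask in the
# task arguments ("args") and in the returned result ("result").
# "*" matches every key at that level; lists are always walked through.
IGNORE_FIELDS = {
    "community.general.ldap_attrs": {
        "args": ["attributes.userPassword"],
        "result": [],
    },
    "community.hashi_vault.vault_write": {
        "args": ["data.*"],
        "result": ["data.auth.client_token"],
    },
}

# Global safety net applied to every module: any scalar whose key looks
# like a secret is masked even when no explicit rule names it.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|private_key)", re.IGNORECASE)


def _mask_path(node: Any, parts: List[str]) -> None:
    """Mask the value found at a dotted path inside nested dicts/lists, in place."""
    if not parts:
        return
    head, rest = parts[0], parts[1:]
    if isinstance(node, list):
        for item in node:
            _mask_path(item, parts)
        return
    if not isinstance(node, dict):
        return
    keys = list(node.keys()) if head == "*" else ([head] if head in node else [])
    for key in keys:
        if rest:
            _mask_path(node[key], rest)
        else:
            node[key] = REDACTED


def _mask_by_key_pattern(node: Any) -> None:
    """Mask every scalar whose dict key matches SECRET_KEY_RE, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and SECRET_KEY_RE.search(key) and not isinstance(value, (dict, list)):
                node[key] = REDACTED  # reassigning an existing key is safe while iterating
            else:
                _mask_by_key_pattern(value)
    elif isinstance(node, list):
        for item in node:
            _mask_by_key_pattern(item)


def redact_task(module: str, args: Dict[str, Any], result: Dict[str, Any],
                rules: Dict[str, Dict[str, Iterable[str]]] = IGNORE_FIELDS):
    """Return (args, result) copies with rule-listed and pattern-matched fields masked.

    Works on deep copies so the caller's (the callback's) live objects stay intact.
    """
    args = copy.deepcopy(args)
    result = copy.deepcopy(result)
    module_rules = rules.get(module, {})
    for path in module_rules.get("args", []):
        _mask_path(args, path.split("."))
    for path in module_rules.get("result", []):
        _mask_path(result, path.split("."))
    _mask_by_key_pattern(args)
    _mask_by_key_pattern(result)
    return args, result


# Constructed sample task data (not real credentials or real module output).
SAMPLE_LDAP_ARGS = {
    "dn": "uid=alice,ou=people,dc=example,dc=org",
    "attributes": {"userPassword": "{SSHA}abc123", "mail": "alice@example.org"},
    "state": "exact",
}
SAMPLE_VAULT_RESULT = {
    "changed": True,
    "data": {"auth": {"client_token": "hvs.CAESI...", "policies": ["default"]}},
    "invocation": {"module_args": {"token": "hvs.root...", "path": "auth/token/create"}},
}

if __name__ == "__main__":
    print(redact_task("community.general.ldap_attrs", SAMPLE_LDAP_ARGS, {"changed": True}))
    print(redact_task("community.hashi_vault.vault_write", {}, SAMPLE_VAULT_RESULT))
```

Two points of the design bear on the performance concern raised above: every task pays for a full recursive walk of its arguments and result (the key-pattern pass runs even for modules with no explicit rule), and the deep copies double the memory touched per task. A real implementation would want to skip the walk entirely when both the rule table and the key pattern are empty, and could drop the copy if the callback is the last consumer of the result.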

I meant to add but forgot: although it is not a perfect solution, the high potential for leaking sensitive information is why we recommend to set up authentication in front of ara.

Not unlike you'd leave something like a Jenkins instance open to the public without authentication because there is bound to be something private exposed in the console at one point or another.


Of course, I wouldn't deploy ara without protecting it.

In my case, I'm still worried about some generated secrets (vault tokens, key pairs and database passwords) that no one should really ever remember, not even myself or people running playbooks.

In looking into quick wins for this, I found a bug in the pause action plugin: ansible/ansible#78371