-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
no_log on individual loop items #489
Comments
Hey @nlvw, Thanks for the issue and apologies for the delay, I've been away. I understand what you'd like to achieve and I know troubleshooting with no_log can be tricky. I must point out that getting ansible callbacks to reliably discard sensitive data has been a challenging topic and the result of security concerns (like ansible/ansible#22505 and https://bugzilla.redhat.com/show_bug.cgi?id=1440912). If you'd like to experiment with what this looks like from the perspective of the callback interface the current sanitization occurs here I believe: ara/ara/plugins/callback/ara_default.py Lines 767 to 777 in 94a7a4f
dump_results until dce9f3a)
I think the main challenge regarding your use case is that ara doesn't granularly store results for each item of a task and so wouldn't individually consider the value of In other words, when a task runs on a host, it will be stored as a single result whether there is a loop or not. I do not have a good suggestion at this time but let me know if you have any ideas. |
@dmsimard Thanks for looking into this. I thought to point this out as the behavior was different compared to the stdout_callback ansible implementation. This is not critical just a nice to have as it may be pretty niche. For loop tasks semaphore seems to store things as a single task but it has each loop seperately recorded inside that task. You would just need to implement the no_log censorship at the item/loop level instead of the overall task level. Keyword 'just' :). Feel free to close this unless it's something you want to implement. |
There is no need to close it, it's something we could do one day. |
A cool, but probably unknown feature, of looping in Ansible is that you can set
no_log
on a per item basis. Unfortunately ARA doesn't recognize this and discards the entire tasks output instead of just the loop/item marked withno_log
.The benefit of the below is you get logs for loops where no password is specified or a locked/empty password */! is specified. This helps troubleshooting or viewing things like AD user home creations, local accounts without passwords, and so on.
It would be nice if ARA could selective hide loop output based on
no_log
value the same as ansible.Ansible Task
Console Output (red marked out names displayed correctly and 'None' denotes a
no_log
item)ARA Task Result:
The text was updated successfully, but these errors were encountered: