Client: Add ignored_results option #585
Conversation
|
Build failed. ✔️ ara-tox-py3 SUCCESS in 2m 15s |
|
Hi and thanks for the PR. I need to think a little bit about this one. There's a big regex that hides somewhere in Ansible that tries to have an heuristic like this to try and prevent tokens, passwords and such from being displayed. I'll look into it. Thanks. |
|
Hi, Therefore many secrets, passwords, api-keys, etc. are passed from and to tasks, sometimes also in ansible_facts. |
|
Yeah, that makes sense. Thanks for the context. Someone helped me find that heuristic in Ansible again: https://github.com/ansible/ansible/blob/e6adddcaf8d4cf46185a90be89a574ba01cc6b84/lib/ansible/module_utils/basic.py#L164 That regex tries to prevent sensitive things from being displayed in the console but it's... imperfect. It will never catch 100% of the sensitive things. I feel like taking a similar approach in ara would be similarly imperfect. I wouldn't let that be the enemy of "good enough" but I am putting that out there as part of the thought process. I mean to say that ara records ansible, so if the data makes it in to ara, it could perhaps leak in your console/terminal/job as well. Making it so ara won't record them is only half the story, and making sure that Ansible doesn't send that data to ara at all in the first place would be best. There is I am not declining this PR for now, I just need to think a little bit more about this, and ponder on what a feature like this might look like in upstream Ansible such that the sensitive data doesn't make it into ara in the first place. |
|
Data tagging is coming (any year now) and one of the things it will do (in theory, there's no public implementation available yet) is provide a more comprehensive approach to dealing with sensitive values. |
jadyndev
force-pushed
the
jadyn/ignored_results
branch
from
00f74dc to
9a85a93
Compare
|
Build failed. ✔️ ara-tox-py3 SUCCESS in 2m 15s |
jadyndev
force-pushed
the
jadyn/ignored_results
branch
3 times, most recently
from
400b1c9 to
afc3c91
Compare
|
Build failed. ✔️ ara-tox-py3 SUCCESS in 2m 14s |
|
Build failed. ✔️ ara-tox-py3 SUCCESS in 2m 18s |
Yes, this appears to be the takeaway from briefly discussing it in the Ansible Social channel today. Sivel mentioned they would like to include it in ansible-core 2.19. |
|
@flowerysong I won't link to it directly here (because I see no need to have github set up a link with this issue) but there is a new PR about data tagging: https://github.com/ansible/ansible/pulls?q=is%3Apr+is%3Aopen+%5BWIP%5D+Templating+overhaul%2C+implement+Data+Tagging |
This adds the option to ignore any results returned by an ansible task based on user supplied regexes.
This way you can customize which data passed from and to ansible tasks gets forwarded to ara.
The variables are filtered based on their path: Which consists of the tasks action and the dot-notated path to the variable inside the
resultsdict:ansible.builtin.user:invocation.passwordAdding
ignored_results = .*password.*would be enough to filter all variables containingpasswordin their path, due to the flexibility given by regex, everything from just filtering specific variables, modules/plugins to whole collections is now possible.