kolla_passwords: add no_log for password overrides

The kolla_passwords module overrides parameter may contain sensitive data, including passwords and SSH keys. It should be protected via no_log. Without this, the parameter value may be exposed in Ansible logs, or if level 3 verbosity is used, Ansible output. This change adds no_log to the parameter. Change-Id: I3f499d63d19ba7f7372b401bd2da23ce627f18e5
2022-04-12 11:37:55 +01:00 · 2022-04-12 11:37:55 +01:00 · 51a57394be
commit 51a57394be
parent 5ede87656c
2 changed files with 12 additions and 1 deletions
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@ -181,7 +181,7 @@ def main():
    module = AnsibleModule(
        argument_spec = dict(
            dest=dict(default='/etc/kolla/passwords.yml', type='str'),
-            overrides=dict(default={}, type='dict'),
+            overrides=dict(default={}, type='dict', no_log=True),
            sample=dict(default='/usr/share/kolla-ansible/etc_examples/kolla/passwords.yml', type='str'),
            src=dict(default='/etc/kolla/passwords.yml', type='str'),
            vault_password=dict(type='str', no_log=True),
--- a/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
+++ b/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
@ -0,0 +1,11 @@
+---
+security:
+  - |
+    Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+    were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+    were also exposed in Ansible output.
+fixes:
+  - |
+    Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+    were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+    were also exposed in Ansible output.