openstack/kayobe
Code Issues Proposed changes

kolla_passwords: add no_log for password overrides

Browse Source 
The kolla_passwords module overrides parameter may contain sensitive
data, including passwords and SSH keys. It should be protected via
no_log. Without this, the parameter value may be exposed in Ansible
logs, or if level 3 verbosity is used, Ansible output.

This change adds no_log to the parameter.

Change-Id: I3f499d63d19ba7f7372b401bd2da23ce627f18e5
This commit is contained in:
Mark Goddard 2022-04-12 11:37:55 +01:00
parent 5ede87656c
commit 51a57394be
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible/roles/kolla-ansible/library/kolla_passwords.py
View File

@ -181,7 +181,7 @@ def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec = dict( argument_spec = dict(
dest=dict(default='/etc/kolla/passwords.yml', type='str'), dest=dict(default='/etc/kolla/passwords.yml', type='str'),
overrides=dict(default={}, type='dict'), overrides=dict(default={}, type='dict', no_log=True),
sample=dict(default='/usr/share/kolla-ansible/etc_examples/kolla/passwords.yml', type='str'), sample=dict(default='/usr/share/kolla-ansible/etc_examples/kolla/passwords.yml', type='str'),
src=dict(default='/etc/kolla/passwords.yml', type='str'), src=dict(default='/etc/kolla/passwords.yml', type='str'),
vault_password=dict(type='str', no_log=True), vault_password=dict(type='str', no_log=True),

11
releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml Normal file
View File

@ -0,0 +1,11 @@
---
security:
- |
Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
were also exposed in Ansible output.
fixes:
- |
Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
were also exposed in Ansible output.