openstack/kolla-ansible
Code Issues Proposed changes

security: hide sensitive auth_password in kolla_container module logs

Browse Source 
Added no_log=True to the 'common_options' argument in generate_module()
to prevent the auth_password and other sensitive data from being printed
in Ansible logs during container operations. This improves security by
hiding credentials from logs.

This change addresses the issue where auth_password was visible in logs
despite already having no_log=True on the auth_password parameter itself,
because it was nested inside common_options dict without no_log protection.

Closes-Bug: #2120302

Change-Id: I2064f822bda1c2618605ecfb9bf26ad820ccbbf2
Signed-off-by: Piotr Milewski <vurmil@gmail.com>
This commit is contained in:
Piotr Milewski
2025-08-11 16:29:04 +02:00
committed by Michal Nasiadka
parent f5d6bf6e61
commit 9e8b2c4661
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ansible/library/kolla_container.py
View File

@@ -268,7 +268,8 @@ def generate_module():
# NOTE(r-krcek): arguments_spec should also be reflected in the list of # NOTE(r-krcek): arguments_spec should also be reflected in the list of
# arguments in service-check-containers role # arguments in service-check-containers role
argument_spec = dict( argument_spec = dict(
common_options=dict(required=False, type='dict', default=dict()), common_options=dict(required=False, type='dict',
default=dict(), no_log=True),
action=dict(required=True, type='str', action=dict(required=True, type='str',
choices=['compare_container', choices=['compare_container',
'compare_image', 'compare_image',

13
releasenotes/notes/bug-2120302-824ede145936a6eb.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
security:
- |
Added no_log=True to the ``common_options`` argument in generate_module()
to prevent the auth_password and other sensitive data from being printed
in Ansible logs during container operations when
``docker_registry_password`` was set. This improves security by hiding
credentials from logs.
This change addresses the issue where auth_password was visible in log
despite already having no_log=True on the auth_password parameter itself,
because it was nested inside common_options dict without no_log protection.
`LP#2120302 <https://launchpad.net/bugs/2120302>`__

3
tests/test_kolla_container.py
View File

@@ -36,7 +36,8 @@ class ModuleArgsTest(base.BaseTestCase):
def test_module_args(self): def test_module_args(self):
argument_spec = dict( argument_spec = dict(
common_options=dict(required=False, type='dict', default=dict()), common_options=dict(required=False, type='dict', default=dict(),
no_log=True),
action=dict( action=dict(
required=True, type='str', required=True, type='str',
choices=['compare_container', choices=['compare_container',