Hide output which can contain password strings

The change I68a89e413b7c3eecb747386998bd36314250384b introduced the task to check whether the password is valid but this task dumps a raw password string in case password authentication failed for some reason (eg. the user is not yet created). This change ensures the output is hidden, unless users explicitly enable sensitive logs. Closes-Bug: #1998158 Change-Id: I3214109f4f75620abc25d48db86179a8a411ccc7
2022-11-29 10:55:08 +09:00 · 2022-11-29 10:55:08 +09:00 · fc758a2fbd
parent 61d3a6c023
commit fc758a2fbd
1 changed files with 2 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_keystone_resources/tasks/users.yml
+++ b/tripleo_ansible/roles/tripleo_keystone_resources/tasks/users.yml
@ -15,6 +15,8 @@
 # under the License.

 - name: "Check password of Keystone user"
+  # needed because the module dumps the raw output in case auth fails
+  no_log: "{{ tripleo_keystone_resources_hide_sensitive_logs | bool }}"
  openstack.cloud.identity_user_info:
    name: "{{ lookup('dict', tripleo_keystone_resources_data).value.name | default(lookup('dict', tripleo_keystone_resources_data).key) }}"
    auth_type: "v3password"