executor: do not blacklist host-vars for trusted context

This change lifts the host-vars blacklist for trusted context. Change-Id: I59c2829adf2a641dc6761aed930ab28471432a9a
2020-03-03 00:23:14 +00:00 · 2020-03-03 00:23:14 +00:00 · 3acc00a30e
parent d8fab33b58
commit 3acc00a30e
2 changed files with 7 additions and 1 deletions
--- a/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
+++ b/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    The add_host host-vars blacklist is no longer effective for trusted
+    playbook.
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@ -2450,7 +2450,8 @@ class AnsibleJob(object):
        if self.executor_variables_file is not None:
            cmd.extend(['-e@%s' % self.executor_variables_file])

-        cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])
+        if not playbook.trusted:
+            cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])

        self.emitPlaybookBanner(playbook, 'START', phase)