Set display_args_to_stdout for secure jobs

Ansible has a config flag that is accessible from callback plugins that is an indicator for whether or not to display args in the log output. It should be noted that this can wind up being a general flag in our callback plugin that will let us know if the job being run is secure or insecure. Change-Id: Ie0b45ca533e71610cc18950edd735dc3258bd604
2017-02-20 07:06:58 -05:00 · 2017-02-20 07:06:58 -05:00 · 40728e3ef4
parent 5ac9384d90
commit 40728e3ef4
1 changed files with 8 additions and 0 deletions
--- a/zuul/launcher/server.py
+++ b/zuul/launcher/server.py
@ -799,6 +799,14 @@ class AnsibleJob(object):
                config.write('action_plugins = %s\n'
                             % self.launcher_server.action_dir)

+            # On secure jobs, we want to prevent the printing of args,
+            # since secure jobs might have access to secrets that they may
+            # need to pass to a task or a role. On the other hand, there
+            # should be no sensitive data in insecure jobs, and printing
+            # the args could be useful for debugging.
+            config.write('display_args_to_stdout = %s\n' %
+                         str(not secure))
+
            config.write('[ssh_connection]\n')
            # NB: when setting pipelining = True, keep_remote_files
            # must be False (the default).  Otherwise it apparently