
Sumologic callback plugin logging sensitive data #63522

Closed

Description

@poblahblahblah
SUMMARY

The sumologic callback plugin logs sensitive data because no_log is not respected for the arguments/vars passed to modules: they are sent unredacted inside the ansible_task object.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

code where ansible_task is defined: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/sumologic.py#L107

ANSIBLE VERSION
ansible 2.7.11
  config file = /Users/pobrien/src/ttd/ansible/ansible.cfg
  configured module search path = [u'/Users/pobrien/src/ttd/ansible/library']
  ansible python module location = /Users/pobrien/.pyenv/versions/2.7.15/lib/python2.7/site-packages/ansible
  executable location = /Users/pobrien/.pyenv/versions/2.7.15/bin/ansible
  python version = 2.7.15 (default, Mar 14 2019, 16:12:40) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.10.44.4)]
CONFIGURATION
[defaults]
callback_plugins = ./plugins/callback
callback_whitelist = sumologic
display_skipped_hosts = no

[callback_sumologic]
url = https://sumourl
OS / ENVIRONMENT

MacOS 10.14.6

STEPS TO REPRODUCE

Configure a SumoLogic endpoint and add the corresponding configuration to ansible.cfg; an example of our callback configuration is shown above.

The example below uses a custom module, but the same thing happens with every other module we've tested. The module we wrote, inventory_node, has no_log: True specified on its api_key argument.

This also happens when no_log: true is set on any task.

- name: create node in inventory via inventory_node module
  delegate_to: localhost
  connection: local

  inventory_node:
    node_name: "{{ inventory_hostname }}"
    internal_ip: "{{ internal_ip }}"
    role_id: "{{ role_id }}"
    datacenter_id: "{{ datacenter_id }}"
    cluster: "{{ cluster | default(omit) }}"
    instance_id: "{{ instance_id | default(omit) }}"

    api_key: "{{ inventory_api_key }}"
    state: present
EXPECTED RESULTS

I would expect the API key not to appear in SumoLogic.

ACTUAL RESULTS

The API key appears in our SumoLogic logs. Below is the full JSON payload that is sent and received.

The ansible_result object correctly redacts the sensitive field, but the ansible_task object does not.

{
  "ansible_check_mode": true,
  "ansible_host": "10.0.0.10",
  "ansible_playbook": "bootstrap.yaml",
  "ansible_result": {
    "_ansible_delegated_vars": {
      "ansible_delegated_host": "localhost",
      "ansible_host": "localhost"
    },
    "_ansible_no_log": false,
    "_ansible_parsed": true,
    "changed": true,
    "debug": {
      "Cluster": 1,
      "CrudStatus": {
        "Description": null,
        "Message": null,
        "Status": true,
        "Target": null,
        "Type": 0
      },
      "DatacenterId": 14,
      "Hostname": "TestClientInstance3KWSRVFUN1423",
      "InstanceId": "i-00000000",
      "InternalIp": "10.0.0.10",
      "ManagementIp": "10.0.0.10",
      "Name": "TestClientInstance3KWSRVFUN1423",
      "NodeId": 0,
      "Password": null,
      "RoleId": 218
    },
    "invocation": {
      "module_args": {
        "api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", # API KEY HIDDEN HERE
        "cluster": 1,
        "datacenter_id": 14,
        "instance_id": "i-00000000",
        "internal_ip": "10.0.0.10",
        "management_ip": "10.0.0.10",
        "node_name": "TestClientInstance3KWSRVFUN1423",
        "role_id": 218,
        "state": "present"
      }
    },
    "msg": "node absent, desired present, and create was successful."
  },
  "ansible_role": "infraflow/inventory_node_create",
  "ansible_task": {
    "action": "inventory_node",
    "any_errors_fatal": false,
    "args": {
      "_ansible_check_mode": false,
      "_ansible_debug": false,
      "_ansible_diff": false,
      "_ansible_keep_remote_files": false,
      "_ansible_module_name": "inventory_node",
      "_ansible_no_log": false,
      "_ansible_remote_tmp": "~/.ansible/tmp",
      "_ansible_selinux_special_fs": [
        "fuse",
        "nfs",
        "vboxsf",
        "ramfs",
        "9p"
      ],
      "_ansible_shell_executable": "/bin/sh",
      "_ansible_socket": null,
      "_ansible_syslog_facility": "LOG_USER",
      "_ansible_tmpdir": null,
      "_ansible_verbosity": 3,
      "_ansible_version": "2.7.7",
      "api_key": "0000-0000-0000-00000000-000000000000", # API KEY IN PLAIN TEXT IS HERE
      "cluster": "1",
      "datacenter_id": "14",
      "instance_id": "i-00000000",
      "internal_ip": "10.0.0.10",
      "management_ip": "10.0.0.10",
      "node_name": "TestClientInstance3KWSRVFUN1423",
      "role_id": "218",
      "state": "present"
    },
    "async": 0,
    "async_val": 0,
    "become": null,
    "become_flags": null,
    "become_method": null,
    "become_user": null,
    "changed_when": [],
    "check_mode": null,
    "connection": "local",
    "debugger": null,
    "delay": 5,
    "delegate_facts": false,
    "delegate_to": "localhost",
    "diff": null,
    "environment": [
      {
        "bootstrap_status": "running",
        "hostname": "TestClientInstance3KWSRVFUN1423"
      }
    ],
    "failed_when": [],
    "ignore_errors": null,
    "ignore_unreachable": null,
    "loop": null,
    "loop_control": null,
    "loop_with": null,
    "module_defaults": [],
    "name": "create node in inventory via inventory api",
    "no_log": null,
    "notify": null,
    "poll": 10,
    "port": null,
    "register": null,
    "remote_user": null,
    "retries": 3,
    "run_once": null,
    "tags": [],
    "until": [],
    "vars": {},
    "when": []
  },
  "ansible_version": "2.7.7",
  "host": "awx",
  "ip_address": "172.17.0.4",
  "runtime": 1.7737,
  "session": "a7d38e86-fc5e-4ab9-a17b-6f6284563afd",
  "status": "OK",
  "timestamp": "2019-10-15 00:00:22 +0000",
  "user": "root",
  "uuid": "0242ac11-0004-ef6c-d1cc-0000000002fe"
}
