Json keyword admin is replaced by '*****' #74210

Closed
odd22 opened this issue Apr 9, 2021 · 7 comments
Labels
affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments


odd22 commented Apr 9, 2021

Summary

Hi,

I wrote a playbook that uses the OpenDaylight REST API to collect network IP/MPLS topology information. One of the attributes is related to Traffic Engineering (see RFC3630 e.g.) and is named 'admin-group'.

With ansible 2.9.6, I got the correct json from OpenDaylight, while with a more recent version of ansible, at least 2.9.18, the json keyword 'admin-group' is automatically replaced by '*****-group', which breaks my processing.

I understand that this kind of sanitization is good from a security point of view, but in some cases it must be disabled or bypassed.

I can't find any indication about this feature in the documentation or on the web.

Can you tell me if it can be disabled? If yes, how? If not, we need a mechanism to disable it.

Regards

Olivier

Issue Type

Bug Report

Component Name

ansible-playbook

Ansible Version

$ ansible --version (Working version)
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

$ ansible --version (Non working version)
ansible 2.9.18
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

Configuration

$ ansible-config dump --only-changed
(No output)

OS / Environment

$ more /etc/redhat-release
CentOS Linux release 8.3.2011

It is the awx_task docker from a clean AWX 17.1.0 installation

Steps to Reproduce

- hosts: localhost
  tasks:
  - name: Get Topology Graph from OpenDaylight
    uri:
      url: http://172.20.0.1:8181/restconf/operational/graph:graph-topology
      user: "admin"
      password: "admin"
      method: GET
      force_basic_auth: yes
      body_format: json
      status_code: 200
    register: result
  - debug:
      msg: "{{ result.json }}"

Expected Results

Small extract of the global output with the expected json "admin-group" keyword (obtained with ansible 2.9.6):

...
                        {
                            "edge-attributes": {
                                "adj-sid": 57,
                                "admin-group": 1,
                                "delay": 10000,
                                "local-address": "10.194.77.176",
...

Actual Results

The current output with ansible 2.9.18:
...
                            "edge-attributes": {
                                "********-group": 1,
                                "adj-sid": 57,
                                "delay": 10000,
                                "local-address": "10.194.77.176",
...
Note the json keyword "admin-group" replaced by "******-group"

Code of Conduct

I agree to follow the Ansible Code of Conduct


ansibot commented Apr 9, 2021

Files identified in the description:

  • lib/ansible/playbook

If these files are incorrect, please update the component name section of the description or use the !component bot command.

kindlehl commented Apr 10, 2021

@odd22 this is happening because of an update to the uri module. The module tries to be smart and censor your BasicAuth password in the output (or maybe not, no_log=True is still set on v2.9.6)

For verification, I'm running python3 -m http.server that is serving a file that contains the json snippet above and changing the uri to the file.

In lib/ansible/modules/uri.py:630, no_log is set on the uri password.

@kindlehl
Contributor

Caused by #70762


odd22 commented Apr 12, 2021

@kindlehl Thanks for the explanation and the pointer.

So, in order to solve my problem, do I need to change the default 'admin' password or simply use the encoded Basic Auth header instead of providing a clear login/password?

@kindlehl
Contributor

@odd22 either would work

@odd22
Copy link
Author

odd22 commented Apr 12, 2021

I tested the Basic Auth, i.e.

    headers:
      Authorization: Basic xxxxxxxx

and it works fine. I tried to set no_log: False to disable the sanitize function, but it does not work. In fact, looking at the uri.py code, no_log is forced to True for the password.

Don't know if this needs to be documented, or at least a warning added to the uri documentation regarding the password variable.

In any case, I think you could close this issue.
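
Added example, not part of the thread and not Ansible's code: a simplified Python model of value-based output masking. It shows why a password of "admin" rewrites the "admin-group" key, and how to check a response for such collisions before choosing a credential. The function names, the sample response and the replacement passphrase are constructed for illustration.

```python
import json

MASK = "********"  # mask string seen in the issue's "Actual Results"

# Constructed sample, modelled on the JSON extract quoted in the issue.
SAMPLE = {"edge-attributes": {"adj-sid": 57, "admin-group": 1,
                              "delay": 10000, "local-address": "10.194.77.176"}}


def mask_no_log(obj, no_log_values):
    """Replace every occurrence of a secret in dict keys and string values.

    Simplified model of value-based output sanitization, not Ansible's code.
    """
    if isinstance(obj, dict):
        return {mask_no_log(k, no_log_values): mask_no_log(v, no_log_values)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_no_log(item, no_log_values) for item in obj]
    if isinstance(obj, str):
        for secret in no_log_values:
            if secret:  # an empty secret would match everywhere
                obj = obj.replace(secret, MASK)
    return obj  # numbers, booleans and None pass through unchanged


def collisions(obj, no_log_values, path="$"):
    """List the paths whose key or string value contains a secret."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if any(s and s in str(key) for s in no_log_values):
                hits.append(child)
            hits.extend(collisions(value, no_log_values, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(collisions(item, no_log_values, f"{path}[{i}]"))
    elif isinstance(obj, str) and any(s and s in obj for s in no_log_values):
        hits.append(path)
    return hits


if __name__ == "__main__":
    # Password "admin" registered as a secret: the key is rewritten.
    print(json.dumps(mask_no_log(SAMPLE, {"admin"}), indent=2))
    # A password that does not occur in the response leaves it intact.
    print(json.dumps(mask_no_log(SAMPLE, {"constructed-long-passphrase"}), indent=2))
    print(collisions(SAMPLE, {"admin"}))
```

Because the masking is substring-based, a short or dictionary-word secret collides with ordinary data far more often than a long random one.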

@samdoran
Contributor

Closing per above.
