Remove no_log: True from openshift_version calls #7288
https://github.com/openshift/openshift-ansible/blob/master/playbooks/init/basic_facts.yml#L18 also adds
/lgtm
Hmm, this does present a dilemma. I don't want to obscure the debugging logs either. Unfortunately, the secrets are revealed at the play level, during
I double-checked and thankfully only the S3 creds are revealed here. So it's probably an acceptable level of risk. I will run it by our security lead to be sure, but I'll give this PR a +1.
👍
@sdodson @dak1n1 IMO, this is a potential security concern; we shouldn't be storing secrets in openshift_facts for exactly this reason. We should prioritize the removal of these variables from openshift_facts
@michaelgugino I agree. Let's get this tracked somehow. Should I make a bz bug? Or github issue?
@dak1n1 Let's put it on BZ, sometimes issues don't always get the attention they deserve and this should be a high priority.
Thanks, added. https://bugzilla.redhat.com/show_bug.cgi?id=1549313
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue.
@sdodson: The following tests failed, say
#6519 set `no_log: True` on several plays and tasks in order to prevent logging credentials that come over from the inventory. However, that's led to the openshift_version role being invoked in a manner that omits required debugging information like the following. I think we need to be very careful not to apply `no_log: True` at the playbook level and instead only use it on specific tasks that are known to emit sensitive information.

I think it's also worth considering that the ansible logs simply need to be treated as sensitive data and handled appropriately rather than omitting potentially useful debugging data.
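The two scoping choices the description contrasts, as an added example that is not code from the openshift-ansible repository: the play-level `no_log` that hides the openshift_version role's debug output beside the task-scoped form that hides only the task handling a credential. The task name, file path and `registry_s3_*` variables are hypothetical.

```yaml
# Added example, not from openshift-ansible. Variable names, the task that
# writes credentials and its destination path are hypothetical.

# Before: no_log at the play level. Every task in the play is censored,
# including the debug messages openshift_version emits, so a failing task
# reports only a "censored" placeholder instead of its actual error.
- hosts: masters
  no_log: true
  roles:
    - openshift_version          # version debug output is suppressed

# After: no_log only on the task known to carry a secret. The role's
# debug output stays in the log; only this one task's arguments and
# result are hidden.
- hosts: masters
  tasks:
    - name: Determine OpenShift version
      include_role:
        name: openshift_version  # debug output remains visible

    - name: Write registry S3 credentials (hypothetical task)
      no_log: true               # hides argument values and the result
      copy:
        dest: /path/to/registry-s3.env   # hypothetical path
        mode: "0600"
        content: |
          AWS_ACCESS_KEY_ID={{ registry_s3_access_key }}
          AWS_SECRET_ACCESS_KEY={{ registry_s3_secret_key }}

# Note: no_log censors task output only. A secret that has already been
# copied into a fact (the openshift_facts concern raised in this thread)
# is still present in the fact cache and in any later task that prints it,
# which is why the log itself must be handled as sensitive data.
```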