Add an ARA_IGNORE_FACTS variable and stop saving ansible_env by default
The ansible_env fact is no longer saved by default as env variables are often used to carry passwords, tokens or otherwise privileged information that might not be relevant or suitable to save in ARA. This is done through a new ARA_IGNORE_FACTS configuration parameter which allows users to define a list of facts that they might not be comfortable saving. This prevents facts configured in this list from being saved to host facts and task results. Change-Id: I69c110706198b9fb6dd0324e2157859fe01e5b34
parent
c41dc6f28d
commit
93e3ef2a46
|
@ -80,6 +80,12 @@ class BaseConfig(object):
|
|||
['extra_vars'],
|
||||
value_type='list'
|
||||
)
|
||||
self.ARA_IGNORE_FACTS = ara_config(
|
||||
'ignore_facts',
|
||||
'ARA_IGNORE_FACTS',
|
||||
['ansible_env'],
|
||||
value_type='list'
|
||||
)
|
||||
|
||||
# Static generation with flask-frozen
|
||||
self.ARA_IGNORE_EMPTY_GENERATION = ara_config(
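Review bot: The new `ARA_IGNORE_FACTS` setting, defaulting to `['ansible_env']`, carries no comment saying what it protects. A user who sets the option to their own list presumably replaces this default rather than extending it (`ara_config` itself is not shown here), which would quietly turn saving of `ansible_env` back on. I would add a comment above the assignment such as `# Facts replaced by a placeholder before saving; a custom list must still name ansible_env to keep it out of the database`. The enclosing method starts and ends outside the hunk.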
|
||||
|
|
|
@ -167,6 +167,21 @@ class CallbackModule(CallbackBase):
|
|||
if not isinstance(ignore_errors, bool):
|
||||
ignore_errors = True if ignore_errors == "yes" else False
|
||||
|
||||
if self.task.action == 'setup' and 'ansible_facts' in results:
|
||||
# Potentially sanitize some Ansible facts to prevent them from
|
||||
# being saved both in the host facts and in the task results.
|
||||
for fact in app.config['ARA_IGNORE_FACTS']:
|
||||
if fact in results['ansible_facts']:
|
||||
msg = "Not saved by ARA as configured by ARA_IGNORE_FACTS"
|
||||
results['ansible_facts'][fact] = msg
|
||||
|
||||
values = jsonutils.dumps(result._result['ansible_facts'])
|
||||
facts = models.HostFacts(values=values)
|
||||
host.facts = facts
|
||||
|
||||
db.session.add(facts)
|
||||
db.session.commit()
|
||||
|
||||
self.taskresult = models.TaskResult(
|
||||
task=self.task,
|
||||
host=host,
|
||||
|
@ -184,14 +199,6 @@ class CallbackModule(CallbackBase):
|
|||
db.session.add(self.taskresult)
|
||||
db.session.commit()
|
||||
|
||||
if self.task.action == 'setup' and 'ansible_facts' in result._result:
|
||||
values = jsonutils.dumps(result._result['ansible_facts'])
|
||||
facts = models.HostFacts(values=values)
|
||||
host.facts = facts
|
||||
|
||||
db.session.add(facts)
|
||||
db.session.commit()
|
||||
|
||||
def log_stats(self, stats):
|
||||
"""
|
||||
Logs playbook statistics to the database.
|
||||
|
@ -318,7 +325,7 @@ class CallbackModule(CallbackBase):
|
|||
# Potentially sanitize some user-specified keys
|
||||
for parameter in app.config['ARA_IGNORE_PARAMETERS']:
|
||||
if parameter in options:
|
||||
msg = "Parameter not saved by ARA due to configuration"
|
||||
msg = "Not saved by ARA as configured by ARA_IGNORE_PARAMETERS"
|
||||
options[parameter] = msg
|
||||
|
||||
log.debug('Starting playbook %s', path)
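Review bot: In the `setup` branch added to the result-logging method, the redaction loop overwrites entries in `results['ansible_facts']`, but the host facts are then serialised from `result._result['ansible_facts']`. Unless `results` is the very same object as `result._result` (its assignment is outside the hunk), the facts named in ARA_IGNORE_FACTS, `ansible_env` by default, would still be written to `HostFacts`. Serialising the sanitised data closes that gap: `values = jsonutils.dumps(results['ansible_facts'])`. The branch also runs only when `self.task.action == 'setup'`, so `ansible_facts` returned by other modules appear to reach the task results unredacted, which deserves a comment or a line in the docs. A test that logs a setup result and asserts the stored host facts hold the placeholder string would catch the first problem; none is visible in this commit.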
|
||||
|
|
|
@ -47,6 +47,9 @@ class TestConfig(TestAra):
|
|||
'ARA_PORT': "9191",
|
||||
'ARA_DATABASE': db,
|
||||
'ARA_IGNORE_EMPTY_GENERATION': True,
|
||||
'ARA_IGNORE_FACTS': [
|
||||
'ansible_env'
|
||||
],
|
||||
'ARA_IGNORE_PARAMETERS': [
|
||||
'extra_vars'
|
||||
],
|
||||
|
|
|
@ -127,6 +127,8 @@ Parameters and their defaults
|
|||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_LOG_FORMAT_ | logformat | %(asctime)s - %(levelname)s - %(message)s |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_FACTS_ | ignore_facts | ansible_env |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_PARAMETERS_ | ignore_parameters | extra_vars |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_EMPTY_GENERATION_ | ignore_empty_generation | True |
|
||||
|
@ -284,6 +286,19 @@ ARA_LOG_FORMAT
|
|||
|
||||
The log format of the logs.
|
||||
|
||||
ARA_IGNORE_FACTS
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
When Ansible gathers host facts or uses the setup module, your host facts are
|
||||
recorded by ARA and are also available as part of your reports.
|
||||
|
||||
By default, only the host fact ``ansible_env`` is not saved due to the
|
||||
sensitivity of the information it could contain such as tokens, passwords or
|
||||
otherwise privileged information.
|
||||
|
||||
This configuration allows you to customize what ARA will and will not save.
|
||||
It is a list, provided by comma-separated values.
|
||||
|
||||
ARA_IGNORE_PARAMETERS
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
@ -295,7 +310,7 @@ If, for example, you use `extra_vars`_ to send a password or secret variable
|
|||
to your playbooks, it is likely you don't want this saved in ARA's database.
|
||||
|
||||
This configuration allows you to customize what ARA will and will not save.
|
||||
It is a list, provided by a comma-separated values.
|
||||
It is a list, provided by comma-separated values.
|
||||
|
||||
.. _extra_vars: https://docs.ansible.com/ansible/playbooks_variables.html#passing-variables-on-the-command-line
|
||||
|
||||
|
|