Merge "Add an ARA_IGNORE_FACTS variable and stop saving ansible_env by default"
commit
0774377b88
|
@ -80,6 +80,12 @@ class BaseConfig(object):
|
|||
['extra_vars'],
|
||||
value_type='list'
|
||||
)
|
||||
self.ARA_IGNORE_FACTS = ara_config(
|
||||
'ignore_facts',
|
||||
'ARA_IGNORE_FACTS',
|
||||
['ansible_env'],
|
||||
value_type='list'
|
||||
)
|
||||
|
||||
# Static generation with flask-frozen
|
||||
self.ARA_IGNORE_EMPTY_GENERATION = ara_config(
|
||||
|
|
|
@ -167,6 +167,21 @@ class CallbackModule(CallbackBase):
|
|||
if not isinstance(ignore_errors, bool):
|
||||
ignore_errors = True if ignore_errors == "yes" else False
|
||||
|
||||
if self.task.action == 'setup' and 'ansible_facts' in results:
|
||||
# Potentially sanitize some Ansible facts to prevent them from
|
||||
# being saved both in the host facts and in the task results.
|
||||
for fact in app.config['ARA_IGNORE_FACTS']:
|
||||
if fact in results['ansible_facts']:
|
||||
msg = "Not saved by ARA as configured by ARA_IGNORE_FACTS"
|
||||
results['ansible_facts'][fact] = msg
|
||||
|
||||
values = jsonutils.dumps(result._result['ansible_facts'])
|
||||
facts = models.HostFacts(values=values)
|
||||
host.facts = facts
|
||||
|
||||
db.session.add(facts)
|
||||
db.session.commit()
|
||||
|
||||
self.taskresult = models.TaskResult(
|
||||
task=self.task,
|
||||
host=host,
|
||||
|
@ -184,14 +199,6 @@ class CallbackModule(CallbackBase):
|
|||
db.session.add(self.taskresult)
|
||||
db.session.commit()
|
||||
|
||||
if self.task.action == 'setup' and 'ansible_facts' in result._result:
|
||||
values = jsonutils.dumps(result._result['ansible_facts'])
|
||||
facts = models.HostFacts(values=values)
|
||||
host.facts = facts
|
||||
|
||||
db.session.add(facts)
|
||||
db.session.commit()
|
||||
|
||||
def log_stats(self, stats):
|
||||
"""
|
||||
Logs playbook statistics to the database.
|
||||
|
@ -318,7 +325,7 @@ class CallbackModule(CallbackBase):
|
|||
# Potentially sanitize some user-specified keys
|
||||
for parameter in app.config['ARA_IGNORE_PARAMETERS']:
|
||||
if parameter in options:
|
||||
msg = "Parameter not saved by ARA due to configuration"
|
||||
msg = "Not saved by ARA as configured by ARA_IGNORE_PARAMETERS"
|
||||
options[parameter] = msg
|
||||
|
||||
log.debug('Starting playbook %s', path)
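Review bot: The redaction loop in the `setup` branch rewrites `results['ansible_facts']`, but the `HostFacts` row built right after it still serializes `result._result['ansible_facts']`. The assignment of `results` is above this hunk and not visible, so unless it is the very same object as `result._result`, `ansible_env` would still be written to the host facts table. Serializing the sanitized data instead, `values = jsonutils.dumps(results['ansible_facts'])`, would make the host facts honour ARA_IGNORE_FACTS along with the task result. The loop also matches only top-level fact names and only runs when `self.task.action == 'setup'`, which is worth stating in the comment above it. The test change in this commit only covers the config default, so a test asserting that the stored `HostFacts` value lacks the ignored fact would pin the behaviour.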
|
||||
|
|
|
@ -47,6 +47,9 @@ class TestConfig(TestAra):
|
|||
'ARA_PORT': "9191",
|
||||
'ARA_DATABASE': db,
|
||||
'ARA_IGNORE_EMPTY_GENERATION': True,
|
||||
'ARA_IGNORE_FACTS': [
|
||||
'ansible_env'
|
||||
],
|
||||
'ARA_IGNORE_PARAMETERS': [
|
||||
'extra_vars'
|
||||
],
|
||||
|
|
|
@ -127,6 +127,8 @@ Parameters and their defaults
|
|||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_LOG_FORMAT_ | logformat | %(asctime)s - %(levelname)s - %(message)s |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_FACTS_ | ignore_facts | ansible_env |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_PARAMETERS_ | ignore_parameters | extra_vars |
|
||||
+-------------------------------+----------------------------+-------------------------------------------+
|
||||
| ARA_IGNORE_EMPTY_GENERATION_ | ignore_empty_generation | True |
|
||||
|
@ -284,6 +286,19 @@ ARA_LOG_FORMAT
|
|||
|
||||
The log format of the logs.
|
||||
|
||||
ARA_IGNORE_FACTS
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
When Ansible gathers host facts or uses the setup module, your host facts are
|
||||
recorded by ARA and are also available as part of your reports.
|
||||
|
||||
By default, only the host fact ``ansible_env`` is not saved due to the
|
||||
sensitivity of the information it could contain such as tokens, passwords or
|
||||
otherwise privileged information.
|
||||
|
||||
This configuration allows you to customize what ARA will and will not save.
|
||||
It is a list, provided by comma-separated values.
|
||||
|
||||
ARA_IGNORE_PARAMETERS
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
@ -295,7 +310,7 @@ If, for example, you use `extra_vars`_ to send a password or secret variable
|
|||
to your playbooks, it is likely you don't want this saved in ARA's database.
|
||||
|
||||
This configuration allows you to customize what ARA will and will not save.
|
||||
It is a list, provided by a comma-separated values.
|
||||
It is a list, provided by comma-separated values.
|
||||
|
||||
.. _extra_vars: https://docs.ansible.com/ansible/playbooks_variables.html#passing-variables-on-the-command-line
|
||||
|
||||
|
|