[security] docker_swarm: mark join_token as no_log #103

Merged
merged 2 commits into from
Mar 12, 2021

Conversation

felixfontein

SUMMARY

The join_token parameter of docker_swarm is currently not marked as no_log, which causes its value to be written to syslog during module invocation. This PR changes that.

An unfortunate side-effect is that if join_token is specified, the value there will be censored from the return values (i.e. replaced by VALUE_SPECIFIED_IN_NO_LOG_PARAMETER). This can potentially break playbooks/roles which store the return value.

This only affects the situation when join_token is provided; I think that usually in that case, the return values are not used, so it should break relatively few things (if any).

CC @WojciechowskiPiotr @relrod

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

docker_swarm


@WojciechowskiPiotr WojciechowskiPiotr left a comment


What options do we have to get the tokens now? Maybe we should also add a comment that to get the tokens you have to use the docker_swarm_info module? As far as I can see it is not censored there in the output.

@felixfontein

> What options do we have to get the tokens now? Maybe we should also add a comment that to get the tokens you have to use the docker_swarm_info module? As far as I can see it is not censored there in the output.

Exactly the same as before - except if you call the module with join_token, which you only do if you already have a token. Then you won't get the same token back in the result.

Co-authored-by: Piotr Wojciechowski <[email protected]>
@WojciechowskiPiotr

> What options do we have to get the tokens now? Maybe we should also add a comment that to get the tokens you have to use the docker_swarm_info module? As far as I can see it is not censored there in the output.
>
> Exactly the same as before - except if you call the module with join_token, which you only do if you already have a token. Then you won't get the same token back in the result.

So tokens are hidden in the results when you create the cluster?

@felixfontein

> What options do we have to get the tokens now? Maybe we should also add a comment that to get the tokens you have to use the docker_swarm_info module? As far as I can see it is not censored there in the output.
>
> Exactly the same as before - except if you call the module with join_token, which you only do if you already have a token. Then you won't get the same token back in the result.
>
> So tokens are hidden in the results when you create the cluster?

When you create a cluster, you do not specify join_token (since you are not joining), right? In that case the tokens will be returned.
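The behaviour discussed in the PR description and in the exchange above (join_token kept out of logs, and the same value scrubbed from the return values only when the caller supplied it) can be seen without a Docker host. The block below is an added illustration, not code from community.docker or Ansible: it is a simplified stand-in for AnsibleModule's no_log handling, and the helper names (no_log_values, censor_result, run_module), the swarm_facts layout and the token strings are assumptions.

```python
# Added illustration (not community.docker code): a minimal stand-in for
# Ansible's no_log handling. Real modules get this from AnsibleModule via
# argument_spec no_log=True plus remove_values() on the result; this version
# only replaces exact string matches, whereas Ansible also scrubs substrings.

NO_LOG_MARKER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Argument spec as the PR changes it: join_token is now no_log=True, so its
# value is neither written to syslog nor echoed back in the return values.
ARGUMENT_SPEC = {
    "state": {"type": "str", "default": "present"},
    "join_token": {"type": "str", "no_log": True},
}


def no_log_values(argument_spec, params):
    """Collect the values of every parameter declared no_log=True."""
    return {
        str(params[name])
        for name, spec in argument_spec.items()
        if spec.get("no_log") and params.get(name)
    }


def censor_result(result, secrets):
    """Replace each no_log value found anywhere in a nested result."""
    if isinstance(result, dict):
        return {k: censor_result(v, secrets) for k, v in result.items()}
    if isinstance(result, list):
        return [censor_result(v, secrets) for v in result]
    if isinstance(result, str) and result in secrets:
        return NO_LOG_MARKER
    return result


# Constructed sample tokens, not real swarm join tokens.
WORKER_TOKEN = "SWMTKN-1-constructed-worker-token"
MANAGER_TOKEN = "SWMTKN-1-constructed-manager-token"


def run_module(params):
    """Mimic a docker_swarm run that returns both join tokens (assumed
    swarm_facts layout), then apply the no_log scrubbing a module gets."""
    raw = {
        "changed": True,
        "swarm_facts": {
            "JoinTokens": {"Worker": WORKER_TOKEN, "Manager": MANAGER_TOKEN}
        },
    }
    return censor_result(raw, no_log_values(ARGUMENT_SPEC, params))
```

Creating a cluster passes no join_token, so both tokens come back intact; joining with join_token=WORKER_TOKEN returns the marker in place of the worker token while the manager token is unaffected.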

@WojciechowskiPiotr WojciechowskiPiotr merged commit b42b76f into ansible-collections:main Mar 12, 2021
@felixfontein felixfontein deleted the secrets2 branch March 13, 2021 08:10
@felixfontein

@WojciechowskiPiotr thanks for reviewing and merging! I'll work on backports later today.

felixfontein added a commit to felixfontein/community.general that referenced this pull request Mar 13, 2021
felixfontein added a commit to felixfontein/ansible that referenced this pull request Mar 13, 2021
felixfontein added a commit to ansible-collections/community.general that referenced this pull request Mar 13, 2021
felixfontein added a commit to felixfontein/ansible that referenced this pull request Mar 15, 2021
relrod pushed a commit to ansible/ansible that referenced this pull request Apr 3, 2021
relrod pushed a commit to ansible/ansible that referenced this pull request Apr 3, 2021
clrpackages pushed a commit to clearlinux-pkgs/ansible that referenced this pull request Apr 15, 2021
…2.9.20

Alina Buzachis (1):
      New AWS module mod_defaults - rds_option_group (_info) modules (#74098)

Carlos Camacho (1):
      [stable-2.9] Fix: nmcli bridge-slave fails with error (#74125)

Felix Fontein (4):
      Backport of ansible-collections/community.docker#103. (#73890)
      Backport of ansible-collections/community.aws#475. (#73894)
      Backport of ansible-collections/community.general#2018. (#73893)
      Backport of ansible-collections/community.network#223. (#73909)

Jill R (1):
      New AWS module mod_defaults - wafv2 modules (#73975)

Mark Chappell (3):
      Ensure unit test paths for connection and inventory plugins are based on the context (#73877)
      Partial backport of community.aws/471 - no_log=True for aws_secret (#73874)
      [backport/2.9] module_defaults: Add rds_snapshot (#74113)

Matt Clay (1):
      [stable-2.9] Fix ansible-test coverage exporting.

Matt Martz (1):
      [stable-2.9] Ensure task from the worker is finalized/squashed (#73881) (#73929)

Rick Elrod (5):
      Update Ansible release version to v2.9.19.post0.
      [security] Add more missing no_logs (#74115)
      New release v2.9.20rc1
      Update Ansible release version to v2.9.20rc1.post0.
      New release v2.9.20

Sam Doran (2):
      Move file needed by cs_volume test to S3
      [stable-2.9] find - set proper default based on use_regex (#73961) (#73966)

Xabier Napal (1):
      Fix wrong backup directory var name in apt module (#73840) (#74003)

nitzmahone (1):
      add optional module_utils import support (#73832) (#73916)