Bug 1540225 - 2_ovirt_logger.py can't filter vars passed on the command line
Summary: 2_ovirt_logger.py can't filter vars passed on the command line
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-hosted-engine-setup
Classification: oVirt
Component: General
Version: 2.2.1
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: ---
Assignee: Simone Tiraboschi
QA Contact: Lukas Svaty
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-30 14:01 UTC by Yedidyah Bar David
Modified: 2022-02-25 11:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-25 07:54:29 UTC
oVirt Team: Integration
Embargoed:
sbonazzo: ovirt-4.3-

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1571117 0 urgent CLOSED HE-VM appliance and admin password saved in the setup log file as clear text executing from cockpit 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker RHV-44942 0 None None None 2022-02-25 11:12:36 UTC
oVirt gerrit 87016 0 master MERGED ansible: Filter secret keys 2018-09-03 09:36:06 UTC

Internal Links: 1571117

Description Yedidyah Bar David 2018-01-30 14:01:19 UTC 
Description of problem:

Current version of [1] allows setting he_filtered_tokens_vars in the playbook to a list and adding to it variables that we want to filter out their content in the generated log. But if we want to allow passing such a variable on the command line, this does not work:

OTOPI_CALLBACK_OF=logs/otopi-$(date +%s).log ANSIBLE_STDOUT_CALLBACK=2_ovirt_logger HE_ANSIBLE_LOG_PATH=logs/ans$(date +%s).log ansible-playbook --module-path=/usr/share/ovirt-hosted-engine-setup/ansible --inventory=./inventory -e somevar=somevalue -e secret_var_cli1=secret_data_1 -e '{"he_filtered_tokens_vars":["secret_var_cli1"]}' test_filtering.yml

This is because if he_filtered_tokens_vars it has a higher precedence than set_fact, so the following code will not be able to change it.

Not sure it's important to fix. A possible solution is probably to have a different way to pass such things in the command line, such as a new environment variable or a different ansible variable.

[1] https://gerrit.ovirt.org/86238
Comment 1 Yedidyah Bar David 2018-02-01 14:42:39 UTC 
87016 is not fixing this bug, it only mentions it. Our bot is too greedy...
Comment 2 Yedidyah Bar David 2018-02-05 09:09:08 UTC 
The linked patch do not fix current bug, it only mentions it. Some hook is too greedy and linked it.

I discussed with Simone how to handle current bug but didn't try anything yet. For now, we simply add all filtered keys by passing on the command line, so should be safe. The drawback is that we can't _also_ add keys in the middle (inside the playbook), due to the way ansible vars work. But this isn't a problem for now.
Comment 3 Sandro Bonazzola 2018-02-20 17:37:15 UTC 
(In reply to Yedidyah Bar David from comment #2)
> The linked patch do not fix current bug, it only mentions it. Some hook is
> too greedy and linked it.
> 
> I discussed with Simone how to handle current bug but didn't try anything
> yet. For now, we simply add all filtered keys by passing on the command
> line, so should be safe. The drawback is that we can't _also_ add keys in
> the middle (inside the playbook), due to the way ansible vars work. But this
> isn't a problem for now.

re targeting to 4.3 accordingly
Comment 4 Yaniv Lavi 2018-06-25 07:54:29 UTC 
Closing old bugs.
Please reopen if still relevant.
Patches are welcomed.
Note You need to log in before you can comment on or make changes to this bug.