Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

brocade_facts: Credential user name is redacted from brocade_security_user_config facts #140

Open
mamoep opened this issue Sep 15, 2023 · 7 comments
Open

brocade_facts: Credential user name is redacted from brocade_security_user_config facts #140

mamoep opened this issue Sep 15, 2023 · 7 comments

Comments

@mamoep
Copy link

mamoep commented Sep 15, 2023

When collecting switch information with the brocade_facts module, the name of the user that is used for login is replaced by "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER". I am using Ansible Galaxy collection version 1.3.3.

Task:

  - name: gather Brocade facts
    brocade.fos.brocade_facts:
      credential:
        fos_ip_addr: "{{ switch }}"
        fos_user_name: "{{ username }}"
        fos_password: "{{ password }}"
        https: true
      vfid: -1
      gather_subset:
        - brocade_security_user_config

Output

{
    "name": "admin",
    "role": "admin",
    "account_description": "Administrator",
    "account_enabled": true,
    "default_password_configured": false,
    "password_change_enforced": false,
    "account_locked": false,
    "access_start_time": null,
    "access_end_time": null,
    "auth_token_present": false
},
{
    "name": "user",
    "role": "user",
    "account_description": "User",
    "account_enabled": true,
    "default_password_configured": false,
    "password_change_enforced": false,
    "account_locked": false,
    "access_start_time": null,
    "access_end_time": null,
    "auth_token_present": false
},
{
    "name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
    "role": "admin",
    "account_description": "Ansible User",
    "account_enabled": true,
    "default_password_configured": false,
    "password_change_enforced": false,
    "account_locked": false,
    "access_start_time": null,
    "access_end_time": null,
    "auth_token_present": false
},
@prasad-valmeti-broadcom
Copy link
Collaborator

These security logging parameters are masked by Ansible itself during the facts, nothing is done in the modules.
I see you mentioned Ansible FOS 1.3.3 as the version.
As per my understanding, it is the same behavior in older Ansible FOS releases as well.
This behavior can be overridden with the no_log option in yml or ansible.cfg to show sensitive parameters as well in ansible logging. Did you try no_log option?

What is the FOS Switch release?
what is the actual name that should be shown instead of VALUE_SPECIFIED_IN_NO_LOG_PARAMETER?

@mamoep
Copy link
Author

mamoep commented Sep 25, 2023

I tried to set "no_log: false" in the playbook but it didn't make any difference. I don't think that setting can override "secured" variables from the module code.

Tested with FOS 8.2.3d and 9.1.1c

The actual name is the one used infos_user_name: "{{ username }}" variable. So whichever user I choose as login credential.

@prasad-valmeti-broadcom
Copy link
Collaborator

Taking our fos_user_name out of the credentials and treating it as different is working fine. Please let us know if it works for you with these changes:
--> In the playbook *.yml file(s), remove the fos_user_name from the credential group.
--> In the tasks of facts.yml, add fos_user_name as shown below:
brocade_facts:
credential: "{{credential}}"
fos_user_name: "{{fos_user_name}}"
--> In the brocade_facts.py, have the following changes
argument_spec = dict(
credential=dict(required=True, type='dict', no_log=True),

  •    fos_user_name=dict(required=True, type='str'),

 ...
-    fos_user_name = input_params['credential']['fos_user_name']
  • fos_user_name = input_params['fos_user_name']

Please let us know if it resolves this issue.

@mamoep
Copy link
Author

mamoep commented Oct 24, 2023

The proposed fix works.

@mamoep
Copy link
Author

mamoep commented Oct 24, 2023

I suggest to following change to keep the current structure of the credential object intact, while still be able to mute the password.

    argument_spec = dict(
        credential=dict(
            required=True,
            type='dict',
            options=dict(
                fos_ip_addr=dict(required=True, type='str'),
                fos_user_name=dict(required=True, type='str'),
                fos_password=dict(required=True, type='str', no_log=True),
                https=dict(required=True, type='bool'),
                ssh_hostkeymust=dict(required=False, type='bool')
            )
        ),

@prasad-valmeti-broadcom
Copy link
Collaborator

Thanks for the confirmation and suggestion. Sure, we will handle it in the proposed way so that no need to change existing playbooks. This will be handled in the next release.

@prasad-valmeti-broadcom
Copy link
Collaborator

This approach proposed here is implemented in FOSAnsible release 2.0.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mamoep @prasad-valmeti-broadcom