diff options
| author | kaorihinata <kaori.hinata@gmail.com> | 2020-02-24 17:54:29 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-02-24 16:54:29 -0600 |
| commit | 39cfb63be6513e0f1ec68f687beed5d81dc904e6 (patch) | |
| tree | 2bd4d91bd54256be295eaf4ab107ec9f9d963402 /docs | |
| parent | 1bab4c99f3efe792f5e0067be7e59fd8bb0cf6e0 (diff) | |
| download | ansible-39cfb63be6513e0f1ec68f687beed5d81dc904e6.tar.gz | |
Allow no_log=False to silence the no_log warnings for module parameters (#64733) (#67439)
As AnsibleModule._log_invocation is currently implemented, any parameter
with a name that matches PASSWORD_MATCH triggers the no_log warning as a
precaution against parameters that may contain sensitive data, but have not
been marked as sensitive by the module author.
This patch would allow module authors to explicitly mark the aforementioned
parameters as not sensitive thereby bypassing an erroneous warning message,
while still catching parameters which have not been marked at all by the
author.
Adds tests for various no_log states including True, False, and None (as
extracted by AnsibleModule._log_invocation) when applied to an argument with
a name that matches PASSWORD_MATCH.
Fixes: #49465 #64656
(cherry picked from commit 3ca4580cb4e2a24597c6c5108bf76bbcd48069f8)
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/docsite/rst/dev_guide/developing_modules_documenting.rst | 3 | ||||
| -rw-r--r-- | docs/docsite/rst/dev_guide/developing_program_flow_modules.rst | 5 |
2 files changed, 6 insertions, 2 deletions
diff --git a/docs/docsite/rst/dev_guide/developing_modules_documenting.rst b/docs/docsite/rst/dev_guide/developing_modules_documenting.rst index 9fdd53b50a..64a198d436 100644 --- a/docs/docsite/rst/dev_guide/developing_modules_documenting.rst +++ b/docs/docsite/rst/dev_guide/developing_modules_documenting.rst @@ -119,7 +119,8 @@ After the shebang, the UTF-8 coding, the copyright line, the license, and the `` Module documentation should briefly and accurately define what each module and option does, and how it works with others in the underlying system. Documentation should be written for broad audience--readable both by experts and non-experts. * Descriptions should always start with a capital letter and end with a full stop. Consistency always helps. * Verify that arguments in doc and module spec dict are identical. - * For password / secret arguments no_log=True should be set. + * For password / secret arguments ``no_log=True`` should be set. + * For arguments that seem to contain sensitive information but **do not** contain secrets, such as "password_length", set ``no_log=False`` to disable the warning message. * If an option is only sometimes required, describe the conditions. For example, "Required when I(state=present)." * If your module allows ``check_mode``, reflect this fact in the documentation. diff --git a/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst b/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst index 2560007648..5849fb3af5 100644 --- a/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst +++ b/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst @@ -615,7 +615,10 @@ required no_log """""" -``no_log`` indicates that the value of the argument should not be logged or displayed. +``no_log`` accepts a boolean, either ``True`` or ``False``, that indicates explicitly whether or not the argument value should be masked in logs and output. + +.. note:: + In the absence of ``no_log``, if the parameter name appears to indicate that the argument value is a password or passphrase (such as "admin_password"), a warning will be shown and the value will be masked in logs but **not** output. To disable the warning and masking for parameters that do not contain sensitive information, set ``no_log`` to ``False``. aliases """"""" |