Merge pull request #532 from ptomas-adacis/master
Hide passwords during execution
geerlingguy authored Dec 6, 2023
2 parents 8f0eef9 + b04a0ca commit 8c87b67
Showing 5 changed files with 19 additions and 2 deletions.
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -166,6 +166,12 @@ Replication settings. Set `mysql_server_id` and `mysql_replication_role` by serv

If the replication master has different IP addresses where you are running ansible and where the mysql replica is running, you can *optionally* specify a `mysql_replication_master_inventory_host` to access the machine (e.g. you run ansible on your local machine, but the mysql master and replica need to communicate on a different network)

```yaml
mysql_hide_passwords: false
```

Do you need to hide tasks' output which contain passwords during the execution ?

### Later versions of MySQL on CentOS 7

If you want to install MySQL from the official repository instead of installing the system default MariaDB equivalents, you can add the following `pre_tasks` task in your playbook:
2 changes: 2 additions & 0 deletions defaults/main.yml
Expand Up @@ -132,3 +132,5 @@ mysql_replication_master_inventory_host: "{{ mysql_replication_master }}"

# Same keys as `mysql_users` above.
mysql_replication_user: []

mysql_hide_passwords: false
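Review bot: `mysql_hide_passwords` defaults to `false` and carries no comment, so every task that now reads it prints its results unmasked unless the operator opts in. That includes the user-creation task in tasks/users.yml, which previously hard-coded `no_log: true`. I would default to masking and document the switch, e.g. `# Set to false only while debugging; when true, password-handling tasks run with no_log.` above `mysql_hide_passwords: true`. If the `false` default is kept for debuggability, tasks/users.yml should stay on `no_log: true` so existing installs do not start logging `mysql_users` passwords after an upgrade. The README.md entry would need to show the same default.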
6 changes: 5 additions & 1 deletion tasks/replication.yml
Expand Up @@ -6,6 +6,7 @@
password: "{{ mysql_replication_user.password }}"
priv: "{{ mysql_replication_user.priv | default('*.*:REPLICATION SLAVE,REPLICATION CLIENT') }}"
state: present
no_log: "{{ mysql_hide_passwords }}"
when:
- mysql_replication_role == 'master'
- mysql_replication_user.name is defined
Expand All @@ -17,17 +18,19 @@
mode: getreplica
login_user: "{{ mysql_root_username }}"
login_password: "{{ mysql_root_password }}"
no_log: "{{ mysql_hide_passwords }}"
ignore_errors: true
register: slave
when:
- mysql_replication_role == 'slave'
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']

# https://github.com/ansible/ansible/issues/82264
- name: Check master replication status.
mysql_replication:
mode: getprimary
delegate_to: "{{ mysql_replication_master_inventory_host }}"
delegate_to: "{{ mysql_replication_master_inventory_host | default(omit, true) }}"
register: master
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Replica is defined and not slave.Is_Replica) or (slave.Is_Slave is not defined and slave.Is_Replica is not defined and slave is failed)

Check warning on line 36 in tasks/replication.yml


GitHub Actions / Lint

36:161 [line-length] line too long (205 > 160 characters)

Expand All @@ -43,6 +46,7 @@
master_password: "{{ mysql_replication_user.password }}"
master_log_file: "{{ master.File }}"
master_log_pos: "{{ master.Position }}"
no_log: "{{ mysql_hide_passwords }}"
ignore_errors: true
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Replica is defined and not slave.Is_Replica) or (slave.Is_Slave is not defined and slave.Is_Replica is not defined and slave is failed)

Check warning on line 52 in tasks/replication.yml


GitHub Actions / Lint

52:161 [line-length] line too long (205 > 160 characters)

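Review bot: The comment added above "Check master replication status" is a bare issue URL, so a reader cannot tell that `default(omit, true)` drops `delegate_to` whenever `mysql_replication_master_inventory_host` is undefined or empty. I would spell that out, e.g. `# Omit delegate_to when no master inventory host is set; see https://github.com/ansible/ansible/issues/82264`. With delegation omitted, the `getprimary` query presumably runs on the current host rather than the master. It is worth confirming that the task's `when` list, which continues past this hunk, already excludes an empty `mysql_replication_master`.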
5 changes: 5 additions & 0 deletions tasks/secure-installation.yml
Expand Up @@ -6,6 +6,7 @@
password: "{{ mysql_user_password }}"
priv: '*.*:ALL,GRANT'
state: present
no_log: "{{ mysql_hide_passwords }}"
when: mysql_user_name != mysql_root_username

# Has to be after the password assignment, for idempotency.
Expand All @@ -15,6 +16,7 @@
dest: "{{ mysql_user_home }}/.my.cnf"
owner: "{{ mysql_user_name }}"
mode: 0600
no_log: "{{ mysql_hide_passwords }}"
when: >
mysql_user_name != mysql_root_username
and (mysql_install_packages | bool or mysql_user_password_update)
Expand Down Expand Up @@ -44,6 +46,7 @@
mysql -u root -NBe
"ALTER USER '{{ mysql_root_username }}'@'{{ item }}'
IDENTIFIED WITH mysql_native_password BY '{{ mysql_root_password }}'; FLUSH PRIVILEGES;"
no_log: "{{ mysql_hide_passwords }}"
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
Expand All @@ -54,6 +57,7 @@
ansible.builtin.shell: >
mysql -NBe
'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}"); FLUSH PRIVILEGES;'
no_log: "{{ mysql_hide_passwords }}"
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
Expand All @@ -67,6 +71,7 @@
owner: root
group: root
mode: 0600
no_log: "{{ mysql_hide_passwords }}"
when: mysql_install_packages | bool or mysql_root_password_update

- name: Get list of hosts for the anonymous user.
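Review bot: `no_log` on the two root-password shell tasks (the `ALTER USER` and `SET PASSWORD` hunks) masks only Ansible's own output. `mysql_root_password` is still interpolated into the `mysql ... -NBe` command line, so it remains visible in the process list on the managed host while the command runs. At minimum I would record that limit next to the flag, e.g. `# no_log hides task output only; the password is still passed on the mysql command line.` A fuller fix would feed the statement through the shell module's `stdin` option instead of `-e`. Both tasks begin above their hunks, so the task names and any other arguments are not visible here.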
2 changes: 1 addition & 1 deletion tasks/users.yml
Expand Up @@ -9,4 +9,4 @@
append_privs: "{{ item.append_privs | default('no') }}"
encrypted: "{{ item.encrypted | default('no') }}"
with_items: "{{ mysql_users }}"
no_log: true
no_log: "{{ mysql_hide_passwords }}"
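Review bot: With `no_log` now following `mysql_hide_passwords`, the `with_items: "{{ mysql_users }}"` loop prints each whole item, password included, as the per-item label whenever the flag is false. Adding `loop_control:` with `label: "{{ item.name }}"` keeps the label to the account name even when masking is off. `item.name` is inferred from the `mysql_replication_user.name` usage elsewhere in this commit, so confirm the key. The task starts above this hunk.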
