Hi everyone,
we were having a discussion whether it makes sense to implement a password filter for Ansible commands running via remote execution. In the end, you can see all reports as plain text in Foreman. We came to the conclusion that it is a security glitch, but it would be hard to capture all kind of passwords from arbitrary Ansible code.
Any opinions on adding a feature that would try to filter passwords either as Ansible callback plugin or as filter for reports?
Thanks everyone 
Ansible has a no_log parameter, which you should set when you want things not to be logged (like passwords). And then I would expect every logger/callback to honour this.
Or is this set, and you still get passwords in the logs?
I guess no_log solves the problem by (as the name suggests) providing no log for the relevant task whatsoever. I think what we built was a callback plugin that tried to filter out just the things it identified as passwords, replacing them with ****** or something.
Of course there probably is no inherently reliable way of identifying passwords in a bunch of string output.
Ansible modules mark some params as no_log, and you can mark whole tasks as no_log.
I don’t see Foreman being in the position to guess what is a password or what not.
I think that there is chance of capturing passwords if you run specific roles on a system. But as you can use remote execution to run arbitrary code, this becomes impossible.
Are you saying that if you have a role testrole, and pass (secret) variables to it from foreman those leak?
I am saying that you need to be careful about your Ansible role design if you do not want any passwords to leak accidentally.