Secrets can be seen in UI Host details (Hosts -> click on any host for details) -> Ansible -> Inventory

Problem:
I can see passwords and serial numbers by going to the UI, any host's details: UI → Hosts → Ansible → Inventory.
Expected outcome:
All parameters that are secret remain secret.

Foreman and Proxy versions:
3.3.1

Foreman and Proxy plugin versions:

  • katello-4.5.0-1.el8.noarch

|Plugin|Description|Author|Version|
|---|---|---|---|
|foreman-tasks|The goal of this plugin is to unify the way of showing task statuses across the Foreman instance. It defines Task model for keeping the information about the tasks and Lock for assigning the tasks to resources. The locking allows dealing with preventing multiple colliding tasks to be run on the same resource. It also optionally provides Dynflow infrastructure for using it for managing the tasks.|Ivan Nečas|6.0.2|
|foreman_acd|Foreman plugin to provide application centric deployment and self service portal|ATIX AG|0.9.3|
|foreman_ansible|Ansible integration with Foreman|Daniel Lobato Garcia|7.1.4|
|foreman_column_view|Displays an additional column in the Foreman Hosts view and/or additional entries in the Host show page|Greg Sutcliffe|0.4.0|
|foreman_default_hostgroup|Adds the option to specify a default hostgroup for new hosts created from facts/reports|Greg Sutcliffe|6.0.0|
|foreman_discovery|MaaS Discovery Plugin engine for Foreman|Aditi Puntambekar, alongoldboim, Alon Goldboim, amirfefer, Amit Karsale, Amit Upadhye, Amos Benari, Avi Sharvit, Bryan Kearney, bshuster, Daniel Lobato, Daniel Lobato Garcia, Daniel Lobato García, Danny Smit, David Davis, Djebran Lezzoum, Dominic Cleal, Dominik Matoulek, Eric D. Helms, Ewoud Kohl van Wijngaarden, Frank Wall, Greg Sutcliffe, ChairmanTubeAmp, Ido Kanner, imriz, Imri Zvik, Ivan Nečas, Jan Matusz, John Mazzie, Joseph Mitchell Magen, June Zhang, kgaikwad, Lars Berntzon, ldjebran, Leos Stejskal, Lukas Zapletal, Lukáš Zapletal, Marek Hulan, Marek Hulán, MariaAga, Martin Bačovský, Matt Jarvis, Michael Moll, Nick, odovzhenko, Ohad Levy, Ondrej Prazak, Ondřej Ezr, Ori Rabin, orrabin, Partha Aji, Petr Chalupa, Phirince Philip, Rahul Bajaj, Robert Antoni Buj Gelonch, Ron Lavi, Scubafloyd, Sean O'Keeffe, Sebastian Gräßl, Shimon Shtein, Shlomi Zadok, Stephen Benjamin, Swapnil Abnave, Thomas Gelf, Timo Goebel, Tomas Strych, Tom Caspy, Tomer Brisker, and Yann Cézard|21.0.1|
|foreman_expire_hosts|A Foreman plugin that allows hosts to expire at a configurable date. Hosts will be shut down and automatically deleted after a grace period.|Nagarjuna Rachaneni and Timo Goebel|7.0.4|
|foreman_hooks|Plugin engine for Foreman that enables running custom hook scripts on Foreman events|Dominic Cleal|0.3.17|
|foreman_host_reports|Fast and efficient reporting capabilities|Lukas Zapletal|1.0.2|
|foreman_ipam|Plugin for IPAM integration with various IPAM providers|Christopher Smith|0.1.0|
|foreman_monitoring|Foreman plugin for monitoring system integration.|Timo Goebel|2.1.0|
|foreman_openscap|Foreman plug-in for managing security compliance reports|slukasik@redhat.com|5.2.2|
|foreman_remote_execution|A plugin bringing remote execution to the Foreman, completing the config management functionality with remote management functionality.|Foreman Remote Execution team|7.1.1|
|foreman_snapshot_management|Foreman-plugin to manage snapshots in a virtual-hardware environments.|ATIX AG|2.0.1|
|foreman_statistics|Statistics and Trends for Foreman gives users overview of their infrastructure.|Ondrej Ezr|2.0.1|
|foreman_templates|Engine to synchronise provisioning templates from GitHub|Greg Sutcliffe|9.3.0|
|foreman_webhooks|Plugin for Foreman that allows to configure Webhooks.|Timo Goebel|3.0.5|
|katello|Katello adds Content and Subscription Management to Foreman. For this it relies on Candlepin and Pulp.|N/A|4.5.0|

Distribution and version:

Other relevant data:
I believe this issue comes from the Ansible plugin.


When I drill open the `_meta`, I get to see all the secrets we configured (Ansible users etc.).

I don't even know where to ask; happy to provide data etc.

Hi,
AFAIK we don't have a feature for filtering inventory items in the UI / API.

Pinging @nofaralfasi: we should add it to our backlog. Having a setting to filter which inventory items are (not) displayed by default would be useful for users. What do you think?

You’re not the only one asking about this.

I’m thinking about how we could implement it.
Will it be enough to create a user role to determine whether to display the entire inventory tab?
Or do we need to hide only specific values? (I’m not sure how complicated this implementation would be).

Hi Nofaralfasi,
@nofaralfasi Yes, as long as the Inventory tab in the Ansible tab on the host edit page can be hidden, it is good.
I just don't know which filter in the roles filter we should use. Could you please help with identifying the correct filter to use? Thank you.

Hey Tom,

Currently there is no filter for that purpose. We need to implement a new permission for that.
I opened a new issue for it here: Bug #36193: Secrets can be seen in UI Host details - Ansible - Foreman.


I will be happy to get a solution. :slight_smile:
To me this is really a security breach.
I saw sensitive information in this tab.

Could you confirm these values come from parameters? Do you have parameters set as hidden value? I'm sure this is not the only place where these values can be seen, e.g. the host edit form would reveal the values too. What is the permission set that your users, who shouldn't see this, typically have? Do they also see the Foreman tasks? Where do you use this sensitive information if not in the Ansible inventory? Perhaps provisioning templates? Do your users have access to editing any kind of template?

I think it would be great to hide the values in the inventory preview in case the parameter is defined as hidden. However if the user has access to the host object via view_hosts permission, I’d say they should be able to see all related information. The inherited parameters though need to be in the real inventory in the plain form. At the end, users could run ansible playbook that would just store the inventory content somewhere where they could read it.

Hi @Marek_Hulan,
The parameters are hidden. So far the Inventory tab of Ansible is the only place disclosing the values. The host edit page also hides the values from our users. The users see Foreman tasks. Users cannot edit templates.

The user roles include:

  • Compute resource: view_compute_resources
  • Location: view_locations
  • Ansible variable: edit_ansible_variables, create_ansible_variables, import_ansible_variables
  • Host Group: view_hostgroups, play_roles_on_hostgroup
  • Job invocation: create_job_invocations, cancel_job_invocations
  • Job template: create_job_templates, edit_job_templates
  • Template invocation: create_template_invocations, filter_autocompletion_for_template_invocation
  • (Miscellaneous): view_statuses
  • Ansible role: view_ansible_roles
  • Ansible variable: view_ansible_variables
  • Audit: view_audit_logs
  • Foreman tasks/recurring logic: view_recurring_logics
  • Foreman tasks/task: view_foreman_tasks
  • Host: cockpit_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts, forget_status_hosts, play_roles_on_host, edit_host_expiry, manage_downtime_hosts, create_snapshots, edit_snapshots, destroy_snapshots, revert_snapshots, console_hosts
  • Job invocation: view_job_invocations
  • Job template: view_job_templates
  • Smart proxy: view_smart_proxies
  • Template invocation: view_template_invocations
  • Domain: view_domains

Ok, the fact they can view the task, they may actually find the same data (if dynflow console is available). Your users can edit job templates, therefore they can create a job that saves all host parameters into a file they then cat. Also they can write ERB in the template like <%= @host.params %> and click preview. I agree these are less obvious places to get to the values, but hiding the inventory preview does not really solve the problem. Perhaps we could respect the hidden values in the inventory preview to make it less obvious. The same way we mask it elsewhere. The logic would be, if the host parameter is hidden, use asterisk for the value. @nofaralfasi is this something we could do easily?
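The masking logic proposed above (a hidden host parameter is rendered as asterisks in the inventory preview), as an added example that is not foreman_ansible's own code. It assumes the inventory is the dynamic-inventory hash shape discussed in this thread (`_meta` -> `hostvars` -> host -> variables) and that the caller passes in the names of parameters flagged as hidden in Foreman; the sample inventory is constructed.

```ruby
# Added example (not foreman_ansible's own code): mask hidden host
# parameters in an Ansible dynamic-inventory hash before it is shown in
# the UI. Assumes the `_meta` -> `hostvars` layout discussed in the thread
# and that the caller knows which parameter names are hidden in Foreman.
require 'json'

MASK = '********'.freeze

# Returns a deep copy of `inventory` in which every hostvar whose name is
# in `hidden_names` is replaced by MASK. Nested hashes (e.g. a structured
# parameter) are walked too; the original hash is left untouched so the
# real inventory handed to Ansible keeps its plain values.
def mask_hidden_hostvars(inventory, hidden_names)
  hidden = hidden_names.map(&:to_s)
  masked = JSON.parse(JSON.dump(inventory)) # deep copy with string keys
  hostvars = masked.dig('_meta', 'hostvars') || {}
  hostvars.each_value { |vars| mask_in_place!(vars, hidden) }
  masked
end

def mask_in_place!(vars, hidden)
  vars.each do |name, value|
    if hidden.include?(name)
      vars[name] = MASK
    elsif value.is_a?(Hash)
      mask_in_place!(value, hidden)
    end
  end
end

# Constructed sample inventory in the shape the thread talks about.
SAMPLE_INVENTORY = {
  '_meta' => {
    'hostvars' => {
      'web01.example.com' => {
        'ansible_user' => 'deploy',
        'ansible_password' => 'hunter2',   # hidden parameter in Foreman
        'ansible_host' => '192.0.2.10',
        'serial_number' => 'SN-0001'       # hidden parameter in Foreman
      }
    }
  },
  'all' => { 'hosts' => ['web01.example.com'] }
}.freeze

HIDDEN_PARAMETERS = %w[ansible_password serial_number].freeze

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(mask_hidden_hostvars(SAMPLE_INVENTORY, HIDDEN_PARAMETERS))
end
```

As the post above notes, this only hides the values in the preview; anyone who can run or preview templates against the host still reaches the plain values, so the permission set matters more than the masking.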

Thank you Marek.
I didn’t get into all of the implementation details, but I think it should not be overly complex.
Are we talking only about the host parameters? What about the remote_execution_ssh values?

Hi @nofaralfasi & @Marek_Hulan,
It is very exciting that Foreman 3.6 is published. I just checked the release notes and don't see the ticket for this case (Bug #36193: Secrets can be seen in UI Host details - Ansible - Foreman). I wonder if there is a chance that this bug is covered by other tickets, so I'm bothering you to ask. Many thanks.

Hi @tom, unfortunately we don’t have an update regarding this ticket yet.


Hey, just wanted to see if there are any updates.
If it is not critical to the Foreman team that critical infrastructure passwords are visible to all users that use Foreman with Ansible, then maybe we're doing something wrong in the configuration. I do not see a way to hide those secrets?

thank you!

Karl

Hi @nofaralfasi

Since we are waiting for this patch to go public, we are looking for a potential workaround.

As far as I understand, Foreman Ansible doesn't use an inventory file which records ansible_user, ansible_password and the target IP as in a regular Ansible setup. Instead, Foreman Ansible reads that info in the form of parameters from the Foreman UI.

Therefore, is it possible for Foreman Ansible to read the ansible_password from the Ansible script, since there is no inventory file?

If it is possible, then we can use Ansible Vault to encrypt ansible_password in the Ansible script; then there is no need to use an ansible_password parameter in the Foreman UI. Therefore, the host dashboard will not expose ansible_password.

Thank you.

Hi Tom, I’ll take a closer look at this and let you know as soon as I have more information.

Can you please specify which version of foreman_ansible you are using?
Additionally, is ansible_password a variable present in your local setup?
Using Ansible Vault for data encryption seems like an excellent solution. If you could give it a try and inform us of the results, that would be greatly appreciated.

Here’s an example of how my inventory looks:

Could you specify which parameters would you hide here?

Hi @nofaralfasi,
Please see the feedback below:

  1. rubygem-foreman_ansible-7.1.4-1.fm3_3.el8.noarch
  2. ansible_password is a parameter.
  3. Because Foreman doesn't read any file at the inventory level, there is no need to encrypt. I tried in group_vars and a newly created host file. Both failed; Foreman ignores these inventory files. I think it is reasonable because Foreman gets the target IP, ansible_password and ansible_user from the Foreman UI. Therefore, Foreman has to ignore inventory files from the Ansible script.
  4. The highlighted 4 variables are parameters. The inventory discloses their values even though they are hidden in parameters.

Thanks for the update.
As you can see, the inventory looks different in the latest foreman_ansible version. However, in both versions, all parameters are viewable within the inventory, including those that are hidden.

Currently, I don’t have any easy fix that we can apply.
However, I can guide you to the specific location within the code where these parameters are displayed. By removing the last part of the line, you can prevent the parameters from being shown in the UI. It’s important to mention that I haven’t thoroughly tested this approach. Additionally, if you choose to upgrade to a newer version of foreman_ansible, this change would be reverted.

Hi @nofaralfasi, Yes, it is great if you can teach how to remove the parameter from code. If email is better for you to provide with the instruction, please feel free to send via email. Thank you very much.

My email: tom_chien@trendmicro.com


Hi @nofaralfasi,
We are so excited that our Foreman is almost ready to go online. The last piece is this ticket to hide the key values of Ansible. Foreman is an outstanding automation platform and all of us are so looking forward to embracing Foreman. We very, very much appreciate your help. ^^