I have a similar problem and can't really use the workaround.
- name: Create PostgreSQL users
  sudo: yes
  sudo_user: postgres
  postgresql_user: >
    name={{ item.name }}
    {% if item.password is defined %} password={{item.password}}{% endif %}
    {% if item.db is defined %} db={{item.db}}{% endif %}
    {% if item.priv is defined %} priv={{item.priv}}{% endif %}
    {% if item.flags is defined %} role_attr_flags={{item.flags}}{% endif %}
  with_items: postgresql_users
  tags: [ 'postgresql' ]
On Tuesday, 29 July 2014 03:30:42 UTC+3, Victor Lin wrote:
>
> I noticed that since the new Ansible with the security patch was released,
> many of our roles and playbooks are broken. For example, our role depends on
> this, and it is also broken:
>
> https://github.com/Ansibles/generic-users/blob/master/tasks/main.yml#L3-L5
>
> since it uses if-else statements to generate optional arguments like gid.
> In the latest version of Ansible this adds new arguments, so it fails the
> security check, and an error like
>
> A variable inserted a new parameter into the module args. Be sure to
> quote variables if they contain equal signs (for example: "{{var}}").
>
> is raised.
>
> I tried to modify the way arguments are passed by leveraging the default
> filter:
>
> - name: generic-users | Make sure all groups are present
>   group: >
>     name="{{ item.name }}"
>     system="{{ item.system|default('no') }}"
>     gid="{{ item.gid|default(None) }}"
>     state=present
>   with_items: genericusers_groups
>
>
> For the argument "system", there is a value "no" I can use as a default, no
> problem at all. But for "gid", I tried to feed it "default(None)"; the value
> is rendered as a string first anyway, so that becomes gid=None and a
> ValueError is raised. As a result, unavoidably, I need to pass a valid value
> to gid.
>
> I saw some discussion in this issue report:
> https://github.com/ansible/ansible/issues/8233
>
> I understand that for security reasons if-else statements in playbooks are
> not welcome, but the problem is that without if-else statements I have no
> idea how to omit arguments that have no "do not set anything for this"
> value. The problem is a bit like Python's not-set default value, where we
> usually create an object that stands for the not_set value, like this:
>
> NOT_SET = object()
>
> def foobar(value=NOT_SET):
>     pass
>
> But in Ansible I didn't see anything like that. Or did I miss something?
> I think it would be helpful if there were some kind of special filter like
>
> - name: generic-users | Make sure all groups are present
>   group: >
>     name="{{ item.name }}"
>     system="{{ item.system|default('no') }}"
>     gid="{{ item.gid|default_omit }}"
>     state=present
>   with_items: genericusers_groups
>
> The default_omit filter here omits the "gid" argument if it is not defined.
> Just an idea. However, since modifying the context in a Jinja2 template
> would be difficult to implement, I think maybe it's better to encourage
> YAML-style arguments like this:
>
> - name: generic-users | Make sure all groups are present
>   group:
>     name: "{{ item.name }}"
>     system: "{{ item.system|default('no') }}"
>     gid: "{{ item.gid|default_omit }}"
>     state: present
>   with_items: genericusers_groups
>
> And for default_omit, maybe it can return a random nonce generated by the
> system (so that an attacker cannot inject this value to remove an
> argument), like this:
>
> __omit_place_holder_8843d7f92416211de9ebb963ff4ce28125932878__
>
> And when Ansible sees this value for an argument, it simply removes the key
> from the arguments instead of passing it down to the module.
>
> But anyway, these are just some thoughts. The more important thing is that
> I would like to know, at this moment, how I can solve the "gid cannot be
> omitted" issue. Is there any workaround? There are so many modules; if you
> give an argument there, it means you want to change that thing, and there
> is no not_set value.
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/bd0bf141-b33a-4f65-b6fd-3c2066be3c2e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
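The mechanism Victor sketches above, worked through as an added example that is not part of either message and not Ansible's own code: a per-run random placeholder that a `default(omit)` expression renders to and that the runner strips before the module sees the arguments, next to the "a variable inserted a new parameter" check the error message refers to. Everything in it is constructed for illustration: the tiny templater only understands `{{ var }}` and `{{ var|default(x) }}` (written without spaces inside the braces, or quoted), `parse_kv`, `build_module_args`, `OMIT` and the sample group list are all assumptions, and the check is a simplified model, not the exact logic of the patched release.

```python
"""Toy model of an 'omit this argument' placeholder for key=value module args.

Constructed example, not Ansible's implementation. It shows three things:
  * a per-run random nonce as the "omit" value, so a variable an attacker
    controls cannot be made to equal it and silently drop an argument;
  * why unquoted variables are dangerous: a value containing '=' becomes
    a new parameter, which the hardened check refuses;
  * the stripping step that removes omitted arguments before the module.
"""
import re
import secrets
import shlex

# Fresh placeholder every run (assumption: regenerated per playbook run).
OMIT = "__omit_place_holder_%s__" % secrets.token_hex(20)

# Matches {{name}} or {{name|default(x)}}; 'name' may be dotted (item.gid).
EXPR_RE = re.compile(
    r"\{\{\s*([A-Za-z_][\w.]*)\s*(?:\|\s*default\(\s*([^)]*?)\s*\))?\s*\}\}"
)


def lookup(dotted, variables):
    """Resolve 'item.gid' through nested dicts; KeyError if any part is missing."""
    cur = variables
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return cur


def render(template, variables):
    """Substitute each expression; default(omit) yields this run's nonce."""
    def repl(match):
        name, default = match.group(1), match.group(2)
        try:
            return str(lookup(name, variables))
        except KeyError:
            if default is None:
                raise                      # undefined and no default: hard error
            if default == "omit":
                return OMIT                # stripped later by build_module_args
            return default.strip("'\"")    # literal default such as 'no'
    return EXPR_RE.sub(repl, template)


def parse_kv(line):
    """Split 'a=1 b="x y"' into a dict; shlex keeps quoted spaces and '=' inside a value."""
    args = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("not a key=value token: %r" % token)
        args[key] = value
    return args


def build_module_args(raw_line, variables):
    """Template a module-args line the way a hardened runner might (simplified model).

    Parameter names are fixed by the untemplated line; any name that only
    appears after rendering was smuggled in by a variable and is refused.
    Arguments whose rendered value is the OMIT nonce are dropped.
    """
    expected = set(parse_kv(raw_line))
    rendered = parse_kv(render(raw_line, variables))
    extra = set(rendered) - expected
    if extra:
        raise ValueError(
            "A variable inserted a new parameter into the module args: %s"
            % ", ".join(sorted(extra)))
    return {k: v for k, v in rendered.items() if v != OMIT}


def demo():
    """The generic-users case: gid is passed only for groups that define it."""
    line = ('name="{{item.name}}" system="{{item.system|default(\'no\')}}" '
            'gid="{{item.gid|default(omit)}}" state=present')
    groups = [{"name": "deploy", "gid": 1500}, {"name": "web"}]   # constructed data
    return [build_module_args(line, {"item": g}) for g in groups]


def injection_refused(quoted):
    """Unquoted, a value with '=' creates a new parameter and is refused (None);
    quoted, the same value stays a plain string."""
    expr = '"{{item.name}}"' if quoted else "{{item.name}}"
    variables = {"item": {"name": "web system=yes"}}               # attacker-chosen value
    try:
        return build_module_args("name=%s state=present" % expr, variables)
    except ValueError:
        return None


def guessed_placeholder_is_kept():
    """A value that merely looks like the placeholder does not match the nonce,
    so the argument is still passed to the module."""
    line = 'name="{{item.name}}" password="{{item.password|default(omit)}}"'
    variables = {"item": {"name": "web", "password": "__omit_place_holder_0000__"}}
    return build_module_args(line, variables)


if __name__ == "__main__":
    print(demo())
    print(injection_refused(quoted=False), injection_refused(quoted=True))
    print(guessed_placeholder_is_kept())
```

The nonce is what makes the stripping step safe: with a fixed sentinel string, anyone who can influence a variable's value (an inventory file, a fact reported by a host) could drop, say, a password or a state=absent argument; with a value that is unpredictable per run, only a template that really rendered `default(omit)` produces it.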