This has been discussed a few times in prior threads.
Ultimately the proposal was that we would consider making certain flags
automatically removable using something like a token value of {{ omit }}
and the system could prune those values that used this magic variable.
priv={% if x %}{{y}}{% else %}{{ omit }}{% endif %}
Though in the above, it seems you're trying to abstract a module around a
very general purpose role in a slightly non-conventional way. In your
particular usage, it might be better to just have defaults for most of
those settings.
{{ item.flags | default(default_value) }}
etc
On Wed, Jul 30, 2014 at 7:26 PM, Miks Kalniņš <[email protected]>
wrote:
> I have a similar problem and can't really use the workaround.
>
> - name: Create PostgreSQL users
>   sudo: yes
>   sudo_user: postgres
>   postgresql_user: >
>     name={{ item.name }}
>     {% if item.password is defined %} password={{item.password}}{% endif %}
>     {% if item.db is defined %} db={{item.db}}{% endif %}
>     {% if item.priv is defined %} priv={{item.priv}}{% endif %}
>     {% if item.flags is defined %} role_attr_flags={{item.flags}}{% endif %}
>   with_items: postgresql_users
>   tags: [ 'postgresql' ]
>
>
> On Tuesday, 29 July 2014 03:30:42 UTC+3, Victor Lin wrote:
>>
>> I noticed that since the new Ansible with the security patch was released,
>> many of our roles and playbooks are broken. For example, our role depends on
>> this, and it is also broken
>>
>> https://github.com/Ansibles/generic-users/blob/master/tasks/main.yml#L3-L5
>>
>> since it uses if else statements to generate optional arguments like gid.
>> In the latest version of Ansible, it adds new arguments, so it fails to
>> pass the security check, and an error like
>>
>> A variable inserted a new parameter into the module args. Be sure to
>> quote variables if they contain equal signs (for example: "{{var}}").
>>
>> is raised.
>>
>> I tried to modify the way arguments are passed by leveraging the default
>> filter
>>
>> - name: generic-users | Make sure all groups are present
>>   group: >
>>     name="{{ item.name }}"
>>     system="{{ item.system|default('no') }}"
>>     gid="{{ item.gid|default(None) }}"
>>     state=present
>>   with_items: genericusers_groups
>>
>>
>> For the argument "system", there is a value "no" I can use as a default
>> value, no problem at all. But for "gid", I tried to feed it with
>> "default(None)"; the value will be rendered as a string first anyway, so that
>> would be gid=None, and a ValueError is raised. As a result, unavoidably, I need
>> to pass a valid value to gid.
>>
>> I saw some discussion in this issue report:
>> https://github.com/ansible/ansible/issues/8233
>>
>> I understand that for security reasons, if-else statements in playbooks are
>> not welcomed, but the problem is that without if-else statements, I have no idea
>> how to omit arguments without a "do not set anything for this" value. The
>> problem is a little bit like Python's not-set default value: we usually
>> create an object that stands for the not_set value like this
>>
>> NOT_SET = object()
>>
>> def foobar(value=NOT_SET):
>>     pass
>>
>> But in ansible, I didn't see anything like that. Or did I miss something?
>> I think it would be helpful if there is some kind of special filter like
>>
>> - name: generic-users | Make sure all groups are present
>>   group: >
>>     name="{{ item.name }}"
>>     system="{{ item.system|default('no') }}"
>>     gid="{{ item.gid|default_omit }}"
>>     state=present
>>   with_items: genericusers_groups
>>
>> The default_omit filter here omits the "gid" argument if it is not defined.
>> Just an idea. However, since modifying context in a jinja2 template would
>> be difficult to implement, I think maybe it's better to encourage YAML
>> style arguments like this:
>>
>> - name: generic-users | Make sure all groups are present
>>   group:
>>     name: "{{ item.name }}"
>>     system: "{{ item.system|default('no') }}"
>>     gid: "{{ item.gid|default_omit }}"
>>     state: present
>>   with_items: genericusers_groups
>>
>> And for the default_omit, maybe it can return a random nonce generated by
>> the system (so that an attacker cannot inject this value to remove an
>> argument), like this
>>
>> __omit_place_holder_8843d7f92416211de9ebb963ff4ce28125932878__
>>
>> And when Ansible sees this value for an argument, it simply removes the key
>> from the arguments instead of passing it down to the module.
>>
>> But anyway, these are just some thoughts; the more important thing is, I
>> would like to know, at this moment, how can I solve the "gid cannot be
>> omitted" issue? Is there any workaround? There are so many modules there; if
>> you give an argument there, it means you want to change that thing, and
>> there is no not_set value.
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/bd0bf141-b33a-4f65-b6fd-3c2066be3c2e%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/bd0bf141-b33a-4f65-b6fd-3c2066be3c2e%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>
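
Added example, not part of the original thread and not Ansible's own code: a Python sketch of the per-run placeholder idea proposed in the quoted message, where a random token marks an argument for removal and a stale or guessed token is passed through untouched. The names new_omit_token, default_omit, prune_omitted and render_group_args are hypothetical.

```python
"""Sketch of a per-run omit placeholder (all names here are hypothetical)."""
import secrets


class Undefined:
    """Stand-in for a variable the inventory did not define."""


UNDEFINED = Undefined()


def new_omit_token():
    # 160 random bits, regenerated for every run, so variable data written
    # before the run started cannot already contain this run's value.
    return "__omit_place_holder_%s__" % secrets.token_hex(20)


def default_omit(value, omit_token):
    """Hypothetical filter: return a defined value as-is, else the placeholder."""
    return omit_token if value is UNDEFINED else value


def prune_omitted(args, omit_token):
    """Drop every key whose value is exactly this run's placeholder."""
    return {k: v for k, v in args.items() if v != omit_token}


def render_group_args(item, omit_token):
    """Build key/value (YAML-style) args for the group task quoted above."""
    return {
        "name": item["name"],
        "system": item.get("system", "no"),
        "gid": default_omit(item.get("gid", UNDEFINED), omit_token),
        "state": "present",
    }


if __name__ == "__main__":
    token = new_omit_token()
    # Constructed sample items; the last gid reuses the placeholder string
    # quoted in the thread to stand for a value copied from an earlier run.
    items = [
        {"name": "deploy"},
        {"name": "ops", "gid": 1001},
        {"name": "x", "gid": "__omit_place_holder_"
                             "8843d7f92416211de9ebb963ff4ce28125932878__"},
    ]
    for item in items:
        print(prune_omitted(render_group_args(item, token), token))
```

Because the arguments are built as a dictionary, a variable's value can never add a new key; only an exact match with the current run's token removes one.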