discourage hexdigits in password lookup (#73106)

* actually add new docs

* Update lib/ansible/plugins/lookup/password.py

Co-authored-by: Sandra McCann <samccann@redhat.com>
Brian Coca 2021-01-05 15:03:27 -05:00 committed by GitHub
parent e0c75a6756
commit de3844cba9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 1 deletions

@ -0,0 +1,2 @@
minor_changes:
- Discourage the use of 'hexdigits' in password lookup, as it distorts expected entropy.

@ -40,6 +40,8 @@ DOCUMENTATION = """
- 'By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9 and punctuation (". , : - _").' - 'By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9 and punctuation (". , : - _").'
- "They can be either parts of Python's string module attributes (ascii_letters,digits, etc) or are used literally ( :, -)." - "They can be either parts of Python's string module attributes (ascii_letters,digits, etc) or are used literally ( :, -)."
- "Other valid values include 'ascii_lowercase', 'ascii_uppercase', 'digits', 'hexdigits', 'octdigits', 'printable', 'punctuation' and 'whitespace'." - "Other valid values include 'ascii_lowercase', 'ascii_uppercase', 'digits', 'hexdigits', 'octdigits', 'printable', 'punctuation' and 'whitespace'."
- Be aware that Python's 'hexdigits' includes lower and upper case version of a-f, so it is not a good choice as it doubles
the chances of those values for systems that won't distinguish case, distorting the expected entropy.
- "To enter comma use two commas ',,' somewhere - preferably at the end. Quotes and double quotes are not supported." - "To enter comma use two commas ',,' somewhere - preferably at the end. Quotes and double quotes are not supported."
type: string type: string
length: length:
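Review bot: the added "Be aware" item limits the problem to systems that won't distinguish case, but the example this commit edits combined hexdigits with ascii_letters and digits, which already contain every hex character. The description should say whether characters repeated across several chars sets are weighted more heavily in the generated password, because that skew would apply on case-sensitive systems too. The item is also the only unquoted, two-line entry in this description list; quoting it like its neighbours and writing "lower and upper case versions" would keep the block consistent.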
@ -83,7 +85,7 @@ EXAMPLES = """
- name: create a mysql user with a random password using many different char sets - name: create a mysql user with a random password using many different char sets
mysql_user: mysql_user:
name: "{{ client }}" name: "{{ client }}"
password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,hexdigits,punctuation') }}" password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits,punctuation') }}"
priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL" priv: "{{ client }}_{{ tier }}_{{ role }}.*:ALL"
- name: create lowercase 8 character name for Kubernetes pod name - name: create lowercase 8 character name for Kubernetes pod name
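Review bot: the updated password line in this example still stores the generated secret at '/tmp/passwordfile', a fixed file name in a shared temporary directory. Since the line is being changed for password-strength reasons anyway, consider pointing it at a location private to the play, for instance a credentials/ directory next to the playbook, so the example does not model writing secrets under /tmp.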