Salt: Feature request: add option to hide output from cmd module state return data

Created on 3 Feb 2016 · 14 Comments · Source: saltstack/salt

I found issue #19479... I seem to be having the same problem. This isn't my finest work, but here's the SLS:

    echo "{{ create_admin_cmd }}" | {{ dir }}/manage-wrapper.sh shell && touch {{ dir }}/.admin:
      cmd.run:
        - creates: {{ dir }}/.admin
        - output_loglevel: quiet
        - quiet: True

It's logged as follows:

    2016-02-03 00:16:41,469 [salt.state][INFO][23000] Completed state [echo "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'REMOVED', 'REMOVED')" | /mnt/cabot/manage-wrapper.sh shell && touch /mnt/cabot/.admin] at time 00:16:41.468493

The minions and master are running v2015.8.3. Please let me know if I can provide more info that would help.

Labels: Feature, Platform, State Module, ZRELEASED - 2018.3.0, fixed-pending-your-verification

All 14 comments

@cmclaughlin, thanks for the report. What happens when you run the state like this:

    django-auth-models:
      cmd.run:
        - name: echo "{{ create_admin_cmd }}" | {{ dir }}/manage-wrapper.sh shell && touch {{ dir }}/.admin
        - creates: {{ dir }}/.admin
        - output_loglevel: quiet
        - quiet: True

When you combine the name and id, salt will report the single value in the log to record that the state succeeded. If you want to hide the command run from the log, you will need to use a separate name and id. For further explanation, see the documentation on highstate data format.

@jfindlay thanks for the suggestion. The password is still logged. Here's my change and resulting log in case I'm missing something...

Code:

    django-auth-models:
      cmd.run:
        - name: echo "{{ create_admin_cmd }}" | {{ dir }}/manage-wrapper.sh shell && touch {{ dir }}/.admin
        - creates: {{ dir }}/.admin
        - output_loglevel: quiet
        - quiet: True

Logs:

    2016-02-04 00:32:25,138 [salt.state                                                ][INFO    ][28047] Running state [echo "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'REMOVED', 'REMOVED')" | /mnt/cabot/manage-wrapper.sh shell && touch /mnt/cabot/.admin] at time 00:32:25.138359
    2016-02-04 00:32:25,139 [salt.state                                                ][INFO    ][28047] Executing state cmd.run for echo "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'REMOVED', 'REMOVED')" | /mnt/cabot/manage-wrapper.sh shell && touch /mnt/cabot/.admin
    2016-02-04 00:32:25,139 [salt.state                                                ][INFO    ][28047] /mnt/cabot/.admin exists
    2016-02-04 00:32:25,139 [salt.state                                                ][INFO    ][28047] Completed state [echo "from django.contrib.auth.models import User; User.objects.create_superuser('admin', 'REMOVED', 'REMOVED')" | /mnt/cabot/manage-wrapper.sh shell && touch /mnt/cabot/.admin] at time 00:32:25.139211

@cmclaughlin, thanks for the extra information. I can confirm that the INFO log is showing name data.

sls

    jmoney-main ~ master # cat /srv/salt/test.sls
    django-auth-models:
      cmd.run:
        - name: echo secret | wc
        - output_loglevel: quiet
        - quiet: True

command

    jmoney-main ~ master # salt jmoney-main state.apply test
    jmoney-main:
    ----------
              ID: django-auth-models
        Function: cmd.run
            Name: echo secret | wc
          Result: True
         Comment: Command "echo secret | wc" run
         Started: 17:48:25.963892
        Duration: 19.518 ms
         Changes:
                  ----------
                  pid:
                      16488
                  retcode:
                      0
                  stderr:
                  stdout:
                            1       1       7

    Summary for jmoney-main
    ------------
    Succeeded: 1 (changed=1)
    Failed:    0
    ------------
    Total states run:     1
    Total run time:  19.518 ms

logs

    # minion log
    [INFO    ] User root Executing command state.apply with jid 20160203174825759783
    [DEBUG   ] Command details {'tgt_type': 'glob', 'jid': '20160203174825759783', 'tgt': 'jmoney-main', 'ret': '', 'user': 'root', 'arg': ['test'], 'fun': 'state.apply'}
    [INFO    ] Starting a new job with PID 16482
    [DEBUG   ] LazyLoaded state.apply
    [DEBUG   ] LazyLoaded saltutil.is_running
    [DEBUG   ] LazyLoaded grains.get
    [DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506', 'aes')
    [DEBUG   ] Initializing new SAuth for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506')
    [DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506', 'aes')
    [DEBUG   ] Initializing new SAuth for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506')
    [DEBUG   ] Loaded minion key: /etc/salt/pki/minion/minion.pem
    [INFO    ] Loading fresh modules for state activity
    [DEBUG   ] LazyLoaded jinja.render
    [DEBUG   ] LazyLoaded yaml.render
    [DEBUG   ] In saltenv 'base', looking at rel_path u'test.sls' to resolve u'salt://test.sls'
    [DEBUG   ] In saltenv 'base', ** considering ** path u'/var/cache/salt/minion/files/base/test.sls' to resolve u'salt://test.sls'
    [INFO    ] Fetching file from saltenv 'base', ** skipped ** latest already in cache u'salt://test.sls'
    [DEBUG   ] compile template: /var/cache/salt/minion/files/base/test.sls
    [DEBUG   ] Jinja search path: ['/var/cache/salt/minion/files/base']
    [PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/test.sls' using 'jinja' renderer: 0.00494885444641
    [DEBUG   ] Rendered data from file: /var/cache/salt/minion/files/base/test.sls:
    django-auth-models:
      cmd.run:
        - name: echo secret | wc
        - output_loglevel: quiet
        - quiet: True

    [DEBUG   ] LazyLoaded config.get
    [DEBUG   ] Results of YAML rendering:
    OrderedDict([('django-auth-models', OrderedDict([('cmd.run', [OrderedDict([('name', 'echo secret | wc')]), OrderedDict([('output_loglevel', 'quiet')]), OrderedDict([('quiet', True)])])]))])
    [PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/test.sls' using 'yaml' renderer: 0.00334811210632
    [DEBUG   ] LazyLoaded cmd.run
    [INFO    ] Running state [echo secret | wc] at time 17:48:25.963892
    [INFO    ] Executing state cmd.run for echo secret | wc
    [DEBUG   ] LazyLoaded cmd.run_all
    [INFO    ] {'pid': 16488, 'retcode': 0, 'stderr': '', 'stdout': '      1       1       7'}
    [INFO    ] Completed state [echo secret | wc] at time 17:48:25.983410
    [DEBUG   ] File /var/cache/salt/minion/accumulator/140313430907920 does not exist, no need to cleanup.
    [DEBUG   ] Minion return retry timer set to 9 seconds (randomized)
    [INFO    ] Returning information for job: 20160203174825759783
    [DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506', 'aes')
    [DEBUG   ] Initializing new SAuth for ('/etc/salt/pki/minion', 'jmoney-main', 'tcp://127.0.0.1:4506')

Seeing the same issue. Trying to use ceph-authtool without exposing the key I'm using.

As much as I too love logging all my super top secret info, can we get this fixed please? Would be nice to have a 'sensitive' flag much like Chef's that suppresses everything.

https://imgflip.com/i/1ef4i5

Is there a way to completely disable logging on a per-state basis? If not, what would be a good way to disable logging only for, say, cmd.run states on only certain nodes?

Regards,
Brandon

'output_loglevel: quiet' still shows full cmd.run output in version 2016.11.5
Also tried 'quiet: True' with the same result: full cmd.run output shown.

Please provide some way to hide sensitive output from cmd states.
Thank you.

This bug still exists in version 2017.7.1

Do we have a workaround for this issue? Or an ETA for the bug fix?

I have looked into writing a tmp file via file.append. This also logs the file changes.

output_loglevel works exactly how it is intended to work: it suppresses the command being run, as well as the output from that command, from showing up in the minion log. There is definitely a case for suppressing the output from the changes dict, however, when it is set to quiet.

This has been implemented in https://github.com/saltstack/salt/pull/44840.

Is there a bug fix release for this? We have 2017.7.4 and still cannot stop the output of selected sensitive text. Tried all suggested options: hide_output: True, output_loglevel: quiet, quiet: True, etc.
Nothing is preventing the minion command from being output in the master console.

@thetoolsmith, and anybody else running into this. I've had success using cmd.run environment variables. Example:

    cmd.run:
        - name: echo -en "$password\n$password\n" | smbpasswd -s -a backups
        - env:
            - password: {{pillar['samba']['password']}}

output:

          ID: samba
    Function: cmd.run
        Name: echo -en "$password\n$password\n" | smbpasswd -s -a backups
      Result: True
     Comment: Command "echo -en "$password\n$password\n" | smbpasswd -s -a backups" run
     Started: 19:20:11.155744
    Duration: 36.669 ms
     Changes:   
              ----------
              pid:
                  5763
              retcode:
                  0
              stderr:
              stdout:

Also works when the CLI tool doesn't read the password from stdin:

    set new admin password:
      cmd.run:
        - name: grafana-cli admin reset-admin-password $PASSWORD
        - env:
          - PASSWORD: "{{ admin_password }}"
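
A pre-deployment check for the leak discussed in this thread, as an added example that is not from the issue or the Salt project: it flags states whose logged name (the `name` argument, or the ID when `name` is absent) contains a known secret, and finds the same values in minion log lines. The state data, secret value and log lines are constructed samples, and `leaky_states` and `leaky_log_lines` are hypothetical helper names.

```python
import re

# Constructed sample: rendered SLS data in the shape of the "Results of YAML
# rendering" debug line quoted in the thread. The secret is a placeholder.
SECRET = "s3cr3t-placeholder"
RENDERED = {
    "create-admin": {"cmd.run": [
        {"name": "echo \"create_superuser('admin', '%s')\" | manage.sh shell" % SECRET},
        {"output_loglevel": "quiet"},
    ]},
    "samba": {"cmd.run": [
        {"name": 'echo -en "$password\\n$password\\n" | smbpasswd -s -a backups'},
        {"env": [{"password": SECRET}]},
    ]},
    # No name argument: the ID itself is the command and is what gets logged.
    "echo %s | wc" % SECRET: {"cmd.run": [{"quiet": True}]},
}

# Constructed minion log lines in the format quoted in the thread.
LOG = [
    "[INFO    ] Running state [echo %s | wc] at time 17:48:25.963892" % SECRET,
    "[INFO    ] Executing state cmd.run for echo $password | smbpasswd -s -a backups",
    "[DEBUG   ] LazyLoaded cmd.run_all",
]

# The INFO messages that embed the state name, as seen in the logs above.
STATE_LINE = re.compile(r"(Running|Completed) state \[|Executing state \S+ for ")


def leaky_states(rendered, secrets):
    """Return IDs of states whose logged name (name arg, else the ID) holds a secret."""
    hits = []
    for state_id, body in rendered.items():
        for _func, args in body.items():
            merged = {k: v for arg in args if isinstance(arg, dict)
                      for k, v in arg.items()}
            logged = str(merged.get("name", state_id))
            if any(s in logged for s in secrets):
                hits.append(state_id)
    return hits


def leaky_log_lines(lines, secrets):
    """Return indexes of state start/finish log lines that contain a secret."""
    return [i for i, line in enumerate(lines)
            if STATE_LINE.search(line) and any(s in line for s in secrets)]


if __name__ == "__main__":
    print(leaky_states(RENDERED, [SECRET]))
    print(leaky_log_lines(LOG, [SECRET]))
```

Moving the value into `env` keeps it out of the state name that Salt logs, which is why the `samba` state passes the check. When the variable is expanded onto an external command's argument list, as with `grafana-cli ... $PASSWORD` above, the value is still visible in the process list while the command runs.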