Ansible Plugin Invoke Playbook - add option to not conceal variables

[atfrench]

What feature do you want to see added?

Please see: #127 Recent security requirements has made the plugin difficult to use. We do not use any variables that need to be concealed. Our variables are filenames and paths. Re-configuration of jobs is difficult now as we cannot see what a concealed variable is set to so that we can edit a variable. A possible solution might be to add a new type of key variable that is not concealed. Or add an option to not conceal a variable.

Thanks,
Adrien.

Upstream changes

No response

[nikos-papantoniou]

+1
We've been using the Ansible plugin to provide extra variables like hostnames, filenames, unique ids etc to reusable playbooks. With this change we are unable to troubleshoot if something is misconfigured because we cannot see the actual values of any variable. If a Jenkins job that utilizes Ansible plugin has quite a few extra variables this becomes nightmarish to reconfigure.

[jonesbusy]

I'm not sure if there is any way to no conceal form field if the values is stored encrypted on jenkins home. The solution is probably to (re)introduce "unsecureVars" stored as plain text.

There was some old PR #22 to convert extra vars to list to work with pipeline generator.

The point is that it open again the plugin to have security advisory (https://www.jenkins.io/security/advisory/2023-05-16/) Advisories are open by Jenkins security teams, not plugin maintainers.

Feel free to contribute if a better solution is found.

[NachoGomezC]

Bumping this request, is very annoying when all extra variables are treated as secrets. Credentials/secrets need to me managed explicitly as such in any other part of the Ansible module, not mixed with the regular extra parameters.

IMHO, mixing all of them is the real security flaw here.

[gilkatz]

Who ever still need to resolve that use extras instead of extraVars, this will keep the variables un conceal