I want to execute Ant with the verbose option but I don't want the arguments passed into the Exec task to be displayed in situations where they are sensitive (i.e. user/password).
An example is where there's a connection to a database:
<exec executable="/bin/sh" failonerror="true">
<arg line="/opt/blah/blah/bin/frmcmp_batch.sh Module=blah Userid=username/mypassword@blah Module_Type=blah"/>
</exec>
I don't want the arguments (specifically "Userid=username/mypassword@blah" showing up in the log).
What is the best way to hide/secure the arguments?
Currently I'm using the following workaround (described here) to hide "mypassword" but I was wondering if there's a more elegant solution?
build.xml
<?xml version="1.0" encoding="UTF-8"?>
<project default="test">
<target name="test" depends="">
<echo message="Testing..."/>
<echo message="Turning verbose off... you should NOT see the arguments..."/>
<script language="javascript">
var logger = project.getBuildListeners().firstElement();
// 2 works to turn off verbose
logger.setMessageOutputLevel(2);
</script>
<exec dir="." executable="cmd">
<arg line="/c dummy.bat mypassword"/>
</exec>
<echo message="Turning verbose on... you should see the arguments..."/>
<script language="javascript">
var logger = project.getBuildListeners().firstElement();
// 3 works to turn verbose back on
logger.setMessageOutputLevel(3);
</script>
<exec dir="." executable="cmd">
<arg line="/c dummy.bat mypassword"/>
</exec>
</target>
</project>
dummy.bat
@echo off
echo dummy
Output
test:
[echo] Testing...
[echo] Turning verbose off... you should NOT see the arguments...
[exec] dummy
[echo] Turning verbose on... you should see the arguments...
[exec] Current OS is Windows XP
[exec] Executing 'cmd' with arguments:
[exec] '/c'
[exec] 'dummy.bat'
[exec] 'mypassword'
[exec]
[exec] The ' characters around the executable and arguments are
[exec] not part of the command.
[exec] dummy
Best way to secure the password is not to use one :-) The following answer describes how to setup an SSH key:
- Ant, download fileset from remote machine
The ANT sshexec command supports a "keyfile" attribute.
Update
Ahhh, scripting sudo can be a royal pain.
Here are solutions which have worked for me in the past.
- Configure the user to not require a password. See "sudoers" file. In our setup we grant this special access to users in an admin user group. (See Ant build.xml requires user input, but Eclipse has no tty)
- Use SSH :-) Logging into the local machine is a perfectly valid way to automate a process. Enables us to use SSH keys to control access and possible to restrict the commands a user runs (via little known features of the authorized_keys file)
- Use an automation tool like rundeck. It has useful support for sudo built in. Passwords can be configured as options that are specified at runtime (GUI) but not saved anywhere. There is a command-line and REST API available for invoking jobs. This solution is possibly least useful, but I mention it because it's such a useful tool for automating operations tasks.
It seems you're concerned about the password appearing in a log file? My fixation is to never write my password down or hard-code it within a script....
