Sorry to bring up this old thread again, but I'm running into the same 
issue as Phil.

I'd like to have a user that has sudo access to restart Apache but not, 
say, delete it.

How do people typically handle this? Is it possible to create users that 
can run ansible modules like "service" as sudo, without having sudo rights 
to run every command?

Or is the expectation that Ansible should have full sudo access?

JW



On Tuesday, November 19, 2013 7:59:22 PM UTC-8, Michael DeHaan wrote:
>
> "sudo is often configured to only allow certain commands to run via sudo"
>
> Correct, this is not how ansible works.
>
> We simply don't invoke chown, modules are reusable pieces of code and we 
> don't require them to be preinstalled.
>
>
>
>
> On Mon, Nov 18, 2013 at 2:06 PM, Phil Franks <[email protected]> wrote:
>
>> Sorry to be digging up an old thread. I ran into this issue too and the 
>> issue is not always simply a sudo/password/-K issue.
>>
>> sudo is often configured to only allow certain commands to run via sudo. 
>> For example, a developer that may restart a web service, but not administer 
>> the rest of the system.  After tracing logs, I believe ansible does not 
>> support this.
>>
>> For example, sudo is configured with the following authorisation:
>> %tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart
>>
>>
>> User runs 'sudo service tomcat7 restart' in a shell directly:
>> ==> /var/log/auth.log <==
>> Nov 18 18:49:46 host sudo:  username : TTY=pts/0 ; PWD=/home/username ; 
>> USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
>> Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for 
>> user root by username(uid=0)
>> Nov 18 18:49:52 host sudo: pam_unix(sudo:session): session closed for 
>> user root
>>
>> Ansible playbook task service: name=tomcat7 state=restarted:
>> ==> /var/log/auth.log <==
>> Nov 18 18:48:54 host sudo:  username : TTY=pts/6 ; PWD=/home/username ; 
>> USER=root ; COMMAND=/bin/sh -c echo 
>> SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python <snip>
>>
>> The ansible call is wrapped and sudo called using /bin/sh which sudo does 
>> not allow.
>>
>> Is there a workaround for this, other than granting the user sudo access 
>> to everything?
>>
>>
>>
>> On Thursday, September 26, 2013 12:52:37 AM UTC+1, Michael DeHaan wrote:
>>
>>> Always why I prefer long form options every time :)
>>>
>>>
>>>
>>>
>>> On Wed, Sep 25, 2013 at 4:40 PM, James Cammarata <
>>> [email protected]> wrote:
>>>
>>>> It does, because sudo may not be passwordless. Using -k is for ssh, -K 
>>>> is for sudo.
>>>>  
>>>>
>>>> On Wed, Sep 25, 2013 at 3:38 PM, Samnang Sen <[email protected]> wrote:
>>>>
>>>>> But I thought if I'm using passwordless SSH it shouldn't matter?
>>>>>
>>>>>
>>>>> On Wednesday, September 25, 2013 2:52:11 PM UTC-4, Samnang Sen wrote:
>>>>>>
>>>>>> Looks like I'm stuck here ...
>>>>>>
>>>>>> <oqn-01-web1> ESTABLISH CONNECTION FOR USER: deployment on PORT 22 TO 
>>>>>> oqn-01-web1
>>>>>> <oqn-01-web1> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-
>>>>>> 1380135044.57-157834591122680 && chmod a+rx 
>>>>>> $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && echo 
>>>>>> $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680'
>>>>>> <oqn-01-web1> REMOTE_MODULE command /sbin/service httpd restart
>>>>>> <oqn-01-web1> PUT /tmp/tmppxQ9cr TO /home/deploy/.ansible/tmp/ansi
>>>>>> ble-1380135044.57-157834591122680/command
>>>>>>  <oqn-01-web1> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via 
>>>>>> ansible, key=gjnesgjnrperpmifmojteiocwhyyfsrj] password: " -u root 
>>>>>> /bin/sh -c '"'"'/usr/bin/python /home/deploy/.ansible/tmp/ansi
>>>>>> ble-1380135044.57-157834591122680/command; rm -rf 
>>>>>> /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/ 
>>>>>> >/dev/null 2>&1'"'"''
>>>>>>
>>>>>>
>>>>>> On Wednesday, September 25, 2013 2:49:56 PM UTC-4, Walid Shaari wrote:
>>>>>>>
>>>>>>> which connection transport are you using? did you try different 
>>>>>>> ones, and try to use the new -vvvv option to debug ssh connections
>>>>>>>
>>>>>>>
>>>>>>> On 25 September 2013 21:37, Samnang Sen <[email protected]> wrote:
>>>>>>>
>>>>>>>> This hangs and I have to kill the process. I don't want to use -K 
>>>>>>>> since I'd rather use passwordless ssh.
>>>>>>>>
>>>>>>>> # ansible -i hosts webserver1 -m shell -a "/sbin/service httpd 
>>>>>>>> restart" --sudo
>>>>>>>>
>>>>>>>> Now, if I pass the sudo command via the shell, it works just fine.
>>>>>>>>
>>>>>>>> # ansible -i hosts webserver1 -m shell -a "sudo /sbin/service httpd 
>>>>>>>> restart"
>>>>>>>>  
>>>>>>>> -- 
>>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>>> Groups "Ansible Project" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>> send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>>
>>>> James Cammarata <[email protected]>
>>>>
>>>> Sr. Software Engineer, AnsibleWorks, Inc.
>>>> http://www.ansibleworks.com/ 
>>>>
>>>>
>>>
>>>
>>>
>>> -- 
>>> Michael DeHaan <[email protected]>
>>>
>>> CTO, AnsibleWorks, Inc.
>>> http://www.ansibleworks.com/
>>>
>>
>
>
>
> -- 
> Michael DeHaan <[email protected]>
> CTO, AnsibleWorks, Inc.
> http://www.ansibleworks.com/
>
>  

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/f1d0cb31-1631-44b5-b4ae-bf0d41bec087%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
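The two auth.log entries Phil quoted make the mechanics concrete: sudoers matches the literal command line it is handed, and Ansible hands it `/bin/sh -c ...` rather than `/usr/sbin/service tomcat7 restart`. The checker below is an added example, not code from this thread or from Ansible: it parses sudo's `COMMAND=` log lines (the sample is the thread's own two entries, embedded here as constructed input) and evaluates each against the quoted sudoers rule as an exact-match allowlist. The `shell wrapper` heuristic and the allowlist representation are assumptions for illustration; real sudoers matching also considers user, host and target-user fields that this snippet ignores.

```python
import re

# Constructed sample: the two /var/log/auth.log entries quoted in the thread,
# one from a direct "sudo service tomcat7 restart" and one from the Ansible
# service module (the python invocation is elided as <snip> in the original).
AUTH_LOG = """\
Nov 18 18:49:46 host sudo:  username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Nov 18 18:49:52 host sudo: pam_unix(sudo:session): session closed for user root
Nov 18 18:48:54 host sudo:  username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python <snip>
"""

# The sudoers rule quoted in the thread, reduced to its command allowlist:
#   %tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart
# (assumed representation: a set of exact command lines)
ALLOWED_COMMANDS = {"/usr/sbin/service tomcat7 restart"}

# Fields sudo writes for a command invocation; pam_unix session lines lack
# COMMAND= and are ignored.
SUDO_CMD_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Interpreters that, once permitted, accept arbitrary arguments and so
# defeat a command-restricted rule (assumed list for illustration).
SHELL_WRAPPERS = ("/bin/sh -c", "/bin/bash -c")


def parse_sudo_commands(log_text):
    """Return one dict per sudo COMMAND= line: user, tty, pwd, target, command."""
    entries = []
    for line in log_text.splitlines():
        m = SUDO_CMD_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def matches_allowlist(command, allowed):
    """sudoers compares the executable path plus its full argument list, so
    the match is literal: no prefix, no glob, no inner-command inspection."""
    return command in allowed


def classify(log_text, allowed=ALLOWED_COMMANDS):
    """Label every sudo command in the log as allowed or denied, with a reason."""
    results = []
    for e in parse_sudo_commands(log_text):
        cmd = e["command"]
        if matches_allowlist(cmd, allowed):
            verdict = "allowed"
        elif cmd.startswith(SHELL_WRAPPERS):
            # sudo only ever sees '/bin/sh' here; the service command the
            # playbook meant to run is an argument to the shell, invisible
            # to the rule. The only rule that matches is one allowing the
            # shell itself, which is equivalent to unrestricted sudo.
            verdict = "denied: shell wrapper"
        else:
            verdict = "denied: not in allowlist"
        results.append((e["user"], e["target"], cmd, verdict))
    return results


if __name__ == "__main__":
    for user, target, cmd, verdict in classify(AUTH_LOG):
        print(f"{user} -> {target}: {verdict}\n    {cmd}")
```

Run against the sample, the direct invocation is reported as allowed and the Ansible one as denied with the shell-wrapper reason, which is exactly the behaviour Phil traced. The same parser is useful on the defensive side: a sudo COMMAND= line beginning with a shell interpreter is the pattern to watch for in auth.log when auditing whether command-restricted sudoers rules are actually holding.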
