I'm sorry, you can't define sudo access to do specific commands this way.
On Sat, Apr 26, 2014 at 2:45 PM, Jacob Weber <[email protected]> wrote:
> Sorry to bring up this old thread again, but I'm running into the same issue as Phil.
>
> I'd like to have a user that has sudo access to restart Apache but not, say, delete it.
>
> How do people typically handle this? Is it possible to create users that can run ansible modules like "service" as sudo, without having sudo rights to run every command?
>
> Or is the expectation that Ansible should have full sudo access?
>
> JW
>
> On Tuesday, November 19, 2013 7:59:22 PM UTC-8, Michael DeHaan wrote:
>> "sudo is often configured to only allow certain commands to run via sudo"
>>
>> Correct, this is not how ansible works.
>>
>> We simply don't invoke chown, modules are reusable pieces of code and we don't require them to be preinstalled.
>>
>> On Mon, Nov 18, 2013 at 2:06 PM, Phil Franks <[email protected]> wrote:
>>> Sorry to be digging up an old thread. I ran into this issue too and the issue is not always simply a sudo/password/-K issue.
>>>
>>> sudo is often configured to only allow certain commands to run via sudo. For example, a developer that may restart a web service, but not administer the rest of the system. After tracing logs, I believe ansible does not support this.
>>>
>>> For example, sudo is configured with the following authorisation:
>>> *%tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart*
>>>
>>> *User runs 'sudo service tomcat7 restart' in a shell directly:*
>>> ==> /var/log/auth.log <==
>>> Nov 18 18:49:46 host sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
>>> Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
>>> Nov 18 18:49:52 host sudo: pam_unix(sudo:session): session closed for user root
>>>
>>> *Ansible playbook task service: name=tomcat7 state=restarted:*
>>> ==> /var/log/auth.log <==
>>> Nov 18 18:48:54 host sudo: username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python <snip>
>>>
>>> The ansible call is wrapped and sudo called using /bin/sh which sudo does not allow.
>>>
>>> Is there a workaround for this, other than granting the user sudo access to everything?
>>>
>>> On Thursday, September 26, 2013 12:52:37 AM UTC+1, Michael DeHaan wrote:
>>>> Always why I prefer long form options every time :)
>>>>
>>>> On Wed, Sep 25, 2013 at 4:40 PM, James Cammarata <[email protected]> wrote:
>>>>> It does, because sudo may not be passwordless. Using -k is for ssh, -K is for sudo.
>>>>>
>>>>> On Wed, Sep 25, 2013 at 3:38 PM, Samnang Sen <[email protected]> wrote:
>>>>>> But I thought if I'm using passwordless SSH it shouldn't matter?
>>>>>>
>>>>>> On Wednesday, September 25, 2013 2:52:11 PM UTC-4, Samnang Sen wrote:
>>>>>>> Looks like I'm stuck here ...
>>>>>>>
>>>>>>> <oqn-01-web1> ESTABLISH CONNECTION FOR USER: deployment on PORT 22 TO oqn-01-web1
>>>>>>> <oqn-01-web1> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && chmod a+rx $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && echo $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680'
>>>>>>> <oqn-01-web1> REMOTE_MODULE command /sbin/service httpd restart
>>>>>>> <oqn-01-web1> PUT /tmp/tmppxQ9cr TO /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command
>>>>>>> <oqn-01-web1> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gjnesgjnrperpmifmojteiocwhyyfsrj] password: " -u root /bin/sh -c '"'"'/usr/bin/python /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command; rm -rf /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/ >/dev/null 2>&1'"'"''
>>>>>>>
>>>>>>> On Wednesday, September 25, 2013 2:49:56 PM UTC-4, Walid Shaari wrote:
>>>>>>>> which connection transport are you using? did you try different ones, and try to use the new -vvvv option to debug ssh connections
>>>>>>>>
>>>>>>>> On 25 September 2013 21:37, Samnang Sen <[email protected]> wrote:
>>>>>>>>> This hangs and I have to kill the process. I don't want to use -K since I'd rather use passwordless ssh.
>>>>>>>>>
>>>>>>>>> # ansible -i hosts webserver1 -m shell -a "/sbin/service httpd restart" --sudo
>>>>>>>>>
>>>>>>>>> Now, if I pass the sudo command via the shell, it works just fine.
>>>>>>>>>
>>>>>>>>> # ansible -i hosts webserver1 -m shell -a "sudo /sbin/service httpd restart"
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>>
>>>>> --
>>>>> James Cammarata <[email protected]>
>>>>> Sr. Software Engineer, AnsibleWorks, Inc.
>>>>> http://www.ansibleworks.com/
>>>>
>>>> --
>>>> Michael DeHaan <[email protected]>
>>>> CTO, AnsibleWorks, Inc.
>>>> http://www.ansibleworks.com/
>>
>> --
>> Michael DeHaan <[email protected]>
>> CTO, AnsibleWorks, Inc.
>> http://www.ansibleworks.com/
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f1d0cb31-1631-44b5-b4ae-bf0d41bec087%40googlegroups.com

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzwe1arohJ%3Dzt1OT_hdoH%3DvuCDs9Hsa5mDs1PKgcT0Smg%40mail.gmail.com.
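The auth.log entries Phil quotes show why a per-command sudoers rule and Ansible's sudo wrapper do not mix: sudo matches the whole command line, and the wrapper's command line is `/bin/sh -c ...`, not `/usr/sbin/service tomcat7 restart`. The following is an added example, not code from the thread or from Ansible: it parses sudo's auth.log entries, builds the allowlist from a sudoers line of the simple form shown above, and flags sudo invocations that ran a shell with `-c` (the wrapper form) so an administrator can see which hosts and users depend on unrestricted sudo. The sample rule and log lines are constructed to mirror the ones in the thread; the sudoers parser handles only that simple form (no aliases, wildcards or multiple rules).

```python
import re

# Constructed sudoers rule and /var/log/auth.log lines, modelled on the ones Phil quotes above.
SUDOERS_RULE = "%tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart"
AUTH_LOG = """\
Nov 18 18:49:46 host sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Nov 18 18:48:54 host sudo: username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-constructedkey0123456789abcdef; /usr/bin/python /home/username/.ansible/tmp/command
Nov 18 18:50:10 host sudo: username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 stop
"""

# Fields of a sudo command entry; pam_unix session open/close lines have no COMMAND= and are skipped.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Interpreters that, when sudo runs them with -c, execute whatever command line the caller supplied.
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

def allowed_commands(sudoers_rule):
    """Command specs the rule permits, as sudo matches them: the text after the tag's colon,
    comma-separated. Only the simple single-rule form used in the thread is handled."""
    spec = sudoers_rule.split(":", 1)[1]
    return {c.strip() for c in spec.split(",") if c.strip()}

def classify(cmd, allowed):
    """'allowed' if the full command line equals a permitted spec; 'shell-wrapper' if sudo ran
    a shell with -c (the Ansible wrapper form, which a per-command rule cannot match); else 'other'."""
    if cmd in allowed:
        return "allowed"
    argv = cmd.split()
    if argv and argv[0] in SHELL_INTERPRETERS and "-c" in argv[1:]:
        return "shell-wrapper"
    return "other"

def audit(log_text, sudoers_rule):
    """Return (user, target_user, command, verdict) for every sudo command entry in the log."""
    allowed = allowed_commands(sudoers_rule)
    results = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if m:
            results.append((m["user"], m["target"], m["cmd"], classify(m["cmd"], allowed)))
    return results

if __name__ == "__main__":
    for user, target, cmd, verdict in audit(AUTH_LOG, SUDOERS_RULE):
        print(f"{verdict:14} {user} -> {target}: {cmd}")
```

Run against a real auth.log, every `shell-wrapper` verdict is an Ansible-style sudo that only works because the calling user holds broader sudo rights than the rule in the thread grants.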
