"But I'm starting to think that Ansible is not great at running with less than full root access."
To be clear, it's absolutely just fine with sudo or logging in as specific non-root users directly as well, you just can't use sudoers to limit execution to specific commands.

On Sat, Apr 26, 2014 at 9:56 PM, Jacob Weber <[email protected]> wrote:

> Thanks for both of your replies. But I'm starting to think that Ansible is
> not great at running with less than full root access. Particularly since it
> wraps commands in its own scripts, so you can't easily use sudoers to let
> users run a limited set of commands.
>
> So I'm leaning more toward having Ansible only run with full root access.
> Then I can write some little wrapper scripts that call Ansible with
> specific options, and allow my less-privileged users to run these scripts
> using sudo. That should limit the damage they can do with Ansible, while
> still allowing them to run it for certain tasks.
>
> JW
>
> On Friday, April 25, 2014 1:53:43 PM UTC-7, Michael DeHaan wrote:
>
>> "Would I need to set sudo=no on the playbook, and then sudo=yes on each
>> task that needs it?"
>>
>> This is quite reasonable.
>>
>> (sudo: no, not sudo=no, BTW)
>>
>> On Fri, Apr 25, 2014 at 12:31 PM, Adam Morris <[email protected]> wrote:
>>
>>> The simple solution is to not put sudo=anything in the playbook. Those
>>> users needing to run with sudo can use command line flags to turn that on...
>>>
>>> It sounds like you have two separate sets of tasks... So why not use a
>>> pair of roles?
>>>
>>> If you have split your playbooks up into individual tasks you can
>>> include some or all of them into separate playbooks.
>>>
>>> I have several different roles and some top level playbooks that include
>>> some but not others... I hope that this helps.
>>>
>>> Adam
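
The wrapper-script approach described in the thread above could look like this on the Ansible control machine. This is an added example, not code from the thread or from the Ansible project; the file paths, the `deployers` group, the playbook and group names, and the sudoers rule shown in the comment are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a root-owned wrapper on the control host.
# Every path and name below is an assumption. Hypothetical sudoers rule (visudo):
#   %deployers ALL=(root) NOPASSWD: /usr/local/sbin/ansible-run
# sudoers then grants one command; the wrapper decides what Ansible may do.
ANSIBLE=/usr/bin/ansible-playbook
INVENTORY=/etc/ansible/hosts
PLAYBOOK_DIR=/etc/ansible/playbooks          # must be writable by root only
ALLOWED_PLAYBOOKS="restart-app deploy-app"   # tasks delegated to these users
ALLOWED_LIMITS="webservers staging"          # inventory groups they may target

# in_list WORD LIST: succeed only if WORD equals one whole item of LIST.
in_list() {
    for item in $2; do
        if [ "$item" = "$1" ]; then return 0; fi
    done
    return 1
}

# build_cmd PLAYBOOK GROUP: print the fixed command line, or fail.
# Exactly two arguments are accepted, so callers cannot pass through
# options such as --extra-vars or a different inventory.
build_cmd() {
    [ "$#" -eq 2 ] || return 64
    in_list "$1" "$ALLOWED_PLAYBOOKS" || return 77
    in_list "$2" "$ALLOWED_LIMITS" || return 77
    printf '%s\n' "$ANSIBLE -i $INVENTORY --limit $2 $PLAYBOOK_DIR/$1.yml"
}

main() {
    cmd=$(build_cmd "$@") || {
        echo "usage: ansible-run <playbook> <group>" >&2
        exit 64
    }
    # Ansible also reads ansible.cfg from the current directory, so leave
    # whatever directory the caller was in.
    cd / || exit 1
    # Start from an empty environment so the caller's ANSIBLE_* variables
    # (ANSIBLE_CONFIG and friends) cannot redirect the run.
    # $cmd is split on spaces on purpose: every token is a constant from
    # this file or an allowlisted word.
    exec env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin HOME=/root $cmd
}

# Run only when arguments are given, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Users would then run `sudo /usr/local/sbin/ansible-run restart-app webservers`; anything outside the two allowlists is refused before Ansible starts.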
