Provided I understand you correctly, this is how users, accounts, and permissions work on Unix-like systems. It's nothing special to ansible.

1) You give one user's credentials to a system and the system then executes commands as that user. This is what happens when you ssh into a box. You would not expect to present your username and ssh private key to a machine and then be able to run commands as me.

2) Once logged in, the system contains a few commands that let you run commands as a different user. This is what sudo is doing. From your account you could run sudo -u toshio whoami and if sudo is configured to give you that access, it lets you run whoami as my account. Similarly, sudo whoami is asking sudo to run the command as the root account and if sudo is configured to do so, it will do that.

If the system were to let you connect as one user but then run commands as a different user without going through a defined facility like su or sudo it would entirely defeat the purpose of permissions and separate accounts. Any user with an account on the box would be able to access the files of other users and run commands that performed root actions on the box.

So when ansible connects to a box with a sudo user specified it first connects to the box with your credentials, the system then allows ansible to perform actions on your behalf. Ansible then runs the equivalent of sudo -u SUDOUSER command to perform that command as the user you specified. Sudo reads its configuration to determine if you are allowed to run that command as SUDOUSER. If so, the system runs the command as SUDOUSER and ansible returns success to you. This is all rooted in the standard unix permission model and supported by standard unix utilities. Ansible doesn't do anything outside of this model.

Now it sounds like what you may want to achieve is having a user account foo on your main box use ansible to run commands on another box as user account bar. You have sudo on the other box configured to allow the bar account to run administrative commands.

To do that you need foo to ssh to the other box using the bar user's credentials (usually username and a private key whose public key is listed in bar's .ssh/authorized_keys file.) In most cases this is best accomplished by adding the foo user's public key to the bar user's .ssh/authorized_keys file on the remote machine. Then setting the ansible ssh user to bar.

Hope that helps explain where confusion about what's going on is occurring,

-toshio

On Oct 2, 2014 2:21 AM, "Andreas Calvo" <[email protected]> wrote:
> Yes, but as for the sudo limitation (or scope), the user connected is the
> one invoking the sudo commands (even if they will be run as a different
> user than root).
> So, at the end, and I might be a little paranoid here, the same user
> you're connecting will be invoking the sudo commands.
>
> To the end, how's ansible invoking the sudo command when an alternative
> sudo user has been specified?
>
> On Wednesday, October 1, 2014 2:15:42 PM UTC+2, Michael DeHaan wrote:
>>
>> The user you connect as, and sudo to, are both separately configurable.
>>
>> On Wed, Oct 1, 2014 at 6:23 AM, Andreas Calvo <[email protected]> wrote:
>>
>>> Thanks!
>>>
>>> Having the same user to do the connection and run sudo does not seem a
>>> good fit.
>>> And SU is not an option since the password cannot be stored in the
>>> inventory file.
>>>
>>> On Tuesday, September 30, 2014 7:36:40 PM UTC+2, tkuratomi wrote:
>>>>
>>>> On Tue, Sep 30, 2014 at 11:41 AM, Andreas Calvo
>>>> <[email protected]> wrote:
>>>> > Michael,
>>>> > Sure!
>>>> >
>>>> > The goal is to be able to separate the user that connects to the
>>>> server from
>>>> > the user that runs privileged commands (even if using sudo).
>>>> > If ssh user is different than sudo user, does it imply that sudo
>>>> commands
>>>> > will be executed as sudo --user?
>>>> >
>>>>
>>>> Are you meaning like this?
>>>>
>>>> $ ansible localhost -a whoami
>>>> localhost | success | rc=0 >>
>>>> badger
>>>>
>>>> $ ansible localhost -a whoami -K --sudo
>>>> sudo password:
>>>> localhost | success | rc=0 >>
>>>> root
>>>>
>>>> $ ansible localhost -a whoami -K --sudo -U testuser
>>>> sudo password:
>>>> localhost | success | rc=0 >>
>>>> testuser
>>>>
>>>> In a playbook, that looks something like:
>>>>
>>>> $ cat test.yml
>>>> - hosts: localhost
>>>>   sudo: yes
>>>>   tasks:
>>>>   - command: whoami
>>>>     register: output
>>>>   - debug: var=output
>>>>
>>>> $ ansible-playbook test.yml -K
>>>>
>>>> Docs for this are at:
>>>> http://docs.ansible.com/playbooks_intro.html#hosts-and-users
>>>>
>>>> -Toshio
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/c8f6aca4-e755-4c93-99d7-e2bd2487b06b%40googlegroups.com
>>> For more options, visit https://groups.google.com/d/optout.
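Putting the foo-connects-as-bar setup that toshio describes into a playbook, as an added example that is not part of the thread or of Ansible's own documentation. It uses the 1.x-era keywords the thread discusses (remote_user, sudo, sudo_user); the host name, inventory file, the testuser account and the sudoers rule are all assumptions. The one caveat a practitioner should know: Ansible does not run the module binary directly under sudo, it runs `sudo -u <user> /bin/sh -c '...'`, so a sudoers rule that whitelists individual commands will not match and the task will fail.

```yaml
# test_sudo_user.yml -- added example, not code from the thread.
#
# Assumed inventory (hosts.ini, constructed for this example):
#   [web]
#   web1.example.com ansible_ssh_user=bar
#
# Assumed on web1.example.com:
#   - foo's public key is in ~bar/.ssh/authorized_keys
#   - /etc/sudoers grants bar the right to become root, e.g.
#       bar ALL=(root) NOPASSWD: ALL
#     (Ansible wraps every module in `sudo -u <user> /bin/sh -c '...'`,
#      so a rule restricted to specific binaries will not match.)
#   - a local account named testuser exists (assumption)
#
# Run with:  ansible-playbook -i hosts.ini test_sudo_user.yml
# Add -K if the sudoers rule is not NOPASSWD.
- hosts: web
  remote_user: bar          # the account the ssh connection authenticates as
  sudo: yes                 # run tasks through sudo ...
  sudo_user: root           # ... as this account (root is also the default)
  tasks:
    - name: show who the ssh connection authenticated as
      command: whoami
      sudo: no              # task-level override: no sudo for this one task
      register: ssh_user

    - name: show who sudo ran this task as
      command: whoami
      register: sudo_user_out

    - debug: msg="connected as {{ ssh_user.stdout }}, sudo ran as {{ sudo_user_out.stdout }}"

    - name: run a single task as a third account (assumed to exist)
      command: whoami
      sudo_user: testuser   # equivalent of the -U testuser flag in the thread
      register: third
      failed_when: third.stdout != "testuser"
```

The first task prints bar, the second root, the last testuser; whether each sudo step succeeds is decided entirely by sudoers on the remote box, exactly as in toshio's description. On Ansible 1.9 and later the same play is written with `become`, `become_user` and the inventory variable `ansible_user`, but the model is unchanged.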
