Toshio,
Thanks for your answer. Yes, we came up with the same conclusion: to use PKI to avoid exposing a user.
Thank you!

On Thursday, October 2, 2014 5:09:00 PM UTC+2, tkuratomi wrote:
>
> Provided I understand you correctly, this is how users, accounts, and
> permissions work on Unix-like systems. It's nothing special to ansible.
>
> 1) You give one user's credentials to a system and the system then
> executes commands as that user. This is what happens when you ssh into a
> box. You would not expect to present your username and ssh private key to
> a machine and then be able to run commands as me.
>
> 2) Once logged in, the system contains a few commands that let you run
> commands as a different user. This is what sudo is doing. From your
> account you could run sudo -u toshio whoami and if sudo is configured to
> give you that access, it lets you run whoami as my account. Similarly,
> sudo whoami is asking sudo to run the command as the root account and if
> sudo is configured to do so, it will do that.
>
> If the system were to let you connect as one user but then run commands as
> a different user without going through a defined facility like su or sudo
> it would entirely defeat the purpose of permissions and separate accounts.
> Any user with an account on the box would be able to access the files of
> other users and run commands that performed root actions on the box.
>
> So when ansible connects to a box with a sudo user specified it first
> connects to the box with your credentials, the system then allows ansible
> to perform actions on your behalf. Ansible then runs the equivalent of
> sudo -u SUDOUSER command to perform that command as the user you
> specified. Sudo reads its configuration to determine if you are allowed to
> run that command as SUDOUSER. If so, the system runs the command as
> SUDOUSER and ansible returns success to you.
>
> This is all rooted in the standard unix permission model and supported by
> standard unix utilities. Ansible doesn't do anything outside of this model.
> Now it sounds like what you may want to achieve is having a user account
> foo on your main box use ansible to run commands on another box as user
> account bar. You have sudo on the other box configured to allow the bar
> account to run administrative commands.
>
> To do that you need foo to ssh to the other box using the bar user's
> credentials (usually username and a private key whose public key is listed
> in bar's .ssh/authorized_keys file.) In most cases this is best
> accomplished by adding the foo user's public key to the bar user's
> .ssh/authorized_keys file on the remote machine. Then setting the ansible
> ssh user to bar.
>
> Hope that helps explain where confusion about what's going on is occurring,
>
> -toshio
>
> On Oct 2, 2014 2:21 AM, "Andreas Calvo" <[email protected]> wrote:
>
>> Yes, but as for the sudo limitation (or scope), the user connected is the
>> one invoking the sudo commands (even if they will be run as a different
>> user than root).
>> So, at the end, and I might be a little paranoid here, the same user
>> you're connecting will be invoking the sudo commands.
>>
>> To the end, how's ansible invoking the sudo command when an alternative
>> sudo user has been specified?
>>
>> On Wednesday, October 1, 2014 2:15:42 PM UTC+2, Michael DeHaan wrote:
>>>
>>> The user you connect as, and sudo to, are both separately configurable.
>>>
>>> On Wed, Oct 1, 2014 at 6:23 AM, Andreas Calvo <[email protected]>
>>> wrote:
>>>
>>>> Thanks!
>>>>
>>>> Having the same user to do the connection and run sudo does not seem a
>>>> good fit.
>>>> And SU is not an option since the password cannot be stored in the
>>>> inventory file.
>>>>
>>>> On Tuesday, September 30, 2014 7:36:40 PM UTC+2, tkuratomi wrote:
>>>>>
>>>>> On Tue, Sep 30, 2014 at 11:41 AM, Andreas Calvo
>>>>> <[email protected]> wrote:
>>>>> > Michael,
>>>>> > Sure!
>>>>> >
>>>>> > The goal is to be able to separate the user that connects to the
>>>>> > server from the user that runs privileged commands (even if using sudo).
>>>>> > If ssh user is different than sudo user, does it imply that sudo
>>>>> > commands will be executed as sudo --user?
>>>>> >
>>>>>
>>>>> Are you meaning like this?
>>>>>
>>>>> $ ansible localhost -a whoami
>>>>> localhost | success | rc=0 >>
>>>>> badger
>>>>>
>>>>> $ ansible localhost -a whoami -K --sudo
>>>>> sudo password:
>>>>> localhost | success | rc=0 >>
>>>>> root
>>>>>
>>>>> $ ansible localhost -a whoami -K --sudo -U testuser
>>>>> sudo password:
>>>>> localhost | success | rc=0 >>
>>>>> testuser
>>>>>
>>>>> In a playbook, that looks something like:
>>>>>
>>>>> $ cat test.yml
>>>>> - hosts: localhost
>>>>>   sudo: yes
>>>>>   tasks:
>>>>>     - command: whoami
>>>>>       register: output
>>>>>     - debug: var=output
>>>>>
>>>>> $ ansible-playbook test.yml -K
>>>>>
>>>>> Docs for this are at:
>>>>> http://docs.ansible.com/playbooks_intro.html#hosts-and-users
>>>>>
>>>>> -Toshio
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2dc7e230-b528-49c3-b1b9-1516681bb53d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
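The arrangement the thread converges on (log in as one unprivileged account over SSH with a key, escalate to a different account through sudo, and let sudoers decide whether that is allowed) written out as an added example; it is not code from the thread or from the Ansible project. The host name, the accounts foo, bar and admin, the key path and the sudoers rule are all assumptions for illustration, using the Ansible 1.x keywords (sudo, sudo_user, ansible_ssh_user) that the thread itself uses:

```yaml
# Added example, not from the thread. Host, account names, key path and
# sudoers rule are assumptions.
#
# Inventory entry for this example (INI hosts file):
#   [web]
#   web1.example.com ansible_ssh_user=bar ansible_ssh_private_key_file=~/.ssh/foo_to_bar
#
# On web1.example.com: the public half of ~/.ssh/foo_to_bar (owned by foo on
# the control machine) is appended to ~bar/.ssh/authorized_keys, and
# /etc/sudoers.d/bar (checked with "visudo -cf /etc/sudoers.d/bar") holds:
#   bar ALL=(admin) NOPASSWD: ALL
# The rule names admin as the only target user, so "sudo -u root" from bar
# is still refused even though the command list is ALL.
- hosts: web
  remote_user: bar        # the account ansible authenticates as over SSH (key, no password)
  sudo: yes               # every task below is run through sudo ...
  sudo_user: admin        # ... as "sudo -u admin", not as root
  tasks:
    - command: /usr/bin/whoami
      register: output
    - debug: var=output.stdout
```

Two caveats worth knowing before trusting the sudoers rule. First, the command list is ALL rather than a single binary because Ansible does not hand sudo the bare command: it escalates a shell that executes the copied module file, so a rule restricted to /usr/bin/whoami is refused and the play fails with a sudo error. Restricting what bar can become (the parenthesised admin) is where the actual boundary lives. Second, because the rule is NOPASSWD, the play is run without -K; with a rule that requires a password, -K is needed and the password typed is bar's, since bar is the account invoking sudo, which is the scope limitation Andreas points out above.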
