On Fri, Jan 16, 2015 at 10:11 AM, Stuart Budd <[email protected]> wrote: > I do not think that this is right. The sudo does not work for the first > example. > > Is there any documentation please for basic Ansible user configuration for > initiating Ansible instructions between a local and remote server using > several different user examples. > > This is not something that I have been able to find. It is easy if using the > same user accounts and particularly just root but confusing if using several > accounts. > I had a couple replies in this thread that I think eventually helped explain this: https://groups.google.com/forum/#!search/toshio$20rew$20sudo/ansible-project/LkNe-hZKbwg/ZZ4NfZ9wFm4J
Let me see if I can help out here with the same sort of information. The concepts aren't very complex but if you've already spent some time on it and gotten confused then chances are that you've got some ideas of how it works that aren't matching with what's really happening and that's why the confusion exists. Get rid of those extraneous concepts and then hopefully will become clear :-) > > On Friday, 16 January 2015 17:59:52 UTC, Stuart Budd wrote: >> >> Thanks for your reply, taking the first example, >> The first thing to understand is that when doing ansible --sudo ansible is dealing with three accounts: (1) The local user (2) The remote user that you ssh into the box as (3) The user that you sudo to on the remote box Ansible does not natively deal with more than these three accounts. As I go through your examples, I'll comment on which of these three users are being used in your examples. In some cases, I think that you'll see that you were assuming that ansible had a fourth user in addition to these three and that's what's leading to the confusion. >> first example >> ========= >> logs in as foo and runs command as bar (uses foo's privlege to sudo to >> bar) >> ansible_ssh_user=foo >> ansible_sudo_user=bar >> >> >> ansible server server1 >> --------------------- ----------- >> foo --> ssh --> foo >> bar >> Up to here, what your specifying is something that ansible handles. (1) Local user running /usr/bin/ansible is foo (2) Remote user is an account on the remote box which is also named foo (3) sudoing to a third account which is named bar in order to run your commands So far so good :-) >> The Ansible session is initiated on the Ansible server as user root. ( or >> should I use foo ? ) Here you try to bring in a fourh account, though. You're trying to bring in the root account on the remote machine. This is not one of the three accounts we listed in the first section. So it's not an account that you're telling ansible to deal with. If you want the root account to be used on the remote machine, you need to substitute it for account (2) or account (3) above. The most common case of using ansible with sudo is to have root be the account used for (3). >> Ansible uses user foo for the SSH session between the Ansible server and >> the remote server, server1 >> This is both correct and an over simplification. When talking about the connection between the two servers we're really talking about two accounts. One the local server, we have account (1) which is named foo. On the remote server we have account(2) which is also named foo. Despite these two accounts having the same name, they are separate accounts. The local account (1) has an ssh public key/private key pair. The public key in this pair has to be in the remote account(2)'s ~/.ssh/authorized_keys file. So in this example, it's more accurate to say: "Ansible uses local user foo on the Ansible server to create an SSH conenction to the remote user foo on the remote server, server1." >> On server1, user foo is given access to run commands as user bar via the >> /etc/suders file >> >> /etc/sudoers >> ----------------------------------------------- >> foo ALL=(bar) NOPASSWD: ALL >> >> <nod> So the setup you talk about in this example means that when ansible runs commands on server1 using --sudo, those commands are run as the bar user on server1. If things were setup this way, I'd expect that you'd see the following: <foo@ansible-server> $ ansible server1 --sudo -m command -a 'whoami' server1 | success | rc=0 >> bar >> >> Second example >> ============ >> logs in as foo and runs commands as foo user (this is actually a sudo >> noop) >> ansible_ssh_user=foo >> ansible_sudo_user=foo >> >> >> ansible server server1 >> --------------------- ----------- >> foo --> ssh --> foo >> So in this example: (1) Local user running /usr/bin/ansible is foo (2) Remote user is an account on the remote box which is also named foo (3) sudoing will sudo to the remote account foo. Which as you say is a no-op. >> The Ansible session is initiated on the Ansible server as user root. >> Ansible uses user foo for the SSH session between the Ansible server and >> the remote server, server1 >> Same two comments about these statements as in Example 1. >> On server1, user foo runs commands on server1 >> Correct. >> No changed to the /etc/suders file are required. >> This may not be correct depending on how /etc/sudoers is setup to begin with and what you're actually doing with ansible. At least on my Fedora21 system, sudo has to be configured to allow sudo execution of a command: <[email protected]> $ sudo -u testuser /bin/bash <[email protected]> $ sudo -u testuser whoami testuser is not in the sudoers file. This incident will be reported. testuser hasn't been configured in the /etc/sudoers file so testuser isn't allowed to use sudo *even though it's sudo'ing to its own account*. So if your server1 is similarly configured, I'd expect the following ansible command to return an error: ansible server1 --sudo -m command -a 'whoami' OTOH, as you say, this is a sudo no-op. So you can achieve the same thing without ansible attempting to use sudo. So I'd expect that this equivalent command would work: ansible server1 -m command -a 'whoami' >> >> >> Third example >> ========== >> logs in as foo and runs commands as root user (for this you need to modify >> the sudoers) >> ansible_ssh_user=foo >> ansible_sudo_user=root >> >> >> ansible server server1 >> --------------------- ----------- >> foo --> ssh --> foo >> root >> So in this case we have: (1) Local user running /usr/bin/ansible is foo (2) Remote user is an account on the remote box which is also named foo (3) sudoing will sudo to the remote account root. Which is user 0 and has all privileges Note that this is the most common way that people run ansible with sudo. >> The Ansible session is initiated on the Ansible server as user root. >> Ansible uses user foo for the SSH session between the Ansible server and >> the remote server, server1 >> Same comments for these two as the previous examples. >> On server1, user foo runs commands on server1 as the root user. >> >> /etc/sudoers >> ----------------------------------------------- >> foo ALL=(ALL) NOPASSWD: ALL >> >> >> Do I have this right now? yep, this is correct. >> Is this documented anywhere. I have looked for something like this but can >> not find it. I don't believe so. The reason is likely that none of this is terribly ansible-specific. It's just a simple automating of ssh and sudo. ie: if you don't modify ansible.cfg or otherwise set an ansible_sudo_user or ansible_ssh_user, ansible is basically automating the following: <foo@ansible-server> $ ssh foo@server1 Welcome to server1 <foo@server1> $ sudo -u root whoami root <foo@server1> $ exit (equivalent to ansible server1 -m command -a 'whoami' --sudo ) Hope that helps you understand things. -Toshio -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAG9juEpc%2B9dzgEoQ%3DBefZuNsw67A08KW9ghKjqGibeHjT2u_5w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
