Thank you Brian and Toshio for your replies. Thanks Toshio for your detailed reply.
I did not realise that it is the ansible command can be run from the Ansible server as a non-root user. I had been setting up a sudo entry for the Ansible commands. However, that is not where my confusion with the use of sudo. Thanks. On Friday, 16 January 2015 23:31:48 UTC, tkuratomi wrote: > > On Fri, Jan 16, 2015 at 10:11 AM, Stuart Budd <[email protected] > <javascript:>> wrote: > > I do not think that this is right. The sudo does not work for the first > > example. > > > > Is there any documentation please for basic Ansible user configuration > for > > initiating Ansible instructions between a local and remote server using > > several different user examples. > > > > This is not something that I have been able to find. It is easy if using > the > > same user accounts and particularly just root but confusing if using > several > > accounts. > > > I had a couple replies in this thread that I think eventually helped > explain this: > https://groups.google.com/forum/#!search/toshio$20rew$20sudo/ansible-project/LkNe-hZKbwg/ZZ4NfZ9wFm4J > > > Let me see if I can help out here with the same sort of information. > The concepts aren't very complex but if you've already spent some time > on it and gotten confused then chances are that you've got some ideas > of how it works that aren't matching with what's really happening and > that's why the confusion exists. Get rid of those extraneous concepts > and then hopefully will become clear :-) > > > > > > On Friday, 16 January 2015 17:59:52 UTC, Stuart Budd wrote: > >> > >> Thanks for your reply, taking the first example, > >> > The first thing to understand is that when doing ansible --sudo > ansible is dealing with three accounts: > > (1) The local user > (2) The remote user that you ssh into the box as > (3) The user that you sudo to on the remote box > > Ansible does not natively deal with more than these three accounts. > As I go through your examples, I'll comment on which of these three > users are being used in your examples. In some cases, I think that > you'll see that you were assuming that ansible had a fourth user in > addition to these three and that's what's leading to the confusion. > > >> first example > >> ========= > >> logs in as foo and runs command as bar (uses foo's privlege to sudo to > >> bar) > >> ansible_ssh_user=foo > >> ansible_sudo_user=bar > >> > >> > >> ansible server server1 > >> --------------------- ----------- > >> foo --> ssh --> foo > >> bar > >> > > Up to here, what your specifying is something that ansible handles. > > (1) Local user running /usr/bin/ansible is foo > (2) Remote user is an account on the remote box which is also named foo > (3) sudoing to a third account which is named bar in order to run your > commands > > So far so good :-) > > >> The Ansible session is initiated on the Ansible server as user root. ( > or > >> should I use foo ? ) > > Here you try to bring in a fourh account, though. You're trying to > bring in the root account on the remote machine. This is not one of > the three accounts we listed in the first section. So it's not an > account that you're telling ansible to deal with. If you want the > root account to be used on the remote machine, you need to substitute > it for account (2) or account (3) above. The most common case of > using ansible with sudo is to have root be the account used for (3). > > >> Ansible uses user foo for the SSH session between the Ansible server > and > >> the remote server, server1 > >> > > This is both correct and an over simplification. When talking about > the connection between the two servers we're really talking about two > accounts. One the local server, we have account (1) which is named > foo. On the remote server we have account(2) which is also named foo. > Despite these two accounts having the same name, they are separate > accounts. The local account (1) has an ssh public key/private key > pair. The public key in this pair has to be in the remote > account(2)'s ~/.ssh/authorized_keys file. So in this example, it's > more accurate to say: > > "Ansible uses local user foo on the Ansible server to create an SSH > conenction to the remote user foo on the remote server, server1." > > > >> On server1, user foo is given access to run commands as user bar via > the > >> /etc/suders file > >> > >> /etc/sudoers > >> ----------------------------------------------- > >> foo ALL=(bar) NOPASSWD: ALL > >> > >> > > <nod> So the setup you talk about in this example means that when > ansible runs commands on server1 using --sudo, those commands are run > as the bar user on server1. If things were setup this way, I'd expect > that you'd see the following: > > <foo@ansible-server> $ ansible server1 --sudo -m command -a 'whoami' > server1 | success | rc=0 >> > bar > > >> > >> Second example > >> ============ > >> logs in as foo and runs commands as foo user (this is actually a sudo > >> noop) > >> ansible_ssh_user=foo > >> ansible_sudo_user=foo > >> > >> > >> ansible server server1 > >> --------------------- ----------- > >> foo --> ssh --> foo > >> > > So in this example: > (1) Local user running /usr/bin/ansible is foo > (2) Remote user is an account on the remote box which is also named foo > (3) sudoing will sudo to the remote account foo. Which as you say is a > no-op. > > >> The Ansible session is initiated on the Ansible server as user root. > >> Ansible uses user foo for the SSH session between the Ansible server > and > >> the remote server, server1 > >> > Same two comments about these statements as in Example 1. > > >> On server1, user foo runs commands on server1 > >> > Correct. > > >> No changed to the /etc/suders file are required. > >> > This may not be correct depending on how /etc/sudoers is setup to > begin with and what you're actually doing with ansible. At least on > my Fedora21 system, sudo has to be configured to allow sudo execution > of a command: > > <[email protected]> $ sudo -u testuser /bin/bash > <[email protected]> $ sudo -u testuser whoami > testuser is not in the sudoers file. This incident will be reported. > > testuser hasn't been configured in the /etc/sudoers file so testuser > isn't allowed to use sudo *even though it's sudo'ing to its own > account*. > > So if your server1 is similarly configured, I'd expect the following > ansible command to return an error: ansible server1 --sudo -m command > -a 'whoami' > > OTOH, as you say, this is a sudo no-op. So you can achieve the same > thing without ansible attempting to use sudo. So I'd expect that this > equivalent command would work: ansible server1 -m command -a 'whoami' > > >> > >> > >> Third example > >> ========== > >> logs in as foo and runs commands as root user (for this you need to > modify > >> the sudoers) > >> ansible_ssh_user=foo > >> ansible_sudo_user=root > >> > >> > >> ansible server server1 > >> --------------------- ----------- > >> foo --> ssh --> foo > >> root > >> > > So in this case we have: > (1) Local user running /usr/bin/ansible is foo > (2) Remote user is an account on the remote box which is also named foo > (3) sudoing will sudo to the remote account root. Which is user 0 and > has all privileges > > Note that this is the most common way that people run ansible with sudo. > > >> The Ansible session is initiated on the Ansible server as user root. > >> Ansible uses user foo for the SSH session between the Ansible server > and > >> the remote server, server1 > >> > Same comments for these two as the previous examples. > > >> On server1, user foo runs commands on server1 as the root user. > >> > >> /etc/sudoers > >> ----------------------------------------------- > >> foo ALL=(ALL) NOPASSWD: ALL > >> > >> > >> Do I have this right now? > > yep, this is correct. > > >> Is this documented anywhere. I have looked for something like this but > can > >> not find it. > > I don't believe so. The reason is likely that none of this is > terribly ansible-specific. It's just a simple automating of ssh and > sudo. ie: if you don't modify ansible.cfg or otherwise set an > ansible_sudo_user or ansible_ssh_user, ansible is basically > automating the following: > > <foo@ansible-server> $ ssh foo@server1 > > Welcome to server1 > > <foo@server1> $ sudo -u root whoami > root > <foo@server1> $ exit > > (equivalent to ansible server1 -m command -a 'whoami' --sudo ) > > > Hope that helps you understand things. > -Toshio > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f06e25a2-552d-4a6e-90b5-f11d2080efc1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
