I'm not sure I agree with that. With our admins, we have ssh with key +
sudo with a password. With this setup (running ansible as a deploy user to
deploy a web app), the only protection I have is the ssh key.
Is there a good reason the ansible user can't be restricted to specific
commands via sudo?
On Tuesday, March 22, 2016 at 12:51:22 PM UTC-4, Uditha Desilva wrote:
>
> It's no more a security role than allowing your sysadmins to su to root...
>
> On Monday, 21 March 2016 18:28:21 UTC, Matt Calhoun wrote:
>>
>> Is there really no way to give the ansible user specific sudo NOPASSWD
>> privileges? This seems like a huge security hole!
>>
>> On Monday, March 21, 2016 at 9:24:31 AM UTC-4, selvam vasu wrote:
>>>
>>> Hi,
>>> I am a newbie to ansible. You can see it easily from this dumb
>>> question.
>>> I have limited access to one user (selvam) which can run limited commands
>>> using the sudo option.
>>> My sudoers file looks like below.
>>>
>>> selvam ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/apt-get
>>>
>>> I have tried to install an apt package on a remote machine using ansible
>>> playbooks as the selvam user with the sudo option.
>>>
>>> Here are the playbook file contents.
>>>
>>> playbook.yml
>>> ---
>>> - hosts: host1
>>>   remote_user: selvam
>>>   tasks:
>>>     - name: users package
>>>       apt: name={{ item }} state=latest
>>>       become: yes
>>>       with_items:
>>>         - nginx
>>>
>>> But the problem is that when I run this playbook, I get the error
>>> "Missing become password". I need to install the package without a password.
>>>
>>> When I run the command below manually from my ansible host, it works
>>> fine without a password. How can I accomplish the same through an ansible
>>> playbook?
>>>
>>> [selvam@host1] $ ssh host1 sudo -u root apt-get install nginx
>>>
>>> Ansible version:
>>> *******************
>>>
>>> $ ansible-playbook --version
>>> ansible-playbook 1.9.4
>>> configured module search path = None
>>>
>>> Let me know where I have to modify my configs.
>>>
>>> Thanks in Advance.
>>>
>>
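
Added example, not part of the thread and not the Ansible project's own code: with `become: yes` Ansible runs the module's payload through a shell under sudo instead of executing `/usr/bin/apt-get` itself, so a sudoers rule that lists only specific binaries does not match and sudo asks for a password. One way to stay inside the sudoers rule posted in the question is to call the whitelisted binaries directly with `sudo -n`, assuming the host, user and paths from the original post:

```yaml
---
# Added example: uses only the two binaries allowed by the sudoers rule in
# the question, without `become`. Host, user and paths come from the post.
- hosts: host1
  remote_user: selvam
  tasks:
    # Fail early if sudo would prompt for the exact command line used below.
    # -n never prompts; -l only checks the policy and runs nothing.
    - name: check that sudoers permits apt-get without a password
      command: sudo -n -l /usr/bin/apt-get -y install nginx
      changed_when: false

    # dpkg -s needs no privileges; it exits non-zero for an unknown package,
    # so the exit status is ignored and only stdout is inspected.
    - name: read current nginx package state
      command: dpkg -s nginx
      register: pkg
      changed_when: false
      failed_when: false

    # Full path so the command line matches the sudoers entry exactly.
    - name: install nginx through the whitelisted apt-get
      command: sudo -n /usr/bin/apt-get -y install nginx
      when: "'Status: install ok installed' not in pkg.stdout"

    - name: start nginx through the whitelisted service command
      command: sudo -n /usr/sbin/service nginx start
```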