Sure, except that I am running ansible on an unattended deployment box
(Jenkins) in this case vs real humans running interactively in the case of
my admins.

I'm trying to follow a policy of least privilege and grant the user only
the rights to restart the nginx server as root (needs it to access port
443) since that's the only thing the user needs to do that requires
privilege escalation.

I'm wondering why this can't be accomplished with ansible? It seems like
having to allow the deploy user to run any command (rather than just the
one needed to restart the service) creates a potential security hole if
that user's key is compromised. Am I missing something here?

On Tue, Mar 22, 2016 at 2:37 PM, Brian Coca <[email protected]> wrote:

> you can use ansible + sudo + sudo password, you end up with exact same
> security.
>
>
> ----------
> Brian Coca
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAEw3D2e9QY%2BNy6c-aX9E9MP8GitX%3DQrXfdRsUgvvow9Out2H1w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
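Added example (not part of the thread, and not Ansible's or the author's own code): one way to keep the deploy account limited to a single privileged command. It assumes a systemd host, a deploy account named "deploy", systemctl at /usr/bin/systemctl, and visudo at /usr/sbin/visudo; adjust paths to the target distribution. The sudoers rule is installed once by an admin with full become; the deployment play then calls sudo directly instead of using become. The reason is that Ansible's become runs the module through a shell wrapper (sudo sees "/bin/sh -c ..."), so a sudoers rule that names only systemctl would reject it, and allowing the shell is equivalent to allowing any command, which is the hole the question describes.

```yaml
# Play 1: run by an administrator with full sudo, once.
- name: Install a narrow sudoers rule for the deploy account
  hosts: web
  become: true
  tasks:
    - name: Allow deploy to run exactly one command as root
      copy:
        dest: /etc/sudoers.d/deploy-nginx
        owner: root
        group: root
        mode: "0440"
        # visudo -cf rejects a malformed fragment before it is put in place,
        # so a typo cannot lock everyone out of sudo.
        validate: /usr/sbin/visudo -cf %s
        content: |
          # Full path and fixed arguments, no wildcards: sudo matches the
          # whole command line, so "systemctl restart nginx*" or "ALL" would
          # widen this far beyond a restart.
          deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx

# Play 2: run unattended from Jenkins as the deploy user, no become.
- name: Restart nginx through the narrow rule
  hosts: web
  remote_user: deploy
  become: false
  tasks:
    - name: Restart nginx (sudo -n fails instead of prompting if the rule does not match)
      command: sudo -n /usr/bin/systemctl restart nginx
      changed_when: true
```

If the second play fails with "a password is required", the command line does not match the rule byte for byte; compare `sudo -l` output as the deploy user with the command string in the task before widening the rule.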
