If that's all you really need, invoke it via a "command" stanza with a passwordless sudo. Problem solved.
On Tuesday, 22 March 2016 18:46:35 UTC, Matt Calhoun wrote:
> Sure, except that I am running Ansible on an unattended deployment box (Jenkins) in this case vs. real humans running interactively in the case of my admins.
>
> I'm trying to follow a policy of least privilege and grant the user only the rights to restart the nginx server as root (needs it to access port 443) since that's the only thing the user needs to do that requires privilege escalation.
>
> I'm wondering why this can't be accomplished with Ansible? It seems like having to allow the deploy user to run any command (rather than just the one needed to restart the service) creates a potential security hole if that user's key is compromised. Am I missing something here?
>
> On Tue, Mar 22, 2016 at 2:37 PM, Brian Coca <[email protected]> wrote:
>> You can use Ansible + sudo + sudo password; you end up with the exact same security.
>>
>> ----------
>> Brian Coca
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/daae1f78-adfc-4d4a-9df0-f5faedb7dfec%40googlegroups.com.
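Worked example of the "command stanza plus passwordless sudo" approach from the reply above. This is an added example, not code posted in the thread or shipped by Ansible. It assumes a systemd host with systemctl at /bin/systemctl, an unprivileged account named "deploy" that Jenkins logs in as, a host group named "web", and an admin account that can already become root; adjust names and paths to your environment. The point that makes this work where plain `become: yes` does not: Ansible's become wraps every task in a `sudo ... /bin/sh -c '...'` invocation, so a sudoers rule limited to `/bin/systemctl restart nginx` never matches it and you end up having to grant `/bin/sh` (i.e. everything). Calling sudo explicitly from the `command` module (which does not go through a shell) hands sudo exactly the argv the rule names.

```yaml
# Added example (not from the original thread). Assumptions: systemd host,
# /bin/systemctl, deploy user "deploy", host group "web", admin with root via become.
---
# Play 1: run once by an admin with full sudo. Grants the deploy user exactly one
# privileged command. visudo validates the fragment before it is moved into place,
# so a syntax error cannot break sudo for everyone on the box.
- name: Grant deploy a single NOPASSWD command
  hosts: web
  become: yes
  tasks:
    - name: Install restricted sudoers fragment
      copy:
        dest: /etc/sudoers.d/deploy-nginx
        owner: root
        group: root
        mode: "0440"
        validate: "/usr/sbin/visudo -cf %s"
        content: |
          # Exact path and exact arguments: "restart nginx" only.
          # "sudo /bin/systemctl stop nginx" or any other command is denied.
          deploy ALL=(root) NOPASSWD: /bin/systemctl restart nginx
          # Some distributions ship "Defaults requiretty"; an unattended Jenkins
          # run has no tty, so exempt this one user from it.
          Defaults:deploy !requiretty

# Play 2: the Jenkins deploy job, logging in as the deploy user. Note: no "become"
# anywhere. With become, Ansible would run "sudo ... /bin/sh -c '...'", which the
# rule above rejects. The command module passes argv straight to sudo, so sudo
# sees exactly "/bin/systemctl restart nginx" and the rule matches.
- name: Restart nginx with the least-privilege rule
  hosts: web
  remote_user: deploy
  tasks:
    - name: Sanity check, fails if the rule is missing or too narrow
      # "sudo -l <command>" exits 1 when the policy would not permit the command;
      # -n makes sudo fail instead of prompting for a password.
      command: sudo -n -l /bin/systemctl restart nginx
      changed_when: false

    - name: Restart nginx via the restricted sudo rule
      command: sudo -n /bin/systemctl restart nginx
```

Run the first play with the admin credentials and the second with the deploy user's key. If that key is later compromised, the attacker gets the ability to restart nginx and nothing else from sudo; the sanity-check task also doubles as a quick audit that the rule has not drifted into something broader.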
