playbook without hosts described


Veera

Aug 7, 2019, 12:55:02 PM
to Ansible Project
Hi,

Is there a way that we can use a playbook with no "hosts: XXX" defined.
All the servers are available in the inventory file defined in the ansible.cfg, but the playbooks have to be run based on a single or multiple client on the ad-hoc request based.

Is there a way to remove

hosts: all

and have the same playbook working for security reasons?
In the meantime when a play is to be executed in all the clients they have to be mentioned from the command line (or jenkins)


Kai Stian Olstad

Aug 7, 2019, 1:37:16 PM
to ansible...@googlegroups.com
On 07.08.2019 18:55, Veera wrote:
> Hi,
>
> Is there a way that we can use a playbook with no "hosts: XXX" defined.

No, hosts is a required attribute for a play.


> All the servers are available in the inventory file defined in the
> ansible.cfg , but the playbooks have to be run based on a single or
> multiple client on the ad-hoc request based.

You can always set hosts: all and use the --limit to only run on some hosts.


> Is there a way to remove
>
>
> hosts: all
>
>
> and have the same playbook working for security reasons ?

I don't understand what you mean by "for security reasons".


> In the meantime when a play is to be executed in all the clients they have
> to be mentioned from the command line(or jenkins)

You can use a variable for hosts and set it with extra vars on the command line

- hosts: '{{ myvar }}'

ansible-playbook pb.yml -e myvar=all


--
Kai Stian Olstad

Veera

Aug 7, 2019, 9:53:39 PM
to Ansible Project
Hi Kai,

Thanks for the inputs.

"for security reasons" - I mean that we have disabled gather_facts for better performance. And we want other users to play the playbook with access to the same inventory.
I am looking for a way to avoid them running "ansible-playbook pb.yml -e myvar=all" and to always use "myvar=hostname."

Is there a way to stop a particular user to stop using "myvar=all" based on inventory or other modes?

J

Aug 8, 2019, 2:34:48 AM
to ansible...@googlegroups.com, J
Hi,

you could start with a task running against the localhost doing `jinja2`
magic and see, if `myvar=!al` and then run the next task with
```
hosts: "{{ myvar}}"
```

Greets
J

Kai Stian Olstad

Aug 8, 2019, 3:12:47 AM
to ansible...@googlegroups.com
On 08.08.2019 03:53, Veera wrote:
> Hi kai,
>
> Thanks for the inputs.
>
> "for security reasons". - I mean that we have disabled gather_facts for
> better performance. And we want other users to play the playbook with
> access to the same inventory .
> I am looking for a way to avoid them running "ansible-playbook pb.yml -e
> myvar=all" and to always use "myvar=hostname."
>
> is there a way to stop a particular user to stop using " myvar=all" based
> on inventory or other modes?

You could use this
hosts: '{{ "" if myvar == "all" else myvar }}'

If myvar is all, hosts becomes an empty string and that is not allowed and Ansible will fail.

But this is easily defeated by adding a comma at the end: myvar=all,
To fix that you would need to use the search/regex[1] test and craft an appropriate regexp for this.


[1] https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings


--
Kai Stian Olstad
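
The trailing-comma bypass and the stricter test suggested in the post above, as an added example that is not from any poster in this thread. Ansible's string tests use Python regular expressions, so the same pattern can be reused in a playbook condition. The inventory hostnames and function names are assumptions made for the illustration.

```python
import re

# Constructed sample inventory for this example; hostnames are placeholders.
INVENTORY_HOSTS = frozenset({"web01", "web02", "db01"})

# A single plain hostname: letters, digits, dots and hyphens only.
_HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
# One or more hostnames separated by single commas, nothing else.
_HOST_LIST = re.compile(rf"{_HOST}(?:,{_HOST})*")


def naive_check(myvar):
    """Equality test from the thread: refuses only the exact string 'all'."""
    return myvar != "all"


def strict_check(myvar, inventory_hosts=INVENTORY_HOSTS):
    """Accept only a comma-separated list of hostnames found in the inventory."""
    # fullmatch anchors both ends, so a trailing comma or newline is refused.
    if not isinstance(myvar, str) or not _HOST_LIST.fullmatch(myvar):
        return False
    # Membership in the host list also refuses group names such as "all".
    return all(host in inventory_hosts for host in myvar.split(","))


def compare(values):
    """Return (value, naive result, strict result) for each candidate."""
    return [(v, naive_check(v), strict_check(v)) for v in values]


if __name__ == "__main__":
    for value, naive, strict in compare(["web01", "web01,db01", "all", "all,"]):
        print(f"{value!r:14} naive={naive!s:5} strict={strict}")
```
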

Brian Coca

Aug 8, 2019, 1:34:20 PM
to Ansible Project
Ansible is not designed to limit users in this way, you want something
like tower/awx that can limit access to what users execute.


--
----------
Brian Coca

Kai Stian Olstad

Aug 8, 2019, 1:36:19 PM
to ansible...@googlegroups.com
On 08.08.2019 19:33, Brian Coca wrote:
> Ansible is not designed to limit users in this way, you want something
> like tower/awx that can limit access to what users execute.

But it works so I don't see a problem.


--
Kai Stian Olstad

Brian Coca

Aug 8, 2019, 1:37:31 PM
to Ansible Project
It's easy to bypass, if it is a security issue, they should really look
at something that uses RBAC.


--
----------
Brian Coca