Without sudo, is it possible to manage multiple become users with distinct passwords?


edno...@gmail.com

Feb 9, 2017, 8:58:34 AM2/9/17
to Ansible Project
Apologies in advance if this issue has been answered already.  My searches came up empty.

I have a playbook that uses multiple become users on each host.  I'd like to have the playbook work with whatever become method the caller wants to use.  I know the caller can use connection variables to define per-host become passwords, but is it possible to have passwords defined on a per-host/per-user basis?

Thanks,
Ed


[centos@testing ~]$ cat two_be.yml
---
- hosts: localhost
  tasks:
  - command: whoami
    register: who_is_user1
    become: true
    become_user: user1
  - debug:
      var: who_is_user1.stdout_lines
  - command: whoami
    register: who_is_user2
    become: true
    become_user: user2
  - debug:
      var: who_is_user2.stdout_lines
[centos@testing ~]$ ansible-playbook two_be.yml --become-method=sudo
 [WARNING]: provided hosts list is empty, only localhost is available


PLAY [localhost] ***************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [command] *****************************************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "who_is_user1.stdout_lines": [
        "user1"
    ]
}

TASK [command] *****************************************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "who_is_user2.stdout_lines": [
        "user2"
    ]
}

PLAY RECAP *********************************************************************
localhost                  : ok=5    changed=2    unreachable=0    failed=0

[centos@testing ~]$ ansible-playbook two_be.yml --become-method=su --ask-become-pass
SU password:
 [WARNING]: provided hosts list is empty, only localhost is available


PLAY [localhost] ***************************************************************

TASK [setup] *******************************************************************
ok: [localhost]

TASK [command] *****************************************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "who_is_user1.stdout_lines": [
        "user1"
    ]
}

TASK [command] *****************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "module_stderr": "su: Authentication failure\n", "module_stdout": "", "msg": "MODULE FAILURE"}
        to retry, use: --limit @/home/centos/two_be.retry

PLAY RECAP *********************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=1

[centos@testing ~]$

Johannes Kastl

Feb 9, 2017, 1:02:15 PM2/9/17
to ansible...@googlegroups.com
On 08.02.17 05:10 edno...@gmail.com wrote:
> - hosts: localhost
>   tasks:
>   - command: whoami
>     register: who_is_user1
>     become: true
>     become_user: user1

I think you could set a become_password at this point.
become_password: foobar

Instead of using cleartext it might be better to have this in the
host_vars (maybe encrypted with ansible-vault) and just use the
variable here:

In the file host_vars/host_foo/some.yml:
become_password_for_user_xyz: secret

And then use "become_password: {{ become_password_for_user_xyz }}" in
your playbook.

Untested.

Johannes


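A worked version of the per-host, per-user idea for the `su` case in Ed's playbook, added here as an example and not code from either poster. It uses the real connection variable `ansible_become_pass`, set in task-level `vars:` so each task hands `su` the password of its own target user; the `become_passwords` map and its values are constructed placeholders that would normally live in a vault-encrypted `host_vars` file rather than inline.

```yaml
---
# Added example: one su password per become user, scoped per host.
# The become_passwords map would normally sit in host_vars/<host>/become.yml
# and be protected with `ansible-vault encrypt`; it is inlined here with
# constructed placeholder values so the playbook runs stand-alone.
# Run with:  ansible-playbook two_be_su.yml --become-method=su
- hosts: localhost
  vars:
    become_passwords:            # become user -> that user's own password
      user1: "PLACEHOLDER-user1-password"
      user2: "PLACEHOLDER-user2-password"
  tasks:
    - name: whoami as user1 (su is answered with user1's password)
      command: whoami
      register: who_is_user1
      become: true
      become_user: user1
      vars:
        # ansible_become_pass is the connection variable the become method
        # reads; setting it in task vars limits it to this one task.
        ansible_become_pass: "{{ become_passwords['user1'] }}"
      no_log: true               # keep the password out of task output and logs

    - name: whoami as user2 (a different password from user1's)
      command: whoami
      register: who_is_user2
      become: true
      become_user: user2
      vars:
        ansible_become_pass: "{{ become_passwords['user2'] }}"
      no_log: true

    - debug:
        msg: "{{ who_is_user1.stdout }} / {{ who_is_user2.stdout }}"
```

Note that `su` is challenged with the target user's password while `sudo` is challenged with the connecting user's, so a map keyed by `become_user` only makes sense for `su`; for `sudo` a single `ansible_become_pass` per host (the caller's own) is what the tool expects.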