git checkout to new branch and change back to local user


Balaji

Mar 13, 2018, 7:02:03 AM
to Ansible Project
Hello All,

Please help to find answers for two questions.

1) 
I am trying to clone a remote git repo, which I am able to do with the git module, but does anyone know how I can run

git checkout -b new branch <username_>
git-crypt unlock

using the git module or any other means? (I can use "command") but is there any other better way?

2) I know how to make Ansible ssh to a remote host,

become_method = sudo
become_user = name
create a file
set owner = name

but how do I achieve the following once the owner is set on the remote host:

return back to the local (control) host,

become a local user,
create a file,
set owner.


Thanks,

Patrick Hunt

Mar 13, 2018, 10:35:27 AM
to Ansible Project
I can help to address #2 at least for now.

Ansible does not allow you to chain "Become" statements.  In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play.  You could address this in a few different ways that I know of:

- split the play into multiple plays within a playbook where you can set the become for each different play:

---
- hosts: localhost
  become: true
  become_user: root
  become_method: su
  tasks:
    - name: some play performed as root
      command: whoami   # placeholder task

- hosts: localhost
  become: true
  become_user: user2
  become_method: su
  tasks:
    - name: some other play performed as user2
      command: whoami   # placeholder task

- hosts: localhost
  become: false
  tasks:
    - name: some other play performed as user1
      command: whoami   # placeholder task
...

- you could also use a command module workaround (at least with a *nix system) such as:

---
- hosts: localhost
  become: true
  become_user: root
  become_method: su
  tasks:
    - name: some task as root
      command: whoami   # placeholder task

    - name: some task as user2
      command: su - user2 -c "/home/user2/somecommand.sh"
...


My follow-up question is... why?  In your example you could just create the file as root, set the owner, group, and mode to reflect the user you want it to be.

Hope this helps a bit.

Thanks, 
Patrick

flowerysong

Mar 13, 2018, 12:45:49 PM
to Ansible Project


On Tuesday, March 13, 2018 at 10:35:27 AM UTC-4, Patrick Hunt wrote:
I can help to address #2 at least for now.

Ansible does not allow you to chain "Become" statements.

This is true; you cannot use two types or levels of privilege escalation at once.
In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play.

This is untrue. The privilege escalation settings for each task in a play are independent.

- hosts: localhost
  become: true
  tasks:
    - command: whoami
    - command: whoami
      become_user: email
    - command: whoami
      become: false

TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002095", "end": "2018-03-13 12:38:30.764121", "rc": 0, "start": "2018-03-13 12:38:30.762026", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}

TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.001929", "end": "2018-03-13 12:38:30.889973", "rc": 0, "start": "2018-03-13 12:38:30.888044", "stderr": "", "stderr_lines": [], "stdout": "email", "stdout_lines": ["email"]}

TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002009", "end": "2018-03-13 12:38:31.004561", "rc": 0, "start": "2018-03-13 12:38:31.002552", "stderr": "", "stderr_lines": [], "stdout": "ec2-user", "stdout_lines": ["ec2-user"]}


Balaji

Mar 13, 2018, 1:17:51 PM
to Ansible Project


On Tuesday, March 13, 2018 at 7:35:27 AM UTC-7, Patrick Hunt wrote:
Hi Patrick,

My follow-up question is... why?  In your example you could just create the file as root, set the owner, group, and mode to reflect the user you want it to be.


Thank you very much for suggesting above method and sharing your knowledge.
This playbook will be used by other users in my team on their laptops. Hence creating a file and performing a few tasks as the local user.

Thanks,
Balaji Chavdi 

Patrick Hunt

Mar 13, 2018, 1:42:19 PM
to Ansible Project
Good catch.  You're correct, it is possible, I was mistaken.  Practically is it possible to be able to provide multiple sets of credentials for your example?  I've always done a work around, such as I listed in the other comment, since I can pass my current logon (-k) username/password, and can pass 1 set of become credentials (-K), but not a 2nd or 3rd set of become credentials.

flowerysong

Mar 13, 2018, 3:22:25 PM
to Ansible Project
On Tuesday, March 13, 2018 at 1:42:19 PM UTC-4, Patrick Hunt wrote:
Good catch.  You're correct, it is possible, I was mistaken.  Practically is it possible to be able to provide multiple sets of credentials for your example?  I've always done a work around, such as I listed in the other comment, since I can pass my current logon (-k) username/password, and can pass 1 set of become credentials (-K), but not a 2nd or 3rd set of become credentials.

Well, one of the advantages of sudo as a privilege escalation method is that there aren't separate sets of credentials for each escalation target, you just have to be permitted to run things as the users in question.

But, yes, it is possible to provide different credentials. It's easiest to do this non-interactively using a Vault-encrypted variable or another secret lookup method, but there are various ways to make it interactive.

- hosts: localhost
  become: true
  tasks:
    - command: whoami
      become_method: su
      become_user: flowerysong
      vars:
        ansible_become_pass: "{{ user_passwords.flowerysong }}"
    - command: whoami

TASK [command] *****************************************************************
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002181", "end": "2018-03-13 15:15:47.586117", "rc": 0, "start": "2018-03-13 15:15:47.583936", "stderr": "", "stderr_lines": [], "stdout": "flowerysong", "stdout_lines": ["flowerysong"]}

TASK [command] *****************************************************************
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002159", "end": "2018-03-13 15:15:47.717122", "rc": 0, "start": "2018-03-13 15:15:47.714963", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}
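Pulling the thread's pieces together into one playbook, as an added example that is not from any of the posts: the file is created as root with its owner set (Patrick's suggestion), a later task overrides become_method and become_user with a Vault-backed su password kept out of the task output via no_log, and the last task is delegated back to the control host with become disabled so the local file is created as the user who ran ansible-playbook. The host group "servers", the users "appuser", the paths and the variable name "vault_appuser_pass" are assumptions, not names from the thread.

```yaml
---
# Added example, not from the thread. Assumed names: host group "servers",
# remote user "appuser", vault-encrypted variable "vault_appuser_pass"
# (e.g. defined in group_vars and encrypted with ansible-vault).
- hosts: servers
  become: true              # play-level default: escalate to root via sudo
  tasks:
    - name: Create the app directory as root and hand ownership to appuser
      file:
        path: /srv/app
        state: directory
        owner: appuser
        group: appuser
        mode: "0750"

    - name: Run a step that must execute as appuser (su, with its own password)
      command: /home/appuser/setup.sh
      become_method: su     # per-task override of the play-level sudo
      become_user: appuser
      vars:
        ansible_become_pass: "{{ vault_appuser_pass }}"
      no_log: true          # keep the password out of task output and logs

    - name: Back on the control host, as the unprivileged local user
      file:
        path: "{{ lookup('env', 'HOME') }}/.config/myproject"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false         # disables the play-level become for this task only
      run_once: true        # one local action, not one per remote host
```

Because become is evaluated per task, no second ssh session or second play is needed to drop back to the local user; the delegated task simply runs as whoever invoked ansible-playbook.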


Balaji

Mar 17, 2018, 10:50:50 AM
to Ansible Project
Thanks Flowerysong...!
These answers helped me a lot..

Thanks all..!