Ansible become option with passwordless


selvam vasu

Mar 21, 2016, 9:24:31 AM
to Ansible Project
Hi,
I am a newbie to Ansible; you can tell easily from this dumb question.
I have limited access to one user (selvam) which can run limited commands using the sudo option.
My sudoers file looks like below.
 
selvam  ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/apt-get

I have tried to install an apt package on the remote machine using Ansible playbooks as the selvam user with the sudo option.

Here is playbook file contents.

playbook.yml
---
- hosts: host1
  remote_user: selvam
  tasks:
    - name: users package
      apt: name={{ item }} state=latest
      become: yes
      with_items:
        - nginx

But the problem is when I run this playbook, I am getting the error "Missing become password". I need to install the package without a password.

When I run the command below manually from my Ansible host, it works fine without a password. How can I accomplish the same through an Ansible playbook?

[selvam@host1] $ ssh host1 sudo -u root apt-get install nginx

Ansible version:
*******************

$ ansible-playbook --version
ansible-playbook 1.9.4
  configured module search path = None

Let me know where I have to modify my configs.

Thanks in Advance.

Uditha Desilva

Mar 21, 2016, 1:28:26 PM
to Ansible Project
2 things:

1) Ansible requires FULL sudo access, i.e.

selvam ALL=(ALL) NOPASSWD: ALL

2) You may also need to allow sudo for this user to not require a tty:

Defaults:selvam !requiretty

Matt Calhoun

Mar 21, 2016, 2:28:21 PM
to Ansible Project
Is there really no way to give the ansible user specific sudo NOPASSWD privileges? This seems like a huge security hole!

Uditha Desilva

Mar 22, 2016, 12:51:22 PM
to Ansible Project
It's no more a security hole than allowing your sysadmins to su to root...

Matt Calhoun

Mar 22, 2016, 2:30:33 PM
to Ansible Project
I'm not sure I agree with that. With our admins, we have ssh with key + sudo with a password. With this setup (running ansible as a deploy user to deploy a web app), the only protection I have is the ssh key.

Is there a good reason the ansible user can't be restricted to specific commands via sudo?

Brian Coca

Mar 22, 2016, 2:37:42 PM
to ansible...@googlegroups.com
You can use ansible + sudo + sudo password; you end up with the exact same security.


----------
Brian Coca

Calhoun, Matt

Mar 22, 2016, 2:46:35 PM
to ansible...@googlegroups.com
Sure, except that I am running ansible on an unattended deployment box (Jenkins) in this case vs real humans running interactively in the case of my admins.

I'm trying to follow a policy of least privilege and grant the user only the rights to restart the nginx server as root (it needs that to access port 443), since that's the only thing the user needs to do that requires privilege escalation.

I'm wondering why this can't be accomplished with ansible? It seems like having to allow the deploy user to run any command (rather than just the one needed to restart the service) creates a potential security hole if that user's key is compromised. Am I missing something here?


Uditha Desilva

Mar 22, 2016, 2:49:25 PM
to Ansible Project
If that's all you really need, invoke it via a "command" stanza with a passwordless sudo. Problem solved.

Brian Coca

Mar 22, 2016, 2:49:55 PM
to ansible...@googlegroups.com
The way Ansible works is by running arbitrary scripts (modules) on the remote machine; as such, it is very hard to make sudo rules to allow this that are virtually equivalent to ALL.

Some modules do execute system commands, many others use syscalls directly, so even if we introduce a way to 'delegate' the privilege escalation to the module, it won't help you in many cases.


----------
Brian Coca

selvam vasu

Mar 23, 2016, 2:17:09 AM
to Ansible Project
Hi Uditha,
I can use the "command" module to accomplish my "sudo apt-get install nginx" task, but I want to schedule my playbook to run every half hour to maintain the configuration on my client. In this case, it will always try to install nginx every time. But if I use the apt module, it will install the nginx package only if it is not installed or is not the latest version. How can we get the same using the command module? But anyway, it is not a straightforward method.

Uditha Desilva

Mar 23, 2016, 7:40:32 AM
to Ansible Project
apt-get is already idempotent: e.g.

vagrant@precise64:~$ sudo apt-get install nginx -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
nginx is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 189 not upgraded.

vagrant@precise64:~$ sudo apt-get install nginx -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
nginx is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 189 not upgraded.

If you're concerned that it might "silently" upgrade you, specify "=versionnumber" to prevent that.
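As an added example (not from anyone in the thread), here is how the "command stanza with a passwordless sudo" suggestion can be put together with the idempotency point above. It assumes the original poster's restricted sudoers entry for selvam is in place on host1, together with `Defaults:selvam !requiretty`; the task and handler names are made up.

```yaml
---
# Added example, not from the thread. Assumes this sudoers configuration on host1:
#   selvam  ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/apt-get
#   Defaults:selvam !requiretty
- hosts: host1
  remote_user: selvam
  tasks:
    - name: install nginx through the whitelisted apt-get entry
      # No 'become' here: Ansible's become wraps the module in a shell
      # invocation, which the narrow sudoers rule does not match, so sudo is
      # called explicitly on the exact whitelisted path. -n makes sudo fail
      # instead of hanging on a password prompt if the rule does not apply.
      command: sudo -n /usr/bin/apt-get install -y nginx
      register: nginx_install
      # apt-get is a no-op when the package is current; report 'changed'
      # only when something was actually installed or upgraded, so a
      # half-hourly run does not trigger the handler every time.
      changed_when: "'0 upgraded, 0 newly installed' not in nginx_install.stdout"
      notify: restart nginx

  handlers:
    - name: restart nginx
      # /usr/sbin/service is the second whitelisted path in the sudoers rule.
      command: sudo -n /usr/sbin/service nginx restart
```

Whitelisting `/usr/bin/apt-get` still lets the account install any package, so this is narrower than `NOPASSWD: ALL` but not a tight rule; a sudoers entry limited to `/usr/sbin/service nginx restart` would fit the restart-only requirement discussed above.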