Playbooks for users with different permissions


Jacob Weber

Apr 24, 2014, 8:36:08 PM
to ansible...@googlegroups.com
I have a playbook that sets up a remote box, using sudo=yes. But only a limited set of users will have permission to run this, since it requires root on the remote box.

I'd like to allow less privileged users to run part of this playbook, e.g. tasks with a certain tag. These will do some relatively safe things, like updating the httpd config on the box. So when the root user sets things up, it gives these less privileged users the rights they need to run these tasks.

But what's a good way to set up this playbook so that both sets of users can use it? Currently the whole playbook has sudo=yes, but that prevents the less privileged users from running it at all. Would I need to set sudo=no on the playbook, and then sudo=yes on each task that needs it?

I guess I could copy these safe tasks to a separate playbook, but then they'd be duplicated, which is not ideal.

Adam Morris

Apr 25, 2014, 12:31:24 PM
to ansible...@googlegroups.com

The simple solution is not to put sudo=anything in the playbook.  Those users needing to run with sudo can use command line flags to turn that on...

It sounds like you have two separate sets of tasks...  So why not use a pair of roles?

If you have split your playbooks up into individual tasks you can include some or all of them into separate playbooks.

I have several different roles and some top level playbooks that include some but not others...  I hope that this helps.

Adam

Michael DeHaan

Apr 25, 2014, 4:53:43 PM
to ansible...@googlegroups.com
"Would I need to set sudo=no on the playbook, and then sudo=yes on each task that needs it?"

This is quite reasonable.

(sudo: no, not sudo=no, BTW)


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8cf097fd-9560-45e1-b468-84f0badbb0b9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
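One way to lay out the playbook Jacob describes, following the advice in this reply (play-level no escalation, per-task escalation only where root is needed, tags so the less-privileged users select the safe tasks). This is an added example, not a playbook from the thread; the host group, the `webops` group name, the config path and the template name are assumptions. The thread uses the 2014-era `sudo: yes` spelling; Ansible 1.9 and later spell the same thing `become: yes`, which is used here.

```yaml
# Added example (not from the thread): one playbook, two privilege levels.
# The play itself does not escalate; only the tasks that need root do.
# `sudo: yes` in the thread == `become: yes` in Ansible 1.9+.
---
- hosts: webservers                # assumed inventory group
  become: no                       # play-level default: run as the SSH user
  vars:
    httpd_conf_dir: /etc/httpd/conf.d   # assumed path; adjust for your distro

  tasks:
    # --- root-only setup: run by the privileged operators --------------
    - name: Install httpd
      yum:
        name: httpd
        state: present
      become: yes                  # this task needs root
      tags: [setup]

    - name: Let the 'webops' group write to the httpd config directory
      file:
        path: "{{ httpd_conf_dir }}"
        state: directory
        group: webops              # assumed group of the less-privileged users
        mode: "2775"               # setgid so new files stay group-owned
      become: yes
      tags: [setup]

    # --- safe tasks: runnable with no sudo rights on the remote box ------
    - name: Deploy the vhost config
      template:
        src: vhost.conf.j2         # assumed template in the repo
        dest: "{{ httpd_conf_dir }}/vhost.conf"
        mode: "0664"
      tags: [httpd]
      # become is inherited from the play (no), so a webops member can run this
```

A privileged operator runs `ansible-playbook site.yml` for everything; a less-privileged user runs `ansible-playbook site.yml --tags httpd`. If that user omits `--tags`, the `become: yes` tasks fail on the remote box rather than being skipped, so the tag (or `--skip-tags setup`) is what keeps the run within their rights.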

Jacob Weber

Apr 26, 2014, 9:56:24 PM
to ansible...@googlegroups.com
Thanks for both of your replies. But I'm starting to think that Ansible is not great at running with less than full root access. Particularly since it wraps commands in its own scripts, so you can't easily use sudoers to let users run a limited set of commands.

So I'm leaning more toward having Ansible only run with full root access. Then I can write some little wrapper scripts that call Ansible with specific options, and allow my less-privileged users to run these scripts using sudo. That should limit the damage they can do with Ansible, while still allowing them to run it for certain tasks.

JW

Michael DeHaan

Apr 28, 2014, 10:07:20 AM
to ansible...@googlegroups.com
"But I'm starting to think that Ansible is not great at running with less than full root access."

To be clear, it's absolutely just fine with sudo or logging in as specific non-root users directly as well, you just can't use sudoers to limit execution to specific commands.

Vani Paridhyani

May 27, 2014, 7:48:37 AM
to ansible...@googlegroups.com
Hello,

I have a somewhat similar situation.
I want to run different tasks in my playbook as different users.
These users are non-root and non-sudoers. I give "remote_user: non-root" for each task, but I get an "Authentication Failed" error for each host. I am able to do ssh login to these hosts as the non-root user.

Thanks,
Vani


Michael DeHaan

May 27, 2014, 4:01:35 PM
to ansible...@googlegroups.com
I'd suggest hopping on IRC if you need help with basic SSH users; it would be more interactive.
