How does Ansible know what account to use for the SSH connection and sudo

Stuart Budd

Jan 21, 2015, 11:25:06 AM
to ansible...@googlegroups.com
I do not understand how this example works for user foo

If I have not stated the user account to use for the ssh connection within the command line using: ansible_ssh_user=foo
or the Ansible host file: /etc/ansible/hosts

Is the current user account used as the ssh connection to a remote server if not specified on the command line or within the file: /etc/ansible/hosts ?

If so, does the logic for which user account to use for the ssh connection go like this:

Use the current user account, unless specified in the command line using command: ansible_ssh_user=foo
and if not specified in the /etc/ansible/hosts file as: ansible_ssh_user=foo

Ansible Local Server                      Remote server
local-01                                        remote-01
---------------------------                        --------------------
Local User foo       --> ssh -->        Remote user foo

So in this example:
(1)  Local user running /usr/bin/ansible is foo
(2)  Remote user is an account on the remote box remote-01 which is also named foo
(3)  sudoing will sudo to the remote account foo.  Which as you say is a no-op.


Server local-01
[root@local-01 /]# grep sudo_user /etc/ansible/ansible.cfg
sudo_user      = root
[root@local-01 /]# cat /etc/ansible/hosts
[servers]
remote-01
[root@local-01 /]#


Ansible command
[root@local-01 ~]# su - foo
[foo@local-01 ~]$ ssh foo@remote-01 whoami
foo
[foo@local-01 ~]$ ansible remote-01 -m command -a "whoami"
remote-01 | success | rc=0 >>
foo

[foo@local-01 ~]$


Question
How does the above Ansible command work if I have not specified the user account for the SSH connection or the local user account either within
the command line, /etc/ansible/ansible.cfg or within the file /etc/ansible/hosts ?

Is this not the function of the parameters ansible_ssh_user and ansible_sudo_user ?

Should I not need to specify this: ansible_ssh_user=foo ?
Even if I do not need this: ansible_sudo_user=foo ?

Toshio Kuratomi

Jan 21, 2015, 12:24:49 PM
to ansible...@googlegroups.com
On Wed, Jan 21, 2015 at 8:25 AM, Stuart Budd <s2b...@gmail.com> wrote:
> I do not understand how this example works for user foo
>
> If I have not stated the user account to use for the ssh connection within
> the command line using: ansible_ssh_user=foo
> or the Ansible host file: /etc/ansible/hosts
>
> Is the current user account used as the ssh connection to a remote server if
> not specified on the command line or within the file: /etc/ansible/hosts ?
>
Correct.

> If so, does the logic for which user account to use for the ssh connection
> go like this:
>
> Use the current user account, unless specified in the command line using
> command: ansible_ssh_user=foo

Via the command line:
* for /usr/bin/ansible use: -u foo
    /usr/bin/ansible rhel7-test -u ansibletest1 -a whoami
* for /usr/bin/ansible-playbook you can use -u foo if nothing else is
  setting the user (not in /etc/ansible/hosts or the playbook). If you
  really want to override what's specified in hosts or the playbook use
  -e ansible_ssh_user=foo:
    ansible-playbook test.yml -v -e 'ansible_ssh_user=ansibletest1'


> and if not specified in the /etc/ansible/hosts file as:
> ansible_ssh_user=foo
>
> Ansible Local Server Remote server
> local-01 remote-01
> --------------------------- --------------------
> Local User foo --> ssh --> Remote user foo
>
> So in this example:
> (1) Local user running /usr/bin/ansible is foo
> (2) Remote user is an account on the remote box remote-01 which is also
> named foo
> (3) sudoing will sudo to the remote account foo. Which as you say is a
> no-op.

#3 is only true if you've specified that foo is the sudo_user
somewhere (for instance in ansible.cfg).
Otherwise you'll be sudo'ing to root.

> Server local-01
> [root@local-01 /]# grep sudo_user /etc/ansible/ansible.cfg
> sudo_user = root
> [root@local-01 /]# cat /etc/ansible/hosts
> [servers]
> remote-01
> [root@local-01 /]#
>
>
> Ansible command
> [root@local-01 ~]# su - foo
> [foo@local-01 ~]$ ssh foo@remote-01 whoami
> foo
> [foo@local-01 ~]$ ansible remote-01 -m command -a "whoami"
> remote-01 | success | rc=0 >>
> foo
> [foo@local-01 ~]$
>

<nod> This is all correct. I see that you pointed out that sudo_user
= root in ansible.cfg. So just in case you're wondering, ansible does
not sudo unless you tell it to. That would look something like this:

[foo@local-01 ~]$ ansible remote-01 -m command -a "whoami" --sudo -K
sudo password:
remote-01 | success | rc=0 >>
root

>
> Question
> How does the above Ansible command work if I have not specified the user
> account for the SSH connection or the local user account either within
> the command line, /etc/ansible/ansible.cfg or within the file
> /etc/ansible/hosts ?
>
The default for ansible (and for ssh) is to use the username that you
are logged in locally as.

> Is this not the function of the parameters ansible_ssh_user and
> ansible_sudo_user ?
>

ansible_ssh_user (in /etc/ansible/hosts or another inventory file)
overrides that, yes.

ansible_sudo_user specifies which user to sudo to once you've ssh'd
into the remote box.

> Should I not need to specify this: ansible_ssh_user=foo ?
> Even if I do not need this: ansible_sudo_user=foo ?
>
In most people's environments they have the same username on all of
their boxes. So those people don't need to set ansible_ssh_user. If
you are using different usernames on the local and remote box then you
do need to set ansible_ssh_user so that ansible knows which account it
needs to ssh into on the remote machine.

-Toshio

Stuart Budd

Jan 21, 2015, 2:28:17 PM
to ansible...@googlegroups.com
Got it.

Thank you tkuratomi for the very informative answer.
Cheers

Tom Bamford

Jan 22, 2015, 3:49:38 AM
to ansible...@googlegroups.com

Note that if you are using ssh transport (not sure about Paramiko), and you have a matching host in ssh_config with a User line, that will be used.

So given that ~you/.ssh/config contains

Host myhost
    User root

and you invoke the following as you

ansible myhost -a whoami

…Ansible will connect as root



Stuart Budd

Jan 22, 2015, 4:51:38 AM
to ansible...@googlegroups.com
Hi, this bit is not correct: "…Ansible will connect as root"

That did confuse me as there does not seem to be any documentation for using different user accounts and how they interact with Ansible.

In my example above, the user account that Ansible uses to connect as is the foo user.

My example does the following:
Running the Ansible command as user foo on the local server local-01
User foo on the local Ansible server local-01, connects as user foo using SSH to the remote server remote-01 and reports back that it is logged in as user foo

Brian Coca

Jan 22, 2015, 10:21:15 AM
to ansible...@googlegroups.com
ansible just calls ssh and sudo, it works the same as those tools do
because it uses those tools.

if you run ssh as 'foo' on the local server and do not specify a
remote user to connect as, ssh will use foo as the login user on the
remote machine. Ansible does exactly the same.
--
Brian Coca

Stuart Budd

Jan 24, 2015, 8:15:14 AM
to ansible...@googlegroups.com
Thank you Brian. Question resolved.
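
The resolution order described in Toshio Kuratomi's and Tom Bamford's replies, as an added example that is not part of the thread and is not Ansible's own code. It assumes a simplified INI inventory, an ssh_config without negated patterns, and that the ssh_config User line applies only when Ansible itself names no user; playbook-level settings are not modelled, and all function names and sample data are hypothetical.

```python
# Added example (not Ansible code): which account ends up being used for SSH.
from fnmatch import fnmatch

INVENTORY = """\
[servers]
remote-01
remote-02 ansible_ssh_user=deploy
myhost
"""  # constructed sample inventory
SSH_CONFIG = """\
Host myhost
    User root
"""  # constructed sample ~/.ssh/config

def inventory_users(text):
    """Map host -> ansible_ssh_user (or None) from INI inventory host lines."""
    users, in_hosts = {}, True
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            in_hosts = ":" not in line      # skip [group:vars] / [group:children]
        elif line and in_hosts:
            host, *pairs = line.split()
            found = dict(p.partition("=")[::2] for p in pairs)
            users[host] = found.get("ansible_ssh_user")
    return users

def ssh_config_user(text, host):
    """First User value whose Host patterns match (ssh keeps the first value)."""
    patterns = ["*"]                        # options before any Host apply to all
    for line in text.splitlines():
        keyword, arg = (line.split(None, 1) + ["", ""])[:2]
        if keyword.lower() == "host":
            patterns = arg.split()
        elif keyword.lower() == "user" and any(fnmatch(host, p) for p in patterns):
            return arg.strip()
    return None

def effective_user(host, local_user, cli_user=None, extra_user=None, inv=INVENTORY, cfg=SSH_CONFIG):
    """Return (login user, source), highest-priority setting first."""
    candidates = [
        (extra_user, "-e ansible_ssh_user"),           # overrides hosts/playbook
        (inventory_users(inv).get(host), "inventory"),  # ansible_ssh_user in hosts
        (cli_user, "-u"),                              # only if nothing else set it
        (ssh_config_user(cfg, host), "ssh_config"),    # assumption: Ansible named no user
        (local_user, "local user"),                    # default, same as plain ssh
    ]
    return next((u, src) for u, src in candidates if u)

print({h: effective_user(h, "foo") for h in inventory_users(INVENTORY)})
```

On a real control node, `ssh -G myhost | grep '^user '` prints the login user OpenSSH itself resolves from ssh_config, which is a quick way to spot hosts that would silently be reached as root.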