How to control access with sudo and FreeIPA


Rodrigo B Brasil

Jan 23, 2017, 8:51:14 AM
to ansible...@googlegroups.com
Hello all!

I'm trying to establish some access control when non-administrative users are running playbooks with Ansible.

All the sudo rules are inherited from FreeIPA, and now my only option is to create a sudo rule that enables **ALL** commands for a specific user to run some playbook on some host. This is definitely not best practice, as the same user could log in to the host and execute any other command, and not **ONLY** those in my playbook on the master branch of my Git server.

I'm sure that there is another, more elegant and secure way to grant some temporary administrative privileges on hosts to some user. Maybe working with the new ipa_sudorule or something?

Do you guys have an example to introduce me to it?


[]s,
Rodrigo B Brasil
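A command-scoped FreeIPA sudo rule of the kind asked about above, as an added example that is not part of the thread. It assumes the `ipa_sudorule` and `ipa_sudocmd` modules (Ansible 2.3 or later) and hypothetical names: IPA server `ipa.example.com`, host group `ansible-controllers`, user group `deployers`, and a wrapper script `/usr/local/bin/run-playbook` that checks out the master branch and runs `ansible-playbook`.

```yaml
# Added example, not from the thread. Replaces a FreeIPA sudo rule that grants
# ALL commands with one scoped to a single command, one host group and one user
# group. Assumed (hypothetical) names: IPA server ipa.example.com, host group
# ansible-controllers, user group deployers, and /usr/local/bin/run-playbook, a
# wrapper that checks out the master branch and runs ansible-playbook.
- name: Replace the catch-all sudo rule with a command-scoped one
  hosts: localhost
  gather_facts: false
  vars:
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: "{{ ipa_admin_password }}"   # supply with ansible-vault, never in git
  tasks:
    - name: Remove the weak rule (cmdcategory=all lets the user run anything)
      ipa_sudorule:
        name: deployers_all_commands
        state: absent
        ipa_host: "{{ ipa_host }}"
        ipa_user: "{{ ipa_user }}"
        ipa_pass: "{{ ipa_pass }}"

    - name: Register the only command the new rule may allow
      ipa_sudocmd:
        sudocmd: /usr/local/bin/run-playbook
        description: Checks out master and runs ansible-playbook
        state: present
        ipa_host: "{{ ipa_host }}"
        ipa_user: "{{ ipa_user }}"
        ipa_pass: "{{ ipa_pass }}"

    - name: Grant deployers sudo for that command on the control hosts only
      ipa_sudorule:
        name: deployers_run_playbook
        description: Deployers may run the playbook wrapper on control hosts
        cmd:
          - /usr/local/bin/run-playbook
        hostgroup:
          - ansible-controllers
        usergroup:
          - deployers
        state: present
        ipa_host: "{{ ipa_host }}"
        ipa_user: "{{ ipa_user }}"
        ipa_pass: "{{ ipa_pass }}"
```

This scopes the privilege on the control host rather than on the managed hosts: Ansible's own `become` runs each module through `sudo ... /bin/sh -c` with a per-run temporary path, so a per-command sudo rule on the managed hosts would not match it, which is why the replies below point to a shared account driven by a scheduler or Tower.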

Brian Coca

Feb 9, 2017, 10:33:06 PM
to Ansible Project
This is one of the things that the Ansible Tower server provides: full RBAC while using a shared user.

Ansible itself does not have this built in, though there are many ways to enforce this using other tools to execute it.


----------
Brian Coca

Johannes Kastl

Feb 10, 2017, 3:01:27 AM
to ansible...@googlegroups.com
On 10.02.17 04:33 Brian Coca wrote:

> Ansible itself does not have this built in, though there are many
> ways to enforce this using other tools to execute it.

Out of interest, which are those?

Johannes


Brian Coca

Feb 10, 2017, 9:16:59 AM
to Ansible Project
My favorites are cron, at and incron combined with Unix ACLs and groups to restrict the different keys to each environment.

But any job scheduler should work; you just need to make sure it meets your requirements. Tower just happens to pay my salary.


----------
Brian Coca