How do I get the REMOTE_USER variable while in a sudo playbook?


Steve Weber

Mar 26, 2013, 2:15:48 PM
to ansible...@googlegroups.com
[14:04] <s8weber> how do I access the ansible_ssh_user, or user variable?
[14:05] <s8weber> I can't use ansible_user_id because my playbook changes to root
[14:06] <s8weber> I was able to do hacks passing the ssh username like extra-vars="default_ssh_user=$USER"
[14:06] <s8weber> or even under a top level playbook that registers a user var for echo "$USER"
[14:07] <s8weber> but I don't want to do this task indirectly.... any help?

  -u REMOTE_USER, --user=REMOTE_USER
                        connect as this user (default=s8weber)

I can't use $ansible_user_id in playbooks that sudo because the user is /root/ not /s8weber/.

How do I get the REMOTE_USER variable?

thanks.

Mathieu Guillaume

Mar 26, 2013, 2:27:49 PM
to ansible...@googlegroups.com
At which point do you need this?

If this is when the runner is executing the tasks on the different hosts, I think it depends on the shell, but with bash I have a $SUDO_USER variable.
You should be able to access it in Ansible with $LOOKUP(env, SUDO_USER) (or something close to that, never used lookups myself).

Mathieu Guillaume

Mar 26, 2013, 2:31:36 PM
to ansible...@googlegroups.com
The sudo_user could also be made accessible in the host vars with (I think, not tested):

diff --git a/lib/ansible/playbook/play.py b/lib/ansible/playbook/play.py
index e59912c..f1f94ea 100644
--- a/lib/ansible/playbook/play.py
+++ b/lib/ansible/playbook/play.py
@@ -94,6 +94,7 @@ class Play(object):
             self.tags = []

         if self.sudo_user != 'root':
+            self.vars['sudo_user'] = self.sudo_user
             self.sudo = True

     # *************************************************
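
Review bot: the new assignment sits inside the "if self.sudo_user != 'root':" branch, so 'sudo_user' is only defined for plays that escalate to a non-root account; a play that uses root as its sudo target would find the variable undefined in its templates. Moving the assignment above the "if" would make it available in every play. It also writes to self.vars['sudo_user'] without checking whether the playbook already defined a variable of that name, so a user-supplied value would be replaced silently; worth either documenting the name as reserved or only setting it when absent.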

Steve Weber

Mar 26, 2013, 2:51:11 PM
to ansible...@googlegroups.com
Thanks Mathieu, but I'm not in a Python file.. I'm in a playbook..
Also I'm not trying to get the sudo user, I'm trying to get the user that is connecting to the host...

here is some more background on the issue.

 
[14:04] <s8weber> how do I access the ansible_ssh_user, or user variable?
[14:05] <s8weber> I can't use ansible_user_id because my playbook changes to root
[14:06] <s8weber> I was able to do hacks passing the ssh username like extra-vars="default_ssh_user=$USER"
[14:06] <s8weber> or even under a top level playbook that registers a var for echo "$USER"

[14:07] <s8weber> but I don't want to do this task indirectly.... any help?
[14:24] <ilj> s8weber, mm could you be a little more specific, please?
[14:25] <ilj> s8weber, sounds like you want to control what user ansible uses to establish SSH connections?
[14:27] <s8weber> ilj: I'm trying to render a template to a root protected file with the username of the ssh_user in the file.
[14:28] <s8weber> ilj: I'm trying to do this as directly as possible.  so I have a playbook that has sudo: yes and it renders a template to a /etc/area
[14:28] <s8weber> ilj: in the template I'm trying to include the name of the user that started the ssh_connection
[14:29] <s8weber> ilj: I want to run the playbook like ansible-playbook -i localhost render-template.yml -K
[14:30] <s8weber> ilj: or run like ansible-playbook -i localhost render-template.yml --user=meme -K
[14:32] <s8weber> this seems to me something that would be common?
[14:33] <ilj> s8weber, one way to do this would be to set a variable for user: in vars_files:, say sys_user, then use this variable for user: in a playbook and template as {{ sys_user }}
[14:34] <ilj> s8weber, it's preconfigured obviously
[14:35] <s8weber> ilj: I'm currently doing something like that but yes it's preconfigured and that's no good.
[14:37] <s8weber> ilj: I'll take a look at ohai/facter but I still think this var should be in core.
[14:38] <ilj> s8weber, as a dirty hack you could run shell: command where you would use bash one-liner, like id + sed, to update your template in /etc/*
[14:38] <s8weber> ilj: in my group_vars, it would be nice to have something like this resolve user: $ssh_remote_user
[14:39] <ilj> s8weber, but yeah, it would be interesting to know if it is possible to use ssh connection user name the way you want
[14:39] <s8weber> ilj: a hack already was to in a playbook with sudo: no do a shell echo $USER and then register the var
[14:40] <ilj> or that
[14:40] <ilj> right
[14:40] <ilj> let's see if someone more knowledgeable weighs in on this question :)
[14:42] <s8weber> sometimes a shell call would look like ...  ansible-playbook -i localhost render-template.yml --user=meme  extra-vars="save_user=meme" -K
[14:43] <s8weber> that just seems ugly.
[14:44] <ilj> yeah, I'm not a fan of excessive use of command line options myself
[14:44] <ilj> I'd rather keep everything in the playbooks/vars files
[14:44] <s8weber> ilj: and that's what I'm doing...
[14:45] <s8weber> thanks ilj, I'll go bug the developer :)
[14:46] <ilj> s8weber, np man, it would be awesome if you let me know of the solution you find (if any)

Michael DeHaan

Mar 26, 2013, 6:46:18 PM
to ansible...@googlegroups.com
He's suggesting a patch to the application to make this variable available.

Curious why the fact username isn't good enough though.

--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Steve Weber

Mar 26, 2013, 10:43:20 PM
to ansible...@googlegroups.com
Ah yes, a patch.. But I'm not after the sudo_user.
I'm looking for the user name that is connecting through 'ssh' before sudo

ansible-playbook -i localhost install.yml --user=$USER --extra-vars="ssh_user=$USER" --ask-sudo-pass
Currently I'm creating the variable ssh_user as a workaround... so I can then pass it to a template.

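# install.yml would be something like...
- name: render php-fpm file
  hosts: all   # a play needs a hosts key; "all" matches whatever -i supplies
  sudo: yes
  tasks:
    # ssh_user comes from --extra-vars on the command line above
    - template: src=php-fpm.j2 dest=/etc/php/php-fpm/pool.d/pool-${ssh_user}.conf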

# php-fpm.j2 would be something like
[pool-{{ ssh_user }}]
user = {{ ssh_user }}
group = {{ ssh_user }} 

Is there a way to do the same thing but without creating an extra variable for ssh_user?

Michael DeHaan

Mar 27, 2013, 8:48:14 AM
to ansible...@googlegroups.com
I see.

So we want to just basically expose $ansible_ssh_user as a variable
before we call tasks about it.

This is not difficult at all -- Please file a ticket so we don't forget this.

We're past the feature freeze date for 1.1 (which was Monday), so this
will happen on 1.2's development branch after Tuesday...

A simple workaround now would just be to set the variable in the play,
prompt for it via vars_prompt, or pass it in with --extra-vars.

Steve Weber

Mar 27, 2013, 10:21:46 AM
to ansible-project
Sure, I'll file the ticket on GitHub.


Steve Weber

Mar 27, 2013, 10:30:00 AM
to ansible...@googlegroups.com, steve...@gmail.com
issue:
https://github.com/ansible/ansible/issues/2516


Steve Weber

Apr 15, 2013, 1:37:27 PM
to ansible...@googlegroups.com, steve...@gmail.com
I found this workaround
 
# fill fact $ansible_user_id while not sudo as root
- hosts: any
  sudo: no
  gather_facts: yes
 
- name: scm
  hosts: any
  gather_facts: no
  tasks: 
    - shell: echo before running sudo the user was- $ansible_user_id  now as sudo you are- $USER

Wolfgang Ziegler

Feb 11, 2014, 8:18:58 AM
to ansible...@googlegroups.com, steve...@gmail.com
Just using {{ ansible_ssh_user }} works for me - probably that got improved meanwhile.
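
Added example (not part of the thread and not Ansible project code): a current-syntax version of the play discussed above. It takes the connecting account from facts gathered before privilege escalation and validates it before the name becomes part of a root-written path. It assumes the thread's php-fpm.j2 template and pool directory; become replaces the 2013 sudo keyword, and the account-name pattern is an assumption to adjust to local naming.

```yaml
# install.yml (added example; modern Ansible syntax)
- name: Render a per-user php-fpm pool as root
  hosts: all
  become: false        # facts are gathered as the connecting user, not root
  gather_facts: true
  vars:
    # user_id is the account that ran fact gathering, i.e. the SSH login user
    # here. Note that --extra-vars outranks play vars, so "-e ssh_user=..."
    # on the command line would still override this value.
    ssh_user: "{{ ansible_facts.user_id }}"
  tasks:
    - name: Refuse anything that is not a plain account name
      # Guards the path and template below against values such as
      # "../../cron.d/x" arriving through an override or an odd account name.
      ansible.builtin.assert:
        that:
          - ssh_user is string
          - "ssh_user is match('^[a-z_][a-z0-9_-]{0,31}$')"
        fail_msg: "unexpected connecting user: {{ ssh_user }}"

    - name: Write the pool file with escalated privileges
      become: true     # only this task runs as root
      ansible.builtin.template:
        src: php-fpm.j2
        dest: "/etc/php/php-fpm/pool.d/pool-{{ ssh_user }}.conf"
        owner: root
        group: root
        mode: "0644"
```

Escalating per task rather than per play keeps fact gathering unprivileged, which is what makes the fact reflect the connecting user.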