Which user to run plays?

Skyler Slade

Sep 18, 2014, 2:09:50 PM
to ansible...@googlegroups.com
Presently I do all system administration for my organization. Another colleague will soon be handling some administration duties. I have configured Ansible to add his user using the user module. In testing this, I also configured Ansible to configure my user "skyler" but this task always fails with the error "usermod: user skyler is currently logged in." This leads me to believe that Ansible cannot manage the user that is currently running the Ansible play (in this case, set via ansible_ssh_user).

Which user should Ansible use? And if this user is different than my user or my colleague's user, we will need to share those credentials, correct?

I was hoping we could run Ansible using our own individual accounts, and that Ansible would also manage these accounts, but this doesn't seem possible.

Do I understand correctly, or have I missed something?

James Cammarata

Sep 18, 2014, 2:44:34 PM
to ansible...@googlegroups.com
Hi Skyler, 

This is a UNIX/Linux limitation actually. In general though, it is very common to have a single, shared account for system maintenance. There are many ways you can set this up without requiring a shared password (sudo, ssh keys with a passphrase, etc.); it really is a matter of personal preference.

Josh Smift

Sep 18, 2014, 2:51:48 PM
to ansible...@googlegroups.com
Keep in mind that there are two things here: The user you run Ansible
as, and the remote user that Ansible acts as on the target systems. One
thing you can do is set remote_user to 'ansible', and then put your
admins' public keys in the 'ansible' user's authorized_keys file on the
target systems; then each can run Ansible as themselves, but Ansible acts
as 'ansible' on the target systems.

I'm not sure if that's better, from a best practices point of view, than
also having a shared *private* key for the 'ansible' user, having the
'ansible' user's authorized_keys file on the target systems contain only
the pubkey corresponding to that shared key, and have the admins run
Ansible as the 'ansible' user (e.g. 'sudo -u ansible ansible-playbook etc
etc'). I imagine it depends on your environment, and that there are
arguments either way.

-Josh (j...@care.com)
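
The first setup described above (per-admin public keys on a shared 'ansible' account), written out as a playbook. This is an added example, not part of the original thread; the file name, the bootstrap account `root`, the passwordless-sudo rule, the `colleague` account name and the public keys are assumptions or constructed placeholders.

```yaml
# bootstrap-ansible-user.yml (hypothetical file name)
# The first play connects as an account that already exists with root rights
# (root, or e.g. 'ubuntu' on stock EC2 images); later plays use 'ansible'.
- name: Create the shared 'ansible' automation account
  hosts: all
  remote_user: root            # assumption: bootstrap account
  vars:
    # Constructed placeholders: replace with each admin's own public key.
    admin_pubkeys:
      - "ssh-ed25519 AAAA...PLACEHOLDER1 skyler@workstation"
      - "ssh-ed25519 AAAA...PLACEHOLDER2 colleague@workstation"
  tasks:
    - name: Account exists with password login disabled (key-only)
      ansible.builtin.user:
        name: ansible
        shell: /bin/bash
        password: '!'

    - name: authorized_keys holds exactly the current admins' keys
      ansible.posix.authorized_key:
        user: ansible
        key: "{{ admin_pubkeys | join('\n') }}"
        exclusive: true        # removes keys that are no longer in the list

    - name: Allow 'ansible' to escalate (assumption: passwordless sudo)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: 'visudo -cf %s'   # refuse to install a broken sudoers file

# Day-to-day plays: each admin runs ansible-playbook from their own local
# account with their own private key; the target sees the user 'ansible'.
- name: Manage the admins' personal accounts
  hosts: all
  remote_user: ansible
  become: true
  tasks:
    - name: Personal accounts exist (not the account Ansible logs in as)
      ansible.builtin.user:
        name: "{{ item }}"
      loop:
        - skyler
        - colleague            # hypothetical account name
```

Because every admin authenticates with a separate key, removing one entry from `admin_pubkeys` and re-running the first play revokes that person's access without rotating anything for the others.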

Skyler Slade

Sep 18, 2014, 4:51:23 PM
to ansible...@googlegroups.com, j...@care.com
Thanks for your reply.

On Thursday, September 18, 2014 2:51:48 PM UTC-4, Josh Smift wrote:
> Keep in mind that there are two things here: The user you run Ansible
> as, and the remote user that Ansible acts as on the target systems. One
> thing you can do is set remote_user to 'ansible', and then put your
> admins' public keys in the 'ansible' user's authorized_keys file on the
> target systems; then each can run Ansible as themselves, but Ansible acts
> as 'ansible' on the target systems.

I've chosen this approach. It seems like I also need to set ansible_ssh_user because remote_user doesn't seem to influence which SSH user is used when connecting. That is, unless I specify ansible_ssh_user in my inventory, though I have remote_user=ansible in my playbook, ansible-playbook wants to connect using the username of my local user.

Do I need to use ansible_ssh_user in addition to remote_user?

Skyler Slade

Sep 18, 2014, 5:20:41 PM
to ansible...@googlegroups.com, j...@care.com
Apologies, I figured it out. I needed to provide an ssh password by using the -k flag.

Kevin Bullock

Sep 19, 2014, 9:47:04 AM
to ansible...@googlegroups.com
You probably don't want to manage the user Ansible is running as via Ansible, no. You probably want Ansible to either ssh in as root, or as a default user account with sudo access (on standard Ubuntu images on EC2, for example, this user is 'ubuntu') that's already created before ansible runs.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
