AWX connecting to RHEL host as root instead of username from machine credentials


Brett Murphy

Oct 5, 2022, 6:27:10 PM
to AWX Project
Hi All,
Here is my playbook, and the settings to use the machine credential username, yet it still does ssh as user=root

- name: Update Packages
  hosts: "{{ vm_inventory_group }}"
  become: yes
  become_method: sudo
  gather_facts: yes

  roles:
    - role: update_rhel_packages
      vars:
        machine:
          username: '{{ ansible_user }}'

Expected results

<myhostname.local> SSH: EXEC sshpass -d10 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o '-u "username_used_in_credential" -o ConnectTimeout=10 -o 'ControlPath="/home/runner/.ansible/cp/1e6060cc9b"' myhostname.local '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''

Actual results

<myhostname.local> SSH: EXEC sshpass -d10 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/home/runner/.ansible/cp/1e6060cc9b"' myhostname.local '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''

I originally thought this could be a bug but have been advised it is probably a mis-config on my behalf.

AWX version

21.7.0


Container Platform: OKD 4.10


Thanks in advance



Brett Murphy

Oct 5, 2022, 6:59:14 PM
to AWX Project
Also of note is if I set the username directly in the playbook it STILL connects as root, so this does not seem to be an AWX issue not passing in the username, rather one with Ansible?

vars:
    machine:
      username:  my_username 

Robert Sossomon

Oct 5, 2022, 7:17:11 PM
to awx-p...@googlegroups.com
Check your play config in AWX to see who you set it as.   You can set your credentials in AWX that are different than the logged in user and the play will use the set username/credentials instead of logged in user.  Handy for when you want to give play execute permissions to a junior member for a host they have no permissions on.  


Brett Murphy

Oct 5, 2022, 7:44:21 PM
to AWX Project
Sorry I accidentally clicked reply_author!! I have no way to see what I sent you so please post it back here in your reply 

Brett Murphy

Oct 5, 2022, 7:53:25 PM
to AWX Project
I will have another try:

So I am comparing Ansible Tower and AWX here with exactly the same playbook and no credentials selected.
The playbook specifies a hard-coded remote user. I know it won't actually connect because there is no password, but I am trying to troubleshoot what username is being used, so this will fit the purpose of the test.

PLAYBOOK:
---
- name: This is a hello-world example
  hosts: "{{ vm_inventory_group }}"
  remote_user: my_non_root_user

The debug log for Ansible Tower shows:
ESTABLISH SSH CONNECTION FOR USER:   my_non_root_user

And for AWX:
ESTABLISH SSH CONNECTION FOR USER: root

If I can fundamentally understand why these two platforms are behaving differently I will be well on my way to fixing this.

Thanks.




Robert Sossomon

Oct 5, 2022, 9:16:44 PM
to awx-p...@googlegroups.com
So in my previous usage of AWX, if there is a userId saved with the host credentials, then it will be used for the connection. Also, if you have defined the user in the play executor in AWX, that would be used. Then it would default to the credentials actually used in the playbook.

My suspicion is that when you created the credentials for accessing that host, you may have accidentally stored root as the USER ID.

Unfortunately I don't have awx installed to grab the screens from, but that's where I would start looking from previous experience. 




Brett Murphy

Oct 5, 2022, 9:27:36 PM
to AWX Project
Yes I understand that any dynamic config provided by AWX would override the hard coded "remote_user" in the playbook, this is a very good point.
The first one, credentials.. I literally have  no credential set in the template so we can write that one out.
The second one, "play executor in AWX", I do not know what or where that is so I doubt I have changed it, and I certainly would never set it to root.
Could this be some new default in AWX that needs to be overridden?

Thanks.

AWX Project

Oct 7, 2022, 1:42:44 PM
to AWX Project
Brett,

| The first one, credentials.. I literally have  no credential set in the template so we can write that one out.

So the JT doesn't have the credential assigned to it?

If so, we wouldn't expect -u "username_used_in_credential", as you mentioned in the opening post.

AWX defaults to root if a username from the credential isn't supplied.

What happens when you attach a machine credential to the JT?

AWX Team

Brett Murphy

Oct 7, 2022, 6:42:48 PM
to AWX Project
Hi, thanks for the suggestion.
When I set a machine credential in the job template the user is still root on the ssh, this is my fundamental problem.
I forgot to show in my OP that I am hard coding: remote_user="username_used_in_credential" for this test.

So can you clarify that even though my playbook has this hard coded that AWX will override it? Because it won't...
The same playbook works in Ansible Tower fine by the way, it uses the machine credential in the ssh.
Thanks,
Brett.


Brett Murphy

Oct 10, 2022, 9:07:36 PM
to AWX Project
For anyone else who ever has this problem, don't put this in the Inventory YAML :(
username: root
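
An added example, not part of the original thread or of AWX itself: a check over inventory JSON (the layout printed by `ansible-inventory --list`) that reports every host or group variable pinning the login user, which is the kind of inventory setting the post above names. The sample inventory is constructed, and the key list (the thread's `username` plus Ansible's `ansible_user` and `ansible_ssh_user` connection variables) is an assumption about what to audit.

```python
import json

# Keys to audit: Ansible's connection-user variables plus the bare
# `username` key reported in this thread (assumption: extend as needed).
USER_KEYS = ("ansible_user", "ansible_ssh_user", "username")

# Constructed sample in the JSON layout of `ansible-inventory --list`;
# group-level "vars" appear in that output when --export is used.
SAMPLE_INVENTORY = json.dumps({
    "_meta": {"hostvars": {
        "myhostname.local": {"username": "root"},
        "db01.example": {"ansible_user": "svc_patch"},
    }},
    "all": {"children": ["rhel", "ungrouped"]},
    "rhel": {"hosts": ["myhostname.local", "db01.example"],
             "vars": {"ansible_ssh_user": "root"}},
})


def find_user_overrides(inventory_json):
    """Return sorted (scope, name, key, value) for each variable pinning a login user."""
    inv = json.loads(inventory_json)
    found = []
    # Host-level variables live under _meta.hostvars.
    for host, hostvars in inv.get("_meta", {}).get("hostvars", {}).items():
        for key in USER_KEYS:
            if key in hostvars:
                found.append(("host", host, key, str(hostvars[key])))
    # Every other top-level key is a group, optionally carrying "vars".
    for group, body in inv.items():
        if group == "_meta" or not isinstance(body, dict):
            continue
        for key in USER_KEYS:
            if key in body.get("vars", {}):
                found.append(("group", group, key, str(body["vars"][key])))
    return sorted(found)


def root_overrides(inventory_json):
    """Subset of the findings whose value is literally root."""
    return [f for f in find_user_overrides(inventory_json) if f[3] == "root"]


if __name__ == "__main__":
    for scope, name, key, value in find_user_overrides(SAMPLE_INVENTORY):
        flag = "ROOT" if value == "root" else "ok"
        print(f"[{flag}] {scope} {name}: {key}={value}")
```

Running a check like this against each inventory before a job template is launched surfaces a root login set in inventory data, where it is easy to miss when only the playbook and the machine credential are reviewed.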

Robert Sossomon

Oct 11, 2022, 12:14:42 AM
to awx-p...@googlegroups.com
Yup, rather will do it too...  glad you were able to find the culprit. 
