ansible and sudo

You'll be able to use the raw module and not much else.

ansible istanbul -m raw -a "/app/jboss/int/apache-2.2.23-p2/tools/ITPapache2 stop" --sudo --ask-sudo-pass

Ok, so here's the deal.

Ansible has lots of design goals. Limited sudo is far off the
beaten path from some of the other design goals.

Zero bootstrapping is one, so it installs modules in temp dirs. You
do not have to install 'ansible-helpers' or any package prior to using
ansible from a remote machine. Bare cloud images are cool.

Having a well defined resource model is one, so it doesn't just
execute unix commands, it runs programs (modules are programs). For
various reasons of using SSH as transport, the arguments to these
"programs" are baked into the modules themselves, to optimize how we
do things over SSH (which is not ordinarily, shall we say, super
zippy).

Being able to execute commands is one, so it allows executing commands
as whatever user anyway -- as modules don't exist for everything you
want to run.

The basic answer is no, the user needs to be able to login and do
actual 'stuff'.

Compare this of course with all the other config management packages
that run root level agents and ansible can be constrained a lot better
-- because you can actually use that resource model as not root, do
non-root things (obviously some modules won't work then), or if you
want root, access them via other accounts.

So, yeah, you are not going to make a sudo policy that allows user
'xyz' to create users, because ansible is not a series of modules
calling bash commands with 'sudo'. Modules are programs.

For all of these various reasons, especially the no bootstrapping one,
the answer is no.

You can do things as non-root, or root, or sudo to root ... but you can't
really limit sudo to specific commands.

I'm ok with that -- the other properties are very worth it.
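
A simplified model of sudoers-style command matching, added here as an illustration and not code from the original post or from Ansible. It shows why a rule limited to one command does not cover a module run from a temp dir, and why widening the rule to that temp dir admits any script the login user can write there. The `deploy` user, the interpreter path, the temp file names and the matcher itself are assumptions; real sudo matching has more rules than this.

```python
import fnmatch

def path_matches(pattern, path):
    """Match a command path one component at a time, so '*' never crosses '/'."""
    p, c = pattern.split("/"), path.split("/")
    return len(p) == len(c) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(c, p))

def rule_allows(rule, argv):
    """rule = (path_pattern, args_pattern); args_pattern None means any arguments."""
    path_pat, args_pat = rule
    if not path_matches(path_pat, argv[0]):
        return False
    return args_pat is None or fnmatch.fnmatchcase(" ".join(argv[1:]), args_pat)

def allowed(rules, argv):
    """True if any rule in the policy permits this command line."""
    return any(rule_allows(r, argv) for r in rules)

# Command taken from the page; the policy below permits only "<tool> stop".
TOOL = "/app/jboss/int/apache-2.2.23-p2/tools/ITPapache2"
NARROW = [(TOOL, "stop")]

def module_argv(run_id, module="user"):
    """Constructed: a module copied to a per-run temp dir and run by an interpreter."""
    return ["/usr/bin/python",
            "/home/deploy/.ansible/tmp/run-%s/%s" % (run_id, module)]

# Hypothetical widening so that module runs match: any file under the temp dir.
WIDE = NARROW + [("/usr/bin/python", "/home/deploy/.ansible/tmp/*")]

# Constructed: a script the login user wrote into the same writable directory.
ARBITRARY = ["/usr/bin/python", "/home/deploy/.ansible/tmp/anything.py"]

def demo():
    return {
        "narrow_tool": allowed(NARROW, [TOOL, "stop"]),
        "narrow_tool_other_arg": allowed(NARROW, [TOOL, "start"]),
        "narrow_module": allowed(NARROW, module_argv("1001")),
        "wide_module": allowed(WIDE, module_argv("1001")),
        "wide_arbitrary": allowed(WIDE, ARBITRARY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```

Under this model the widened policy is no tighter than unrestricted sudo to root, because the directory it trusts is writable by the same account.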