Hi,
I am a newbie to ansible. You can find it easily through this dumb question.
I have limited access to one user (selvam) which can run limited commands using the sudo option.
My sudoers file looks like below.
selvam ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/bin/apt-get
I have tried to install an apt package on a remote machine using ansible playbooks as the selvam user with the sudo option.
Here are the playbook file contents.
playbook.yml
2 things:
- Ansible requires FULL sudo access, i.e.
selvam ALL=(ALL) NOPASSWD: ALL
- You may also need to allow sudo for this user to not require a tty:
Defaults:selvam !requiretty
Is there really no way to give the ansible user specific sudo NOPASSWD privileges? This seems like a huge security hole!
It’s no more a security hole than allowing your sysadmins to su to root…
I’m not sure I agree with that. With our admins, we have ssh with key + sudo with a password. With this setup (running ansible as a deploy user to deploy a web app), the only protection I have is the ssh key.
Is there a good reason the ansible user can’t be restricted to specific commands via sudo?
you can use ansible + sudo + sudo password, you end up with exact same security.
Sure, except that I am running ansible on an unattended deployment box (Jenkins) in this case vs real humans running interactively in the case of my admins.

I'm trying to follow a policy of least privilege and grant the user only the rights to restart the nginx server as root (needs it to access port 443) since that's the only thing the user needs to do that requires privilege escalation.

I'm wondering why this can't be accomplished with ansible? It seems like having to allow the deploy user to run any command (rather than just the one needed to restart the service) creates a potential security hole if that user's key is compromised. Am I missing something here?
If that’s all you really need, invoke it via a “command” stanza with a passwordless sudo. Problem solved.
The way ansible works is by running arbitrary scripts (modules) on the remote machine, as such it is very hard to make sudo rules to allow this that are virtually equivalent to ALL.
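As an added example (this is not code from the thread or from the Ansible project), here is one way to implement the single-command restriction the deploy-user case calls for. The inventory group `webservers` is an assumption. The first play, run by an admin who still has full sudo, installs a drop-in under /etc/sudoers.d and has visudo validate it before it is written. The second play runs as selvam and calls sudo inside the command line rather than through `become`: Ansible's become wraps every module, the command module included, in a `/bin/sh -c` invocation under sudo, and a rule that only allows `/usr/sbin/service nginx restart` will reject that.

```yaml
# Play 1: run by an admin account that has unrestricted sudo.
# Installs a sudoers drop-in allowing selvam exactly one root command.
- name: Grant selvam a single root command
  hosts: webservers              # hypothetical inventory group
  become: yes
  tasks:
    - name: Install restricted sudoers drop-in, validated by visudo before it lands
      copy:
        dest: /etc/sudoers.d/selvam
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
        content: |
          Defaults:selvam !requiretty
          selvam ALL=(root) NOPASSWD: /usr/sbin/service nginx restart

# Play 2: run as the restricted deploy user. No become, because become would
# wrap the module in "/bin/sh -c" under sudo, which the rule above does not allow.
- name: Restart nginx as the restricted deploy user
  hosts: webservers
  remote_user: selvam
  become: no
  tasks:
    - name: Restart nginx via sudo; the argument string must match the sudoers rule exactly
      command: sudo -n /usr/sbin/service nginx restart
      register: restart
      changed_when: restart.rc == 0
```

`sudo -n` makes sudo fail immediately instead of prompting when the rule does not match, so a mismatch shows up as a task error rather than a hung run. sudo matches the argument string literally: the rule lists `nginx restart` on purpose, since an unrestricted `/usr/sbin/service` would let the user stop or restart any service on the host.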
Hi Uditha,
I can use the “command” module to accomplish my “sudo apt-get install nginx” task, but I want to schedule my playbook to run every half hour to maintain the configuration on my client. In this case, it will always try to install nginx every time. But if I use the apt module, it will install the nginx package only if it is not installed or doesn’t have the latest version. How can we get the same using the command module? But a/w it is not a straight method.
apt-get is already idempotent: e.g.
vagrant@precise64:~$ sudo apt-get install nginx -y
Reading package lists… Done
Building dependency tree
Reading state information… Done
nginx is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 189 not upgraded.
vagrant@precise64:~$ sudo apt-get install nginx -y
Reading package lists… Done
Building dependency tree
Reading state information… Done
nginx is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 189 not upgraded.
If you’re concerned that it might “silently” upgrade you, specify “=versionnumber” to prevent that.
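As an added example (not from the thread), a play that installs nginx through the command module under the sudoers rule quoted at the top of the thread (selvam may run /usr/bin/apt-get without a password) and reports `changed` only when apt-get actually installed or upgraded something, judged from the summary line shown in the output above. The `webservers` group and the `nginx_version` variable are assumptions. sudo is called inside the command rather than via `become`, because become wraps the module in a `/bin/sh -c` invocation under sudo, which the restricted rule does not permit.

```yaml
- name: Keep nginx installed as the restricted deploy user
  hosts: webservers            # hypothetical inventory group
  remote_user: selvam
  become: no                   # sudo is invoked inside the command instead
  vars:
    # Set to an exact package version string (as listed by "apt-cache policy nginx")
    # to pin it and stop apt-get from silently upgrading; leave empty for "newest".
    nginx_version: ""
  tasks:
    - name: Install nginx with apt-get (a no-op when the requested version is present)
      command: >
        sudo -n /usr/bin/apt-get install -y
        nginx{{ ('=' ~ nginx_version) if nginx_version else '' }}
      register: apt_out
      # apt-get prints "N upgraded, M newly installed, ...". Report a change
      # only when N or M is non-zero. A substring test would be wrong here
      # ("10 newly installed" contains "0 newly installed"), so anchor a regex
      # at the start of the line. A non-zero exit code still fails the task,
      # as it does for any command task.
      changed_when: "apt_out.stdout is not search('^0 upgraded, 0 newly installed', multiline=True)"
```

Running this every half hour gives the same convergence the apt module provides: the package is installed on the first run, later runs are reported as unchanged, and a pinned `nginx_version` keeps the package at the chosen release.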