We are facing a customer restriction on providing root access to run the Ansible playbook. Our playbook needs root access to execute smoothly. They are apprehensive about the commands executed by the playbook, thinking it might compromise their system security.
Our playbook is huge and it's not possible for us to fetch for them each OS-level command it executes. Is there any way to run the playbook using dzdo that can handle this restriction from the customer?
Have any of you faced this situation, and what are the best possible solutions to such a deadlock?
Using root to run Ansible isn't recommended; common practice is to use a non-root account in combination with privilege escalation, which defaults to sudo.
Your case needs a different method:
Don't assume Ansible just runs 'system commands'; in many cases the modules use an API, so a 'list of system commands' is not something that will work.
The modules themselves are executed under sudo/user from a temporary dir in their home, so you can 'match' more or less what that 'command' will look like, but it requires a lot of globbing to allow.
The modules Ansible ships with are open source, so they CAN be audited, as well as the shared code that operates on the systems.