Hello,
I noticed that an ansible_ssh_user defined in the inventory for a host or group is used also when delegating to a host that does not have it set. This seems counterintuitive to me and makes it difficult to delegate tasks to a host that requires a different user. I wonder if this is by design?
I would expect Ansible to not use the ansible_ssh_user of host A when connecting to host B via delegate_to at all, or at least that it would be possible to override it by setting a different remote_user in the play.
Please see the example below:
hosts:

    testhost ansible_ssh_user=ec2-user
    otherhost

sshtest.yml:

    - hosts: testhost
      gather_facts: no
      tasks:
        - command: whoami

    - hosts: testhost
      remote_user: otheruser
      gather_facts: no
      tasks:
        - command: whoami
          delegate_to: otherhost

'ansible-playbook -i hosts -vvvv sshtest.yml' output:

    PLAY [testhost] ***************************************************************

    TASK: [command whoami] ********************************************************
    ESTABLISH CONNECTION FOR USER: ec2-user on PORT 22 TO testhost
    REMOTE_MODULE command whoami
    EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191 && echo $HOME/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191'
    PUT /tmp/tmpx2j5XZ TO /home/ec2-user/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191/command
    EXEC /bin/sh -c '/usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191/command; rm -rf /home/ec2-user/.ansible/tmp/ansible-tmp-1390928371.32-215246186572191/ >/dev/null 2>&1'
    changed: [testhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.006628", "end": "2014-01-28 16:59:33.480779", "rc": 0, "start": "2014-01-28 16:59:33.474151", "stderr": "", "stdout": "ec2-user"}

    PLAY [testhost] ***************************************************************

    TASK: [command whoami] ********************************************************
    ESTABLISH CONNECTION FOR USER: ec2-user on PORT 22 TO otherhost
    fatal: [testhost] => {'msg': 'FAILED: Authentication failed.', 'failed': True}

    FATAL: all hosts have already failed -- aborting

    PLAY RECAP ********************************************************************
    to retry, use: --limit @/home/ansible/sshtest.retry

    testhost : ok=1 changed=1 unreachable=1 failed=0

The delegation to otherhost fails because Ansible tries to use the ansible_ssh_user of testhost also on otherhost where that user does not exist. This happens whether or not I have “remote_user: otheruser” in the second play. Explicitly setting “ansible_ssh_user=otheruser” for otherhost in the inventory does work so it’s more of an annoyance than a major issue but it seems a bit counterintuitive to me. Any thoughts?
This is on latest devel, by the way.
//Niku
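
A small lint for the situation described in the post, as an added example that is not part of the original message and not Ansible's own code: it flags delegate_to targets that have no ansible_ssh_user of their own while the play's host does, the case the post reports as connecting with the wrong user. The function names are this example's own, it assumes a flat inventory of host lines (group vars are not modelled), and the embedded inventory and playbook are constructed from the post's sample.

```python
import re

# Constructed sample input mirroring the post's inventory and playbook.
INVENTORY = "testhost ansible_ssh_user=ec2-user\notherhost\n"
PLAYBOOK = """\
- hosts: testhost
  gather_facts: no
  tasks:
    - command: whoami
- hosts: testhost
  remote_user: otheruser
  gather_facts: no
  tasks:
    - command: whoami
      delegate_to: otherhost
"""

def inventory_users(text):
    """Map each host line of a flat INI inventory to its ansible_ssh_user, or None."""
    users = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue  # skip blank lines and group headers
        host, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs if "=" in p)
        users[host] = kv.get("ansible_ssh_user")
    return users

def inherited_user_findings(inventory, playbook):
    """Return (play_host, delegate_host, user) where the delegate has no user of its own."""
    users = inventory_users(inventory)
    findings, play_hosts = [], []
    for line in playbook.splitlines():
        m = re.match(r"\s*-?\s*(hosts|delegate_to):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "hosts":
            play_hosts = re.split(r"[,:]", value)  # start of a new play
        elif users.get(value) is None:
            # Per the post, the play host's ansible_ssh_user is used for the delegate too.
            findings += [(h, value, users[h]) for h in play_hosts if users.get(h)]
    return findings

if __name__ == "__main__":
    for host, target, user in inherited_user_findings(INVENTORY, PLAYBOOK):
        print(f"{host} -> {target}: no ansible_ssh_user on {target}, would connect as {user}")
```

Adding ansible_ssh_user=otheruser to the otherhost line, the workaround the post confirms, clears the finding.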