How to control access with sudo and FreeIPA

Hello all!

I’m trying to establish some access control for when non-administrative users run playbooks with Ansible.

All the sudo rules are inherited from FreeIPA, and right now my only option is to create a sudo rule that enables ALL commands for a specific user to run some playbook on some host. This is definitely not best practice, as the same user could log in to the host and execute any other command, not ONLY those in my playbook on the master branch of my Git server.

I’m sure there is another, more elegant and secure way to grant some temporary administrative privileges on hosts to a user. Maybe working with the new ipa_sudorule or something?

Do you guys have some example to introduce me?

s,

Rodrigo B Brasil
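As an added example that is not part of this thread (and not the Ansible project's own sample), here is the shape of an ipa_sudorule-based answer to the question above: instead of a rule with `cmdcategory: all`, the administrator registers the exact commands the deploy playbook needs as FreeIPA sudo commands and binds a rule to them for one user on one host group. The host names, user name, host group, command paths and the `IPA_ADMIN_PASS` environment variable are assumptions; `ipa_sudocmd` and `ipa_sudorule` are the modules that now live in the `community.general` collection.

```yaml
# Added example, not code from the thread. Play 1 is run by an administrator
# against the FreeIPA server; play 2 is the deploy playbook on the targets.
# Assumed names: ipa.example.com, user "deploy", host group "webservers",
# and the two systemctl command lines below.
- name: Define a command-restricted sudo rule in FreeIPA
  hosts: localhost
  gather_facts: false
  vars:
    # The only privileged commands the deploy playbook needs on the targets.
    # Arguments are part of the sudocmd name, so "systemctl stop httpd" or
    # "systemctl restart sshd" are NOT covered by this rule.
    allowed_cmds:
      - /usr/bin/systemctl restart httpd
      - /usr/bin/systemctl reload httpd
  tasks:
    - name: Register each permitted command with FreeIPA
      ipa_sudocmd:                      # community.general.ipa_sudocmd
        sudocmd: "{{ item }}"
        description: Command used by the httpd deploy playbook
        state: present
        ipa_host: ipa.example.com
        ipa_user: admin
        ipa_pass: "{{ lookup('env', 'IPA_ADMIN_PASS') }}"   # assumed env var
      loop: "{{ allowed_cmds }}"

    - name: Create the rule with specific commands instead of cmdcategory=all
      ipa_sudorule:                     # community.general.ipa_sudorule
        cn: deploy-httpd-restart
        description: Let the deploy user restart/reload httpd on web servers
        cmd: "{{ allowed_cmds }}"       # explicit command list, no 'all'
        user:
          - deploy
        hostgroup:
          - webservers
        runasusercategory: all          # commands run as root
        state: present
        ipa_host: ipa.example.com
        ipa_user: admin
        ipa_pass: "{{ lookup('env', 'IPA_ADMIN_PASS') }}"

# Play 2: the deploy playbook itself. It runs as the unprivileged deploy user
# and calls sudo with the exact permitted command line, so sudo sees a
# string that matches the rule. It deliberately does NOT use become: true,
# because become would run each module's Python interpreter under sudo,
# which this rule does not (and should not) allow.
- name: Deploy httpd configuration as the deploy user
  hosts: webservers
  remote_user: deploy
  tasks:
    - name: Restart httpd through the FreeIPA sudo rule
      command: sudo -n /usr/bin/systemctl restart httpd
```

The point of the second play is the caveat that usually bites people who try this: a command-restricted sudo rule only works with tasks that invoke `sudo <permitted command>` themselves. Any task that relies on `become: true` needs sudo access to the remote Python interpreter, which is effectively ALL again. Keeping the privileged surface to a handful of named commands is what makes the FreeIPA rule meaningful, and the sudo log on each host then records exactly those invocations.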

This is one of the things that the Ansible Tower server provides, full
RBAC while using a shared user.

Ansible itself does not have this built in, though there are many ways
to enforce this using other tools to execute it.

Out of interest, which are those?

Johannes

My favorites are cron, at and incron combined with unix ACLs and
groups to restrict the different keys to each environment.

But any job scheduler should work; you just need to make sure it meets
your requirements. Tower just happens to pay my salary.