playbook without hosts described

Hi,

Is there a way that we can use a playbook with no “hosts: XXX” defined?
All the servers are available in the inventory file defined in the ansible.cfg, but the playbooks have to be run against a single client or multiple clients on an ad-hoc request basis.

Is there a way to remove `hosts: all` and have the same playbook working for security reasons?
In the meantime, when a play is to be executed on all the clients, they have to be mentioned from the command line (or Jenkins).

> Hi,
>
> Is there a way that we can use a playbook with no "hosts: XXX" defined.

No, hosts is a required attribute for a play.

> All the servers are available in the inventory file defined in the
> ansible.cfg, but the playbooks have to be run based on a single or
> multiple client on the ad-hoc request based.

You can always set hosts: all and use the --limit to only run on some hosts.

> Is there a way to remove
>
>   hosts: all
>
> and have the same playbook working for security reasons?

I don't understand what you mean by "for security reasons".

> In the meantime when a play is to be executed in all the clients they have
> to be mentioned from the command line (or jenkins)

You can use a variable for hosts and set it with extra vars on the command line

- hosts: '{{ myvar }}'

ansible-playbook pb.yml -e myvar=all

Hi Kai,

Thanks for the inputs.

“For security reasons”: I mean that we have disabled gather_facts for better performance, and we want other users to run the playbook with access to the same inventory.
I am looking for a way to avoid them running “ansible-playbook pb.yml -e myvar=all” and to always use “myvar=hostname”.

Is there a way to stop a particular user from using "myvar=all", based on inventory or other modes?

Hi,

You could start with a task running against the localhost doing `jinja2`
magic to see if `myvar != all`, and then run the next task with

hosts: "{{ myvar }}"

Greets
J

You could use this
  hosts: '{{ "" if myvar == "all" else myvar }}'

If myvar is all, hosts becomes an empty string, and that is not allowed and Ansible will fail.

But this is easily defeated by adding a comma at the end: `myvar=all,`
To fix that you would need to use the search/regex[1] test and craft an appropriate regexp for this.

[1] https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings
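
Added example (not written by any poster in this thread): a two-play playbook that combines the localhost pre-check and the templated `hosts:` suggested above, but checks `myvar` against an allowlist of inventory hostnames instead of a deny regex, so `all`, `all,`, group names and wildcard patterns are all rejected. It assumes `myvar` is passed with `-e` as a comma-separated list of hostnames; the play names, the sample hostnames and the `ping` task are placeholders.

```yaml
# pb.yml: added example; play names and the ping task are placeholders.
# Run as: ansible-playbook pb.yml -e myvar=web01,web02
# (web01 and web02 are constructed hostnames.)

- name: Validate requested targets before contacting any managed host
  hosts: localhost
  connection: local
  gather_facts: false
  any_errors_fatal: true
  tasks:
    - name: Require myvar to list only individual inventory hostnames
      ansible.builtin.assert:
        that:
          - myvar is defined
          - myvar is string
          # Every comma-separated item must be an exact inventory hostname.
          # "all" and group names are not hostnames; "all," yields an empty
          # item; wildcards, ":" unions and "!" exclusions match no hostname.
          - myvar.split(',') | difference(groups['all']) | length == 0
        fail_msg: >-
          myvar must be a comma-separated list of inventory hostnames,
          got '{{ myvar | default("<undefined>") }}'

- name: Run the actual work on the validated targets only
  hosts: "{{ myvar }}"
  gather_facts: false
  tasks:
    - name: Placeholder task
      ansible.builtin.ping:
```

The first play fails on its only host when the check does not pass, so the second play never starts. This guards against accidental broad runs; it is not access control for a user who can edit the playbook or run a different one.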

Ansible is not designed to limit users in this way, you want something
like tower/awx that can limit access to what users execute.

But it works so I don't see a problem.

It's easy to bypass; if it is a security issue, they should really look
at something that uses RBAC.