Understanding of REMOTE_USER II: Command ID in the managed host

Hello everybody,

Regarding the understanding of how the REMOTE_USER works in managed hosts…

I’ve created a playbook which executes the command ID, with the aim of knowing who is the user executing the action in the managed host.

I have 2 nodes with the following users:
Control Node: ANSIBLE - ROOT
Managed Host: ANSIBLE - SSHUSER - ROOT

When I run the playbook, I get the following results:

So my question is, why is the user ANSIBLE (managed host’s user) the one executing the task in HOST1.EXAMPLE.COM, if I didn’t specify REMOTE_USER= ANSIBLE?
Why ANSIBLE, and not SSHUSER??

(For sure, if I write -b (become), ROOT will be the one executing the action)

Thank you very much in advance!

See "Ansible remote_user vs ansible_user" for clarification of the plethora
of users
https://stackoverflow.com/questions/36668756/ansible-remote-user-vs-ansible-user

Couple notes:

* Best practice is to run ansible on controller as unprivileged user (not
  root) who will automatically become "ansible_user" (if not overridden in
  the inventory).

* ansible will ssh ansible_user@remote if not overridden by --user option on
  the command line, or in the play (remote_user)

* In most cases the privileges are escalated with "become_*" options after
  unprivileged user (ansible_user or remote_user) establishes connection to
  the remote host. See "Understanding Privilege Escalation"
  https://docs.ansible.com/ansible/latest/user_guide/become.html#understanding-privilege-escalation

* The standard chain is: ansible_user -> remote_user -> become_user

Cheers,

  -vlado

Thank you Vladimir for your quick and useful answer!

I’ve understood the basis now, but… it raises the question below:

Let’s imagine that I don’t have ANSIBLE user on the managed host, as follows:
–>Control Node: ANSIBLE - ROOT
–>Managed Host: SSHUSER - ROOT

Taking into account that I am not overriding any “user” kind variables (either remote_user in playbooks or ansible_user in the inventory)…
What would happen if I am ANSIBLE in the Control Node, and I run the ID Command on the Managed Host with no priv. escalation?
If ANSIBLE is my default “ansible_user” and it establishes an SSH connection like ANSIBLE@host1.example.com… It would prompt an error because the user does not exist on the managed host, wouldn’t it?

(I don’t want to try deleting Ansible user with the aim of not changing the test environment as much as possible)

Thank you very much in advance… your help is really appreciated.

Regards,
Vicente.

Yes, it would. That's what the --user option is for. For example

  $ ansible host1.example.com --user SSHUSER --module-name setup

Exactly!
I’ve created a new user (usertest) on the Control Node and tried to connect to the managed node, with the same conditions as before (ansible user with no priv. escalation nor ansible_user var defined).
Result → SSH raised an authentication error =)

Thank you Vladimir.