编辑:这ansible_become_pass: "{{ scrappy.pass }}" #scrappy 的密码是问题的根源。应该是 ubuntu 用户的密码
我很难理解如何在 ansible 中设置每个任务的权限。
因此,给定剧本scrappy,我想以管理员用户(ubuntu)身份登录,但以用户 scrappy 的身份执行一些操作。
注意:
- scrappy 和 ubuntu 都在
sudoers文件中 - 两者都具有相同的权限集
name ALL=(ALL) ALL - 但是
ubuntu唯一允许登录主机的用户
剧本scrappy.yml:
---
- hosts: fig
name: LogInAsUbuntuButDoSomethingAsScrappy
gather_facts: false
remote_user: ubuntu
vars:
ansible_become_pass: "{{ scrappy.pass }}"
ansible_ssh_private_key_file: "{{ ubuntu_key_path }}"
roles:
- examplerole
任务是:
- name: ScrappyDoesSomething
become_user: scrappy
become: true
apt:
name: python3-pip
state: present
然而,运行上述剧本会导致:
TASK [fig : Run some command as docker user] *********************************************************************
task path: /Users/pnotes/Code/Ansible/example/roles/fig/tasks/main.yml:35
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'echo ~ubuntu && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'/home/ubuntu\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" && echo ansible-tmp-1540132846.970539-145559158546185="` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" ) && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'ansible-tmp-1540132846.970539-145559158546185=/var/tmp/ansible-tmp-1540132846.970539-145559158546185\n', b'')
Using module file /Users/pnotes/.pyenv/versions/3.6.4/lib/python3.6/site-packages/ansible/modules/packaging/os/apt.py
<xx.xxx.xx.xxx> PUT /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce TO /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py
<xx.xxx.xx.xxx> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 '[xx.xxx.xx.xxx]'
<xx.xxx.xx.xxx> (0, b'sftp> put /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'setfacl -m u:rekc:r-x /var/tmp/ansible-tmp-1540132846.970539-145559158546185/ /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 -tt xx.xxx.xx.xxx '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=hegelcumrkxfphxoykzfggauamdrklck] password: " -u rekc /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-hegelcumrkxfphxoykzfggauamdrklck; /usr/bin/env python3.6 /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation failed
fatal: [xx.xxx.xx.xxx]: FAILED! => {
"msg": "Incorrect sudo password"
}
有人能解释一下我这里遗漏了什么吗?谢谢。
答案1
如果该任务需要由 root 运行,则不应该become_user- 这是以没有权限的用户身份运行该任务。
- name: ScrappyDoesSomething
become: true
apt:
name: python3-pip
state: present
在这种情况下,它将是ubuntu请求升级的人,因为他们被设置为remote_user。如果您需要scrappy成为请求升级的人,那么应该将任务remote_user设置为,但仍应为 root。由于远程用户是为剧本设置的,如果您想更改用户,您需要有一个新的剧本。scrappybecome_user
答案2
一个选项是允许用户Ubuntu无需密码即可使用 sudo
ubuntu ALL=(ALL) NOPASSWD: ALL
实际上,这是遵守安全最佳实践的必要条件。在 Ansible 中,最佳实践是让远程用户仅使用 ssh 密钥登录(无密码)。