
We're in the position of maintaining multiple database servers, which have one of two admin accounts, and which use password authentication. Let's say that the two accounts are "db_admin" and "db_user". The passwords are the same for all examples of each username, but different between the two usernames, i.e. the password for all hosts where the username is db_admin is "password1", and the password for all hosts where the username is db_user is "password2".

How can I run playbooks (or even ad-hoc commands) against all hosts? I can set ansible_ssh_user in the inventory, and use -k on the command line, but this prompts only once for the password, which will therefore be wrong for half the hosts. I could repeat the ansible run, of course, specifying a different host group each time, but I'd like to do it in a single pass.

Aside: Please, I would much prefer key-based authentication; this is not currently an option. I'd also like to (using Ansible, of course) edit /etc/{passwd,shadow,group} and change the username to be the same on all hosts, but that's not possible (and might break other things which rely on, for example, an "scp file db_user@host" rather than "scp db_admin@host"). Thirdly, I'd like to go back in time and prevent the divergence in the first place, but none of these are options yet.

techraf
Graham Nicholls

2 Answers

Define the user and password in host_vars for each host or in group_vars for each host group.

You need to define appropriate parameters listed here, i.e.:

ansible_user: The default ssh user name to use.

ansible_ssh_pass: The ssh password to use. (Requires sshpass.)

Per guidance you should encrypt the values with Ansible Vault.

techraf
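A concrete layout for this answer, as an added example that is not part of the original post: the inventory splits hosts by which shared account they use, and each group_vars file carries that group's ansible_user and a Vault-encrypted ansible_ssh_pass. Host names and file names are placeholders, and the vault ciphertext stands in for the real output of ansible-vault encrypt_string.

```yaml
# file: inventory.yml  (constructed example; host names are placeholders)
all:
  children:
    db_admin_hosts:
      hosts:
        dbserver1.example.com:
        dbserver2.example.com:
    db_user_hosts:
      hosts:
        dbserver3.example.com:
        dbserver4.example.com:
---
# file: group_vars/db_admin_hosts.yml
# Every host in this group is reached as db_admin with the shared password.
# The password is never stored in clear text: encrypt it once with
#   ansible-vault encrypt_string 'password1' --name ansible_ssh_pass
# and paste the printed !vault block here (placeholder shown).
ansible_user: db_admin
ansible_ssh_pass: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  <ciphertext from ansible-vault encrypt_string goes here>
---
# file: group_vars/db_user_hosts.yml
# Same pattern for the db_user hosts, with their own shared password.
ansible_user: db_user
ansible_ssh_pass: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  <ciphertext from ansible-vault encrypt_string goes here>
```

With sshpass installed on the control node, a single pass such as `ansible -i inventory.yml all -m ping --ask-vault-pass` prompts once for the vault password and picks the right SSH user and password per group from group_vars, so -k is no longer needed.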

Create a personal, non-privileged user for you or whoever runs these plays. Use the same credentials, such as configuring auth against a directory, or deploying an ssh key.

Install sudo rules so that this personal user can run commands as db_admin or db_user.

Set become_user in host_vars or inventory to db_admin or db_user as appropriate. Set ansible_user to your personal user at a global level (playbook vars, or group_vars/all). Set become: True on tasks run as the admin user.

This way, it's clear who ran the play, and you do not have to change shared credentials.

John Mahowald