2

EDIT: This ansible_become_pass: "{{ scrappy.pass }}" #scrappy's password is the source of the problem. Should be password for ubuntu user

I am having a hard time understanding how to set privileges per task in ansible.

So given the playbook scrappy, I want to log in as the admin user (ubuntu) but do something as the user scrappy.

Note that:

  • both scrappy and ubuntu are in the sudoers file
  • both also have the same set of permissions name ALL=(ALL) ALL
  • but ubuntu is the only user allowed to log into the host

Playbook scrappy.yml:

---
- hosts: fig
  name: LogInAsUbuntuButDoSomethingAsScrappy
  gather_facts: false
  remote_user: ubuntu
  vars:   
    ansible_become_pass: "{{ scrappy.pass }}" 
    ansible_ssh_private_key_file: "{{ ubuntu_key_path }}" 

 roles: 
   - examplerole

and the task is:

- name: ScrappyDoesSomething
  become_user: scrappy
  become: true
  apt: 
    name: python3-pip
    state: present

Yet, running the above playbook results in:

TASK [fig : Run some command as docker user] *********************************************************************
task path: /Users/pnotes/Code/Ansible/example/roles/fig/tasks/main.yml:35
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'echo ~ubuntu && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'/home/ubuntu\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" && echo ansible-tmp-1540132846.970539-145559158546185="` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" ) && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'ansible-tmp-1540132846.970539-145559158546185=/var/tmp/ansible-tmp-1540132846.970539-145559158546185\n', b'')
Using module file /Users/pnotes/.pyenv/versions/3.6.4/lib/python3.6/site-packages/ansible/modules/packaging/os/apt.py
<xx.xxx.xx.xxx> PUT /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce TO /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py
<xx.xxx.xx.xxx> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 '[xx.xxx.xx.xxx]'
<xx.xxx.xx.xxx> (0, b'sftp> put /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'setfacl -m u:rekc:r-x /var/tmp/ansible-tmp-1540132846.970539-145559158546185/ /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 -tt xx.xxx.xx.xxx '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=hegelcumrkxfphxoykzfggauamdrklck] password: " -u rekc /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-hegelcumrkxfphxoykzfggauamdrklck; /usr/bin/env python3.6 /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation failed
fatal: [xx.xxx.xx.xxx]: FAILED! => {
    "msg": "Incorrect sudo password"
}

Can someone please explain what I am missing here? Thank you.

SavageSuga
  • 23
  • 7

2 Answers2

2

An option would be to allow the user ubuntu to sudo without a password

ubuntu ALL=(ALL) NOPASSWD: ALL

Actually, this is necessary to comply with security best practices. In Ansible, the best practice is letting remote_user login with an ssh key only (no password).

See Is it insecure to have an ansible user with passwordless sudo?.

Vladimir Botka
  • 5,138
  • 8
  • 20
2

If the task needs to be run by root, it should not have become_user - this is running the task as that user, which does not have the rights to do so.

- name: ScrappyDoesSomething
  become: true
  apt: 
    name: python3-pip
    state: present

In this case it will be ubuntu who requests escalation, since they are set as remote_user. If you need scrappy to be the one who requests escalation, then remote_user should be set to scrappy for the task, but become_user should still be root. Since the remote user is set for a play, you need to have a new play if you want to change users.

Bruce Becker
  • 302
  • 1
  • 4
  • 18