
I’d like to use Ansible to manage the configuration of our Hadoop cluster (running Red Hat).

I have sudo access and can manually ssh into the nodes to execute commands. However, I’m experiencing problems when I try to run Ansible modules to perform the same tasks. Although I have sudo access, I can’t become root. When I try to execute Ansible scripts that require elevated privileges, I get an error like this:

Sorry, user awoolford is not allowed to execute '/bin/bash -c echo BECOME-SUCCESS- […] /usr/bin/python /tmp/ansible-tmp-1446662360.01-231435525506280/copy' as awoolford on [some_hadoop_node].

Looking through the documentation, I thought that the become_allow_same_user property might resolve this, and so I added the following to ansible.cfg:

[privilege_escalation]
become_allow_same_user=yes

Unfortunately, it didn't work.

This post suggests that I need permissions to sudo /bin/sh (or some other shell). Unfortunately, that's not possible for security reasons. Here's a snippet from /etc/sudoers:

root            ALL=(ALL)   ALL
awoolford       ALL=(ALL)   ALL, !SU, !SHELLS, !RESTRICT

Can Ansible work in an environment like this? If so, what am I doing wrong?

Alex Woolford
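Added example, not part of the question or of any answer: Ansible's sudo become method never asks sudo to run the module directly. It asks sudo to start the remote shell (the `executable` setting, default /bin/sh) with `-c` and a command that first echoes a BECOME-SUCCESS marker and then runs the interpreter on the uploaded module file, which is exactly the command line the error above quotes. A sudoers entry that grants ALL but subtracts the shells therefore refuses every become task. The script below rebuilds that argument list and lets `sudo -l` judge it against the policy without executing anything. The marker, the spacing and the interpreter and module paths are placeholders (assumptions); the real values are in the `EXEC` lines that `ansible-playbook -vvvv` prints. Note that sudoers(5) itself warns that subtracting commands from ALL with `!` is not an effective restriction, because the user can copy the excluded binary under another name; the probe tells you what the policy does, not whether it is sound.

```shell
#!/bin/sh
# become_probe.sh (added example; not from the question or from Ansible).
# Rebuilds the command line Ansible's sudo become method hands to sudo and
# asks "sudo -l" whether the policy permits it. Marker text, spacing and the
# interpreter/module paths are assumptions; copy the real ones from the
# "EXEC" lines printed by ansible-playbook -vvvv.

# Argument vector sudo receives (joined with spaces for display and testing):
#   <shell> -c "echo BECOME-SUCCESS-<marker> ; <interpreter> <module>"
become_argv() {
    shell="$1"; interp="$2"; module="$3"; marker="${4:-probe}"
    printf '%s -c echo BECOME-SUCCESS-%s ; %s %s\n' \
        "$shell" "$marker" "$interp" "$module"
}

# "sudo -l <command> [args]" asks the policy whether that exact command line
# is permitted: exit status 0 (and the resolved path) if allowed, 1 if refused.
# -n never prompts for a password, so the probe cannot hang a script.
become_probe() {
    user="$1"; shell="$2"; interp="$3"; module="$4"
    sudo -n -l -u "$user" "$shell" -c "echo BECOME-SUCCESS-probe ; $interp $module"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'allowed: become via %s as %s\n' "$shell" "$user"
    else
        printf 'refused (exit %s): become via %s as %s\n' "$rc" "$shell" "$user"
    fi
    return "$rc"
}

# Usage on a target node, as the user Ansible connects with:
#   BECOME_PROBE_USER=root sh become_probe.sh
#   BECOME_PROBE_USER=root BECOME_SHELL=/some/other/path sh become_probe.sh
# Nothing runs unless BECOME_PROBE_USER is set, so the file can also be sourced.
if [ -n "${BECOME_PROBE_USER:-}" ]; then
    become_probe "$BECOME_PROBE_USER" "${BECOME_SHELL:-/bin/sh}" \
        "${BECOME_PYTHON:-/usr/bin/python}" "/tmp/ansible-tmp-probe/setup"
fi
```

Run it once with the default shell and once with whatever path you intend to set as `executable`; the two exit statuses show directly whether a given sudoers policy is what blocks become, before any playbook is touched.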

4 Answers


Well, you simply cannot execute /bin/sh or /bin/bash as your /etc/sudoers shows. What you could do is change ansible's default shell to something else (variable executable in ansible.conf).

Since your sudo policy allows everything by default (does not seem really secure to me), and I suppose ansible expects an sh-compatible shell, as a really dirty hack you could copy /bin/bash to some other path/name and set the executable variable accordingly (not tested).

Lluís Vilanova

In the playbook (some.yml) file, set

runthisplaybook.yml

---
- hosts: label_which_will_work_on_some_servers
  sudo: yes

  roles: 
    - some_role_i_want_to_run

Next, in the role's tasks/main.yml, for the action which you have to run as sudo, use something like become_user (where common_user is a variable defined in some role's defaults/main.yml file as common_user: "this_user_can_sudo"):

- name: Run chkconfig on init script
  command: "sudo -u root /sbin/chkconfig --add tomcat" 

# Set execute permission on run_jmeter_test.sh
- name: Set execute permission on run_jmeter_test.sh
  command: "chmod -R 755 {{ jmeter_perf_tests_results }}"
  become_user: "{{ common_user }}"

# OR Set execute permission on run_jmeter_test.sh
- name: Set execute permission on run_jmeter_test.sh
  command: "sudo -u firstuser sudo -u seconduser chmod -R 755 {{ jmeter_perf_tests_results }}"
  become_user: "{{ common_user }}"

# OR Set execute permission on run_jmeter_test.sh
- name: Set execute permission on run_jmeter_test.sh
  command: "chmod -R 755 {{ jmeter_perf_tests_results }}"
  become_user: "{{ common_user }}"

PS: While running ansible-playbook,

ansible-playbook runthisplaybook.yml --sudo-user=this_user_can_sudo -i hosts.yml -u user_which_will_connect_from_source_machine --private-key ${DEPLOYER_KEY_FILE} --extra-vars "target_svr_type=${server_type} deploy_environment=${DEPLOY_ENVIRONMENT} ansible_user=${ANSIBLE_USER}"

AKS

After researching the subject, as of Ansible 2.8 it doesn't seem there is a way to run commands as a different user using become without root permissions.

There's another way to achieve what you were asking without being so, how to put it, 'hacky'.

You can use the shell module with sudo su - <user> -c "COMMAND" to execute a command as a different user, without the need for root access to the original user.

For example,

---
- hosts: target_host

  tasks:
  - shell: 'sudo su EXEC_USER -c "whoami"'
    register: x

  - debug:
      msg: "{{ x.stdout_lines }}"   # This returns EXEC_USER

However, if your play is complex, you would need to break it down and wrap only the commands that are required to be executed as different user.

This isn't best practice (using sudo + shell instead of become), however that's a solution, and in my opinion a better one than creating a dummy shell on every node you manage.

Chen A.
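Added example, not the answer's code: the `sudo su - USER -c COMMAND` string the answer passes to the shell module is templated by Ansible and then parsed by two shells, the remote /bin/sh the shell module starts and the login shell su starts for `-c`. Any value spliced in from a variable must therefore be quoted for the shell, or a crafted value breaks out of the inner command. The script below shows the naive composition beside a hardened one that quotes both pieces; the account name and the commands are placeholders, and the example assumes the sudoers policy lets the connecting user run su, which the policy in the question (`!SU`) does not.

```shell
#!/bin/sh
# run_as.sh (added example; not the answer's code). Builds the
# "sudo su - USER -c COMMAND" line the answer uses, with and without shell
# quoting, so the effect of an unquoted variable is visible. Account name
# and commands are placeholders; assumes sudoers permits su.

# Wrap a string in single quotes for a POSIX shell, turning every embedded
# single quote into '\'' so the result is always exactly one word.
sh_quote() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"      # first character of $s
        s="${s#?}"             # the rest
        case "$c" in
            "'") out="$out'\\''" ;;
            *)   out="$out$c" ;;
        esac
    done
    printf "'%s'" "$out"
}

# Naive composition, the way a templated 'sudo su - {{ user }} -c "{{ cmd }}"'
# ends up: a double quote inside cmd ends the -c argument early and whatever
# follows runs as the connecting user, outside su. Shown only as the failure
# case; do not use.
naive_cmd() {
    printf 'sudo -n su - %s -c "%s"\n' "$1" "$2"
}

# Hardened composition: both dynamic pieces pass through sh_quote, so the user
# name is one argument to su and the command is one argument to its -c.
run_as_cmd() {
    printf 'sudo -n su - %s -c %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# Execute the hardened form. eval stands in for the remote /bin/sh -c that the
# shell module uses; -n makes sudo fail fast instead of waiting for a password.
run_as() {
    eval "$(run_as_cmd "$1" "$2")"
}

# Show both forms for a command value that carries a quote and a semicolon.
# Only the hardened line keeps "id" inside the -c argument.
naive_cmd  hdfs 'whoami"; id; "'
run_as_cmd hdfs 'whoami"; id; "'
```

In a playbook the same quoting is done by the `quote` filter, e.g. `shell: sudo -n su - {{ exec_user | quote }} -c {{ cmd | quote }}`; the point of the script is to show what that filter protects against.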

I think sudo: yes is now deprecated and replaced with become: yes

---
- hosts: servers_on_which_you_want_to_run
  become: yes

  roles: 
    - some_role

The simplest solution is just to create an ansible.cfg in your playbook directory with the following content, if it doesn't accept the root user:

[defaults]
sudo_user      = UsernameToWhichYouWantToUse

Hope this will solve your problem.

Arbab Nazar