Ansible
Seboreia, 2017-02-05 21:08:11

How to run ansible playbooks with limited sudo?

Greetings!
I ran into a problem with elementary operations performed through Ansible. There are several machines with restricted sudo:
user1$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on this host:
    group_plugin=/opt/quest/lib64/libsudo_vas.so, requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:
User user1 may run the following commands on this host:
    (root) /bin/traceroute *
    (root) /usr/sbin/tcpdump *
    (root) /bin/su - user2
    (user2) ALL
    (root) /bin/su - user2, (root) /bin/su - zabbix
    (root) /bin/systemctl * nginx*, (root) /bin/systemctl * keepalived*, (root) /bin/systemctl * mongod*, (root) /bin/systemctl * zabbix*, (root) /bin/nginx-ha-setup
    (root) /bin/systemctl * rabbitmq-server*, (root) /bin/systemctl * svnserve*, (root) /bin/systemctl * httpd*, (root) /bin/systemctl * tomcat-*
    (zabbix) ALL
    (docker) ALL
    (etcdctl) ALL
    (root) /bin/systemctl * haproxy*
And, accordingly, for user2:
user2$ sudo -l
Matching Defaults entries for user2 on this host:
    group_plugin=/opt/quest/lib64/libsudo_vas.so, requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=...\:/usr/bin
User user2 may run the following commands on this host:
    (root) /bin/traceroute *
    (root) /usr/sbin/tcpdump *
    (root) NOPASSWD: /usr/bin/systemctl * kube-apiserver, (root) /usr/bin/systemctl * kube-controller-manager, (root) /usr/bin/systemctl * kube-scheduler, (root)
    /usr/bin/systemctl * kube-proxy, (root) /usr/bin/systemctl * kubelet, (root) /usr/bin/systemctl * docker, (root) /usr/bin/systemctl * flanneld, (root)
    /usr/bin/systemctl * etcd, (root) /usr/bin/systemctl * nginx
    (root) NOPASSWD: /data/nginx_kill_hup.sh
Why it is such a mess is not my question, that is the policy within the company...
Brief summary: I can execute only part of the commands as user1 (and only with a password) and part of the commands as user2 (without entering a password).
All attempts to simply restart nginx fail:
1) ansible -a "systemctl restart nginx" -K 10.8.227.22
SUDO password:
10.8.227.22 | FAILED | rc=1 >>
Failed to restart nginx.service: Interactive authentication required.
2) ansible -a "systemctl restart nginx" -b -K 10.8.227.22
SUDO password:
10.8.227.22 | FAILED | rc=0 >>
MODULE FAILURE
3) ansible -m raw -a "systemctl restart nginx" -b -K 10.8.227.22
SUDO password:
10.8.227.22 | FAILED | rc=1 >>
Sorry, user user1 is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-jbjuxgbogegafznhqwfbjurlpjdvmngk; systemctl restart nginx' as root on vm2.company.net.
4) A playbook doesn't work either:
---
- hosts: 10.8.227.22
  tasks:
    - service: "name=nginx state=restarted"
      name: "restart nginx"
      become: yes
ansible-playbook restart-nginx.yaml -K
SUDO password:
PLAY [10.8.227.22] *************************************************************
TASK [setup] *******************************************************************
ok: [10.8.227.22]
TASK [restart nginx] ***********************************************************
fatal: [10.8.227.22]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "\r\nSorry, user user1 is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-thfyiybjootfvadrtoyhposukqltsmfd;LANG=ru_RU.UTF-8 LC_ALL=ru_RU.UTF-8 LC_MESSAGES=ru_RU.UTF-8 /usr/bin/python /home/user1/.ansible/tmp/ansible-tmp-1486317561.37-213426575430392/service; rm -rf \"/home/user1/.ansible/tmp/ansible-tmp-1486317561.37-213426575430392/\" > /dev/null 2>&1' as root on vm2.company.net.\r\n", "msg": "MODULE FAILURE"}
NO MORE HOSTS LEFT *************************************************************
        to retry, use: --limit @/home/admin/ansible/restart-nginx.
10.8.227.22 : ok=1 changed=0 unreachable=0 failed=1
5) I even tried this:
ansible -m raw -a "sudo systemctl restart nginx" -K
32541 32498  0 21:03 pts/0    00:00:00 sudo systemctl restart nginx
and nothing happens (probably it is waiting for a password). I've been struggling with this for 2 days already and just can't find a workaround. Maybe someone has an idea?

Seboreia, 2017-02-09
@Seboreia

So, I found a workaround on the Internet: fibed.net/2016/10/29/ansible-i-restricted-sudo
In short: you create a connection plugin, put it in the ansible/lib/ansible/plugins/connection/ directory, and in the playbook's connection section select the transport type transport = ssh_sudo (or set transport = ssh_sudo in the main config right away).
The ssh_sudo.py module itself:

import ansible.constants as C
import ansible.plugins.connection.ssh as SSH
try:
    from shlex import quote as shell_quote   # Python 3
except ImportError:
    from pipes import quote as shell_quote   # Python 2


class Connection(SSH.Connection):

    def __init__(self, play_context, *args, **kwargs):
        super(Connection, self).__init__(play_context, *args, **kwargs)
        # Keep the stock become-command builder and hook our own in front of it
        self._make_become_cmd = self._play_context.make_become_cmd
        self._play_context.make_become_cmd = self.make_become_cmd

    def make_become_cmd(self, cmd, executable=None):
        # Call the original first: it also sets play_context.prompt and
        # play_context.success_key, which are reused below
        becomecmd = self._make_become_cmd(cmd, executable=executable)

        # Only commands written as "sudo=<command>" get the unwrapped form;
        # everything else keeps Ansible's normal become wrapper
        if cmd.split('=', 1)[0] == 'sudo':
            command = cmd.split('=', 1)[1]
            exe = self._play_context.become_method
            flags = getattr(C, 'DEFAULT_%s_FLAGS' % exe.upper(), None) or ''
            prompt = self._play_context.prompt
            user = self._play_context.become_user
            success_key = self._play_context.success_key

            # Run the bare command under sudo (no "/bin/sh -c" wrapper, so it can
            # match a sudoers rule such as "/bin/systemctl * nginx*"), then echo the
            # success marker from the outer shell and propagate the exit code
            sudocmd = '%s -k && setsid %s %s -p "%s" -u %s %s; rc=$?; echo %s; exit $rc' % \
                      (exe, exe, flags.replace('-n', ''), prompt, user, command, success_key)

            becomecmd = '$SHELL -c ' + shell_quote(sudocmd)

        return becomecmd
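To see why attempts 3 and 4 in the question are refused while the ssh_sudo plugin's unwrapped command gets through, here is an added example (not from this page, the blog post, or Ansible) that approximates sudoers command matching with fnmatch(3), the matcher sudo uses, against the user1 rules quoted in the question. The secure_path directories are an assumption, since the Defaults line on the page is truncated.

```python
import fnmatch
import shlex

# user1's sudo -l output from the question, as (runas user, command pattern)
USER1_RULES = [
    ("root", "/bin/traceroute *"),
    ("root", "/usr/sbin/tcpdump *"),
    ("root", "/bin/su - user2"),
    ("user2", "ALL"),
    ("root", "/bin/systemctl * nginx*"),
    ("root", "/bin/systemctl * keepalived*"),
    ("zabbix", "ALL"),
]
# Assumption: the Defaults line on the page is truncated; this is a typical secure_path
SECURE_PATH = ["/sbin", "/bin", "/usr/sbin", "/usr/bin"]


def rule_permits(rule, runas, argv):
    """Approximate one sudoers rule: the runas user must match, the resolved
    command path must equal the rule's path, and the remaining arguments
    joined by spaces must match the rule's argument glob via fnmatch(3)."""
    rule_runas, pattern = rule
    if rule_runas != runas:
        return False
    if pattern == "ALL":
        return True
    words = pattern.split(None, 1)
    # sudo resolves a bare command name through secure_path before comparing
    paths = [argv[0]] if argv[0].startswith("/") else [d + "/" + argv[0] for d in SECURE_PATH]
    if words[0] not in paths:
        return False
    if len(words) == 1:          # a rule with no argument pattern allows any arguments
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), words[1])


def sudo_would_allow(rules, runas, command_line):
    """True if any rule lets the invoking user run command_line as runas."""
    argv = shlex.split(command_line)
    return any(rule_permits(r, runas, argv) for r in rules)


# What Ansible's stock become wrapper hands to sudo (attempt 3 in the question)
ANSIBLE_DEFAULT = "/bin/sh -c 'echo BECOME-SUCCESS-xxxx; systemctl restart nginx'"
# What the ssh_sudo connection plugin hands to sudo instead
UNWRAPPED = "systemctl restart nginx"

if __name__ == "__main__":
    print(sudo_would_allow(USER1_RULES, "root", ANSIBLE_DEFAULT))  # /bin/sh is in no rule
    print(sudo_would_allow(USER1_RULES, "root", UNWRAPPED))        # matches /bin/systemctl * nginx*
```

Because user1 also has "(user2) ALL", the same wrapped command is permitted when run as user2, which is why the plugin keeps the stock wrapper for everything not written as sudo=<command>.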

Puma Thailand, 2017-02-06
@opium

In Ansible there is an option to ask for a password and to ask for the sudo password, and as far as I remember you can even set the sudo password in the script file (I don't remember exactly because I don't use passwords anywhere)
https://groups.google.com/forum/#!topic/ansible-pr...

p1dl0, 2018-02-19
@p1dl0

vars_prompt:
  - name: ansible_user
    prompt: "Product deploy user"
    default: "ansible"
  - name: ansible_ssh_pass
    prompt: "Enter ssh password"
    private: yes
  - name: ansible_become_pass
    prompt: "Enter root password"
    private: yes
