[ansible] – Understanding Configuration file (ansible.cfg) and Privilege Escalation

The following example ansible.cfg is used to illustrate this explanation.

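[defaults]
# User and inventory used when no other is given on the command line
remote_user = myuser
inventory = inventory

[privilege_escalation]
# Escalation is off by default; pass --become to enable it per command
become = False
become_method = sudo
become_user = root
become_ask_pass = False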

The [defaults] section sets the DEFAULT user and hosts (inventory) that are used when an ansible command is executed. So, when the following command is run, Ansible connects via SSH as the user "myuser" to the servers/hosts defined in the inventory (here, those matching myservers) and executes the command cat /etc/myfile on each one.

$ ansible myservers -m command -a 'cat /etc/myfile'

NOTE: In this example, SSH key-based authentication for myuser must already be set up on the machine where Ansible is installed.

However, if an action needs a permission on the host that the default user does not have, this can be defined in the [privilege_escalation] section: after connecting to the server via SSH as the default user, Ansible uses become_method and become_user to change user and execute the command. The following example writes to a file, which requires a permission that myuser doesn't have, so the [privilege_escalation] setup is required.

$ ansible myservers -m copy -a 'content="COPY CONTENT WITH ANSIBLE.\n" dest=/etc/myfile' --become

Why is --become required in the above example?

The --become parameter is used to escalate privileges. If you set become to True in the configuration file, privilege escalation is always performed by default and the --become parameter is no longer required.

Why is become_ask_pass set to False in this example?

It is set to False to indicate that no password should be asked for when the sudo method is called. However, for this to work in this example, the user myuser used to connect must already have been granted the privilege to use the root user.
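The resolution rules described above can be checked before a run. The following is an added example, not part of the original post or of Ansible itself: it parses ansible.cfg text, works out which user a task ends up running as with and without --become, and lists the settings worth a review. The function names effective_become and audit are hypothetical, and the fallback values are assumed to match Ansible's defaults.

```python
import configparser

# Constructed sample: the ansible.cfg from this post, with its two sections.
SAMPLE_CFG = """\
[defaults]
remote_user = myuser
inventory = inventory

[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
"""

PE = "privilege_escalation"

def effective_become(cfg_text, cli_become=False):
    """Resolve which user a task runs as, given ansible.cfg text and --become."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    # Fallbacks are assumed to mirror Ansible's defaults when a key is absent.
    become = cli_become or cp.getboolean(PE, "become", fallback=False)
    login = cp.get("defaults", "remote_user", fallback="<local user>")
    ask = cp.getboolean(PE, "become_ask_pass", fallback=False)
    return {
        "login_user": login,
        "escalates": become,
        "method": cp.get(PE, "become_method", fallback="sudo"),
        "run_as": cp.get(PE, "become_user", fallback="root") if become else login,
        "prompts_for_password": become and ask,
    }

def audit(cfg_text):
    """Return review findings for the privilege-escalation settings."""
    default = effective_become(cfg_text)
    flagged = effective_become(cfg_text, cli_become=True)
    findings = []
    if default["escalates"]:
        findings.append(f"become=True: every task runs as {default['run_as']}, "
                        "even without --become")
    if not flagged["prompts_for_password"]:
        findings.append(f"become_ask_pass=False: {flagged['login_user']} needs "
                        f"password-less {flagged['method']} (or a become password "
                        f"supplied some other way) to become {flagged['run_as']}")
    return findings

if __name__ == "__main__":
    print(effective_become(SAMPLE_CFG, cli_become=True))
    print(*audit(SAMPLE_CFG), sep="\n")
```

With the sample configuration only the become_ask_pass finding is reported; switching become to True adds the second one, because every task then runs as root by default.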

For further information see Understanding Privilege Escalation and Ansible Configuration Settings


