Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ansible: best practice for maintaining list of sudoers

In the documentation, there is an example of using the lineinfile module to edit /etc/sudoers.

- lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'" 

Feels a bit hackish.

I assumed there would be something in the user module to handle this but there doesn't appear to be any options.

What are the best practices for adding and removing users to /etc/sudoers?

like image 842
chishaku Avatar asked Oct 27 '15 03:10

chishaku


People also ask

What is way to mention sudo privileges in Ansible?

To specify a password for sudo, run ansible-playbook with --ask-become-pass ( -K for short). If you run a playbook utilizing become and the playbook seems to hang, most likely it is stuck at the privilege escalation prompt. Stop it with CTRL-c , then execute the playbook with -K and the appropriate password.

Does Ansible sudo need Passwordless?

Ansible is intended for automating administrative tasks, so generally needs top-level (root) level access hence "passwordless sudo". If you only need it to run a subset of the commands available on your system though, you can lock it down to just those commands with a more detailed sudo configuration.

Should I run Ansible as root?

Note: Ansible does not require root access; however, if you choose to use a non-root user, you must configure the appropriate sudo permissions for the tasks you want to accomplish. You will be prompted for the root password for servera, which will allow your SSH key to be installed on the remote host.


1 Answers

That line isn't actually adding an users to sudoers, merely making sure that the wheel group can have passwordless sudo for all command.

As for adding users to /etc/sudoers this is best done by adding users to necessary groups and then giving these groups the relevant access to sudo. This holds true when you aren't using Ansible too.

The user module allows you to specify an exclusive list of group or to simply append the specified groups to the current ones that the user already has. This is naturally idempotent as a user cannot be defined to be in a group multiple times.

An example play might look something like this:

- hosts: all   vars:     sudoers:       - user1       - user2       - user3   tasks:     - name: Make sure we have a 'wheel' group       group:         name: wheel         state: present      - name: Allow 'wheel' group to have passwordless sudo       lineinfile:         dest: /etc/sudoers         state: present         regexp: '^%wheel'         line: '%wheel ALL=(ALL) NOPASSWD: ALL'         validate: visudo -cf %s      - name: Add sudoers users to wheel group       user:         name: "{{ item }}"         groups: wheel         append: yes       with_items: "{{ sudoers }}" 
like image 73
ydaetskcoR Avatar answered Sep 21 '22 07:09

ydaetskcoR