Ansible: have sudo but no root

I’d like to use Ansible to manage the configuration of our Hadoop cluster (running Red Hat).

I have sudo access and can manually ssh into the nodes to execute commands. However, I’m experiencing problems when I try to run Ansible modules to perform the same tasks. Although I have sudo access, I can’t become root. When I try to execute Ansible scripts that require elevated privileges, I get an error like this:

Sorry, user awoolford is not allowed to execute '/bin/bash -c echo BECOME-SUCCESS- […] /usr/bin/python /tmp/ansible-tmp-1446662360.01-231435525506280/copy' as awoolford on [some_hadoop_node].

Looking through the documentation, I thought that the become_allow_same_user property might resolve this, and so I added the following to ansible.cfg:

[privilege_escalation]
become_allow_same_user=yes

Unfortunately, it didn't work.

This post suggests that I need permissions to sudo /bin/sh (or some other shell). Unfortunately, that's not possible for security reasons. Here's a snippet from /etc/sudoers:

root            ALL=(ALL)   ALL
awoolford       ALL=(ALL)   ALL, !SU, !SHELLS, !RESTRICT

Can Ansible work in an environment like this? If so, what am I doing wrong?

Alex Woolford asked Nov 04 '15 18:11


1 Answer

Well, you simply cannot execute /bin/sh or /bin/bash, as your /etc/sudoers shows. What you could do is change Ansible's default shell to something else (the executable variable in ansible.conf).

Since your sudo policy allows everything by default (it does not seem really secure to me), and I suppose Ansible expects an sh-compatible shell, as a really dirty hack you could copy /bin/bash to some other path/name and set the executable variable accordingly (not tested).

Lluís Vilanova answered Oct 05 '22 04:10