There is an ansible playbook that runs as root (I know that running as root is bad from the start, but there is a good reason for it) and, as root, does its work on a certain number of servers.

There is a PHP admin panel that runs as wwwrun.

I want to run the playbook from a button in the admin panel. That is, the user wwwrun launches a playbook which is executed as root.

So here is the question: is it possible to configure roles in ansible (or by other means?) so that this works without giving the user wwwrun the ability to escalate their privileges?

PS: I read the documentation and searched the Internet; maybe I read badly, of course, but then post a link to where this is written about.

  • The ansible tag is completely unnecessary: the task is to "run a sh script by clicking a link in the site's admin panel" as another user. - AK
  • @AK the tag is needed. How to do it through sudo I already know. The question is whether it can be done without a sh script, by means of ansible itself. - rjhdby

2 answers

Create a script

#!/bin/sh
ansible-playbook ...

In sudoers, add permission for the user wwwrun to run exactly this script:

 wwwrun ALL=(ALL) NOPASSWD: /full/path/to/script 

Technically this is a privilege escalation for the user, but only for one specific command, which, provided there are no rights to edit this script (and the playbook!), is quite acceptable.

Another option is a full-fledged queue with a queue server (overkill for this task, if anything) or something like it. The simplest file-based version:

  • The web front-end creates a file with a specific name somewhere, noting that the playbook needs to be started.

  • A shell script runs from cron, checking whether such a file exists. If it does, it starts the playbook and then deletes the file.

  • Correspondingly, there is a check on the web front-end: if the file is still there, the playbook has not run yet.

Bonus: only one playbook runs at a time. Minus: cron runs at most once a minute.

The questions of why the playbook runs as root and why it has to be this web front-end, I'm not going to touch on.
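As an added example that is not part of the answer above, the two designs it describes written out as POSIX shell functions: run_playbook is the fixed wrapper that the sudoers line points at (it takes no arguments from its caller, so the NOPASSWD rule cannot be turned into a way to run something else), and request_run / process_queue / is_pending are the file-queue variant, with a directory lock so that only one playbook runs at once. QUEUE_DIR, PLAYBOOK and RUNNER are assumed, overridable locations; RUNNER exists only so the real ansible-playbook command can be swapped out when exercising the functions.

```sh
#!/bin/sh
# Added example (not code from either answer): the sudo-wrapper and the
# file-queue designs from the first answer as shell functions.
# QUEUE_DIR, PLAYBOOK and RUNNER are assumptions for illustration.

QUEUE_DIR="${QUEUE_DIR:-/var/spool/playbook-queue}"   # assumed: root-owned, writable by wwwrun
PLAYBOOK="${PLAYBOOK:-/etc/ansible/site.yml}"         # assumed playbook path
RUNNER="${RUNNER:-ansible-playbook}"                   # the real command; swappable for testing

# The script the sudoers rule names: a fixed command line. Arguments from the
# caller are deliberately ignored, so neither sudo nor the web request can
# change what is executed.
run_playbook() {
    "$RUNNER" "$PLAYBOOK"
}

# Web side (runs as wwwrun): only drops a marker file.
# Returns 1 if a run is already pending, so the UI can say so.
request_run() {
    [ -e "$QUEUE_DIR/run-requested" ] && return 1
    : > "$QUEUE_DIR/run-requested"
}

# Web side: the "is the file still there?" check from the answer.
is_pending() {
    [ -e "$QUEUE_DIR/run-requested" ]
}

# Cron side (runs as root, once a minute): at most one playbook at a time.
process_queue() {
    [ -e "$QUEUE_DIR/run-requested" ] || return 0   # nothing requested
    # mkdir is atomic, so an overlapping cron instance simply exits here.
    mkdir "$QUEUE_DIR/running" 2>/dev/null || return 0
    rm -f "$QUEUE_DIR/run-requested"                # consume the request first
    run_playbook
    rc=$?
    rmdir "$QUEUE_DIR/running"
    return $rc
}
```

For the sudo variant, the file sudoers points at would contain only these definitions plus a final `run_playbook` line; for the queue variant, the cron entry calls `process_queue` and the admin panel calls `request_run` and `is_pending`. In both cases the script and the playbook it names must be writable only by root, as the answer says.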

    If you are really interested in the ansible way specifically.

    An ansible script that runs on the server server-ansible-01 under user user01 and does its work on another server, server-web-01, can actually operate under user ansible of server server-web-01. (And server-ansible-01 and server-web-01 can be the same server, which is exactly your case.)

    This is a standard feature of ansible. It is set at the playbook level, not the role, although if desired, other credentials can be specified for individual steps of a role included in the playbook.

    Just specify remote_user in your playbook:

     - name: asdf
       hosts: '{{ target }}'
       remote_user: root
       roles:
         - myrole01

    Also, if you connect to the remote server-ansible-01 as ansible, then you can perform some steps as the apache or root user. Read about become: Become (Privilege Escalation)

    This works in modern versions of ansible (from 1.9, it seems; I have definitely been on 2.1 for a long time); there used to be other directives, sudo_user and sudo, which you can search for in the documentation, I have already refactored my playbooks.

    Questions related to the ability to connect to another server always boil down to correctly setting up ssh keys (I recommend reading my question on this: Ansible: forward ssh-agent and sudo) and partly touch on the issue of passwordless sudo:

     - name: nopasswd sudo for ansible user
       lineinfile: "dest=/etc/sudoers state=present regexp='^{{ ansible_user.login }}' line='{{ ansible_user.login }} ALL=(ALL) NOPASSWD: ALL'"

    I don't much welcome the fact that you want to execute ansible scripts under the root account (all my scripts work quietly without it, and moreover with SELinux enabled); this crutch, if you don't want to clean it up, is your own decision.

    In general, nothing prevents launching a playbook as the user wwwrun and executing the scripts on a "remote" web server (with the same IP) but as root of that web server.

    All of the above concerns running a playbook as another user. But.

    You put a completely different question into your question: "how do I run a sh script from the site's admin panel, but not as the web server's user".

    This question has nothing to do with ansible; the answer was given to you above. If this part of the question is more important to you, then I recommend accepting that answer.

    Moreover, if you want to make the question more specific and set the task "to run not just any script, but an ansible playbook", then you may have difficulties precisely because the user wwwrun has reduced rights for security reasons: you will need to create its own ssh key in /usr/apache and fix much more. I've been through it, I know. It's not that these problems are unsolvable, it's just that lately I've somehow paid more attention to not creating security holes when building solutions, and you have enough holes here.

    • About root. I need to create local users on a fairly large fleet of *nix servers. The set of operating systems: RHEL, SLES, HP-UX. There are only two options: either as root, or create on each of them a user who is allowed to sudo useradd. For some reason the first option is simpler and preferable. - rjhdby
    • Many thanks for the detailed answer. I tossed around for a long time about whom to give the accept mark to, but since I chose the option proposed by @Small anyway and he gave it first, I'm giving it to him. - rjhdby
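Both answers end with a NOPASSWD sudoers line: the first answer's rule for one script, and the second answer's lineinfile task that grants ALL. As an added example that is not part of either answer, the shell functions below generate such a rule as a separate drop-in file under /etc/sudoers.d, scoped to one fixed script rather than ALL, reject inputs that could smuggle extra sudoers syntax into the line, and check the result with visudo -cf when running as root (visudo also checks owner and mode, which only a root-installed file satisfies). A separate fragment per user also avoids the prefix match in the second answer's regexp, where ^ansible would also match a line for an account named ansible2. SUDOERS_D, the 50- prefix and the file naming are assumptions.

```sh
#!/bin/sh
# Added example (not code from either answer): write a per-user sudoers
# drop-in limited to a single script and validate it with visudo.
# SUDOERS_D is an assumption, overridable so the functions can be exercised
# outside /etc.

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# Print the one-line rule; fail if either input could alter its meaning.
sudoers_rule() {
    user="$1"; script="$2"
    case "$user" in
        ''|*[!a-z0-9_-]*) return 1 ;;     # plain account names only
    esac
    case "$script" in
        /*) ;;                            # sudo needs an absolute path
        *) return 1 ;;
    esac
    case "$script" in
        *[[:space:],:=]*) return 1 ;;     # separators sudo would reinterpret
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$script"
}

# Run visudo's syntax check on a fragment if visudo is available.
validate_sudoers_file() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -cf "$1" >/dev/null 2>&1
}

# Write the fragment with mode 0440 and print its path on success.
install_sudoers_rule() {
    user="$1"; script="$2"
    rule=$(sudoers_rule "$user" "$script") || return 1
    target="$SUDOERS_D/50-$user"
    ( umask 337; printf '%s\n' "$rule" > "$target" ) || return 1
    # visudo -c also checks owner and mode, which only a root-owned file
    # passes, so the check is only meaningful when installing as root.
    if [ "$(id -u)" = 0 ]; then
        validate_sudoers_file "$target" || { rm -f "$target"; return 1; }
    fi
    printf '%s\n' "$target"
}
```

Called as `install_sudoers_rule wwwrun /full/path/to/script`, this produces the same grant as the first answer's sudoers line but keeps it out of the main sudoers file and refuses a username or path containing whitespace, commas, colons or equals signs.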