1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

[PR #5703/77fde030 backport][stable-6] Add support for host restriction in sudoers module (#5716)

Add support for host restriction in sudoers module (#5703)

* Add support to restrict privileges by host

* Missing comma

* Making linter happy.

* Add version 6.2.0 as when sudoers host parameter added

Co-authored-by: Felix Fontein <felix@fontein.de>

* Changelog fragment for PR #5703

* Test for sudoers host-based restriction

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 77fde030cd)

Co-authored-by: Laurence <laurence+github@entek.org.uk>
This commit is contained in:
patchback[bot] 2022-12-20 12:59:26 +01:00 committed by GitHub
parent 02e6a8608f
commit bc50b48205
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 2 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- sudoers - adds ``host`` parameter for setting hostname restrictions in sudoers rules (https://github.com/ansible-collections/community.general/issues/5702).

View file

@ -43,6 +43,12 @@ options:
- Whether a password will be required to run the sudo'd command. - Whether a password will be required to run the sudo'd command.
default: true default: true
type: bool type: bool
host:
description:
- Specify the host the rule is for.
default: ALL
type: str
version_added: 6.2.0
runas: runas:
description: description:
- Specify the target user the command(s) will run as. - Specify the target user the command(s) will run as.
@ -95,10 +101,11 @@ EXAMPLES = '''
- name: >- - name: >-
Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics
without requiring a password without requiring a password on the host called webserver
community.general.sudoers: community.general.sudoers:
name: monitor-app name: monitor-app
group: monitoring group: monitoring
host: webserver
commands: /usr/local/bin/gather-app-metrics commands: /usr/local/bin/gather-app-metrics
- name: >- - name: >-
@ -136,6 +143,7 @@ class Sudoers(object):
self.group = module.params['group'] self.group = module.params['group']
self.state = module.params['state'] self.state = module.params['state']
self.nopassword = module.params['nopassword'] self.nopassword = module.params['nopassword']
self.host = module.params['host']
self.runas = module.params['runas'] self.runas = module.params['runas']
self.sudoers_path = module.params['sudoers_path'] self.sudoers_path = module.params['sudoers_path']
self.file = os.path.join(self.sudoers_path, self.name) self.file = os.path.join(self.sudoers_path, self.name)
@ -178,7 +186,13 @@ class Sudoers(object):
commands_str = ', '.join(self.commands) commands_str = ', '.join(self.commands)
nopasswd_str = 'NOPASSWD:' if self.nopassword else '' nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else '' runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
return "{owner} ALL={runas}{nopasswd} {commands}\n".format(owner=owner, runas=runas_str, nopasswd=nopasswd_str, commands=commands_str) return "{owner} {host}={runas}{nopasswd} {commands}\n".format(
owner=owner,
host=self.host,
runas=runas_str,
nopasswd=nopasswd_str,
commands=commands_str
)
def validate(self): def validate(self):
if self.validation == 'absent': if self.validation == 'absent':
@ -225,6 +239,10 @@ def main():
'type': 'bool', 'type': 'bool',
'default': True, 'default': True,
}, },
'host': {
'type': 'str',
'default': 'ALL',
},
'runas': { 'runas': {
'type': 'str', 'type': 'str',
'default': None, 'default': None,

View file

@ -131,6 +131,19 @@
src: "{{ sudoers_path }}/my-sudo-rule-6" src: "{{ sudoers_path }}/my-sudo-rule-6"
register: rule_6_contents register: rule_6_contents
- name: Create rule to allow user to sudo just on host-1
community.general.sudoers:
name: my-sudo-rule-7
state: present
user: alice
host: host-1
commands: /usr/local/bin/command
register: rule_7
- name: Grab contents of my-sudo-rule-7
ansible.builtin.slurp:
src: "{{ sudoers_path }}/my-sudo-rule-7"
register: rule_7_contents
- name: Revoke rule 1 - name: Revoke rule 1
community.general.sudoers: community.general.sudoers:
@ -229,6 +242,7 @@
- "rule_4_contents['content'] | b64decode == '%students ALL=NOPASSWD: /usr/local/bin/command\n'" - "rule_4_contents['content'] | b64decode == '%students ALL=NOPASSWD: /usr/local/bin/command\n'"
- "rule_5_contents['content'] | b64decode == 'alice ALL=NOPASSWD: /usr/local/bin/command\n'" - "rule_5_contents['content'] | b64decode == 'alice ALL=NOPASSWD: /usr/local/bin/command\n'"
- "rule_6_contents['content'] | b64decode == 'alice ALL=(bob)NOPASSWD: /usr/local/bin/command\n'" - "rule_6_contents['content'] | b64decode == 'alice ALL=(bob)NOPASSWD: /usr/local/bin/command\n'"
- "rule_7_contents['content'] | b64decode == 'alice host-1=NOPASSWD: /usr/local/bin/command\n'"
- name: Check revocation stat - name: Check revocation stat
ansible.builtin.assert: ansible.builtin.assert: