mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
[PR #5703/77fde030 backport][stable-6] Add support for host restriction in sudoers module (#5716)
Add support for host restriction in sudoers module (#5703)
* Add support to restrict privileges by host
* Missing comma
* Making linter happy.
* Add version 6.2.0 as when sudoers host parameter added
Co-authored-by: Felix Fontein <felix@fontein.de>
* Changelog fragment for PR #5703
* Test for sudoers host-based restriction
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 77fde030cd
)
Co-authored-by: Laurence <laurence+github@entek.org.uk>
This commit is contained in:
parent
02e6a8608f
commit
bc50b48205
3 changed files with 36 additions and 2 deletions
2
changelogs/fragments/5703-sudoers-host-support.yml
Normal file
2
changelogs/fragments/5703-sudoers-host-support.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
minor_changes:
|
||||||
|
- sudoers - adds ``host`` parameter for setting hostname restrictions in sudoers rules (https://github.com/ansible-collections/community.general/issues/5702).
|
|
@ -43,6 +43,12 @@ options:
|
||||||
- Whether a password will be required to run the sudo'd command.
|
- Whether a password will be required to run the sudo'd command.
|
||||||
default: true
|
default: true
|
||||||
type: bool
|
type: bool
|
||||||
|
host:
|
||||||
|
description:
|
||||||
|
- Specify the host the rule is for.
|
||||||
|
default: ALL
|
||||||
|
type: str
|
||||||
|
version_added: 6.2.0
|
||||||
runas:
|
runas:
|
||||||
description:
|
description:
|
||||||
- Specify the target user the command(s) will run as.
|
- Specify the target user the command(s) will run as.
|
||||||
|
@ -95,10 +101,11 @@ EXAMPLES = '''
|
||||||
|
|
||||||
- name: >-
|
- name: >-
|
||||||
Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics
|
Allow the monitoring group to run sudo /usr/local/bin/gather-app-metrics
|
||||||
without requiring a password
|
without requiring a password on the host called webserver
|
||||||
community.general.sudoers:
|
community.general.sudoers:
|
||||||
name: monitor-app
|
name: monitor-app
|
||||||
group: monitoring
|
group: monitoring
|
||||||
|
host: webserver
|
||||||
commands: /usr/local/bin/gather-app-metrics
|
commands: /usr/local/bin/gather-app-metrics
|
||||||
|
|
||||||
- name: >-
|
- name: >-
|
||||||
|
@ -136,6 +143,7 @@ class Sudoers(object):
|
||||||
self.group = module.params['group']
|
self.group = module.params['group']
|
||||||
self.state = module.params['state']
|
self.state = module.params['state']
|
||||||
self.nopassword = module.params['nopassword']
|
self.nopassword = module.params['nopassword']
|
||||||
|
self.host = module.params['host']
|
||||||
self.runas = module.params['runas']
|
self.runas = module.params['runas']
|
||||||
self.sudoers_path = module.params['sudoers_path']
|
self.sudoers_path = module.params['sudoers_path']
|
||||||
self.file = os.path.join(self.sudoers_path, self.name)
|
self.file = os.path.join(self.sudoers_path, self.name)
|
||||||
|
@ -178,7 +186,13 @@ class Sudoers(object):
|
||||||
commands_str = ', '.join(self.commands)
|
commands_str = ', '.join(self.commands)
|
||||||
nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
|
nopasswd_str = 'NOPASSWD:' if self.nopassword else ''
|
||||||
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
|
runas_str = '({runas})'.format(runas=self.runas) if self.runas is not None else ''
|
||||||
return "{owner} ALL={runas}{nopasswd} {commands}\n".format(owner=owner, runas=runas_str, nopasswd=nopasswd_str, commands=commands_str)
|
return "{owner} {host}={runas}{nopasswd} {commands}\n".format(
|
||||||
|
owner=owner,
|
||||||
|
host=self.host,
|
||||||
|
runas=runas_str,
|
||||||
|
nopasswd=nopasswd_str,
|
||||||
|
commands=commands_str
|
||||||
|
)
|
||||||
|
|
||||||
def validate(self):
|
def validate(self):
|
||||||
if self.validation == 'absent':
|
if self.validation == 'absent':
|
||||||
|
@ -225,6 +239,10 @@ def main():
|
||||||
'type': 'bool',
|
'type': 'bool',
|
||||||
'default': True,
|
'default': True,
|
||||||
},
|
},
|
||||||
|
'host': {
|
||||||
|
'type': 'str',
|
||||||
|
'default': 'ALL',
|
||||||
|
},
|
||||||
'runas': {
|
'runas': {
|
||||||
'type': 'str',
|
'type': 'str',
|
||||||
'default': None,
|
'default': None,
|
||||||
|
|
|
@ -131,6 +131,19 @@
|
||||||
src: "{{ sudoers_path }}/my-sudo-rule-6"
|
src: "{{ sudoers_path }}/my-sudo-rule-6"
|
||||||
register: rule_6_contents
|
register: rule_6_contents
|
||||||
|
|
||||||
|
- name: Create rule to allow user to sudo just on host-1
|
||||||
|
community.general.sudoers:
|
||||||
|
name: my-sudo-rule-7
|
||||||
|
state: present
|
||||||
|
user: alice
|
||||||
|
host: host-1
|
||||||
|
commands: /usr/local/bin/command
|
||||||
|
register: rule_7
|
||||||
|
|
||||||
|
- name: Grab contents of my-sudo-rule-7
|
||||||
|
ansible.builtin.slurp:
|
||||||
|
src: "{{ sudoers_path }}/my-sudo-rule-7"
|
||||||
|
register: rule_7_contents
|
||||||
|
|
||||||
- name: Revoke rule 1
|
- name: Revoke rule 1
|
||||||
community.general.sudoers:
|
community.general.sudoers:
|
||||||
|
@ -229,6 +242,7 @@
|
||||||
- "rule_4_contents['content'] | b64decode == '%students ALL=NOPASSWD: /usr/local/bin/command\n'"
|
- "rule_4_contents['content'] | b64decode == '%students ALL=NOPASSWD: /usr/local/bin/command\n'"
|
||||||
- "rule_5_contents['content'] | b64decode == 'alice ALL=NOPASSWD: /usr/local/bin/command\n'"
|
- "rule_5_contents['content'] | b64decode == 'alice ALL=NOPASSWD: /usr/local/bin/command\n'"
|
||||||
- "rule_6_contents['content'] | b64decode == 'alice ALL=(bob)NOPASSWD: /usr/local/bin/command\n'"
|
- "rule_6_contents['content'] | b64decode == 'alice ALL=(bob)NOPASSWD: /usr/local/bin/command\n'"
|
||||||
|
- "rule_7_contents['content'] | b64decode == 'alice host-1=NOPASSWD: /usr/local/bin/command\n'"
|
||||||
|
|
||||||
- name: Check revocation stat
|
- name: Check revocation stat
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
|
|
Loading…
Reference in a new issue