mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
parent
2424d57868
commit
bf0da4aa3c
5 changed files with 19 additions and 8 deletions
|
@ -70,7 +70,7 @@ Run commands in the background, killing the task after 'NUM' seconds.
|
|||
*--become-method=*'BECOME_METHOD'::
|
||||
|
||||
Privilege escalation method to use (default=sudo),
|
||||
valid choices: [ sudo | su | pbrun | pfexec | runas | doas ]
|
||||
valid choices: [ sudo | su | pbrun | pfexec | runas | doas | dzdo ]
|
||||
|
||||
*--become-user=*'BECOME_USER'::
|
||||
|
||||
|
|
|
@ -8,12 +8,12 @@ Ansible can use existing privilege escalation systems to allow a user to execute
|
|||
Become
|
||||
``````
|
||||
Ansible allows you 'become' another user, different from the user that logged into the machine (remote user). This is done using existing
|
||||
privilege escalation tools, which you probably already use or have configured, like 'sudo', 'su', 'pfexec', 'doas', 'pbrun' and others.
|
||||
privilege escalation tools, which you probably already use or have configured, like 'sudo', 'su', 'pfexec', 'doas', 'pbrun', 'dzdo', and others.
|
||||
|
||||
|
||||
.. note:: Before 1.9 Ansible mostly allowed the use of `sudo` and a limited use of `su` to allow a login/remote user to become a different user
|
||||
and execute tasks, create resources with the 2nd user's permissions. As of 1.9 `become` supersedes the old sudo/su, while still being backwards compatible.
|
||||
This new system also makes it easier to add other privilege escalation tools like `pbrun` (Powerbroker), `pfexec` and others.
|
||||
This new system also makes it easier to add other privilege escalation tools like `pbrun` (Powerbroker), `pfexec`, `dzdo` (Centrify), and others.
|
||||
|
||||
.. note:: Setting any var or directive makes no implications on the values of the other related directives, i.e. setting become_user does not set become.
|
||||
|
||||
|
@ -29,7 +29,7 @@ become_user
|
|||
set to user with desired privileges, the user you 'become', NOT the user you login as. Does NOT imply `become: yes`, to allow it to be set at host level.
|
||||
|
||||
become_method
|
||||
at play or task level overrides the default method set in ansible.cfg, set to 'sudo'/'su'/'pbrun'/'pfexec'/'doas'
|
||||
at play or task level overrides the default method set in ansible.cfg, set to 'sudo'/'su'/'pbrun'/'pfexec'/'doas'/'dzdo'
|
||||
|
||||
|
||||
Connection variables
|
||||
|
@ -60,7 +60,7 @@ New command line options
|
|||
|
||||
--become-method=BECOME_METHOD
|
||||
privilege escalation method to use (default=sudo),
|
||||
valid choices: [ sudo | su | pbrun | pfexec | doas ]
|
||||
valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo ]
|
||||
|
||||
--become-user=BECOME_USER
|
||||
run operations as this user (default=root), does not imply --become/-b
|
||||
|
|
|
@ -201,9 +201,9 @@ DEFAULT_SUDO_FLAGS = get_config(p, DEFAULTS, 'sudo_flags', 'ANSIBLE_SUDO_
|
|||
DEFAULT_ASK_SUDO_PASS = get_config(p, DEFAULTS, 'ask_sudo_pass', 'ANSIBLE_ASK_SUDO_PASS', False, boolean=True)
|
||||
|
||||
# Become
|
||||
BECOME_ERROR_STRINGS = {'sudo': 'Sorry, try again.', 'su': 'Authentication failure', 'pbrun': '', 'pfexec': '', 'runas': '', 'doas': 'Permission denied'} #FIXME: deal with i18n
|
||||
BECOME_MISSING_STRINGS = {'sudo': 'sorry, a password is required to run sudo', 'su': '', 'pbrun': '', 'pfexec': '', 'runas': '', 'doas': 'Authorization required'} #FIXME: deal with i18n
|
||||
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas','doas']
|
||||
BECOME_ERROR_STRINGS = {'sudo': 'Sorry, try again.', 'su': 'Authentication failure', 'pbrun': '', 'pfexec': '', 'runas': '', 'doas': 'Permission denied', 'dzdo': ''} #FIXME: deal with i18n
|
||||
BECOME_MISSING_STRINGS = {'sudo': 'sorry, a password is required to run sudo', 'su': '', 'pbrun': '', 'pfexec': '', 'runas': '', 'doas': 'Authorization required', 'dzdo': ''} #FIXME: deal with i18n
|
||||
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas','doas','dzdo']
|
||||
BECOME_ALLOW_SAME_USER = get_config(p, 'privilege_escalation', 'become_allow_same_user', 'ANSIBLE_BECOME_ALLOW_SAME_USER', False, boolean=True)
|
||||
DEFAULT_BECOME_METHOD = get_config(p, 'privilege_escalation', 'become_method', 'ANSIBLE_BECOME_METHOD','sudo' if DEFAULT_SUDO else 'su' if DEFAULT_SU else 'sudo' ).lower()
|
||||
DEFAULT_BECOME = get_config(p, 'privilege_escalation', 'become', 'ANSIBLE_BECOME',False, boolean=True)
|
||||
|
|
|
@ -530,6 +530,12 @@ class PlayContext(Base):
|
|||
#FIXME: make shell independant
|
||||
becomecmd = '%s %s echo %s && %s %s env ANSIBLE=true %s' % (exe, flags, success_key, exe, flags, cmd)
|
||||
|
||||
elif self.become_method == 'dzdo':
|
||||
|
||||
exe = self.become_exe or 'dzdo'
|
||||
|
||||
becomecmd = '%s -u %s %s -c %s' % (exe, self.become_user, executable, success_cmd)
|
||||
|
||||
else:
|
||||
raise AnsibleError("Privilege escalation method not found: %s" % self.become_method)
|
||||
|
||||
|
|
|
@ -131,6 +131,7 @@ class TestPlayContext(unittest.TestCase):
|
|||
pfexec_flags = ''
|
||||
doas_exe = 'doas'
|
||||
doas_flags = ' -n -u foo '
|
||||
dzdo_exe = 'dzdo'
|
||||
|
||||
cmd = play_context.make_become_cmd(cmd=default_cmd, executable=default_exe)
|
||||
self.assertEqual(cmd, default_cmd)
|
||||
|
@ -166,6 +167,10 @@ class TestPlayContext(unittest.TestCase):
|
|||
play_context.become_method = 'bad'
|
||||
self.assertRaises(AnsibleError, play_context.make_become_cmd, cmd=default_cmd, executable="/bin/bash")
|
||||
|
||||
play_context.become_method = 'dzdo'
|
||||
cmd = play_context.make_become_cmd(cmd=default_cmd, executable="/bin/bash")
|
||||
self.assertEqual(cmd, """%s -u %s %s -c 'echo %s; %s'""" % (dzdo_exe, play_context.become_user, default_exe, play_context.success_key, default_cmd))
|
||||
|
||||
class TestTaskAndVariableOverrride(unittest.TestCase):
|
||||
|
||||
inventory_vars = (
|
||||
|
|
Loading…
Reference in a new issue