
Ansible weareinteractive.sudo role


weareinteractive.sudo is an Ansible role which:

  • installs sudo
  • configures sudo

Note:

Since Ansible Galaxy now supports organizations, this role has moved from franklinkim.sudo to weareinteractive.sudo!

Installation

Using ansible-galaxy:

$ ansible-galaxy install weareinteractive.sudo

Using requirements.yml:

- src: weareinteractive.sudo

Using git:

$ git clone https://github.com/weareinteractive/ansible-sudo.git weareinteractive.sudo

Dependencies

  • Ansible >= 2.5

Variables

Here is a list of all the default variables for this role, which are also available in defaults/main.yml.

---
# sudo_defaults:
#  - defaults: env_reset
#  - name: user1
#    defaults: requiretty
# sudo_users:
#  - name: '%group1'
#  - name: 'bar'
#    nopasswd: yes
#  - name: '%group2'
#    commands: '/bin/ls'
#  - name: '%group3'
#    commands:
#      - /bin/ls
#      - /bin/df
#  - name: '%group4'
#    hosts: 127.0.0.1

# package name (version)
sudo_package: sudo
# list of username or %groupname
sudo_users: []
# list of username or %groupname and their defaults
sudo_defaults: []
# default sudoers file
sudo_sudoers_file: ansible
# path of the sudoers.d directory
sudo_sudoers_d_path: /etc/sudoers.d
# delete other files in `sudo_sudoers_d_path`
purge_other_sudoers_files: no

Usage

This is an example playbook:

---

- hosts: all
  become: yes
  roles:
    - weareinteractive.sudo
  vars:
    sudo_defaults:
      - defaults: env_reset
      - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      - name: 'user1'
        defaults: 'requiretty'
      - name: '%group1'
        defaults: '!requiretty'
    sudo_users:
      - name: 'user1'
      - name: 'user2'
        nopasswd: yes
      - name: '%group1'
        hosts: 127.0.0.1
      - name: '%group2'
        commands: '/bin/ls'
      - name: '%group3'
        commands:
          - '/usr/bin/ls'
          - '/usr/bin/df'
          - '/usr/bin/mailq'
      - name: '%group4'
        users: 'user1,user2'
        groups: 'group1,group2'
    purge_other_sudoers_files: yes
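The variables above map directly onto sudoers syntax. The following Python is an added example, not code from the role: it renders the documented sudo_defaults / sudo_users schema into sudoers lines and flags entries a reviewer would want to check before the role writes them. The exact line format, the function names and the sample data are assumptions; the role's real Jinja template may differ.

```python
# Added example, not the role's own code: renders the README's sudo_defaults / sudo_users
# schema into sudoers syntax and audits it. Assumption: the role's real template may differ.

def _join(value):
    """Commands and hosts may be a string or a list, as in the README."""
    return ", ".join(value) if isinstance(value, list) else str(value)

def render_defaults(sudo_defaults):
    """'Defaults x' globally, or 'Defaults:user x' / 'Defaults:%group x'."""
    lines = []
    for entry in sudo_defaults:
        scope = ":" + entry["name"] if entry.get("name") else ""
        lines.append(f"Defaults{scope} {entry['defaults']}")
    return lines

def render_users(sudo_users):
    """'who hosts=(runas_users:runas_groups) [NOPASSWD:] commands'."""
    lines = []
    for entry in sudo_users:
        runas = entry.get("users", "ALL")
        if entry.get("groups"):
            runas += ":" + entry["groups"]
        tag = "NOPASSWD: " if entry.get("nopasswd") else ""
        hosts = _join(entry.get("hosts", "ALL"))
        commands = _join(entry.get("commands", "ALL"))
        lines.append(f"{entry['name']} {hosts}=({runas}) {tag}{commands}")
    return lines

def audit(sudo_users):
    """(name, finding) pairs worth reviewing before the role writes the file."""
    findings = []
    for entry in sudo_users:
        cmds = entry.get("commands", "ALL")
        for cmd in (cmds if isinstance(cmds, list) else [cmds]):
            if entry.get("nopasswd") and cmd == "ALL":
                findings.append((entry["name"], "passwordless sudo for every command"))
            elif cmd != "ALL" and not cmd.startswith("/"):
                findings.append((entry["name"], f"{cmd!r} is not an absolute path; sudoers rejects it"))
    return findings

# Constructed sample input: the README playbook's entries plus one bad entry.
SAMPLE_DEFAULTS = [{"defaults": "env_reset"}, {"name": "%group1", "defaults": "!requiretty"}]
SAMPLE_USERS = [
    {"name": "user1"},
    {"name": "user2", "nopasswd": True},
    {"name": "%group1", "hosts": "127.0.0.1"},
    {"name": "%group3", "commands": ["/usr/bin/ls", "/usr/bin/df"]},
    {"name": "%group4", "users": "user1,user2", "groups": "group1,group2"},
    {"name": "ops", "commands": "systemctl"},  # constructed: relative path, invalid
]
```

Running `audit(SAMPLE_USERS)` reports the NOPASSWD-for-everything entry and the relative command path, both of which are worth catching in CI before the role's visudo check or, worse, a live host sees them.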

Testing

$ git clone https://github.com/weareinteractive/ansible-sudo.git
$ cd ansible-sudo
$ make test

Contributing

In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Note: To update the README.md file please install and run ansible-role:

$ gem install ansible-role
$ ansible-role docgen

License

Copyright (c) We Are Interactive under the MIT license.

ansible-sudo's Issues

Create a Host_Alias section in the sudoer file when multiple hosts are specified.

It doesn't look like the sudo_users.hosts variable supports an array. It would be nice to be able to input the hosts as an array and have the role create a Host_Alias section and then reference the Host_Alias in the configuration line:

sudo_users:
  - name: oracle
    hosts:
      - oracle1.example.org
      - oracle2.example.org

Resulting sudoers file:

Host_Alias ORACLE_SERVERS=oracle1.example.org,oracle2.example.org
oracle ORACLE_SERVERS=(root) NOPASSWD: ALL

This would of course rely on #30

Add support for host and command aliases

It would be nice to have support for host and command aliases so that you can use the same alias multiple times in a sudoers file. eg:

Cmnd_Alias ORACLE_CMDS=/bin/ls
Host_Alias ORACLE_SERVERS=oracle1.example.com,oracle2.example.com

%admins ORACLE_SERVERS=(root) NOPASSWD: ORACLE_CMDS

Error while purging non-managed files

Hello,
I'm getting this error even with the example provided on Ansible Galaxy:

- hosts: mdo
  become: yes
  roles:
    - weareinteractive.sudo
  vars:
    sudo_defaults:
      - defaults: env_reset
      - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      - name: 'user1'
        defaults: 'requiretty'
      - name: '%group1'
        defaults: '!requiretty'
    sudo_users:
      - name: 'user1'
      - name: 'user2'
        nopasswd: yes
      - name: '%group1'
        hosts: 127.0.0.1
      - name: '%group2'
        commands: '/bin/ls'
      - name: '%group3'
        commands:
          - '/usr/bin/ls'
          - '/usr/bin/df'
          - '/usr/bin/mailq'
      - name: '%group4'
        users: 'user1,user2'
        groups: 'group1,group2'
    purge_other_sudoers_files: yes

TASK [weareinteractive.sudo : Remove unmanaged /etc/sudoers.d files] **************************************************************************************************
fatal: [mdo]: FAILED! => {"msg": "Unexpected failure in finding the lookup named '{{ sudoers_contents.files }}' in the available lookup plugins"}

ansible --version
ansible 2.4.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, Jun 20 2019, 20:27:34) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

Any help?
Thanks
Regards

Unable to specify run as group parameter

Take the following sudoers entries:

# User privilege specification
deploy    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

The second parameter in the brackets allows a user/group to use sudo -g to set their group membership for the run command.

inconsistent version formats

I think the mix of version formats means that this role cannot easily be installed. The only workaround is to specify a specific version.

- downloading role 'sshd', owned by willshersystems
 [WARNING]: - willshersystems.sshd was NOT installed successfully: Unable to
compare role versions (v0.7.2, 0.2.0, 0.4.1, 0.3.0, 0.4.5, 0.4.3, 0.2.5,
v0.7.1, v0.4.8, v0.4.10, v0.4.9, 0.1.0, 0.5.1, v0.4.7, v0.4.6, v0.6.2, v0.5,
v0.7.0, v0.6.0, 0.4.4, 0.2.3, 0.4.2, 0.4.0, 0.2.1, v0.6.1, 0.2.2, 0.3.1, 0.2.4,
0.3.2) to determine the most recent version due to incompatible version
formats. Please contact the role author to resolve versioning conflicts, or
specify an explicit role version to install.

Would it be possible to settle on one format, and delete the versions that use the other?

Add support for separate /etc/sudoers files

Instead of writing to a monolithic file, it's nice to be able to consolidate like-minded sudo tasks into individual /etc/sudoers files. For example, it's much easier to find sudoers files for oracle stuff if the name of the file is /etc/sudoers.d/oracle.

I think a simple loop in the config.yml task would take care of that.

Ansible lint errors

When I run ansible-lint on this role I get 3 errors. Two of them are in meta/readme.yml.
I wonder if this file is used for something more than information and can be renamed to readme.md?

  1. [701] No 'galaxy_info' found
  2. [204] Lines should be no longer than 160 chars

The third error is resolved in proposed PRs - #18 (cosmetic change) or #19

Multi commands

Please add the following feature:

sudo_users:
  - name: 'example'
    commands:
      - '/usr/bin/ls'
      - '/usr/bin/df'
      - '/usr/bin/mailq'

This helps greatly with the clarity.

failing ansible container build with 1.12.2 release

Hi there,

Our ansible-container build fails with the following error using the latest 1.12.2 release. Downgrading to 1.12.0 fixed the problem. I'm still looking for the exact reason atm, but I'm not experienced in this role's source code. We use centos:latest as the conductor image, Ansible version 2.4.3.0 and ansible-container version 0.9.2.

TASK [weareinteractive.sudo : Remove unmanaged /etc/sudoers.d/ files] **********
task path: /etc/ansible/roles/weareinteractive.sudo/tasks/config.yml:20
fatal: [app]: FAILED! => { "failed": true, "msg": "Unexpected failure in finding the lookup named '{{ sudoers_contents.files }}' in the available lookup plugins" }
    to retry, use: --limit @/tmp/tmpCOujGw/playbook.retry

visudo not in PATH in Debian 10

As far as I know, /usr/sbin/ is not in the PATH anymore in Debian 10 for regular users. Hence, the call to visudo fails, although it is available as /usr/sbin/visudo.

fatal: [172.23.50.246]: FAILED! => {"changed": false, "checksum": "911203c5a64220a807e529e2bb53ffee9b2b6218", "cmd": "visudo -cf /home/tux/.ansible/tmp/ansible-tmp-1563060757.75-52386768038095/source", "msg": "[Errno 2] No such file or directory", "rc": 2}

Ansible 2.8.0 deprecation warnings

Just a heads up. Getting some deprecation warning with 2.8.0:

[DEPRECATION WARNING]: evaluating purge_other_sudoers_files as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future. Also see CONDITIONAL_BARE_VARS configuration toggle.. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Convert to module

Hey, I am fairly new to Ansible, but I am just wondering if there's any reason this couldn't all be converted to a module instead of a role? Would seem a good bit more tidy... Thanks!
