Reputation: 23
I want to make sure that a postgresql database is created.
For this I have a playbook with a postgresql role. The login to the server via ssh uses an unprivileged user, let's name him sshUser. Whenever I want to run a command as a privileged user I use become_user: root. In the config I enabled become_ask_pass for the root user.
- name: Add the user 'postgres'
  user:
    name: postgres
    state: present
  become_user: root

[privilege_escalation]
become_user=root
become_ask_pass=True
Now I want to check for the database as user postgres. In non-Ansible terms I want to become root and then sudo -u postgres psql, since I have the root password but not the postgres password. If I am not root I get "sshUser is not in the sudoers file" when trying this:
- name: Ensure database is created
  postgresql_db:
    name: "{{ db_name }}"
    encoding: UTF-8
    state: present
  become_user: postgres
Is there a way to become user as root?
EDIT: What I've tried so far:
I tried using become: yes globally as well as locally, probably any combination of become_method: su | sudo as well as enabling pipelining and allow_world_readable_tmpfiles in the config.
The errors are either
The last one is a postgresql error, so I am not sure if it is a step closer to where I want to be since it seems to use the correct user. sudo -u postgres psql definitely works though, so I don't know why it should have problems authenticating if the user postgres was logged in correctly.
I am using Ansible 2.5.1, the host I want to install postgresql on is a Debian buster.
Upvotes: 0
Views: 1817
Reputation: 11
You can try to set a new become pass inside the playbook
- name: set password variable
  set_fact:
    ansible_become_pass: "{{ newPassword }}"
Upvotes: 0
Reputation: 23
As larsks mentioned, it is not possible to chain user changes. This is documented at: https://docs.ansible.com/ansible/2.4/become.html#becoming-an-unprivileged-user
Methods cannot be chained. You cannot use sudo /bin/su - to become a user, you need to have privileges to run the command as that user in sudo or be able to su directly to it
I am still looking for a workaround, but for now I will add the sshUser to the sudoers.
Upvotes: 1
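Added example, not part of any post in this thread: one way to apply the sudoers workaround from the answer above while limiting it to the postgres account, so sshUser never gains root through sudo. The host group `db`, the variables `root_password` and `sshuser_password` (assumed to come from an encrypted vars file), the sudoers file name and the `db_name` value are all constructed for illustration.

```yaml
# Added example. Constructed names: group "db", vault variables
# root_password / sshuser_password, sudoers file name, db_name value.
- hosts: db
  remote_user: sshUser
  vars:
    db_name: appdb
  tasks:
    # acl provides setfacl, which lets Ansible share the module's temp file
    # with postgres instead of falling back to world-readable tmpfiles.
    - name: Install sudo and ACL support
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - sudo
        - acl
      become: yes
      become_method: su
      become_user: root
      vars:
        ansible_become_pass: "{{ root_password }}"

    # Runas is restricted to postgres; visudo rejects a broken file
    # before it is installed.
    - name: Let sshUser run commands as postgres only, never as root
      copy:
        dest: /etc/sudoers.d/sshuser-postgres
        content: "sshUser ALL=(postgres) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
      become: yes
      become_method: su
      become_user: root
      vars:
        ansible_become_pass: "{{ root_password }}"

    # A single hop (sshUser to postgres via sudo), so nothing is chained.
    - name: Ensure database is created
      postgresql_db:
        name: "{{ db_name }}"
        encoding: UTF-8
        state: present
      become: yes
      become_method: sudo
      become_user: postgres
      vars:
        ansible_become_pass: "{{ sshuser_password }}"
```

Each task performs exactly one escalation: su needs the root password, while sudo prompts for sshUser's own password, which is why the two tasks use different `ansible_become_pass` values.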
Reputation: 8562
Yes, there is.
https://docs.ansible.com/ansible/latest/user_guide/become.html
Passwords for enable mode
If you need a password to enter enable mode, you can specify it in one of two ways:
providing the --ask-become-pass command line option
setting the ansible_become_pass connection variable
Upvotes: -1