ansible-playbook 可以方便快速的批量执行部署和运维任务,对于不同的场景和服务器,需要使用不同的权限提升方式。
最佳实现:为了提高playbook的兼容性,跟功能没有直接关系的权限提升脚本,不要出现在palybook正文中,可以在ansible-playbook运行的时候,通过-e传入
场景一:我们有服务器的root密码,而且允许root直接登陆。
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='root' ansible_ssh_pass='password'"
#切换到app_user,并执行java程序
- name: run app by java_user
shell: java -jar hello.jar
become: yes
become_method: su
become_user: app_user
场景二:我们有服务器的root密码,但是只允许普通用户user1使用su切换到root。
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='user1' ansible_ssh_pass='user1_password' ansible_become='yes' ansible_become_method='su' ansible_become_user='root' ansible_become_pass='root_password' " -vvv
#切换到app_user,并执行java程序
- name: run app by java_user
shell: java -jar hello.jar
become: yes
become_method: su
become_user: app_user
场景三:我们只有服务器的app_user密码,而且只允许普通用户user1使用su切换到app_user。
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='user1' ansible_ssh_pass='user1_password' ansible_become='yes' ansible_become_method='su' ansible_become_user='app_user' ansible_become_pass='app_user_password' " -vvv
#切换到app_user,并执行java程序
- name: run app by java_user
shell: java -jar hello.jar
become: yes
become_method: su
become_user: app_user
场景四:我们只有user1和password,但是允许使用特定的实用程序切换到root,例如:dzdo su -
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='user1' ansible_ssh_pass='user1_password' ansible_become_exe='dzdo su -' ansible_become='yes' ansible_become_method='su' ansible_become_user='root' ansible_become_pass='user1_password' " -vvv
#切换到app_user,并执行java程序
- name: run app by java_user
shell: java -jar hello.jar
become: yes
become_method: su
become_user: app_user
refer to https://docs.ansible.com/ansible/latest/user_guide/become.html?highlight=become%20method
注意:
1.普通用户user1登录,并且在play级别通过su提权到root,那整个play里的tasks默认都是已root运行,ansible_become_exe保持默认值sudo并且未修改,用户试图切换到user2或者user3 会提示无权限( 我观察message log,tasks 里还是基于user1 切换的,但是user1 到user2和user3 没有免密切换权限 )
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='user1' ansible_ssh_pass='user1_password' ansible_become='yes' ansible_become_method='su' ansible_become_user='root' ansible_become_pass='root_password' " -vvv
# 这里会报错,因为user1无法使用root 密码切换到user2
- name: run a shell command
shell: whoami
become: yes
become_method: su
become_user: user2
2.普通用户user a登录,并且在play级别通过su提权到root,那整个play里的tasks默认都已root运行,ansible_become_exe被修改为新的脚本或者工具(这个工具允许用户无密码切换到普通user b和 user c),我们在tasks里可以直接用become 切换用户到user b 或者 user c。
ansible-playbook -i 'aliyun.lihuanhuan.net,' ./ansible_playbook_test/site.yml -e "ansible_ssh_user='user1' ansible_ssh_pass='user1_password' ansible_become_exe='dzdo su -' ansible_become='yes' ansible_become_method='su' ansible_become_user='root' ansible_become_pass='user1_password' " -vvv
#这里重写了ansible_become_exe =‘dzdo su -’ 而且通过这个工具有权限免密切换到user2,因此这里得到的返回是user2
- name: run a shell command
shell: whoami
become: yes
become_method: su
become_user: user2
3.如果没有了特权,只能获取到普通user1和root 密码,并且只能user1切换到root,而且想通过user2执行命令。
#第一种方式:直接通过ssh key 登录到user2
---
- name: demo1
hosts: "{{ hosts_group }}"
remote_user: "user2"
tasks:
- name: run some command
shell: "whoami"
#第二种方式:通过user1提权到root后,在tasks 里使用sudo临时以user2运行。
- name: run a shell command
shell: sudo -u user2 ls -l