如何按任务或任务组切换用户? [英] How to switch a user per task or set of tasks?

问题描述

在我的可玩游戏中经常出现的主题是，我经常必须以sudo特权(sudo: yes)执行命令，因为我想为某个用户使用它.理想情况下，我宁愿使用sudo切换到该用户并正常执行命令.因为这样我就不必清理通常的post命令，例如整理目录.这是我其中一部剧本的摘录:

A recurring theme that's in my ansible playbooks is that I often must execute a command with sudo privileges (sudo: yes) because I'd like to do it for a certain user. Ideally I'd much rather use sudo to switch to that user and execute the commands normally. Because then I won't have to do my usual post commands clean up such as chowning directories. Here's a snippet from one of my playbooks:

- name: checkout repo
  git: repo=https://github.com/some/repo.git version=master dest={{ dst }}
  sudo: yes
- name: change perms
  file: dest={{ dst }} state=directory mode=0755 owner=some_user
  sudo: yes

理想情况下，即使需要sudo才能以该用户身份运行命令，也可以以其他用户身份运行命令集.

Ideally I could run commands or sets of commands as a different user even if it requires sudo to su to that user.

推荐答案

使用Ansible 1.9或更高版本

Ansible使用become，become_user和become_method指令来实现特权升级.您可以将它们应用于整个剧本或剧本，可以将它们设置在随附的剧本中，也可以针对特定任务进行设置.

With Ansible 1.9 or later

Ansible uses the become, become_user, and become_method directives to achieve privilege escalation. You can apply them to an entire play or playbook, set them in an included playbook, or set them for a particular task.

- name: checkout repo
  git: repo=https://github.com/some/repo.git version=master dest={{ dst }}
  become: yes
  become_user: some_user

您可以使用become_with指定如何实现特权升级，默认值为sudo.

You can use become_with to specify how the privilege escalation is achieved, the default being sudo.

该指令对使用该指令的块的范围有效(示例).

The directive is in effect for the scope of the block in which it is used (examples).

有关其他示例，请参见主机和用户，并成为(特权升级)以获取更多详细文档.

See Hosts and Users for some additional examples and Become (Privilege Escalation) for more detailed documentation.

除了任务范围的become和become_user指令外，Ansible 1.9还添加了一些新变量和命令行选项，以在没有显式指令的情况下在播放期间设置这些值:

In addition to the task-scoped become and become_user directives, Ansible 1.9 added some new variables and command line options to set these values for the duration of a play in the absence of explicit directives:

• 命令行选项 become/become_user指令.
• 特定于连接的变量，可以针对每个主机或组进行设置.

• Command line options for the equivalent become/become_user directives.
• Connection specific variables which can be set per host or group.

从Ansible 2.0.2.0开始，下面描述的较早的sudo/sudo_user语法仍然有效，但是弃用通知指出:此功能将在以后的版本中删除."

As of Ansible 2.0.2.0, the older sudo/sudo_user syntax described below still works, but the deprecation notice states, "This feature will be removed in a future release."

- name: checkout repo
  git: repo=https://github.com/some/repo.git version=master dest={{ dst }}
  sudo: yes
  sudo_user: some_user

这篇关于如何按任务或任务组切换用户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！