Ansible:维护sudoers列表的最佳实践 [英] Ansible: best practice for maintaining list of sudoers
问题描述
在文档中,有一个使用lineinfile模块编辑/etc/sudoers的示例.
In the documentation, there is an example of using the lineinfile module to edit /etc/sudoers.
- lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'"
感觉有点骇人听闻.
我认为user模块中将有一些东西可以解决这个问题,但是似乎没有任何选择.
I assumed there would be something in the user module to handle this but there doesn't appear to be any options.
在/etc/sudoers中添加和删除用户的最佳实践是什么?
What are the best practices for adding and removing users to /etc/sudoers?
推荐答案
该行实际上并没有将用户添加到sudoers中,只是确保wheel组可以为所有命令使用无密码的sudo.
That line isn't actually adding an users to sudoers, merely making sure that the wheel group can have passwordless sudo for all command.
关于将用户添加到/etc/sudoers的最佳方法是将用户添加到必要的组,然后为这些组提供对sudo的相关访问权限.当您也不使用Ansible时,也是如此.
As for adding users to /etc/sudoers this is best done by adding users to necessary groups and then giving these groups the relevant access to sudo. This holds true when you aren't using Ansible too.
用户模块允许您指定组的排他性列表或简单地追加将指定的组更改为用户已经拥有的当前组.这自然是幂等的,因为不能多次将用户定义为一个组.
The user module allows you to specify an exclusive list of group or to simply append the specified groups to the current ones that the user already has. This is naturally idempotent as a user cannot be defined to be in a group multiple times.
一个示例游戏可能看起来像这样:
An example play might look something like this:
- hosts: all
vars:
sudoers:
- user1
- user2
- user3
tasks:
- name: Make sure we have a 'wheel' group
group:
name: wheel
state: present
- name: Allow 'wheel' group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
validate: visudo -cf %s
- name: Add sudoers users to wheel group
user:
name: "{{ item }}"
groups: wheel
append: yes
with_items: "{{ sudoers }}"
这篇关于Ansible:维护sudoers列表的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
