Restrict Ansible script module using sudoers on the remote node


Question


I have a playbook that performs some prechecks on the database as the Oracle user. The remote node is an AIX server and so I created a shell script that is run via the playbook.

---
- hosts: db
  vars_files:                 # was "var_files", which Ansible does not recognise
    - ansible_var.yml

  tasks:
    - name: "DB Checks"
      become: True            # keys of the task must be indented under "- name"
      become_user: oracle
      script: "{{ db_prechk }}"   # variable reference needs double braces


On the AIX server, I added the below entry to the sudoers file

 ansible ALL=(oracle) NOPASSWD: /tmp/ansible-tmp-*/db_prechecks.sh


But the playbook fails with the error that it's waiting for the privilege escalation prompt.


This runs fine if it is run as root. However, we do not want passwordless root between the Ansible controller and the remote nodes. So we created an ansible user on the controller and the remote nodes and exchanged the SSH keys.


This also runs if the sudoers entry is just

ansible ALL=(oracle) NOPASSWD: ALL


We do not want to provide full access to the oracle userid via the ansible user id too.


I ran the playbook in the verbose mode and can see that Ansible is copying the script to the remote_tmp dir and is executing it as the oracle userid. In that case the sudoers line should've allowed it to run?

Recommended answer


If you look at the verbose mode output, you will see that the actual command differs from the one you specified in the sudoers file:


<127.0.0.1> SSH: EXEC ssh -o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2202 -o 'IdentityFile="/Users/techraf/devops/testground/debian/.vagrant/machines/debian/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=120 -o ControlPath=/Users/techraf/.ansible/cp/ansible-ssh-%h-%p-%r -tt 127.0.0.1 '/bin/sh -c '"'"'sudo -H -S -n -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh '"'"'"'"'"'"'"'"' && sleep 0'"'"''


So what is executed after sudo -u oracle actually starts with /bin/sh -c.


I managed to filter a working string to:

ansible ALL=(oracle) NOPASSWD: /bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*


But it is based on trial-and-error. I'm not sure yet why * is required between ; and /tmp/... and at the end, but otherwise it does not work.


In both places Ansible added superfluous space characters and it seems to be the reason, as adding a space to a shell command (specified in the sudoers file) does affect the ability to sudo.


You might try with ? instead of *, I will test later
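As an added illustration (not part of the original thread), the following Python models how sudoers matches a rule against the argv sudo is asked to run: the executable is matched first, then the remaining arguments are joined with single spaces and compared as one string with fnmatch(3). The sudo argv is reconstructed from the verbose output above by peeling off the quoting, which is what shows why the two "unexplained" wildcards in the working rule are needed, and why that rule is broader than the script it names.

```python
from fnmatch import fnmatchcase

# Hypothetical model (added here, not sudo's own source) of sudoers command
# matching: match the executable, then fnmatch the rule's argument pattern
# against the remaining argv joined with single spaces. Escaping of ":", "="
# and "," is left out because the rules on this page do not use them.
def sudoers_rule_matches(rule, argv):
    rule_cmd, _, rule_args = rule.partition(" ")
    if not fnmatchcase(argv[0], rule_cmd):
        return False
    if rule_args == "":
        return True  # sudoers: a command listed without args may run with any args
    return fnmatchcase(" ".join(argv[1:]), rule_args)


# The argv that reaches sudo on the remote node, reconstructed from the verbose
# output above: "&& sleep 0" sits outside the sudo call, and Ansible leaves a
# double space after ";" and a trailing space inside the sh -c string.
TOKEN = "BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr"
SCRIPT = "/tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh"
ACTUAL_ARGV = ["/bin/sh", "-c", f"echo {TOKEN};  {SCRIPT} "]

QUESTION_RULE = "/tmp/ansible-tmp-*/db_prechecks.sh"
ANSWER_RULE = "/bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*"
# Same rule with the two extra wildcards dropped: fails on the spaces.
NO_GAP_RULE = "/bin/sh -c echo BECOME-SUCCESS*; /tmp/ansible-tmp-*/db_prechecks.sh"


def check_rules():
    """Which of the three rules admits the argv Ansible really produces."""
    return {name: sudoers_rule_matches(rule, ACTUAL_ARGV)
            for name, rule in (("question", QUESTION_RULE),
                               ("answer", ANSWER_RULE),
                               ("no_gap", NO_GAP_RULE))}


def answer_rule_is_broad():
    """Caveat: the working rule only pattern-matches the sh -c string, so a
    constructed string carrying an extra command (benign `id` here) also matches."""
    other = ["/bin/sh", "-c", "echo BECOME-SUCCESS-x; id; /tmp/ansible-tmp-1/db_prechecks.sh"]
    return sudoers_rule_matches(ANSWER_RULE, other)


if __name__ == "__main__":
    print(check_rules(), answer_rule_is_broad())
```

The question's rule fails because the executable sudo sees is /bin/sh, not the script; the working rule passes only because each extra `*` absorbs a space Ansible inserts.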
