Restrict Ansible script module using sudoers on the remote node

Question

I have a playbook that performs some prechecks on the database as the Oracle user. The remote node is an AIX server and so I created a shell script that is ran via the playbook.

---
- hosts: db
  vars_files:
    - ansible_var.yml

  tasks:
    - name: "DB Checks"
      become: True
      become_user: oracle
      script: "{{ db_prechk }}"

On the AIX server, I added the below entry to the sudoers file

ansible ALL=(oracle) NOPASSWD: /tmp/ansible-tmp-*/db_prechecks.sh

But the playbook fails with the error that it's waiting for the privilege escalation prompt.

This runs fine if it is ran as root. However we do not want passwordless root between the Ansible controller and the remote nodes. So we created ansible user on the controller and remote nodes and exchanged the SSH keys.

This also runs if the sudoers entry is just

ansible ALL=(oracle) NOPASSWD: ALL

We do not want to provide full access to the oracle userid via the ansible user id too.

I ran the playbook in the verbose mode and can see that Ansible is copying the script to the remote_tmp dir and is executing it as the oracle userid. In that case the sudoers line should've allowed it to run?

Answer

If you look at the verbose mode output, you will see that the actual command differs from the one you specified in the sudoers file:

<127.0.0.1> SSH: EXEC ssh -o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2202 -o 'IdentityFile="/Users/techraf/devops/testground/debian/.vagrant/machines/debian/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=120 -o ControlPath=/Users/techraf/.ansible/cp/ansible-ssh-%h-%p-%r -tt 127.0.0.1 '/bin/sh -c '"'"'sudo -H -S -n -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh '"'"'"'"'"'"'"'"' && sleep 0'"'"''

So what is executed after sudo -u oracle actually starts with /bin/sh -c.

I managed to filter a working string to:

ansible ALL=(oracle) NOPASSWD: /bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*

But it is based on trial-and-error. I'm not sure yet why * is required between ; and /tmp/... and at the end, but otherwise it does not work.

In both places Ansible added superfluous space characters and it seems to be the reason, as adding a space to a shell command (specified in the sudoers file) does affect the ability to sudo.

You might try with ? instead of *; I will test later.
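The trial-and-error result above can be explained by how sudo matches a sudoers command spec: the spec is split at its first whitespace into a path and an argument string, and the argument string is glob-matched (fnmatch) against the user's arguments joined by single spaces, so every extra space Ansible emits needs a wildcard to absorb it. The following is an added illustration, not code from the question, the answer or sudo itself; it approximates sudo's matching in Python and feeds it the argv that sudo actually sees in the verbose output (note that "&& sleep 0" is run by the outer shell, not under sudo). The last case is a constructed command string showing that the working wildcard spec also accepts commands other than the check script, which is the reason sudoers(5) warns against wildcards in command arguments.

```python
import fnmatch
from typing import List


def sudoers_command_matches(spec: str, argv: List[str]) -> bool:
    """Approximate sudo's command matching for a single sudoers command spec.

    The spec is split at the first whitespace into a path and an optional
    argument string.  The path is globbed against argv[0]; if the spec has
    arguments, the whole argument string is globbed against the user's
    arguments joined by single spaces (sudoers(5), "Wildcards").  sudo also
    resolves and digests the real path; that part is not modelled here.
    """
    parts = spec.split(None, 1)
    spec_path = parts[0]
    spec_args = parts[1] if len(parts) > 1 else None
    if not fnmatch.fnmatchcase(argv[0], spec_path):
        return False
    if spec_args is None:  # no arguments in the spec: any arguments are allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), spec_args)


# argv as sudo sees it in the verbose output above: the -c string carries two
# spaces before /tmp and one trailing space; "&& sleep 0" is outside sudo.
ANSIBLE_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;"
    "  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh ",
]

ORIGINAL_SPEC = "/tmp/ansible-tmp-*/db_prechecks.sh"
WORKING_SPEC = "/bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*"
NO_MIDDLE_STAR = "/bin/sh -c echo BECOME-SUCCESS*; /tmp/ansible-tmp-*/db_prechecks.sh*"
NO_TRAILING_STAR = "/bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh"

# Constructed argv with an unrelated command spliced in: '*' in sudoers
# arguments matches whitespace and ';' too, so the working spec accepts it.
OTHER_ARGV = ["/bin/sh", "-c",
              "echo BECOME-SUCCESS-x; /bin/true; /tmp/ansible-tmp-1/db_prechecks.sh "]

if __name__ == "__main__":
    for name, spec in [("original", ORIGINAL_SPEC), ("working", WORKING_SPEC),
                       ("no middle *", NO_MIDDLE_STAR),
                       ("no trailing *", NO_TRAILING_STAR)]:
        print(f"{name:14s} -> {sudoers_command_matches(spec, ANSIBLE_ARGV)}")
    print(f"{'other command':14s} -> {sudoers_command_matches(WORKING_SPEC, OTHER_ARGV)}")
```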
