postgresql_user & become_user fails #28433
Comments
Could you run it like this and then run an
I just ran this test:
Actual output:
Huh. Try it with |
Yep... to highlight the relevant line from the above snippet:
sudo -H -S -p "[sudo via ansible, key=imgajdoprytcwdrqvrhxwqcaznxqipgu] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-imgajdoprytcwdrqvrhxwqcaznxqipg
I'm going to continue to follow this in the hopes that someone more experienced with Ansible privilege escalation can enlighten me. The docs don't cover this scenario and I've been unable to replicate it on my system. It's only attempting to become root; it's never attempting to become the postgres user. Unless it's an issue with sudo rules.
@nrwahl2 Thanks for your help so far
sudoers... I connect to the target machines as user ansible and become root
One last question from me: Is that the last line in /etc/sudoers? If not, could you try the playbook again after moving it to the bottom to ensure nothing is taking precedence over it? I doubt that would cause the behavior you're seeing; however, I want to rule out as many procedural/system config issues as possible until someone smarter than I am can jump in and fix this :)
It's not an ordering issue in sudoers, it's something in our inventory (I used a fresh Ansible inventory and the | was in one of the group_vars files which appears to have been causing the problem. This is surely a bug? If a role specifically sets become_user, why is it overridden by a group_var value?
tl;dr: Not a bug, but counter-intuitive. From what I can tell, this behavior is not explicitly documented for privilege escalation. The closest thing I can find in the Privilege Escalation doc is this:
(http://docs.ansible.com/ansible/latest/become.html#only-one-method-may-be-enabled-per-host) But that's not really what we're dealing with here, is it? Further, the Variables doc suggests exactly what you were thinking -- that the role- or task-specific setting should override the host- or group-specific setting:
Shortly after that list, there's a brief aside about
As you can see above, you can still override connection variables like Welp, I've learned a lot tonight. See my own test cases below:
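The precedence the thread arrives at, written out as an added example (not the reporter's playbook or inventory, neither of which is shown). It assumes the group_vars value that caused the override was the connection variable `ansible_become_user`; the file names, the role name and the `foreman_db_password` variable are hypothetical. The point is that a connection variable set on the host or group is applied on top of the `become_user` keyword on the task, so the `postgresql_user` module runs as root, exactly the symptom in the sudo line above, and the least-privilege intent of the role is silently lost.

```yaml
# group_vars/dbservers.yml  (hypothetical file name, constructed for this example)
ansible_user: ansible
ansible_become: yes
ansible_become_user: root      # connection variable: applied over the task keyword below

# roles/foreman_db/tasks/main.yml  (hypothetical)
- name: Create the foreman database user (counter-intuitive form)
  postgresql_user:
    name: foreman
    password: "{{ foreman_db_password }}"
  become: yes
  become_user: postgres        # keyword: overridden by ansible_become_user from group_vars,
                               # so the module runs as root and the connection as postgres
                               # never happens

# Corrected form: state the privilege where it is needed, at the same (variable) level
# that group_vars uses, so normal variable precedence (task vars beat group_vars) applies.
# Alternatively, drop ansible_become_user from group_vars and rely on the keyword.
- name: Create the foreman database user (corrected form)
  postgresql_user:
    name: foreman
    password: "{{ foreman_db_password }}"
  become: yes
  vars:
    ansible_become_user: postgres   # task-level variable wins over the group_vars value
```

A quick check before blaming sudoers in a case like this is to grep the inventory and every `group_vars`/`host_vars` file for `ansible_become` and `ansible_become_user`; anything found there applies to every play and role that touches those hosts, regardless of what the role's own `become_user` says.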
Thanks for persisting with this, your comments have been very helpful.
Indeed, not very intuitive at all.... But a lesson learnt. Thanks again for your help.
notabug
ISSUE TYPE
COMPONENT NAME
postgresql_user
ANSIBLE VERSION
OS / ENVIRONMENT
CentOS 7.3 - CentOS 7.3
SUMMARY
STEPS TO REPRODUCE
EXPECTED RESULTS
PostgreSQL user foreman created
ACTUAL RESULTS
Doesn't become postgres user and fails to connect to database
PostgreSQL server log: