Adding User to a Group not reflecting in subsequent tasks #66928

Closed
salecharohit opened this issue Jan 30, 2020 · 4 comments
Labels
affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. module This issue/PR relates to a module. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category

Comments


salecharohit commented Jan 30, 2020

SUMMARY

Privileges of the user do not take effect after adding users to a group.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

user

ANSIBLE VERSION
2.9.4
CONFIGURATION
OS / ENVIRONMENT

Vagrant Version: 2.2.6
vagrant plugin used : vagrant-vbguest (0.22.1, global)
Windows 10
Vagrantfile:

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/bionic64"
  config.vm.network "private_network",  ip: "192.168.33.21"
  config.vm.synced_folder '.', '/vagrant'
  config.vm.box_check_update = false
  config.vbguest.auto_update = false

  config.vm.provider "virtualbox" do |vb|
    vb.name = 'guest'
    vb.memory = 512
    vb.cpus = 1
    vb.gui = false
  end
 
  config.vm.provision "ansible_local" do |ansible|
    ansible.playbook = "ansible/playbook.yml"
    ansible.verbose = true
  end

end
STEPS TO REPRODUCE

Use the above Vagrantfile and the playbook below, and then run vagrant up.

- name: Issue with Ansible Provisioning
  hosts: all
    
  tasks:
  - name: Create a group called test
    group:
      name: test
      state: present
    become: yes

  - name: Print out Command output for groups
    command: groups 

  - name: Add the user 'vagrant' to group test
    user:
      name: vagrant
      append: true
      groups: test
    become: yes

  - name: Print out Command output for groups
    command: groups
EXPECTED RESULTS
  1. Create a group called test
  2. groups command spools out the groups which the current logged-in user (i.e. vagrant) is part of
  3. Add the user 'vagrant' to group 'test' which was created in 1st step.
  4. groups command must spool out user 'vagrant' belonging to group 'test' but doesn't show as such

This creates plenty of issues, as we add the vagrant user to a particular group so that we can run the subsequent tasks using the privileges of that group. Without any choice, we then have to run the subsequent tasks as the root user, which creates security issues.

However, after the provisioning is complete and I log in using 'vagrant ssh', the groups command very well shows the output as

vagrant@ubuntu-bionic:~$ groups
vagrant test

So there is some issue with Ansible not being able to refresh the new groups to which the user has been added.

ACTUAL RESULTS
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'ubuntu/bionic64'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'ubuntu/bionic64' version '20191218.0.0' is up to date...
==> default: Setting the name of the VM: guest
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
    default: Adapter 2: hostonly
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection aborted. Retrying...
    default:
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default:
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Waiting for cleanup before exiting...ubuntu@rohit:~/Desktop/vagrant/ansible-issue$
ubuntu@rohit:~/Desktop/vagrant/ansible-issue$
ubuntu@rohit:~/Desktop/vagrant/ansible-issue$
ubuntu@rohit:~/Desktop/vagrant/ansible-issue$ vagrant destroy -f
==> default: Forcing shutdown of VM...
==> default: Destroying VM and associated drives...
ubuntu@rohit:~/Desktop/vagrant/ansible-issue$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'ubuntu/bionic64'...
==> default: Matching MAC address for NAT networking...
==> default: Setting the name of the VM: guest
==> default: Fixed port collision for 22 => 2222. Now on port 2200.
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
    default: Adapter 2: hostonly
==> default: Forwarding ports...
    default: 22 (guest) => 2200 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2200
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection aborted. Retrying...
    default:
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default:
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: The guest additions on this VM do not match the installed version of
    default: VirtualBox! In most cases this is fine, but in rare cases it can
    default: prevent things such as shared folders from working properly. If you see
    default: shared folder errors, please make sure the guest additions within the
    default: virtual machine match the version of VirtualBox you have installed on
    default: your host and reload your VM.
    default:
    default: Guest Additions Version: 5.2.34
    default: VirtualBox Version: 6.0
==> default: Configuring and enabling network interfaces...
==> default: Mounting shared folders...
    default: /vagrant => C:/Users/rohit/Desktop/vagrant/ansible-issue
==> default: Running provisioner: ansible_local...
    default: Installing Ansible...
Vagrant has automatically selected the compatibility mode '2.0'
according to the Ansible version installed (2.9.4).

Alternatively, the compatibility mode can be specified in your Vagrantfile:
https://www.vagrantup.com/docs/provisioning/ansible_common.html#compatibility_mode

    default: Running ansible-playbook...
cd /vagrant && PYTHONUNBUFFERED=1 ANSIBLE_FORCE_COLOR=true ansible-playbook --limit="default" --inventory-file=/tmp/vagrant-ansible/inventory -v ansible/playbook.yml
Using /etc/ansible/ansible.cfg as config file

PLAY [Issue with Ansible Provisioning] *****************************************

TASK [Gathering Facts] *********************************************************
[DEPRECATION WARNING]: Distribution Ubuntu 18.04 on host default should use
/usr/bin/python3, but is using /usr/bin/python for backward compatibility with
prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See https://docs.ansible.com/ansible/
2.9/reference_appendices/interpreter_discovery.html for more information. This
feature will be removed in version 2.12. Deprecation warnings can be disabled
by setting deprecation_warnings=False in ansible.cfg.
ok: [default]

TASK [Create a group called test] **********************************************
changed: [default] => {"changed": true, "gid": 1002, "name": "test", "state": "present", "system": false}

TASK [Print out Command output for groups] *************************************
changed: [default] => {"changed": true, "cmd": ["groups"], "delta": "0:00:00.004796", "end": "2020-01-30 05:23:01.211284", "rc": 0, "start": "2020-01-30 05:23:01.206488", "stderr": "", "stderr_lines": [], "stdout": "vagrant", "stdout_lines": ["vagrant"]}

TASK [Add the user 'vagrant' to group test] ************************************
changed: [default] => {"append": true, "changed": true, "comment": ",,,", "group": 1000, "groups": "test", "home": "/home/vagrant", "move_home": false, "name": "vagrant", "shell": "/bin/bash", "state": "present", "uid": 1000}

TASK [Print out Command output for groups] *************************************
changed: [default] => {"changed": true, "cmd": ["groups"], "delta": "0:00:00.002372", "end": "2020-01-30 05:23:01.968574", "rc": 0, "start": "2020-01-30 05:23:01.966202", "stderr": "", "stderr_lines": [], "stdout": "vagrant", "stdout_lines": ["vagrant"]}

PLAY RECAP *********************************************************************
default                    : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

ansibot commented Jan 30, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.



ansibot commented Jan 30, 2020

@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category labels Jan 30, 2020

sivel commented Jan 31, 2020

Generally speaking, this is expected. Ansible uses ssh ControlPath for performance, which does not log into the target host between every task. As such, changes to that user like group modifications will not take immediate effect. You may need to use - meta: reset_connection to facilitate your needs: https://docs.ansible.com/ansible/latest/modules/meta_module.html

If you have further questions please stop by IRC or the mailing list:

@sivel sivel closed this as completed Jan 31, 2020
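
The mismatch discussed in this thread (the account database lists the new group, but the already-open session does not carry it) can be checked from inside a task. The following is an added example, not code from the thread or from Ansible; the function names are hypothetical and the sample data is constructed from the gid values shown in the output above (group 1000 for vagrant, gid 1002 for test).

```python
import grp
import os
import pwd


def database_gids(user, primary_gid, group_db):
    """GIDs the account database grants `user`: the primary group plus every
    group whose member list names the user. group_db: (name, gid, members)."""
    gids = {primary_gid}
    gids.update(gid for _name, gid, members in group_db if user in members)
    return gids


def stale_membership(process_gids, user, primary_gid, group_db):
    """Sorted names of groups the database grants but this process lacks."""
    names = {gid: name for name, gid, _members in group_db}
    missing = database_gids(user, primary_gid, group_db) - set(process_gids)
    return sorted(names.get(gid, str(gid)) for gid in missing)


def check_current_process():
    """Run the comparison for the live process against the system database."""
    pw = pwd.getpwuid(os.geteuid())
    db = [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    # os.getgroups() is the supplementary set fixed when the session started;
    # the effective GID is added because it may not be listed there.
    proc = set(os.getgroups()) | {os.getegid()}
    return stale_membership(proc, pw.pw_name, pw.pw_gid, db)


# Constructed sample mirroring the report: the user task has already written
# 'vagrant' into group 'test', but the session was opened before that.
SAMPLE_DB = [("vagrant", 1000, []), ("test", 1002, ["vagrant"])]
SAMPLE_PROCESS_GIDS = [1000]

if __name__ == "__main__":
    print("sample:", stale_membership(SAMPLE_PROCESS_GIDS, "vagrant", 1000, SAMPLE_DB))
    print("live:  ", check_current_process())
```

A non-empty result means the process was started before the membership change, so any task that relies on the new group's privileges will still be denied until a fresh session is opened.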
@salecharohit

So I tried with the suggested - meta: reset_connection, however not much luck. Please view the output below.

PLAY [Issue with Ansible Provisioning] *****************************************

TASK [Gathering Facts] *********************************************************
[DEPRECATION WARNING]: Distribution Ubuntu 18.04 on host default should use
/usr/bin/python3, but is using /usr/bin/python for backward compatibility with
prior Ansible releases. A future Ansible release will default to using the
discovered platform python for this host. See https://docs.ansible.com/ansible/
2.9/reference_appendices/interpreter_discovery.html for more information. This
feature will be removed in version 2.12. Deprecation warnings can be disabled
by setting deprecation_warnings=False in ansible.cfg.
ok: [default]

TASK [Create a group called test] **********************************************
changed: [default] => {"changed": true, "gid": 1002, "name": "test", "state": "present", "system": false}

TASK [Print out Command output for groups] *************************************
changed: [default] => {"changed": true, "cmd": ["groups"], "delta": "0:00:00.003497", "end": "2020-02-03 06:52:49.968317", "rc": 0, "start": "2020-02-03 06:52:49.964820", "stderr": "", "stderr_lines": [], "stdout": "vagrant", "stdout_lines": ["vagrant"]}

TASK [Add the user 'vagrant' to group test] ************************************
changed: [default] => {"append": true, "changed": true, "comment": ",,,", "group": 1000, "groups": "test", "home": "/home/vagrant", "move_home": false, "name": "vagrant", "shell": "/bin/bash", "state": "present", "uid": 1000}
[WARNING]: Reset is not implemented for this connection


TASK [Print out Command output for groups] *************************************
changed: [default] => {"changed": true, "cmd": ["groups"], "delta": "0:00:00.002220", "end": "2020-02-03 06:52:50.450301", "rc": 0, "start": "2020-02-03 06:52:50.448081", "stderr": "", "stderr_lines": [], "stdout": "vagrant", "stdout_lines": ["vagrant"]}

PLAY RECAP *********************************************************************
default                    : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Updated playbook:

- name: Issue with Ansible Provisioning
  hosts: all
    
  tasks:
  - name: Create a group called test
    group:
      name: test
      state: present
    become: yes

  - name: Print out Command output for groups
    command: groups    

  - name: Add the user 'vagrant' to group test
    user:
      name: vagrant
      append: true
      groups: test
    become: yes      

  - meta: reset_connection

  - name: Print out Command output for groups
    command: groups

@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Feb 3, 2020
@ansible ansible locked and limited conversation to collaborators Mar 2, 2020