added su capability #744
added su capability #744
Conversation
password, that gets requested automatically.
|
Results: [will@tangerine ansible]$ ansible fake -m shell -a 'whoami | tr "a-z" "A-Z"' -S -U ansitest -u will ansitest password: 127.0.0.2 | success | rc=0 >> ANSITEST |
|
I don't want to encourage any usage of "su" when sudo is available for that purpose. Feels redundant. |
|
It's not redundant. I have no sudo access to the servers I use (I only have certain permissions - if I had full control ansible wouldn't be as compelling as it is!). I can log onto the servers using my account, then su to the account that runs whatever service it is and manage the software that way. I cannot do the same with sudo, I just don't have the privileges. |
|
That's annoying. Please tell your admins/users/customers/etc that I said they have their security priorities messed up. What we may want to do instead is make connections (more) pluggable to where you could easily fork the connection type. I'm also not really comfortable with removal of the random sudo prompt code as it took us a while to get there to where it was decently reliable. |
I have tested this to a reasonable degree, it seems to work well with my use cases.
There are some definite improvements to be made to how configurations are applied, but I've seen you allude to that elsewhere. That would reduce the repeated code in ansible and ansible-playbook. Anyway, one for another time.
This adds a -S command line flag, it currently reuses --sudo_user (-U). It automatically asks for a password for the relevant user.
The one area of contention might be the change to paramiko_ssh - I've removed the random prompt used in the -p argument to sudo so that the same code can be used for sudo and su. If there was a compelling reason for the randbits, it might make sense to use slightly different code paths at that point.