Repost: Elegant way to run commands on behalf of a list of non-sudo users? `become_flags`? (from Reddit.com)
Team,

I'm a network engineer first, developer second, so my Ansible usage is usually geared towards the network devices side, but I am in a situation where I need to administer a RHEL 8+ dev box for my peers, specifically a multi-user environment, and I am not as familiar with become in the context of a Linux host as I am on the network modules.

I have tried to be as detailed as possible with my ask and what I have tried; my apologies in advance for the verbosity.

My goal is to create bootstrapped dev environments for the users, in their home directories, versus giving them sudo, so I can keep it somewhat deterministic as I teach them. They are also network engineers, and comfortable in Linux, but not ready for the jump to containers, so I'm meeting them halfway with this dev box, so we can get them using Ansible and grow their NetDevOps chops without overwhelming them upfront. I get it, Docker is great for this, but not if I run them all off, so I'm willing to lower the barrier to entry in exchange for larger participation.

Scenario:

AdminUser has sudo access to the dev box, and is running the playbook from an external control node, authenticated to the dev box using an ssh key.

AdminUser would like to install and set up libraries like (pyenv | pipx | poetry, etc) that do not require escalation, because they are meant to be in the user's home directory, and not installed as root, nor system-wide, for a list of many users.

For example's sake, we will refer to a singular user from that list of users as UserB.

While UserB does not have sudo access, AdminUser does have UserB's private ssh key available on the control node if required.

What I've tested so far:

`become: true | become_user: UserB`

Seems to assume that UserB has sudo, because it asks for UserB's credentials as if UserAdmin was trying to escalate as UserB prior to running the command. Am I missing something here, or is this intended? This seems to be useful if I was UserB on the control node without sudo running the playbook, and wanted to `become_user: AdminUser` who does have sudo, so a many-users-to-one situation, but not for a one-to-many-users type of administration, where you are doing something on behalf of many users.

`become: true`

Predictably, does let AdminUser do whatever they want for UserB, but also sets every permission, group, etc. to root unless the module has group and owner contexts, and since most of these installs are done with `ansible.builtin.command`, I would have to chown and chmod excessively in subsequent tasks to give everything back to UserB, so not ideal.

After many hours of searching, I found mention of how to use the `become_flags` for this, and two ways were mentioned, but since it's not documented really well, it felt like a hack, but perhaps is the only way to achieve what I am after, so I wanted to get a second opinion from you all: is this the way? Assuming so, I would then loop at the task level over the list of users and commands:

`become: true | become_flags: "su - -c"`

`become: true | become_flags: "runuser --session-command"`
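
An added example, not part of the original post: one way to express the one-to-many case from the scenario above, with `become_user` templated per loop item and a check that each task really runs as the intended account. It assumes AdminUser's sudoers entry permits running commands as the listed users and that `python3` with pip is present; the host name `devbox`, the `dev_users` variable and UserC are placeholders.

```yaml
# Added example; host name, user list and install command are placeholders.
- name: Bootstrap per-user tooling without granting the users sudo
  hosts: devbox                 # assumed inventory name for the RHEL dev box
  remote_user: AdminUser        # connects with AdminUser's SSH key
  gather_facts: false
  vars:
    dev_users: [UserB, UserC]   # UserC is a constructed second entry
  tasks:
    # Going from one non-root user to another, Ansible has to hand its
    # temporary module files to the target user; setfacl (package "acl")
    # lets it do that without making them world-readable.
    - name: Ensure setfacl is available (runs as root)
      ansible.builtin.package:
        name: acl
        state: present
      become: true

    # sudo is invoked by AdminUser, so by default any password prompt
    # (-K / --ask-become-pass) is for AdminUser's password, and the
    # sudoers rule must allow AdminUser to run commands as these users.
    - name: Confirm which account the task really runs as
      ansible.builtin.command: id -un
      become: true
      become_user: "{{ item }}"
      loop: "{{ dev_users }}"
      register: whoami
      changed_when: false

    - name: Fail early if any loop item did not run as its user
      ansible.builtin.assert:
        that: result.stdout == result.item
      loop: "{{ whoami.results }}"
      loop_control:
        loop_var: result
        label: "{{ result.item }}"

    # Files land in the user's home, owned by that user, so no later
    # chown/chmod pass is needed.
    - name: Install pipx into each user's own home
      ansible.builtin.command: python3 -m pip install --user pipx
      become: true
      become_user: "{{ item }}"
      loop: "{{ dev_users }}"
```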