revamped become page
its not only for the 'upgrade from 1.8' anymore, become is the official way to do things and now presents as such, no need to know about previous options, but still keep info there for those that were using them..
This commit is contained in:
parent
18094d8595
commit
597638c401
1 changed files with 27 additions and 25 deletions
|
@ -7,49 +7,53 @@ Ansible can use existing privilege escalation systems to allow a user to execute
|
|||
|
||||
Become
|
||||
``````
|
||||
Before 1.9 Ansible mostly allowed the use of `sudo` and a limited use of `su` to allow a login/remote user to become a different user
|
||||
and execute tasks, create resources with the 2nd user's permissions. As of 1.9 `become` supersedes the old sudo/su, while still
|
||||
being backwards compatible. This new system also makes it easier to add other privilege escalation tools like `pbrun` (Powerbroker),
|
||||
`pfexec` and others.
|
||||
Ansible allows you 'become' another user, different from the user that logged into the machine (remote user). This is done existing
|
||||
privilege escalation tools, which you probably already use or have configured, like 'sudo', 'su', 'pfexec', 'doas', 'pbrun' and others.
|
||||
|
||||
|
||||
New directives
|
||||
--------------
|
||||
.. note:: Before 1.9 Ansible mostly allowed the use of `sudo` and a limited use of `su` to allow a login/remote user to become a different user
|
||||
and execute tasks, create resources with the 2nd user's permissions. As of 1.9 `become` supersedes the old sudo/su, while still being backwards compatible.
|
||||
This new system also makes it easier to add other privilege escalation tools like `pbrun` (Powerbroker), `pfexec` and others.
|
||||
|
||||
|
||||
Directives
|
||||
-----------
|
||||
These can be set from play to task level, but are overriden by connection variables as they can be host specific.
|
||||
|
||||
become
|
||||
equivalent to adding `sudo:` or `su:` to a play or task, set to 'true'/'yes' to activate privilege escalation
|
||||
set to 'true'/'yes' to activate privilege escalation.
|
||||
|
||||
become_user
|
||||
equivalent to adding 'sudo_user:' or 'su_user:' to a play or task, set to user with desired privileges
|
||||
set to user with desired privileges, the user you 'become', NOT the user you login as.
|
||||
|
||||
become_method
|
||||
at play or task level overrides the default method set in ansible.cfg, set to 'sudo'/'su'/'pbrun'/'pfexec'/'doas'
|
||||
|
||||
|
||||
New ansible\_ variables
|
||||
-----------------------
|
||||
Each allows you to set an option per group and/or host
|
||||
Connection variables
|
||||
--------------------
|
||||
Each allows you to set an option per group and/or host, these are normally defined in inventory but can be used as normal variables.
|
||||
|
||||
ansible_become
|
||||
equivalent to ansible_sudo or ansible_su, allows to force privilege escalation
|
||||
equivalent of the become directive, decides if privilege escalation is used or not.
|
||||
|
||||
ansible_become_method
|
||||
allows to set privilege escalation method
|
||||
|
||||
ansible_become_user
|
||||
equivalent to ansible_sudo_user or ansible_su_user, allows to set the user you become through privilege escalation
|
||||
allows to set the user you become through privilege escalation
|
||||
|
||||
ansible_become_pass
|
||||
equivalent to ansible_sudo_pass or ansible_su_pass, allows you to set the privilege escalation password
|
||||
allows you to set the privilege escalation password
|
||||
|
||||
|
||||
New command line options
|
||||
------------------------
|
||||
|
||||
--ask-become-pass
|
||||
ask for privilege escalation password
|
||||
--ask-become-pass, -K
|
||||
ask for privilege escalation password, does not imply become will be used
|
||||
|
||||
--become,-b
|
||||
--become, -b
|
||||
run operations with become (no password implied)
|
||||
|
||||
--become-method=BECOME_METHOD
|
||||
|
@ -60,16 +64,14 @@ New command line options
|
|||
run operations as this user (default=root)
|
||||
|
||||
|
||||
sudo and su still work!
|
||||
-----------------------
|
||||
For those from Pre 1.9 , sudo and su still work!
|
||||
------------------------------------------------
|
||||
|
||||
Old playbooks will not need to be changed, even though they are deprecated, sudo and su directives will continue to work though it
|
||||
is recommended to move to become as they may be retired at one point. You cannot mix directives on the same object though, Ansible
|
||||
will complain if you try to.
|
||||
|
||||
Become will default to using the old sudo/su configs and variables if they exist, but will override them if you specify any of the
|
||||
new ones.
|
||||
For those using old playbooks will not need to be changed, even though they are deprecated, sudo and su directives, variables and options
|
||||
will continue to work. It is recommended to move to become as they may be retired at one point.
|
||||
ou cannot mix directives on the same object (become and sudo) though, Ansible will complain if you try to.
|
||||
|
||||
Become will default to using the old sudo/su configs and variables if they exist, but will override them if you specify any of the new ones.
|
||||
|
||||
|
||||
.. note:: Privilege escalation methods must also be supported by the connection plugin used, most will warn if they do not, some will just ignore it as they always run as root (jail, chroot, etc).
|
||||
|
|
Loading…
Reference in a new issue