46
votes

Background

My question seems simple, but it gets more complex really fast.

Basically, I got really tired of maintaining my servers manually (screams in background) and I decided it was time to find a way to make being a server admin much more liveable. That's when I found Ansible. Great, huh? Sure beats making bash scripts (louder scream) for everything I wanted to automate.

What's the problem?

I'm having a lot of trouble figuring out what user my Ansible playbook will run certain things as. I also need the ability to specify what user certain tasks will run as. Here are some specific use cases:

Cloning a repo as another user:

My purpose with this is to run my node.js webapp from another user, who we'll call bill (that can only use sudo to run a script that I made that starts the node server, as opposed to root or my user that can use sudo for all commands). To do this, I need the ability to have Ansible's git module clone my git repo as bill. How would I do that?

Knowing how Ansible will gain root:

As far as I understand, you can set what user Ansible will connect to the server you're maintaining by defining 'user' at the beginning of the playbook file. Here's what I don't understand: if I tell it to connect via my username, joe, and ask it to update a package via the apt module, how will it gain root? Sudo usually prompts me for my password, and I'd prefer keeping it that way (for security).

Final request

I've scoured the Ansible docs, done some (what I thought was thorough) Googling, and generally just tried to figure it out on my own, but this information continues to elude me.

I am very new to Ansible, and while it's mostly straightforward, I would benefit greatly if I could understand exactly how Ansible runs, on which users it runs, and how/where I can specify what user to use at different times.

Thank you tons in advance

3
As you may have noticed, I tagged this with python, which may not be clear immediately. The reason I did that is because a very large portion of all Ansible modules are written in python.

Michael

3 Answers

51
votes

You may find it useful to read the Hosts and Users section on Ansible's documentation site:

http://docs.ansible.com/playbooks_intro.html#hosts-and-users

In summary, ansible will run all commands in a playbook as the user specified in the remote_user variable (assuming you're using ansible >= 1.4, user before that). You can specify this variable on a per-task basis as well, in case a task needs to run as a certain user.

Use sudo: true in any playbook/task to use sudo to run it. Use the sudo_user variable to specify a user to sudo to if you don't want to use root.

In practice, I've found it easiest to run my playbook as a deploy user that has sudo privileges. I set up my SSH keys so I can SSH into any host as deploy without using a password. This means that I can run my playbook without using a password and even use sudo if I need to.

I use this same user to do things like cloning git repos and starting/stopping services. If a service needs to run as a lower-privileged user, I let the init script take care of that. A quick Google search for a node.js init.d script revealed this one for CentOS:

https://gist.github.com/nariyu/1211413

Doing things this way helps to keep it simple, which I like.

Hope that helps.
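To make the three places where a user is chosen concrete, here is an added example playbook, not code from the answer above, written in the remote_user / sudo / sudo_user syntax this answer describes (Ansible 1.4 through 1.8; later releases spell these become / become_user). The host group, the user names joe and bill, the repository URL and the paths are assumptions.

```yaml
---
# Added example (not from the answer): one play, three user contexts.
# Assumed: hosts group 'webservers', SSH user 'joe', service user 'bill',
# and a repository URL that exists only for this example.
- hosts: webservers
  # 1. The SSH login account. Every task runs as this user unless the
  #    task itself asks for sudo. Nothing here is root by default.
  remote_user: joe

  tasks:
    - name: Show which user a plain task runs as (expected: joe)
      command: whoami
      register: plain_user

    - name: Report it
      debug:
        msg: "plain task ran as {{ plain_user.stdout }}"

    # 2. Root-level work: still connect as joe, but run this one task
    #    through sudo. sudo_user defaults to root when it is not set.
    - name: Install git and nodejs
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - git
        - nodejs
      sudo: yes

    # 3. Work that must be owned by the low-privilege account: sudo to
    #    'bill' rather than root, so the checkout belongs to bill and the
    #    app never needs to be started from a root-owned tree.
    - name: Clone the web app as bill
      git:
        repo: "https://example.invalid/org/webapp.git"   # assumed URL
        dest: /home/bill/webapp
        version: master
      sudo: yes
      sudo_user: bill

    - name: Confirm the clone task's identity (expected: bill)
      command: whoami
      sudo: yes
      sudo_user: bill
      register: clone_user

    - name: Report it
      debug:
        msg: "git task ran as {{ clone_user.stdout }}"
```

Run it with `ansible-playbook -i hosts site.yml -K` (`-K` is `--ask-sudo-pass` in these releases), which keeps the sudo password prompt the question wants instead of storing the password anywhere. Two things must already be true on the host for the bill tasks to work: joe's sudoers entry has to permit running commands as bill, not only as root, and `/home/bill` has to be writable by bill. If joe may only sudo to root, the `sudo_user: bill` tasks fail at the sudo step, which is the expected least-privilege outcome rather than an Ansible error.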

7
votes

My 2 cents:

  1. Ansible uses your local user (e.g. Mike) to ssh to the remote machine. (That requires Mike to be able to ssh to the machine)
  2. From there it can change to a remote user if needed
  3. It can also sudo if needed and if Mike is allowed. If no user is specified then root will be selected via your ~/.ansible.cfg on your local machine.
  4. If you supply a remote_user with the sudo param then, like no. 3, it will not use root but that user.

You can specify different situations and different users or sudo via the playbooks.

Playbooks define which roles will be run on each machine that belongs to the inventory selected.

I suggest you read Ansible best practices for some explanation on how to set up your infrastructure.

Oh, and btw, since you are not referring to a specific module that Ansible uses and your question is not related to python, I don't see any use in your question having the python tag.

4
votes

Just a note that Ansible >= 1.9 uses privilege escalation commands so you can execute tasks and create resources as that secondary user if need be:

- name: Install software
  shell: "curl -s get.dangerous_software.install | sudo bash"
  become: yes          # escalation is only applied when become is enabled
  become_user: root    # the account to escalate to (root is also the default)

http://docs.ansible.com/ansible/become.html#become-privilege-escalation
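As an added example in the become syntax this answer points to (Ansible >= 1.9), and not code from the answer itself, the play below sets up the restricted account the question describes: it creates bill, installs a sudoers drop-in that lets bill run exactly one start script, validates that rule with visudo before it is written, and then starts the app as bill rather than root. The group name, the user names, the script path and the sudoers file name are assumptions.

```yaml
---
# Added example (not from the answer): become / become_user with a
# least-privilege sudoers rule. Assumed: hosts group 'webservers',
# SSH user 'joe', service user 'bill', start script
# /usr/local/bin/start-webapp (assumed to exist on the host).
- hosts: webservers
  remote_user: joe        # SSH login account
  become: no              # play-level default: stay as joe

  tasks:
    - name: Create the unprivileged service account
      user:
        name: bill
        shell: /bin/bash
        createhome: yes
      become: yes           # root for this task only

    - name: Allow bill to run nothing but the start script via sudo
      copy:
        dest: /etc/sudoers.d/bill-webapp
        owner: root
        group: root
        mode: "0440"
        content: |
          # Constructed rule for this example: bill may run exactly this
          # one command as root and nothing else.
          bill ALL=(root) NOPASSWD: /usr/local/bin/start-webapp
        validate: "visudo -cf %s"   # reject a broken rule before it lands
      become: yes

    - name: Start the node app as bill (not root)
      command: /usr/local/bin/start-webapp
      become: yes
      become_user: bill     # joe -> bill via the become method (sudo)
```

Run it with `ansible-playbook -i hosts site.yml -K`; in these releases `-K` is `--ask-become-pass`, so joe's sudo password is still prompted for rather than stored. The `validate` step matters more than it looks: a syntax error in a file under `/etc/sudoers.d` can lock every account, including joe, out of sudo on that host, and `visudo -cf` checks the candidate file before copy replaces the real one. Because `become` is off at play level, any task that forgets `become: yes` simply runs as joe and fails on a permission error, which is the safe direction for a mistake.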