In the documentation, there is an example of using the lineinfile module to edit /etc/sudoers.

- lineinfile: "dest=/etc/sudoers state=present regexp='^%wheel' line='%wheel ALL=(ALL) NOPASSWD: ALL'"

Feels a bit hackish.

I assumed there would be something in the user module to handle this, but there don't appear to be any options.

What are the best practices for adding and removing users to /etc/sudoers?

1 solution

#1


43

That line isn't actually adding any users to sudoers, merely making sure that the wheel group can have passwordless sudo for all commands.

As for adding users to /etc/sudoers this is best done by adding users to necessary groups and then giving these groups the relevant access to sudo. This holds true when you aren't using Ansible too.

The user module allows you to specify an exclusive list of groups or to simply append the specified groups to the current ones that the user already has. This is naturally idempotent as a user cannot be defined to be in a group multiple times.

An example play might look something like this:

- hosts: all
  vars:
    sudoers:
      - user1
      - user2
      - user3
  tasks:
    - name: Make sure we have a 'wheel' group
      group:
        name: wheel
        state: present

    - name: Allow 'wheel' group to have passwordless sudo
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD: ALL'
        validate: visudo -cf %s

    - name: Add sudoers users to wheel group
      user:
        name: "{{ item }}"
        groups: wheel
        append: yes
      with_items: "{{ sudoers }}"
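
The play above only adds users. As an added example (not part of the original answer), the play below uses the exclusive group list the answer mentions to also remove a user from wheel. The names managed_users and developers are hypothetical, and the /etc/sudoers.d/wheel drop-in assumes the main sudoers file includes /etc/sudoers.d.

```yaml
- hosts: all
  become: yes
  vars:
    # Constructed sample data. Each entry lists the COMPLETE set of
    # supplementary groups the user should end up with.
    managed_users:
      - { name: user1, groups: "wheel,developers" }  # keeps sudo
      - { name: user2, groups: "wheel" }             # keeps sudo
      - { name: user3, groups: "developers" }        # sudo revoked: no wheel
  tasks:
    - name: Make sure the groups exist
      group:
        name: "{{ item }}"
        state: present
      with_items:
        - wheel
        - developers

    # Same rule as the answer's lineinfile task, written to a drop-in file
    # (assumption: /etc/sudoers includes /etc/sudoers.d).
    # validate runs visudo on the temporary copy, so a file that fails the
    # syntax check is never moved into place.
    - name: Allow 'wheel' group to have passwordless sudo
      copy:
        dest: /etc/sudoers.d/wheel
        content: "%wheel ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: visudo -cf %s

    # append: no makes 'groups' an exclusive list, so a user who is in
    # wheel on the host but not in their list here is taken out of it.
    - name: Set each user's supplementary groups exactly
      user:
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        append: no
      with_items: "{{ managed_users }}"
```

Because the list is exclusive, any supplementary group left out of a user's entry is removed on the next run, not only wheel.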
