Red Hat SummitChapter 21. Managing sudo access using an Ansible playbook
Learn more about managing sudo access of users in RHEL Identity Management using an Ansible playbook. For details about granting sudo access to users in RHEL Identity Management, see Granting sudo access to an IdM user on an IdM client.
21.1. Using an Ansible playbook to ensure sudo access for an IdM user on an IdM client
In RHEL Identity Management (IdM), you can ensure sudo access to a specific command is granted to an IdM user account on a specific IdM host.
Complete this procedure to ensure a sudo rule named idm_user_reboot exists. The rule grants idm_user the permission to run the /usr/sbin/reboot command on the idmclient machine.
Prerequisites
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
-
You have installed the
freeipa.ansible_freeipacollection. - The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
-
The example assumes that the secret.yml Ansible vault stores your
ipaadmin_passwordand that you have access to a file that stores the password protecting the secret.yml file.
-
The target node, that is the node on which the
freeipa.ansible_freeipamodule is executed, is part of the IdM domain as an IdM client, server or replica. - You have ensured the presence of a user account for idm_user in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the command line, see Adding users using the command line.
-
No local idm_user account exists on idmclient. The idm_user user is not listed in the
/etc/passwdfile on idmclient.
Procedure
Add one or more
sudocommands:Create an
ensure-reboot-sudocmd-is-present.ymlAnsible playbook that ensures the presence of the/usr/sbin/rebootcommand in the IdM database ofsudocommands. To simplify this step, you can copy and modify the example in the/usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/sudocmd/ensure-sudocmd-is-present.ymlfile:--- - name: Playbook to manage sudo command hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: # Ensure sudo command is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/reboot state: present--- - name: Playbook to manage sudo command hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: # Ensure sudo command is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/reboot state: presentCopy to Clipboard Copied! Run the playbook:
ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-reboot-sudocmd-is-present.yml
$ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-reboot-sudocmd-is-present.ymlCopy to Clipboard Copied!
Create a
sudorule that references the commands:Create an
ensure-sudorule-for-idmuser-on-idmclient-is-present.ymlAnsible playbook that uses thesudocommand entry to ensure the presence of a sudo rule. The sudo rule allows idm_user to reboot the idmclient machine. To simplify this step, you can copy and modify the example in the/usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/sudorule/ensure-sudorule-is-present.ymlfile:--- - name: Tests hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: # Ensure a sudorule is present granting idm_user the permission to run /usr/sbin/reboot on idmclient - freeipa.ansible_freeipa.ipasudorule: ipaadmin_password: "{{ ipaadmin_password }}" name: idm_user_reboot description: A test sudo rule. allow_sudocmd: /usr/sbin/reboot host: idmclient.idm.example.com user: idm_user state: present--- - name: Tests hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: # Ensure a sudorule is present granting idm_user the permission to run /usr/sbin/reboot on idmclient - freeipa.ansible_freeipa.ipasudorule: ipaadmin_password: "{{ ipaadmin_password }}" name: idm_user_reboot description: A test sudo rule. allow_sudocmd: /usr/sbin/reboot host: idmclient.idm.example.com user: idm_user state: presentCopy to Clipboard Copied! Run the playbook:
ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-sudorule-for-idmuser-on-idmclient-is-present.yml
$ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-sudorule-for-idmuser-on-idmclient-is-present.ymlCopy to Clipboard Copied!
Verification
Test that the sudo rule whose presence you have ensured on the IdM server works on idmclient by verifying that idm_user can reboot idmclient using sudo. Note that it can take a few minutes for the changes made on the server to take effect on the client.
- Log in to idmclient as idm_user.
Reboot the machine using
sudo. Enter the password for idm_user when prompted:sudo /usr/sbin/reboot
$ sudo /usr/sbin/reboot [sudo] password for idm_user:Copy to Clipboard Copied!
If sudo is configured correctly, the machine reboots.
21.2. Managing multiple IdM sudo rules in a single Ansible task
Using the sudorules option available in the freeipa.ansible_freeipa.ipasudorule collection module, you can ensure the presence or absence of multiple Identity Management (IdM) sudo rules in a single Ansible task. Using the option, you can thus define your sudo rules more easily, and execute them more efficiently.
Prerequisites
On the control node:
- You are using Ansible version 2.15 or later.
-
You have installed the
ansible-freeipapackage. - The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
-
The example assumes that the secret.yml Ansible vault stores your
ipaadmin_passwordand that you have access to a file that stores the password protecting the secret.yml file.
-
The target node, that is the node on which the
freeipa.ansible_freeipamodule is executed, is part of the IdM domain as an IdM client, server or replica.
The example further assumes the following:
- The user01 and user02 users exist in IdM.
- The usergroup01 user group exists in IdM.
- The hostgroup01 and hostgroup02 host groups exist in IdM.
Procedure
Navigate to the ~/MyPlaybooks/ directory:
cd ~/MyPlaybooks/
$ cd ~/MyPlaybooks/Copy to Clipboard Copied! Create an ensure-presence-of-multiple-sudorules-in-a-task.yml file with the following content:
--- - name: Playbook to handle sudorules hosts: ipaserver become: true tasks: # Ensure sudo command name: /usr/sbin/dmidecode is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/dmidecode # Ensure sudo command /usr/sbin/reboot is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/reboot # Ensure sudo command /usr/bin/yum is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/bin/yum # Ensure a sudo command group is present - freeipa.ansible_freeipa.ipasudocmdgroup: ipaadmin_password: "{{ ipaadmin_password }}" name: sudogroup01 sudocmd: - /usr/sbin/dmidecode - /usr/sbin/reboot - name: Ensure multiple sudo rules are present using batch mode freeipa.ansible_freeipa.ipasudorule: ipaadmin_password: "{{ ipaadmin_password }}" sudorules: - name: testrule01 user: - user01 - user02 group: - usergroup01 allow_sudocmd: - /usr/bin/yum allow_sudocmdgroup: - sudogroup01 - name: testrule02 hostgroup: - hostgroup01 - hostgroup02--- - name: Playbook to handle sudorules hosts: ipaserver become: true tasks: # Ensure sudo command name: /usr/sbin/dmidecode is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/dmidecode # Ensure sudo command /usr/sbin/reboot is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/sbin/reboot # Ensure sudo command /usr/bin/yum is present - freeipa.ansible_freeipa.ipasudocmd: ipaadmin_password: "{{ ipaadmin_password }}" name: /usr/bin/yum # Ensure a sudo command group is present - freeipa.ansible_freeipa.ipasudocmdgroup: ipaadmin_password: "{{ ipaadmin_password }}" name: sudogroup01 sudocmd: - /usr/sbin/dmidecode - /usr/sbin/reboot - name: Ensure multiple sudo rules are present using batch mode freeipa.ansible_freeipa.ipasudorule: ipaadmin_password: "{{ ipaadmin_password }}" sudorules: - name: testrule01 user: - user01 - user02 group: - usergroup01 allow_sudocmd: - /usr/bin/yum allow_sudocmdgroup: - sudogroup01 - name: testrule02 hostgroup: - hostgroup01 - hostgroup02Copy to Clipboard Copied! - NOTE
-
Using the
sudorulesoption, you can specify multiplesudorule variables that only apply to a particularsudorule. Thissudorule is defined by thenamevariable, which is the only mandatory variable for thesudorulesoption. In the example, theuser,group,allow_sudocmd, andallow_sudocmdgroupvariables are applied to the testrule01sudorule.
- Save the file.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
ansible-playbook --vault-password-file=password_file -v -i inventory ensure-presence-of-multiple-sudorules-in-a-task.yml
$ ansible-playbook --vault-password-file=password_file -v -i inventory ensure-presence-of-multiple-sudorules-in-a-task.ymlCopy to Clipboard Copied!
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}