Chapter 28. Using the sudo system role
As an administrator, you can consistently configure the /etc/sudoers files on multiple systems by using the sudo RHEL system role.
28.1. Applying custom sudoers configuration by using RHEL system roles
You can use the sudo RHEL system role to apply custom sudoers configuration on your managed nodes. That way, you can define which users can run which commands on which hosts, with better configuration efficiency and more granular control.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
- The account you use to connect to the managed nodes has sudo permissions on them.
Procedure
Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: "Configure sudo"
      hosts: managed-node-01.example.com
      tasks:
        - name: "Apply custom /etc/sudoers configuration"
          ansible.builtin.include_role:
            name: rhel-system-roles.sudo
          vars:
            sudo_sudoers_files:
              - path: "/etc/sudoers"
                user_specifications:
                  - users:
                      - <user_name>
                    hosts:
                      - <host_name>
                    commands:
                      - <path_to_command_binary>
The settings specified in the playbook include the following:
- users: The list of users that the rule applies to.
- hosts: The list of hosts that the rule applies to. You can use ALL for all hosts.
- commands: The list of commands that the rule applies to. You can use ALL for all commands.
For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.sudo/README.md file on the control node.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
On the managed node, verify that the playbook applied the new rules.
# cat /etc/sudoers | tail -n1
<user_name> <host_name>= <path_to_command_binary>
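The syntax check earlier in the procedure accepts any valid sudoers content, including rules that are far broader than intended, so a post-deployment review of the user specifications the role wrote is worthwhile. The following is an added example, not code from Red Hat's documentation or from the sudo role: it parses user specification lines in the form shown in the verification step and flags grants of ALL commands, ALL hosts, or NOPASSWD. The sample sudoers content is constructed for illustration.

```python
import re
from typing import List, NamedTuple

class SudoRule(NamedTuple):
    users: List[str]
    hosts: List[str]
    commands: List[str]
    nopasswd: bool

# One user specification as the role writes it: "<users> <hosts>= [(runas)] [TAG:] <commands>"
_SPEC = re.compile(r"^(?P<users>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?P<rest>.+)$")
_SKIP = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_user_specs(sudoers_text: str) -> List[SudoRule]:
    """Return the user specifications in sudoers text; comments, Defaults and aliases are skipped."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(_SKIP):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m.group("rest"))  # drop an optional (runas) group
        nopasswd = rest.startswith("NOPASSWD:")
        rest = re.sub(r"^(NOPASSWD|PASSWD|NOEXEC|SETENV):\s*", "", rest)  # drop a leading tag
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append(SudoRule(m.group("users").split(","), m.group("hosts").split(","), commands, nopasswd))
    return rules

def audit_rules(rules: List[SudoRule]) -> List[str]:
    """Flag rules that are valid sudoers syntax but broader than a per-command grant."""
    findings = []
    for r in rules:
        who = f"{','.join(r.users)} on {','.join(r.hosts)}"
        if "ALL" in r.commands:
            findings.append(f"{who}: grants ALL commands")
        if "ALL" in r.hosts:
            findings.append(f"{who}: applies to ALL hosts")
        if r.nopasswd:
            findings.append(f"{who}: NOPASSWD, runs without authentication")
    return findings

# Constructed sample sudoers content, not taken from any real host
SAMPLE_SUDOERS = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
deploy  web01.example.com= /usr/bin/systemctl restart httpd
backup  ALL= NOPASSWD: /usr/bin/rsync
"""
```

Run it against the contents of /etc/sudoers on a managed node after the playbook has been applied; an empty findings list means every rule is a specific command on specific hosts, which is what the playbook in this procedure is meant to produce.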
Additional resources
- /usr/share/ansible/roles/rhel-system-roles.sudo/README.md file
- /usr/share/doc/rhel-system-roles.sudo/sudo/ directory