Add support for separate /etc/sudoers files #29
Hi, I don't really see the point of splitting the files up, since you're not supposed to look at them on the servers when you're using a provisioning tool, right? You should only be looking at the Ansible configuration files. If you really want to have multiple files, you could also call the role multiple times with different settings while changing the

Calling the role multiple times wouldn't work if you wanted to ensure that the /etc/sudoers.d directory was cleaned of non-Ansible-managed files. My sudoers file is 800+ lines long, and splitting it up into individual files makes sense for me.
Oh wow. OK. What about being able to set a

```yaml
- name: "Creating sudoers configurations"
  template:
    src: "etc/sudoers.d/ansible.j2"
    dest: "{{ sudo_sudoers_d_path }}/{{ item.sudoers_file | default(sudo_sudoers_file) }}"
    validate: "/usr/sbin/visudo -cf %s"   # never install a fragment that visudo rejects
    owner: root
    group: "{{ sudo_sudoers_group }}"
    mode: "0440"
  loop: "{{ sudo_users }}"

- name: "Create sudoers file whitelist"
  set_fact:
    sudoers_whitelist: "{{ sudoers_whitelist | default([]) | union([item.sudoers_file | default(sudo_sudoers_file)]) | unique }}"
  when: purge_other_sudoers_files | bool
  loop: "{{ sudo_users }}"

- name: "List sudoers files"
  find:
    paths: "{{ sudo_sudoers_d_path }}"
    patterns: "*"
  register: sudoers_contents
  when: purge_other_sudoers_files | bool
  changed_when: false

- name: "Remove unmanaged {{ sudo_sudoers_d_path }} files"
  file:
    path: "{{ sudo_sudoers_d_path }}/{{ item.path | basename }}"
    state: absent
  # the registered result has no 'files' key when the find task was skipped
  loop: "{{ sudoers_contents.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - purge_other_sudoers_files | bool
    # an empty sudo_users list leaves the fact undefined
    - (item.path | basename) not in (sudoers_whitelist | default([]))
```
I really would love to have that implemented.

I think we're getting closer with your recommendation, @franklinkim; however, do your proposed changes support the ability to run the role more than once and purge the sudoers.d directory? I'm coming from a Puppet background, so keeping a directory clean of non-managed files is super simple, but Ansible doesn't keep a catalog of all the files it manages like Puppet does. Perhaps the custom fact could be appended to every time the role runs, and then on the last run you'd supply the purge_other_sudoers_files variable with a TRUE value. That doesn't seem as idempotent as it should be, IMHO. I really do need the ability to run your role multiple times and keep the directory clean. Unfortunately, cleaning the directory first before running your role will only break sudo functionality on the OS itself, leading to a cascade of failures.

We would need to implement it and run it to see if it works, but so far I don't see why you couldn't run it multiple times and keep the directory clean.

Yes, Ansible is "just" a tool for "configuration management" and not a full tool for "infrastructure as code", meaning it's not something like Terraform (or, I guess, Puppet) that keeps track of the deployed state. This is just how Ansible works.
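The multi-invocation question above can be answered by giving the role the catalog that Ansible itself does not keep. The tasks below are an added example written for this thread, not code from the role or from any commenter. They reuse the variable names and template path from the snippet posted earlier (sudo_users, sudo_sudoers_d_path, sudo_sudoers_file, sudo_sudoers_group, purge_other_sudoers_files, etc/sudoers.d/ansible.j2) and assume one new variable, sudo_manifest_path, which is not part of the role. Each invocation appends the names of the fragments it installed to a manifest file on the host; the purge step then removes only fragments that no invocation has ever recorded, so purging can stay enabled on every run instead of only the last one.

```yaml
# Added example for this issue, not the role's own tasks.
# Assumed variable (not in the role): sudo_manifest_path,
#   e.g. /var/lib/ansible-sudo/managed-fragments
# Reused from the snippet above: sudo_users, sudo_sudoers_d_path,
#   sudo_sudoers_file, sudo_sudoers_group, purge_other_sudoers_files

- name: "Ensure the manifest directory exists"
  file:
    path: "{{ sudo_manifest_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: "Ensure the manifest file exists (empty on the first run)"
  file:
    path: "{{ sudo_manifest_path }}"
    state: touch
    owner: root
    group: root
    mode: "0644"
    modification_time: preserve   # keep the task idempotent (no 'changed' every run)
    access_time: preserve

- name: "Install sudoers fragments, refusing any that visudo rejects"
  template:
    src: "etc/sudoers.d/ansible.j2"
    dest: "{{ sudo_sudoers_d_path }}/{{ item.sudoers_file | default(sudo_sudoers_file) }}"
    validate: "/usr/sbin/visudo -cf %s"
    owner: root
    group: "{{ sudo_sudoers_group }}"
    mode: "0440"
  loop: "{{ sudo_users }}"
  loop_control:
    label: "{{ item.sudoers_file | default(sudo_sudoers_file) }}"

- name: "Record each installed fragment in the manifest (accumulates across invocations)"
  lineinfile:
    path: "{{ sudo_manifest_path }}"
    line: "{{ item.sudoers_file | default(sudo_sudoers_file) }}"
  loop: "{{ sudo_users }}"
  loop_control:
    label: "{{ item.sudoers_file | default(sudo_sudoers_file) }}"

- name: "Read the manifest back"
  slurp:
    src: "{{ sudo_manifest_path }}"
  register: sudo_manifest
  when: purge_other_sudoers_files | bool

- name: "Build the whitelist from the manifest, not from this invocation's sudo_users"
  set_fact:
    sudoers_whitelist: "{{ (sudo_manifest.content | b64decode).splitlines() | map('trim') | reject('equalto', '') | list }}"
  when: purge_other_sudoers_files | bool

- name: "List fragments currently present in {{ sudo_sudoers_d_path }}"
  find:
    paths: "{{ sudo_sudoers_d_path }}"
    file_type: file
  register: sudoers_contents
  when: purge_other_sudoers_files | bool

- name: "Remove fragments that no invocation of the role has recorded"
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ sudoers_contents.files | default([]) }}"   # empty when the find task was skipped
  loop_control:
    label: "{{ item.path }}"
  when:
    - purge_other_sudoers_files | bool
    # no default() here on purpose: if the whitelist is missing while purging
    # is enabled, failing is safer than deleting every fragment
    - (item.path | basename) not in sudoers_whitelist
```

Two caveats a practitioner should keep in mind. On the very first run with purging enabled the manifest holds only the fragments that run installed, so anything the distribution or another tool placed in the directory beforehand is removed; either seed the manifest with those names or enable purging only after an initial run has been reviewed. And sudo itself ignores fragment names that contain a '.' or end in '~', so values of sudoers_file should avoid both, otherwise the file is deployed, validated and whitelisted but never read by sudo.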
Instead of writing to a monolithic file, it's nice to be able to consolidate like-minded sudo tasks into individual /etc/sudoers files. For example, it's much easier to find sudoers files for oracle stuff if the name of the file is /etc/sudoers.d/oracle.
I think a simple loop in the config.yml task would take care of that.