programmatically create sudo rules for running ansible-playbook

Question

How could I create a list for all possible commands an ansible-playbook is using so that I could create a sudoers file?

For testing the playbooks, temporally I create an entry in the /etc/sudoers.d:

tempuser ALL=(ALL:ALL) NOPASSWD:ALL

But is there a plugin or way to get like the list of commands so that I could later create a list like

tempuser ALL= NOPASSWD:  /bin/systemctl start  mariadb.service
...

Any ideas?

question from:https://stackoverflow.com/questions/66046666/programmatically-create-sudo-rules-for-running-ansible-playbook

Answer 1

If you intend to use privilege escalation with ansible then privilege escalation must be general

You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail with ansible as those paths won’t match with the temporary file that Ansible creates to run the module. If you have security rules that constrain your sudo/pbrun/doas environment to running specific command paths only, use Ansible from a special account that does not have this constraint, or use Red Hat Ansible Tower to manage indirect access to SSH credentials.

As demonstrated in the above documentation quote, this is a well known limitation of the tool. If this is a problem in your environment, either look at the above proposed workarounds in documentation quote, or don't use ansible at all.