Hi Jeff,

There's a reference to this in the documentation on
http://docs.ansible.com/intro_adhoc.html where it says "Rarely, some users
have security"...

In any case, it's usually not something valuable for the security team to
enforce, because it also means you wouldn't be able to install any packages
(they contain %post scripts), use the shell module, or use the command
module --- because all of these would be able to run arbitrary commands.

We'd recommend using a specific user or key with Ansible, and controlling
who gets that key, and constraining sudo differently (less) for them.

Further, use of Ansible Tower can keep the SSH private keys known only to
admins and Tower, allowing people to be easily removed from the system
without rekeying any of the remote hosts.

By comparison, it may also be useful to inform your security team that many
other tools actually require full root level agents, so Ansible is one of
the few options with a really strong sudo implementation (and su is also
supported).

I'd recommend talking to them about how you can protect keys with Tower if
needed, and also not give full access to users logging in normally.

--Michael
On Thu, Sep 11, 2014 at 12:19 AM, Jeff Weber <jwe...@cofront.net> wrote:

> I'm working on finalizing an implementation of an ansible poc for a new
> project, and as part of this poc our security team has asked for a minimal
> sudoers configuration for the ansible automation user.
>
> I'm currently using a "anything anywhere" type configuration, but looking
> at sudo logs I don't believe I need this. Is there a project recommended
> minimal configuration for sudoers to allow only ansible commands? Browsing the
> documentation and mailing list nothing stood out, but maybe I missed it.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/3e27dec6-b218-4722-a961-5d91afe0213e%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/3e27dec6-b218-4722-a961-5d91afe0213e%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>


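As an added example (not from this thread or from the Ansible project): a small audit script over sudo's syslog records that makes the point above concrete. It tallies, per invoking user, how many sudo calls went through a shell or Python interpreter; for an Ansible become user that is essentially all of them, which is why a sudoers allow-list keyed on command path would not restrict anything. The log lines are constructed samples in the standard sudo syslog format.

```python
import re

# Standard sudo syslog record: "sudo: <invoker> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<exe> <args>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s+:\s+(?P<fields>.*?)\s*;\s*COMMAND=(?P<cmd>.*)$"
)
TARGET_RE = re.compile(r"USER=(\S+)")

# If the sudo'd executable is an interpreter, the real work is in its argument
# string, so a sudoers allow-list keyed on command path constrains nothing.
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl"}

# Constructed sample lines (not real logs) in the sudo syslog format; the two
# "ansible" entries mirror how Ansible's become wrapper invokes modules.
SAMPLE_LOG = """\
Sep 11 00:19:01 web1 sudo:  ansible : TTY=unknown ; PWD=/home/ansible ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-abc; /usr/bin/python /home/ansible/.ansible/tmp/command.py
Sep 11 00:19:05 web1 sudo:  ansible : TTY=unknown ; PWD=/home/ansible ; USER=root ; COMMAND=/bin/sh -c /usr/bin/python /home/ansible/.ansible/tmp/yum.py
Sep 11 00:20:10 web1 sudo:     jeff : TTY=pts/0 ; PWD=/home/jeff ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Sep 11 00:20:11 web1 sshd[812]: Accepted publickey for ansible from 10.0.0.5 port 50222 ssh2
"""

def parse_sudo_line(line):
    """Return invoker, target user, executable and whether it is an interpreter,
    or None for lines that are not sudo command records."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    t = TARGET_RE.search(m.group("fields"))
    exe = m.group("cmd").split(" ", 1)[0]
    return {
        "invoker": m.group("invoker"),
        "target": t.group(1) if t else "?",
        "exe": exe,
        "interpreter": exe.rsplit("/", 1)[-1] in INTERPRETERS,
    }

def summarize(lines):
    """Map each invoker to (total sudo calls, calls that ran an interpreter)."""
    totals = {}
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        total, interp = totals.get(rec["invoker"], (0, 0))
        totals[rec["invoker"]] = (total + 1, interp + int(rec["interpreter"]))
    return totals

if __name__ == "__main__":
    for user, (total, interp) in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {total} sudo calls, {interp} via an interpreter")
```

Run it against a real auth.log or journal export to see the same pattern: the automation user's calls are all interpreter launches, so the useful control is who holds that user's SSH key, not which command paths sudoers lists.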