Thank you Vladimir for your quick and useful answer!

I've understood the basis now, but... it raises the question below:

Let's imagine that I don't have ANSIBLE user on the managed host, as 
follows:
-->Control Node:  ANSIBLE - ROOT 
-->Managed Host: SSHUSER - ROOT 

Taking into account that I am not overriding any "user" kind variables 
(either remote_user in playbooks or ansible_user in the inventory)...
What would happen if I am ANSIBLE in the Control Node, and I run the ID 
Command on the Managed Host with no priv. escalation?
If ANSIBLE is my default "ansible_user" and it establishes an SSH connection 
like ansi...@host1.example.com... it would prompt an error because the user 
does not exist on the managed host, wouldn't it?

(I don't want to try deleting Ansible user with the aim of not changing the 
test environment as much as possible)

Thank you very much in advance... your help is really appreciated.

Regards,
Vicente.


On Monday, 7 October 2019, 20:41:56 (UTC+2), Vladimir Botka wrote:
>
> On Mon, 7 Oct 2019 10:57:49 -0700 (PDT) 
> Vicente Domínguez <vi1...@gmail.com> wrote: 
>
> > I have 2 nodes with the following users: 
> > Control Node:  ANSIBLE - ROOT 
> > Managed Host: ANSIBLE - SSHUSER - ROOT 
> > [...] 
> > So my question is, why is the user ANSIBLE (managed host's user) the one 
> > executing the task in HOST1.EXAMPLE.COM, *if I didn't specify 
> > REMOTE_USER= ANSIBLE?* 
> > *Why ANSIBLE, and not SSHUSER??* 
>
> See "Ansible remote_user vs ansible_user" for clarification of the 
> plethora of users 
>
> https://stackoverflow.com/questions/36668756/ansible-remote-user-vs-ansible-user
>  
>
> Couple notes: 
>
> * Best practice is to run ansible on controller as unprivileged user (not 
>   root) who will automatically become "ansible_user" (if not overridden in 
>   the inventory). 
>
> * ansible will ssh ansible_user@remote if not overridden by --user option 
>   on the command line, or in the play (remote_user) 
>
> * In most cases the privileges are escalated with "become_*" options after 
>   unprivileged user (ansible_user or remote_user) establishes connection 
>   to the remote host. See "Understanding Privilege Escalation" 
>   https://docs.ansible.com/ansible/latest/user_guide/become.html#understanding-privilege-escalation
>  
>
> * The standard chain is: ansible_user -> remote_user -> become_user 
>
> Cheers, 
>
>         -vlado 
>
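
The scenario discussed in this thread, as an added example that is not part of the original messages: a play that logs in to host1.example.com as the managed host's existing unprivileged account and escalates only for the task that needs it. The lowercase spelling `sshuser`, key-based SSH login for that account and its sudo rights on the managed host are assumptions.

```yaml
# Added example, not from the thread. Assumptions: the managed host's SSHUSER
# account is spelled "sshuser", accepts the control node's SSH key, and is
# allowed to sudo to root.
- name: Connect as an existing unprivileged account, escalate per task
  hosts: host1.example.com
  remote_user: sshuser   # explicit login account; otherwise the control-node user name is used
  gather_facts: false
  tasks:
    - name: Run id as the connection user
      command: id -un
      register: id_login
      changed_when: false

    - name: Run id with privilege escalation
      command: id -un
      become: true
      become_user: root
      register: id_become
      changed_when: false

    - name: Show which account each task ran as
      debug:
        msg: "login={{ id_login.stdout }} become={{ id_become.stdout }}"
```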
