#10231 Add sysadmin-analysis to be able to run the groups/logserver.yml
Closed: Fixed 2 years ago by mobrien. Opened 2 years ago by asaleh.

Describe what you would like us to do:


For the purposes of handover of DNF counting initiative and having uniform deployment.
Most probably changes need to happen in ansible_utils/rbac.yaml on batcave01


Playbook has been run and this access should be granted

Metadata Update from @mobrien:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Hmm, doesn't work yet:

[nphilipp@batcave01 ~][PROD-IAD2]$ rbac-playbook -C -t wrglbrmpft groups/logserver.yml
EXECV: /usr/bin/sudo -i /bin/bash -i -c cd /srv/web/infra/ansible ; /usr/bin/python3 /usr/bin/ansible-playbook /srv/web/infra/ansible/playbooks/groups/logserver.yml -t wrglbrmpft --check
[sudo] password for nphilipp: 
Sorry, user nphilipp is not allowed to execute '/bin/bash -i -c cd /srv/web/infra/ansible ; /usr/bin/python3 /usr/bin/ansible-playbook /srv/web/infra/ansible/playbooks/groups/logserver.yml -t wrglbrmpft --check' as root on batcave01.iad2.fedoraproject.org.
[nphilipp@batcave01 ~][PROD-IAD2]$ sudo -l
Matching Defaults entries for nphilipp on batcave01:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=GIT_DIR, !requiretty

User nphilipp may run the following commands on batcave01:
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/kickstarts /mnt/fedora/app/fi-repo/rhel/ks
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-hosts /srv/web/infra/hosts
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-docs /srv/web/infra/docs
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/dns /srv/web/infra/dns
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/ansible /srv/web/infra/ansible
    (root) NOPASSWD: /usr/local/bin/fedmsg-announce-commits.py
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-docs /srv/web/infra/docs
    (root) NOPASSWD: /usr/local/bin/fedmsg-announce-commits.py
[nphilipp@batcave01 ~][PROD-IAD2]$

Looks like the sysadmin-analysis group (or individual users) need to be configured so they can run ansible-playbook through sudo?

Metadata Update from @nphilipp:
- Issue status updated to: Open (was: Closed)

2 years ago

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 years ago

You need to call it with sudo...

sudo rbac-playbook -C -t wrglbrmpft groups/logserver.yml

This was an issue with the ansible playbook no longer running the sudoers task since we switched to ipa. I manually updated the file along with what's in the ansible-private repository, but a patch to ansible will need to be put through. I think we haven't come across it before now because we didn't add any new groups to rbac.

Yeah, we might extend ipa to handle these someday, but in the meantime this is fine(tm).

I think this can be closed as it is working with the manual fix. This PR can be merged after freeze for a more long term solution.

https://pagure.io/fedora-infra/ansible/pull-request/807

Metadata Update from @mobrien:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
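The two failure modes in this ticket, a user's `sudo -l` output containing no rule that matches what the rbac-playbook wrapper tries to exec, and the sudoers file silently drifting from the rbac definition once the playbook task that writes it stopped running, are both things an operator can check mechanically. The script below is an added example, not code from the Fedora infrastructure ansible repository. It parses `sudo -l` output in the format shown above, answers whether a given command would match one of the listed rules (sudoers semantics: a rule with no arguments permits any arguments, a rule with arguments requires an exact match), and diffs the rules actually present against the rules an rbac definition says the user's groups should grant. The `RBAC` mapping, the group name `existing-group`, and the command `/usr/local/bin/rbac-playbook-logserver.sh` are constructed assumptions for the demo and do not reflect the real `ansible_utils/rbac.yaml`.

```python
"""Audit helper: does `sudo -l` output match what the rbac definition says it should?

Added example, not part of the Fedora infra ansible repository. The rbac mapping
shape, the group 'existing-group' and the command granted to sysadmin-analysis are
constructed for illustration.
"""
import re
import shlex
from collections import Counter

# Matches one "(runas) [NOPASSWD:] /path/to/cmd [args]" line as printed by `sudo -l`.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<nopasswd>NOPASSWD):\s*)?(?P<cmd>/\S.*?)\s*$"
)

# Constructed rbac definition: group -> commands that group should be able to sudo as root.
# Shape is an assumption; the real ansible_utils/rbac.yaml is not reproduced here.
RBAC = {
    "existing-group": [  # hypothetical group name
        "/usr/local/bin/syncgittree.sh /srv/git/kickstarts /mnt/fedora/app/fi-repo/rhel/ks",
        "/usr/local/bin/syncgittree.sh /srv/git/infra-hosts /srv/web/infra/hosts",
        "/usr/local/bin/syncgittree.sh /srv/git/infra-docs /srv/web/infra/docs",
        "/usr/local/bin/syncgittree.sh /srv/git/dns /srv/web/infra/dns",
        "/usr/local/bin/syncgittree.sh /srv/git/ansible /srv/web/infra/ansible",
        "/usr/local/bin/fedmsg-announce-commits.py",
    ],
    # hypothetical wrapper command the new group is supposed to receive
    "sysadmin-analysis": ["/usr/local/bin/rbac-playbook-logserver.sh"],
}

# Constructed `sudo -l` sample, modelled on the output pasted in the ticket.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nphilipp on batcave01:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User nphilipp may run the following commands on batcave01:
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/kickstarts /mnt/fedora/app/fi-repo/rhel/ks
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-hosts /srv/web/infra/hosts
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-docs /srv/web/infra/docs
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/dns /srv/web/infra/dns
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/ansible /srv/web/infra/ansible
    (root) NOPASSWD: /usr/local/bin/fedmsg-announce-commits.py
    (root) NOPASSWD: /usr/local/bin/syncgittree.sh /srv/git/infra-docs /srv/web/infra/docs
    (root) NOPASSWD: /usr/local/bin/fedmsg-announce-commits.py
"""

# What the rbac-playbook wrapper actually hands to sudo, per the EXECV line in the ticket.
RBAC_PLAYBOOK_CMD = (
    '/bin/bash -i -c "cd /srv/web/infra/ansible ; /usr/bin/python3 /usr/bin/ansible-playbook '
    '/srv/web/infra/ansible/playbooks/groups/logserver.yml -t wrglbrmpft --check"'
)


def parse_sudo_l(output):
    """Return the command rules from `sudo -l` output as dicts (runas, nopasswd, cmd)."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True  # everything after this header is a rule line
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "nopasswd": m["nopasswd"] is not None, "cmd": m["cmd"]})
    return rules


def is_allowed(rules, command, runas="root"):
    """Would `sudo -u runas command` match a rule? No-arg rules allow any args; arg rules need an exact match."""
    want = shlex.split(command)
    for r in rules:
        if r["runas"] != runas:
            continue
        have = shlex.split(r["cmd"])
        if have[0] != want[0]:
            continue
        if len(have) == 1 or have[1:] == want[1:]:
            return True
    return False


def expected_commands(rbac, groups):
    """Union of commands the rbac definition grants to the given groups."""
    return {cmd for g in groups for cmd in rbac.get(g, [])}


def missing_rules(rbac, groups, rules, runas="root"):
    """Commands rbac says the user should have but `sudo -l` does not list (sudoers drift)."""
    present = {r["cmd"] for r in rules if r["runas"] == runas}
    return expected_commands(rbac, groups) - present


def duplicate_rules(rules):
    """Rule commands listed more than once (a sign the file was edited by hand, as in the ticket)."""
    return sorted(cmd for cmd, n in Counter(r["cmd"] for r in rules).items() if n > 1)


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    print("rbac-playbook command allowed:", is_allowed(rules, RBAC_PLAYBOOK_CMD))
    print("missing:", missing_rules(RBAC, ["existing-group", "sysadmin-analysis"], rules))
    print("duplicates:", duplicate_rules(rules))
```

Run as-is it reports that the wrapper's `/bin/bash -i -c ...` string matches nothing (the exact error nphilipp hit), that the constructed sysadmin-analysis command is missing from sudoers, and that two rules appear twice. In practice you would feed it `sudo -l -U <user>` output captured by the playbook itself, so that the check runs every time the sudoers task would have.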
