#7041 rbac-playbook can't be run as regular user on batcave, even for '--help'
Closed: Upstream 5 years ago Opened 5 years ago by misc.

Seems rbac-playbook can't be run as a regular user, which is not great when you just want to read the documentation:

$ /bin/rbac-playbook  -h
Traceback (most recent call last):
  File "/bin/rbac-playbook", line 9, in <module>
    load_entry_point('ansible-utils==0.0.6', 'console_scripts', 'rbac-playbook')()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
    return self.resolve()
  File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 94, in <module>
    config = get_config()
  File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 69, in get_config
    new_settings = read_configfile()
  File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 89, in read_configfile
    with open(acl_filename, 'r') as acl_file:
IOError: [Errno 13] Permission denied: '/etc/ansible_utils/rbac.yaml'

The root cause is that the configuration is readable by root only. While I am sure there is a good reason for that, I can't seem to find why this config is private (my bet would be a password for SMTP). Not having the configuration is also an issue, since someone can't know what playbooks can be run by what group or anything, so it would be helpful to have it readable (in the same way that sudo having an -l option is helpful, for example).


The fact that the configuration itself isn't public has the same reason as the sudoers file itself is not publicly readable: you don't want to help people figure out a target group to break in to be able to run a specific command.

rbac-playbook doesn't have a -l option, that would be an upstream RFE.
And having --help not need the config would also be an upstream RFE.

Upstream would be: https://bitbucket.org/tflink/ansible_utils

The rbac-playbook help you can get via sudo rbac-playbook --help:

usage: rbac [-h] [-l LIMIT] [-C] [-t TAGS] [-u USER]
            [--start-at-task START_AT_TASK]
            playbook

positional arguments:
  playbook              playbook to use

optional arguments:
  -h, --help            show this help message and exit
  -l LIMIT, --limit LIMIT
                        Hostnames to limit ansible to
  -C, --check           don't make any changes; instead, try to predict some
                        of the changes that may occur
  -t TAGS, --tags TAGS  only run plays and tasks tagged with these values
  -u USER, --user USER  connect as this user
  --start-at-task START_AT_TASK
                        start the playbook at the task matching this name

Metadata Update from @puiterwijk:
- Issue close_status updated to: Upstream
- Issue status updated to: Closed (was: Open)

5 years ago
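The traceback above shows why --help fails: the ACL file is opened at module import time (config = get_config() at line 94 of rbac_playbook.py), before argparse ever sees the arguments. The following is an added example, not code from ansible_utils, of the two upstream RFEs mentioned in the reply: argument parsing happens before the ACL is read, so --help works for an unprivileged user and a root-only file yields a short message instead of a traceback; and a hypothetical --list option (the sudo -l analogue) prints only the playbooks the invoking user's own groups may run, so the full group-to-playbook map that the maintainer wants to keep private is never exposed. The ACL path, the JSON layout (used instead of YAML so the example runs with the standard library only), the --list flag and the sample entries are all assumptions.

```python
"""Added example (Python 3, not the ansible_utils project's code): a minimal
rbac-playbook-style CLI that parses arguments before touching the ACL file."""
import argparse
import errno
import grp
import json
import os
import pwd
import sys

# Assumed path; the real tool on the page reads /etc/ansible_utils/rbac.yaml.
ACL_PATH = "/etc/ansible_utils/rbac.json"

# Constructed sample ACL: playbook -> groups allowed to run it.
ACL_EXAMPLE = """{
  "playbooks": {
    "deploy-web.yml":    ["sysadmin-web"],
    "rotate-keys.yml":   ["sysadmin-main"],
    "restart-proxy.yml": ["sysadmin-web", "sysadmin-noc"]
  }
}"""


def build_parser():
    """Parser mirroring the usage text on the page, plus a hypothetical --list."""
    p = argparse.ArgumentParser(prog="rbac")
    p.add_argument("playbook", nargs="?", help="playbook to use")
    p.add_argument("-l", "--limit", help="Hostnames to limit ansible to")
    p.add_argument("-C", "--check", action="store_true",
                   help="don't make any changes; instead, try to predict some "
                        "of the changes that may occur")
    p.add_argument("-t", "--tags", help="only run plays and tasks tagged with these values")
    p.add_argument("-u", "--user", help="connect as this user")
    p.add_argument("--start-at-task", help="start the playbook at the task matching this name")
    p.add_argument("--list", action="store_true",
                   help="show the playbooks the invoking user may run (assumed option)")
    return p


def parse_acl(text):
    """Turn the (assumed) JSON ACL into {playbook: set(groups)}."""
    data = json.loads(text)
    return {pb: set(groups) for pb, groups in data["playbooks"].items()}


def load_acl(path=ACL_PATH):
    """Read the ACL only when it is actually needed, with a readable EACCES message."""
    try:
        with open(path) as f:
            return parse_acl(f.read())
    except OSError as exc:
        if exc.errno == errno.EACCES:
            raise SystemExit("%s is not readable by this user; run via sudo" % path)
        raise


def caller_groups(user=None):
    """Primary and supplementary group names of the invoking user."""
    user = user or pwd.getpwuid(os.getuid()).pw_name
    groups = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    try:
        groups.add(grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name)
    except KeyError:
        pass
    return groups


def allowed_playbooks(acl, groups):
    """Playbooks the caller may run; only these are ever shown, never the whole map."""
    return sorted(pb for pb, allowed in acl.items() if allowed & groups)


def run(argv, acl=None, groups=None):
    """Return an exit code. acl/groups can be injected (used by the tests)."""
    # 1. Parse arguments first: --help exits here and never opens the ACL file.
    args = build_parser().parse_args(argv)
    # 2. Only now read the ACL and resolve the caller's groups.
    if acl is None:
        acl = load_acl()
    if groups is None:
        groups = caller_groups()
    if args.list:
        for pb in allowed_playbooks(acl, groups):
            print(pb)
        return 0
    if not args.playbook:
        build_parser().error("playbook is required unless --list is given")
    if args.playbook not in allowed_playbooks(acl, groups):
        print("not authorized to run %s" % args.playbook, file=sys.stderr)
        return 1
    print("would run %s%s" % (args.playbook, " (check mode)" if args.check else ""))
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
```

With this ordering, `rbac --help` as a regular user prints the usage text and exits before `open()` is reached; `rbac --list` still needs to read the file and so still requires sudo on a root-only config, but the output is filtered to the caller's own entitlements rather than the whole ACL.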
