Seems rbac-playbook can't be run as a regular user, which is not great when you just want to read the documentation:
    $ /bin/rbac-playbook -h
    Traceback (most recent call last):
      File "/bin/rbac-playbook", line 9, in <module>
        load_entry_point('ansible-utils==0.0.6', 'console_scripts', 'rbac-playbook')()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 558, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2682, in load_entry_point
        return ep.load()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2355, in load
        return self.resolve()
      File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2361, in resolve
        module = __import__(self.module_name, fromlist=['__name__'], level=0)
      File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 94, in <module>
        config = get_config()
      File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 69, in get_config
        new_settings = read_configfile()
      File "/usr/lib/python2.7/site-packages/ansible_utils/rbac_playbook.py", line 89, in read_configfile
        with open(acl_filename, 'r') as acl_file:
    IOError: [Errno 13] Permission denied: '/etc/ansible_utils/rbac.yaml'
The root cause is that the configuration is readable by root only. While I am sure there is a good reason for that, I can't seem to find why this config is private (my bet would be a password for smtp). Not having the configuration is also an issue, since someone can't know what playbooks can be run by what group or anything, so it would be helpful to have it readable (in the same way that sudo having an option -l is helpful, for example).
The configuration itself isn't public for the same reason that the sudoers file itself is not publicly readable: you don't want to help people figure out a target group to break into to be able to run a specific command.
rbac-playbook doesn't have a -l option; that would be an upstream RFE. And having --help not need the config would also be an upstream RFE.
Upstream would be: https://bitbucket.org/tflink/ansible_utils
rbac-playbook help you can get via sudo rbac-playbook --help:
    usage: rbac [-h] [-l LIMIT] [-C] [-t TAGS] [-u USER] [--start-at-task START_AT_TASK] playbook

    positional arguments:
      playbook              playbook to use

    optional arguments:
      -h, --help            show this help message and exit
      -l LIMIT, --limit LIMIT
                            Hostnames to limit ansible to
      -C, --check           don't make any changes; instead, try to predict some
                            of the changes that may occur
      -t TAGS, --tags TAGS  only run plays and tasks tagged with these values
      -u USER, --user USER  connect as this user
      --start-at-task START_AT_TASK
                            start the playbook at the task matching this name
Metadata Update from @puiterwijk: - Issue close_status updated to: Upstream - Issue status updated to: Closed (was: Open)
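The second RFE discussed in this ticket (having --help not need the config) comes down to parsing arguments before the ACL file is opened, instead of loading it at module import as the traceback shows. The sketch below is an added example, not code from ansible_utils; the function names and the reduced option set are assumptions, and only the file path is taken from the traceback.

```python
import argparse

# Path taken from the traceback in this ticket; everything else is hypothetical.
ACL_FILENAME = '/etc/ansible_utils/rbac.yaml'


def build_parser():
    """Build the CLI parser without touching the root-only ACL file."""
    parser = argparse.ArgumentParser(prog='rbac')
    parser.add_argument('-l', '--limit', help='Hostnames to limit ansible to')
    parser.add_argument('-C', '--check', action='store_true',
                        help="don't make any changes")
    parser.add_argument('playbook', help='playbook to use')
    return parser


def read_acl_text(acl_filename=ACL_FILENAME):
    """Read the ACL file, turning an I/O failure into a one-line exit message."""
    try:
        with open(acl_filename, 'r') as acl_file:
            return acl_file.read()
    except (IOError, OSError) as exc:
        # No traceback, and nothing from the file itself is disclosed.
        raise SystemExit('rbac: cannot read %s: %s'
                         % (acl_filename, exc.strerror))


def main(argv=None, acl_filename=ACL_FILENAME):
    # Parse first: -h/--help exits inside parse_args(), before any file I/O,
    # so an unprivileged user can read the usage text.
    args = build_parser().parse_args(argv)
    # Only a real run reaches the ACL file, which stays mode 0600 root.
    acl_text = read_acl_text(acl_filename)
    # A real tool would parse the YAML and check group membership here.
    return args.playbook, len(acl_text)


if __name__ == '__main__':
    main()
```

The ACL file keeps its restrictive permissions; only the order of operations changes.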