Ansible can use existing privilege escalation systems to allow a user to execute tasks as another.
Before 1.9 Ansible mostly allowed the use of sudo and a limited use of su to allow a login/remote user to become a different user and execute tasks, create resources with the 2nd user’s permissions. As of 1.9 become supersedes the old sudo/su, while still being backwards compatible. This new system also makes it easier to add other privilege escalation tools like pbrun (Powerbroker), pfexec and others.
- equivalent to adding sudo: or su: to a play or task, set to ‘true’/’yes’ to activate privilege escalation
- equivalent to adding ‘sudo_user:’ or ‘su_user:’ to a play or task, set to user with desired privileges
- at play or task level overrides the default method set in ansible.cfg, set to ‘sudo’/’su’/’pbrun’/’pfexec’/’doas’
Each allows you to set an option per group and/or host
- equivalent to ansible_sudo or ansible_su, allows to force privilege escalation
- allows to set privilege escalation method
- equivalent to ansible_sudo_user or ansible_su_user, allows to set the user you become through privilege escalation
- equivalent to ansible_sudo_pass or ansible_su_pass, allows you to set the privilege escalation password
|ask for privilege escalation password|
- run operations with become (no password implied)
|privilege escalation method to use (default=sudo), valid choices: [ sudo | su | pbrun | pfexec | doas ]|
|run operations as this user (default=root)|
Old playbooks will not need to be changed, even though they are deprecated, sudo and su directives will continue to work though it is recommended to move to become as they may be retired at one point. You cannot mix directives on the same object though, Ansible will complain if you try to.
Become will default to using the old sudo/su configs and variables if they exist, but will override them if you specify any of the new ones.
Privilege escalation methods must also be supported by the connection plugin used, most will warn if they do not, some will just ignore it as they always run as root (jail, chroot, etc).
Methods cannot be chained, you cannot use ‘sudo /bin/su -‘ to become a user, you need to have privileges to run the command as that user in sudo or be able to su directly to it (the same for pbrun, pfexec or other supported methods).
Privilege escalation permissions have to be general, Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. So if you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail with ansible.