Ansible: how to clone a repository as another user

Note: this page is a Chinese-English parallel translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same license, cite the original address and attribute it to the original authors (not me). Original: http://stackoverflow.com/questions/31640637/

Date: 2020-09-09 03:24:26  Source: igfitidea

Ansible: how to clone a repository as other user

Tags: git, ansible, ansible-playbook

Asked by Alex Grs

I'm trying to write deployments rules with Ansible. Some of the steps are:

  1. Update and Upgrade Server
  2. Create a user called harry
  3. Add Public and Private keys to harry
  4. Clone a Git Repository from bitbucket.org

I want to clone the repository as the harry user in his home directory (that's why I'm copying its public and private keys). The issue is that it is not possible to specify a user the git clone must be executed as. So Ansible tries to clone the repository as root and fails because it doesn't have rights to access the repository.

How do you solve this?

Answered by Willem van Ketwich

As per Ansible's documentation on Privilege Escalation, Ansible has limitations on becoming an unprivileged user as it exposes a security hole to Harry.

Using the Ansible git module, you can specify to use Harry's private key from the privileged Ansible user using the key_file parameter, and using become_user allows the cloned files to be given ownership to Harry. For example:

- name: Clone bitbucket repo
  git:
    repo: git@bitbucket.org:your-repo.git
    dest: /var/www/
    version: master
    accept_hostkey: yes
    key_file: /home/harry/.ssh/id_rsa
  become: yes          # become_user has no effect unless become is enabled
  become_user: harry
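A fuller playbook for this key_file approach, as an added example that is not part of the original answer: it installs the deploy key readable only by harry, pins bitbucket.org's host key instead of accepting it on first contact, and clones into harry's own home so nothing needs a chown afterwards. The inventory group webservers, the controller-side file files/harry_deploy_key and the variable bitbucket_host_key are assumptions; bitbucket_host_key must hold the "bitbucket.org ssh-… AAAA…" line you copy from Bitbucket's published host-key page.

```yaml
# Added example, not from the original answer. Assumptions:
#   - files/harry_deploy_key exists on the controller (a read-only deploy key for the repo)
#   - bitbucket_host_key is supplied by you (e.g. -e or group_vars) with the host-key line
#     taken from Bitbucket's published fingerprints page; it is not invented here
- hosts: webservers                # assumed inventory group
  become: yes                      # tasks run via sudo (root unless become_user says otherwise)
  vars:
    deploy_user: harry
    deploy_home: "/home/{{ deploy_user }}"
    deploy_key: "{{ deploy_home }}/.ssh/deploy_key"
    repo: "git@bitbucket.org:your-org/your-repo.git"   # assumed repo URL
  tasks:
    - name: Create the deploy user
      user:
        name: "{{ deploy_user }}"
        shell: /bin/bash
        create_home: yes

    - name: Ensure ~harry/.ssh exists and is private
      file:
        path: "{{ deploy_home }}/.ssh"
        state: directory
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0700"

    - name: Install the (read-only) deploy key, readable only by harry
      copy:
        src: files/harry_deploy_key
        dest: "{{ deploy_key }}"
        owner: "{{ deploy_user }}"
        group: "{{ deploy_user }}"
        mode: "0600"
      no_log: yes                  # keep the key material out of the run log

    - name: Pin bitbucket.org's host key instead of trusting it on first use
      known_hosts:
        path: "{{ deploy_home }}/.ssh/known_hosts"
        name: bitbucket.org
        key: "{{ bitbucket_host_key }}"
        state: present
      become_user: "{{ deploy_user }}"   # file ends up owned by harry

    - name: Clone as harry into harry's own home (no chown needed afterwards)
      git:
        repo: "{{ repo }}"
        dest: "{{ deploy_home }}/app"
        version: master
        key_file: "{{ deploy_key }}"
        accept_hostkey: no           # the pinned key above is the only one accepted
      become_user: "{{ deploy_user }}"
```

Note that become: yes at play level plus become_user: harry on a task means sudo -u harry from the login user, so Ansible has to make its temporary module file readable by harry (it uses setfacl, or falls back to allow_world_readable_tmpfiles); that is the limitation the answer refers to. Enabling pipelining in ansible.cfg avoids the temporary file altogether, at the price of requiring requiretty to be off in sudoers.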

Answered by udondan

You can specify a user for every task in your playbook:

- name: Clone bitbucket repo
  git: ...
  become: yes
  become_user: harry

For more details see Ansible Privilege Escalation.

A more secure alternative to placing your private key on a remote server is to enable ssh key forwarding in the sshd config on the server and your ssh config locally. The key then never leaves your local box.

Answered by George Mogilevsky

Yes, you can make it work with ssh forwarding, as long as the user that you become in the git clone is part of sudoers, so he doesn't need to use sudo to execute git.

So, in addition to all the configs required for key forwarding, there is a trick that is even mentioned in the Ansible docs. The high-level process is as follows:

  1. Enable agent forwarding on the controlling machine.
  2. Enable accepting the agent key on the target machine.
  3. Create a user and add him (or her :) to the sudoers group.
  4. Use Ansible's git module to clone the repo, with become: your-sudoer-user.

Also, to avoid any permission denied errors on the host, just clone it into ~/something. You can always copy or symlink it to anywhere you want.

Here is the link to where the playbook part to add a user to sudoers is shown; it is basically a copy-paste: Ansible: create a user with sudo privileges

Works like a charm.

Also, make sure you add your SSH public key in the general settings of BitBucket, not per project. Otherwise your ssh key will only work on one specific repo. But if you add the ssh key in the BitBucket general settings, it will work on all your repos.

Below is the code that makes it work; the sudoer user is "deployer":

# the tasks to CREATE A SUDOER GROUP

  - name: Make sure we have a 'wheel' group
    group:
      name: wheel
      state: present
    become: yes

  - name: Allow 'wheel' group to have passwordless sudo
    lineinfile:
      dest: /etc/sudoers
      state: present
      regexp: '^%wheel'
      line: '%wheel ALL=(ALL) NOPASSWD: ALL'
      validate: 'visudo -cf %s'   # refuse to write a sudoers file that does not parse
    become: yes

  - name: Add sudoers users to wheel group
    user:
      name: deployer
      groups: wheel
      append: yes
      state: present
      create_home: yes
    become: yes

  # tasks to ADD REPO with Ansible's GIT MODULE
  - name: Add Git Repo - BitBucket
    git:
      repo: 'git@bitbucket.org:<your_username>/<your_repo>.git'
      dest: /home/deployer/code  # note this destination, you will avoid permissions issues
      accept_hostkey: yes        # btw, this is for the ssh key forwarding
      recursive: no
    become: yes                  # 'become' is a boolean; the target user goes in become_user
    become_user: deployer        # this guy (or gal) is a sudoer by now

  # Extra "hack" to change permissions on files AND folders in one go; it has to do with the capital X and what it applies to and what not. Also picked up from another Stack Overflow answer
  - name: Set perms on new Code repo to deployer:deployer dirs-0755 and files-0644
    file:
      path: /home/deployer/code  # explicit path: under become (root) '~' would expand to /root, not deployer's home
      state: directory
      owner: deployer
      group: deployer
      mode: u=rwX,g=rX,o=rX
      recurse: yes
    become: yes

Answered by Mikl

We can simply make user harry (www-data in my example) accessible by ssh with the same authorized_keys as root. It will not be a security problem: if you can connect as root you can do more anyway than if you connect as harry.

- hosts: all
  remote_user: root
  tasks:
    - name: Create /var/www/.ssh
      file:
        state: directory
        owner: www-data
        group: www-data
        path: /var/www/.ssh
        mode: "0700"

    - name: Copy authorized_keys to www-data
      copy:
        remote_src: yes
        src: /root/.ssh/authorized_keys      # root's keys, already on the target
        dest: /var/www/.ssh/authorized_keys
        mode: "0400"
        owner: www-data
        group: www-data

    - name: Ensure www-data has a login shell
      user:
        name: www-data
        shell: /bin/bash                     # sets the shell without hard-coding the uid in /etc/passwd

    - name: chown -R www-data /var/www
      file:
        owner: www-data
        group: www-data
        path: /var/www
        recurse: yes

    - name: Git checkout application
      git:
        repo: git@bitbucket.org:harry/project.git
        dest: /var/www/project_root_dir
        accept_hostkey: yes
      remote_user: www-data                  # connect directly as www-data for this task

Answered by George Mogilevsky

Yes, with ssh forwarding it works. If your playbook has "become: yes" turned on globally, make sure you turn that off for the git task. The reason it doesn't work when you have "become: yes" is that root privilege escalation destroys ssh forwarding. I don't think you need to become a sudoer, because if your Ansible controlling machine is authenticated with Bitbucket using an ssh key (you add the ssh key into the repo) then this authentication is passed through ssh forwarding. You can test it by ssh-ing into your target and issuing "ssh -T git@bitbucket.org"; you will see in the output that the target is accepted by Bitbucket as the user of the Ansible controlling machine. So simply execute the task with an explicit "become: no". I agree about cloning into ~/something on the target; otherwise it will cause permission issues. [Edit: one more thing to make it work: the repo URL should be the ssh one, not the https one, without ssh:// (despite what is written in the Ansible manual examples).] As far as security goes, as mentioned above, ssh forwarding is the best.
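The agent-forwarding variant that udondan and George Mogilevsky describe, written out as one complete playbook together with the controller-side ansible.cfg fragment it needs. This is an added example, not code from any of the answers. It assumes your key is loaded in ssh-agent on the controller and registered with Bitbucket, an inventory group called webservers, the repo URL shown, and a variable bitbucket_host_key holding the host-key line from Bitbucket's published fingerprints page.

```yaml
# Added example, not from the answers above. Agent forwarding: the private key
# never leaves the controller; the target only sees the forwarded agent socket.
#
# Controller-side ansible.cfg (assumed; next to the playbook):
#   [ssh_connection]
#   ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
#   pipelining = True
#
# The clone must run WITHOUT become: sudo's default env_reset drops
# SSH_AUTH_SOCK, so a task running under sudo cannot see the forwarded agent.
- hosts: webservers          # assumed inventory group
  become: no                 # explicit: facts, the check and the clone run as the login user
  vars:
    repo: git@bitbucket.org:your-org/your-repo.git   # assumed repo URL (ssh form, no ssh://)
    checkout: /srv/app
    app_user: deployer
  tasks:
    - name: Install git on the target (the git module shells out to it)
      package:
        name: git
        state: present
      become: yes

    - name: Create the application user (unprivileged; no sudoers entry needed)
      user:
        name: "{{ app_user }}"
        shell: /bin/bash
        create_home: yes
      become: yes

    - name: Pin bitbucket.org's host key for the login user (no trust-on-first-use)
      known_hosts:
        name: bitbucket.org
        key: "{{ bitbucket_host_key }}"   # assumed var: the line from Bitbucket's host-key page
        state: present

    - name: Prove the forwarded agent can reach the repo, as the login user
      command: git ls-remote --exit-code {{ repo }} HEAD
      changed_when: false     # read-only probe; non-zero exit fails the play before any clone

    - name: Create the checkout dir owned by the login user so the un-sudo'd clone can write it
      file:
        path: "{{ checkout }}"
        state: directory
        owner: "{{ ansible_user_id }}"   # login user; facts were gathered without become
        mode: "0755"
      become: yes

    - name: Clone through the forwarded agent (no become on this task)
      git:
        repo: "{{ repo }}"
        dest: "{{ checkout }}"
        version: master
        accept_hostkey: no    # only the pinned key above is accepted

    - name: Hand the checkout to the application user (dirs 0755, files 0644)
      file:
        path: "{{ checkout }}"
        state: directory
        owner: "{{ app_user }}"
        group: "{{ app_user }}"
        mode: u=rwX,g=rX,o=rX
        recurse: yes
      become: yes
```

Agent forwarding has its own caveat: for as long as the connection is open, anyone with root on the target can use the forwarded socket to authenticate as you to any host that trusts your key. So forward only to hosts you trust, keep ControlPersist short, and use a key that Bitbucket knows only as a read-only deploy key rather than your personal account key.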