Ansible – Avoid duplicates between group and host vars

ansibleansible-playbook

I'm new at using ansible for server management and I need some help managing users and group's membership definition according to host and hosts-group, with a minimum of duplication and a maximum of scalability.
(25 users/20 groups over 50 hosts, with differents "sudo" and " groups membership" at the end).
The idea is to have:

"groups_vars" files defining the users (list or hash) to create on each host of the hostgroup.
"host_vars" files defining users for a specific host. (At the end, I will need nested groups, more than specific host_vars files)

I need these "*_vars files" contents to be merged and not to be replaced (I understand how "vars precedence" work) because I want to avoid user declaration duplication.
To achieve this, I used hash syntax in "*_vars" files and set "hash_behaviour=merge" in /etc/ansible/ansible.cfg.
Here are my files :
My inventory :

all:
  children:
    type_a:
      hosts:
        vm1:
        vm2:

My debugging playbook :

- hosts: type_a
  tasks:
    - name: Debugging
      debug:
        msg: "{{ users }}"

group_vars/type_a.yaml :

users:
  user1:
    name: user1
  user2:
    name: user2

host_vars/vm1.yaml

users:
  user3_vm1_specific:
    name: user3_vm1_specific

At the end, I need the 3 users on the "vm1" and only "user1" and "user2" on "vm2" and then I will use the vars for the user creation.
Using the merge option (that will be deprecated in newer version of ansible) is working, but doesn't seem to be a best practice.
I searched here on ServFault and on other web sites, and most of the time the solutions are:

to duplicate the user definition
(more than 8 properties for each user and too many hostsgroup: unacceptable.)
to use an other name for the second user list, then to assemble both using "{{ user_list1 + user_list2 }}".
Not very scalable if we want to add many nested groups. You will need to add custom named list each time. It also, makes duplicates if "host_vars" and "group_vars" have the same user defined: it does not merge the content, but declares it twice with a different content each time.

My first solution is working, but using a near-deprecated option.
So what are the best practices in managing vars in this kind of situation ? (already have read the ansible documentation about vars but it didn't really helped me).

Also, maybe ansible tower or foreman could solve this problem ?

Regards
M.

Best Answer

Ansible Jinja2 has a combine() filter, that can be used to merge two dicts together.

In your case, you would have:

group_vars/type_a.yaml

group_users:
  user1:
    name: user1
  user2:
    name: user2

host_vars/vm1.yaml

host_users:
  user3_vm1_specific:
    name: user3_vm1_specific

And debugging playbook:

- hosts: type_a
  tasks:
    - name: Debugging
      debug:
        msg: "{{ group_users | combine(host_users) }}"

I think the merge strategy is deprecated because it is all or nothing and it can cause undesired side-effects.

Related Solutions

Security – How to implement ansible with per-host passwords, securely

You've certainly done your research...

From all of my experience with ansible what you're looking to accomplish, isn't supported. As you mentioned, ansible states that it does not require passwordless sudo, and you are correct, it does not. But I have yet to see any method of using multiple sudo passwords within ansible, without of course running multiple configs.

So, I can't offer the exact solution you are looking for, but you did ask...

"So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security."

I can give you one view on that. My use case is 1k nodes in multiple data centers supporting a global SaaS firm in which I have to design/implement some insanely tight security controls due to the nature of our business. Security is always balancing act, more usability less security, this process is no different if you are running 10 servers or 1,000 or 100,000.

You are absolutely correct not to use root logins either via password or ssh keys. In fact, root login should be disabled entirely if the servers have a network cable plugged into them.

Lets talk about password reuse, in a large enterprise, is it reasonable to ask sysadmins to have different passwords on each node? for a couple nodes, perhaps, but my admins/engineers would mutiny if they had to have different passwords on 1000 nodes. Implementing that would be near impossible as well, each user would have to store there own passwords somewhere, hopefully a keypass, not a spreadsheet. And every time you put a password in a location where it can be pulled out in plain text, you have greatly decreased your security. I would much rather them know, by heart, one or two really strong passwords than have to consult a keypass file every time they needed to log into or invoke sudo on a machine.

So password resuse and standardization is something that is completely acceptable and standard even in a secure environment. Otherwise ldap, keystone, and other directory services wouldn't need to exist.

When we move to automated users, ssh keys work great to get you in, but you still need to get through sudo. Your choices are a standardized password for the automated user (which is acceptable in many cases) or to enable NOPASSWD as you've pointed out. Most automated users only execute a few commands, so it's quite possible and certainly desirable to enable NOPASSWD, but only for pre-approved commands. I'd suggest using your configuration management (ansible in this case) to manage your sudoers file so that you can easily update the password-less commands list.

Now, there are some steps you can take once you start scaling to further isolate risk. While we have 1000 or so nodes, not all of them are 'production' servers, some are test environments, etc. Not all admins can access production servers, those than can though use their same SSO user/pass|key as they would elsewhere. But automated users are a bit more secure, for instance an automated tool that non-production admins can access has a user & credentials that cannot be used in production. If you want to launch ansible on all nodes, you'd have to do it in two batches, once for non-production and once for production.

We also use puppet though, since it's an enforcing configuration management tool, so most changes to all environments would get pushed out through it.

Obviously, if that feature request you cited gets reopened/completed, what you're looking to do would be entirely supported. Even then though, security is a process of risk assessment and compromise. If you only have a few nodes that you can remember the passwords for without resorting to a post-it note, separate passwords would be slightly more secure. But for most of us, it's not a feasible option.

Ansible: Run 1 task on 1 host under several users

That won't work, because:

Within any section, redefining a var will overwrite the previous instance. If multiple groups have the same variable, the last one loaded wins. If you define a variable twice in a play’s vars: section, the 2nd one wins.

Ansible doc: playbooks_variables

In my understanding of the documentation app_user under group_vars/app2/vars.yml should overwrite app_user under group_vars/app1/vars.yml.

What should work would be to call each hostgroup in a separate play:

---
- hosts: app1
  tasks:
  - name: Copy config
    become: true
    become_user: {{ app_user }}
    template: ....

- hosts: app2
  tasks:
  - name: Copy config
    become: true
    become_user: {{ app_user }}
    template: ....

Also:

It is not necessary or a good practise to use becom_user for a template task. Use the template module like this:

---
- hosts: app1
  tasks:
  - name: Copy config
    template:
      src: template.j2
      dest: /some/remote/path
      owner: "{{ app_user }}"
      group: "{{ app_user }}"
      mode: 0755

Best Answer

Related Solutions

Security – How to implement ansible with per-host passwords, securely

Ansible: Run 1 task on 1 host under several users

Related Topic