Add documentation for Ansible become feature
Change-Id: I657ff1427908610a8aa2397b4ce1115be0ac8ace
Partial-Implements: blueprint ansible-specific-task-become
This commit is contained in:
parent badf67ddf1
commit 04fa7c039c
@@ -60,3 +60,19 @@ and store its data in a named volume without the security risk and
other downsides of host bind mounts. The downside to this is selinux
blocks those sudo commands and it will do so until we make explicit
policies to allow those operations.

Kolla-ansible users
===================

Prior to Queens, when users want to connect using non-root user, they must add
extra option ``ansible_become=True`` which is inconvenient and add security
risk. In Queens, almost all services have support for escalation for only
necessary tasks. In Rocky, all services have this capability, so users do not
need to add ``ansible_become`` option if connection user has passwordless sudo
capability.

Prior to Rocky, ``ansible_user`` (the user which Ansible uses to connect via SSH)
is default configuration owner and group in target nodes.
From Rocky release, Kolla support connection using any user which has
passwordless sudo capability. For setting custom owner user and group, user can
set ``config_owner_user`` and ``config_owner_group`` in ``globals.yml``
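Review bot: the new "Kolla-ansible users" paragraphs have several grammar slips that should be fixed before merge: "they must add extra option ``ansible_become=True`` which is inconvenient and add security risk" should read "they must add the extra option ``ansible_become=True``, which is inconvenient and adds a security risk"; "Kolla support connection using any user" should be "Kolla supports connecting as any user"; "``ansible_user`` ... is default configuration owner and group" should be "is the default configuration owner and group"; and the last sentence ending in ``globals.yml`` is missing its period. It would also help the reader to state what happens when the connection user does not have passwordless sudo (whether the deployment fails at the first escalated task), since that is the condition the whole paragraph hinges on, and to mention that the Queens note ("almost all services") means some tasks may still need ``ansible_become`` on that release.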