Creating an Ansible user with sudo access

You can create an Ansible user with password-less root access on all nodes in the IBM Storage Ceph cluster to run the cephadm-ansible playbooks.

Before you begin

Before you begin, make sure that you have the following prerequisites in place:

About this task

The Ansible user must be able to log into all the IBM Storage Ceph nodes as a user that has root privileges to install software and create configuration files without prompting for a password.
Important: If you are using Red Hat Enterprise Linux 9, use these steps only if you are a non-root user. If you are a root user, see the Enabling SSH login as root user on Red Hat Enterprise Linux 9 section.
For more information about creating user accounts, see Configuring basic system settings > Getting started with managing user accounts in the Red Hat Enterprise Linux documentation on the Red Hat Customer Portal.

Procedure

Complete these steps on each node in the storage cluster.
  1. Log in to the node as the root user.
    ssh root@HOST_NAME
    Replace HOST_NAME with the host name of the Ceph node.
    For example,
    [root@admin ~]# ssh root@host01
    Enter the root password when prompted.
  2. Create a new Ansible user.
    adduser USER_NAME
    Replace USER_NAME with the new user name for the Ansible user.
    Important: Do not use ceph as the user name. The ceph user name is reserved for the Ceph daemons. A uniform user name across the cluster can improve ease of use, but avoid using obvious user names, because intruders typically use them for brute-force attacks.
    For example,
    [root@host01 ~]# adduser ceph-admin
  3. Set a new password for this user.
    passwd USER_NAME
    Replace USER_NAME with the new user name for the Ansible user.
    For example,
    [root@host01 ~]# passwd ceph-admin
    Enter the new password twice when prompted.
  4. Configure sudo access for the newly created user.
    cat << EOF >/etc/sudoers.d/USER_NAME
    USER_NAME ALL = (root) NOPASSWD:ALL
    EOF
    Replace USER_NAME with the user name for the Ansible user, created in step 3.
    For example,
    [root@host01 ~]# cat << EOF >/etc/sudoers.d/ceph-admin
    ceph-admin ALL = (root) NOPASSWD:ALL
    EOF
  5. Assign the correct file permissions to the new file.
    chmod 0440 /etc/sudoers.d/USER_NAME
    Replace USER_NAME with the user name for the Ansible user, created in step 3.
    For example,
    [root@host01 ~]# chmod 0440 /etc/sudoers.d/ceph-admin
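
Steps 4 and 5 can be combined into one function that syntax-checks the rule with visudo before it becomes live. This is an added example, not part of the original procedure or of cephadm-ansible; the function name install_ansible_sudoers and its optional target-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. install_ansible_sudoers and
# its optional second argument (target directory) are hypothetical names.
install_ansible_sudoers() {
    local user dir tmp
    user="$1"
    dir="${2:-/etc/sudoers.d}"

    case "$user" in
        ceph)
            # Reserved for the Ceph daemons.
            echo "refusing reserved user name: ceph" >&2
            return 2 ;;
        ""|[!a-z_]*|*[!a-z0-9_-]*)
            # Conservative allow-list: keeps path separators and sudoers
            # syntax out of the name. sudo also skips drop-in files whose
            # name contains a '.' or ends in '~'.
            echo "invalid user name: $user" >&2
            return 2 ;;
    esac

    # Stage the rule inside the target directory so the final mv is an
    # atomic rename. The dotted name keeps sudo from reading it early.
    tmp="$(mktemp "$dir/.sudoers-tmp.XXXXXX")" || return 1
    # printf writes the name literally; an unquoted here-document would
    # expand anything that looks like a shell variable.
    printf '%s ALL = (root) NOPASSWD:ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"

    # Fail closed: install only if visudo accepts the syntax. A malformed
    # drop-in can break sudo for every account on the node.
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "visudo rejected the rule or is unavailable; nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dir/$user"
}

# On each node, as root:
#   install_ansible_sudoers ceph-admin
```

Running `sudo -l -U ceph-admin` as root afterwards lists the rule that sudo actually loaded for the account.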