
partial-become

This rule checks that privilege escalation is enabled whenever the user is changed.

To run an action as another user with the become_user directive, become: true must also be set.

This rule can produce the following messages:

  • partial-become[play]: become_user requires become to work as expected, at play level.
  • partial-become[task]: become_user requires become to work as expected, at task level.

Warning

Although Ansible inherits become and become_user from a higher level (such as the play level or the command line), this rule does not look at those inherited values. It requires you to always define both keys explicitly in the same place, mainly to prevent surprises when a task is moved from one location to another.

Problematic code

---
- name: Example playbook
  hosts: localhost
  become: true # <- Activates privilege escalation.
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started
      become_user: apache # <- Does not change the user because "become: true" is not set.

Correct code

- name: Example playbook
  hosts: localhost
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started
      become: true # <- Activates privilege escalation.
      become_user: apache # <- Changes the user with the desired privileges.

# Stand alone playbook alternative, applies to all tasks

- name: Example playbook
  hosts: localhost
  become: true # <- Activates privilege escalation.
  become_user: apache # <- Changes the user with the desired privileges.
  tasks:
    - name: Start the httpd service as the apache user
      ansible.builtin.service:
        name: httpd
        state: started

Problematic code

---
- name: Example playbook 1
  hosts: localhost
  become: true # <- Activates privilege escalation.
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
---
- name: Example playbook 2
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
# tasks.yml
- name: Start the httpd service as the apache user
  ansible.builtin.service:
    name: httpd
    state: started
  become_user: apache # <- Does not change the user because "become: true" is not set.

Correct code

---
- name: Example playbook 1
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
---
- name: Example playbook 2
  hosts: localhost
  tasks:
    - name: Include a task file
      ansible.builtin.include_tasks: tasks.yml
# tasks.yml
- name: Start the httpd service as the apache user
  ansible.builtin.service:
    name: httpd
    state: started
  become: true # <- Activates privilege escalation.
  become_user: apache # <- Changes the user with the desired privileges.

Note

This rule can be fixed automatically with the --fix option.
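The check this page describes, reduced to a few lines of Python as an added example (it is not ansible-lint's own implementation): it walks a playbook that has already been parsed by a YAML loader into lists and dicts, flags become_user wherever become: true is not in the same mapping, ignores the play-level or command-line value exactly as the warning above says, and shows the kind of edit an auto-fix could make. The function names, the path format in the messages and the fix behaviour are assumptions of this example; the sample playbooks are constructed from the YAML on this page.

```python
"""Added example, not ansible-lint's code: a minimal partial-become check over a
playbook parsed into Python lists/dicts (the shape a YAML safe_load returns).
As the rule described above, it ignores become inherited from an enclosing scope."""
import copy

PLAY_MSG = "partial-become[play]: become_user requires become to work as expected, at play level"
TASK_MSG = "partial-become[task]: become_user requires become to work as expected, at task level"

BLOCK_KEYS = ("block", "rescue", "always")                          # nested task lists in a task
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")    # task lists in a play


def _is_partial(node: dict) -> bool:
    """become_user present but become missing (or not true) in this very mapping."""
    return "become_user" in node and node.get("become") is not True


def check_tasks(tasks: list, path: str) -> list:
    """Report every task (recursing into block/rescue/always) that sets become_user without become."""
    findings = []
    for i, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        where = f"{path}[{i}]"
        if _is_partial(task):
            findings.append(f"{where}: {TASK_MSG}")
        for key in BLOCK_KEYS:
            if isinstance(task.get(key), list):
                findings.extend(check_tasks(task[key], f"{where}.{key}"))
    return findings


def check_playbook(playbook: list) -> list:
    """Check each play's own become/become_user pair, then every task list the play contains."""
    findings = []
    for i, play in enumerate(playbook):
        if not isinstance(play, dict):
            continue
        where = f"play[{i}]"
        if _is_partial(play):
            findings.append(f"{where}: {PLAY_MSG}")
        for section in TASK_SECTIONS:
            if isinstance(play.get(section), list):
                findings.extend(check_tasks(play[section], f"{where}.{section}"))
    return findings


def _fix_in_place(tasks: list) -> int:
    edits = 0
    for task in tasks:
        if not isinstance(task, dict):
            continue
        if _is_partial(task):
            task["become"] = True   # put become next to become_user, in the same mapping
            edits += 1
        for key in BLOCK_KEYS:
            if isinstance(task.get(key), list):
                edits += _fix_in_place(task[key])
    return edits


def fixed_tasks(tasks: list) -> tuple:
    """Return (copy of tasks with become: true added beside every orphaned become_user, edit count).
    Assumed fix behaviour; the page only states that the rule is auto-fixable with --fix."""
    new = copy.deepcopy(tasks)
    return new, _fix_in_place(new)


# Constructed from the page's first "problematic code" block.
PROBLEMATIC_PLAYBOOK = [
    {
        "name": "Example playbook",
        "hosts": "localhost",
        "become": True,  # play-level become; the task-level check does not look at it
        "tasks": [
            {
                "name": "Start the httpd service as the apache user",
                "ansible.builtin.service": {"name": "httpd", "state": "started"},
                "become_user": "apache",  # no become in this mapping -> flagged
            }
        ],
    }
]

# Constructed from the page's "tasks.yml" problematic block.
TASK_FILE = [
    {
        "name": "Start the httpd service as the apache user",
        "ansible.builtin.service": {"name": "httpd", "state": "started"},
        "become_user": "apache",
    }
]

if __name__ == "__main__":
    for line in check_playbook(PROBLEMATIC_PLAYBOOK) + check_tasks(TASK_FILE, "tasks.yml"):
        print(line)
    fixed, edits = fixed_tasks(TASK_FILE)
    print(f"{edits} edit(s); remaining findings: {check_tasks(fixed, 'tasks.yml')}")
```

Running the module prints one task-level finding for each constructed input even though the first play has become: true at play level, which is the inheritance-blind behaviour the warning describes; after the fix, the task file yields no findings.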