In this article we cover 1_0-ansible-authorized_root.yml in detail, and we also bring you useful notes on Ambari Unauthorized connection for super-user: root from IP, android - 401 Unauthorized error. Failed to upgrade the authorization code into a credentials object, ansible 002: connecting to managed nodes, inventory, ansible.cfg, ansible ad-hoc, how ansible works, and ansible Failed to connect to the host via ssh: no such identity: /root/.ssh/id_rsa.bak.
Contents:
- 1_0-ansible-authorized_root.yml
- Ambari Unauthorized connection for super-user: root from IP
- android - 401 Unauthorized error. Failed to upgrade the authorization code into a credentials object
- ansible 002: connecting to managed nodes, inventory, ansible.cfg, ansible ad-hoc, how ansible works
- ansible Failed to connect to the host via ssh: no such identity: /root/.ssh/id_rsa.bak
1_0-ansible-authorized_root.yml
---
- name: set public key on remote hosts & set remote hosts sudoers file
  hosts: all
  # This playbook assumes every host shares the same root password
  become: no
  remote_user: root
  vars:
    remoteuser:
      user1: rhce
  tasks:
    - name: set secondary group for rhce
      user:
        name: "{{ remoteuser['user1'] }}"
        groups: wheel
        append: yes
      register: new_user
    - name: Set authorized key taken from file
      ansible.posix.authorized_key:
        user: "{{ new_user['name'] }}"
        state: present
        key: "{{ lookup('file', '/home/student/.ssh/id_rsa.pub') }}"
    - name: Change file ownership, group and permissions
      ansible.builtin.file:
        path: /etc/sudoers
        mode: '0644'
    - name: Ensure /etc/sudoers lets wheel sudo without a password
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        # RHEL has no '%sudo' line; with no match lineinfile appends at end of file
        insertafter: '^%sudo '
        line: '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
        # refuse the edit if the result does not parse, so a typo cannot break sudo on every host
        validate: '/usr/sbin/visudo -cf %s'
    - name: Change file ownership, group and permissions
      ansible.builtin.file:
        path: /etc/sudoers
        owner: root
        group: root
        mode: '0440'
Ambari Unauthorized connection for super-user: root from IP
- Problem
Running SQL in the Ambari Hive view fails with Unauthorized connection for super-user: root from IP
- Fix
- In the Ambari Web UI select Services > HDFS > Configs.
- Open the core-site section under Advanced
- Add the following two properties (if they already exist, change their values):
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
Note that * lets root impersonate any user from any host; limiting these to the hosts running the view and the groups that need it is the narrower setting.
- Restart the affected services
android – 401 Unauthorized error.Failed将授权代码升级为凭证对象
I am using OAuth 2.0 with the hybrid flow for Google Sign-In in my Android app, https://developers.google.com/identity/sign-in/web/server-side-flow. I take the one-time authorization code from the Android app and POST it to my Flask API through Postman. When I apply flow.step2_exchange to this one-time auth code in the API, it gives me a FlowExchangeError. I have checked that the auth code arriving at the API is the same one I got in the app. I cannot find the cause of the error.
My one-time authorization code looks like this: 4/qXilPdy7xOVe5swCBlVRrxjuVu8zEzfcmidlooo7_ls
Code snippet of my Flask API:
# IMPORTS FOR THIS STEP
from oauth2client.client import flow_from_clientsecrets
from oauth2client.client import FlowExchangeError
import httplib2
import json
from flask import Flask, request, make_response
import requests
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from database_setup import Base  # declarative base of the restaurantmenu models (module name assumed)
app = Flask(__name__)
CLIENT_ID = json.loads(
    open('client_secrets.json', 'r').read())['web']['client_id']
APPLICATION_NAME = "OAUTH_SERVER"
SCOPES = [
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
    # Add other requested scopes.
]
# Connect to Database and create database session
engine = create_engine('sqlite:///restaurantmenu.db')
Base.metadata.bind = engine
DBSession = sessionmaker(bind=engine)
session = DBSession()

@app.route('/gconnect', methods=['POST'])
def gconnect():
    request.get_data()
    code = request.data.decode('utf-8')
    print(code)  # debugging only; an authorization code should not be logged in production
    # Upgrade the authorization code into a credentials object
    oauth_flow = flow_from_clientsecrets('client_secrets.json', scope=SCOPES)
    oauth_flow.redirect_uri = 'postmessage'
    try:
        credentials = oauth_flow.step2_exchange(code)
        if credentials is None:
            print("it is empty")
    except FlowExchangeError:
        response = make_response(
            json.dumps('Failed to upgrade the authorization code.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response
    # exchange succeeded: report it to the caller
    response = make_response(json.dumps('Authorization code exchanged.'), 200)
    response.headers['Content-Type'] = 'application/json'
    return response
My client_secret.json for the API, named OAUTH_SERVER, looks like this:
{"web":
  {"client_id":"matches the one in console.apps.googleusercontent.com",
   "project_id":"oauthapi",
   "auth_uri":"https://accounts.google.com/o/oauth2/auth",
   "token_uri":"https://accounts.google.com/o/oauth2/token",
   "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
   "client_secret":"###########",
   "redirect_uris":["http://localhost:5000/gconnect","http://localhost:5000/"],
   "javascript_origins":["http://localhost:5000"]}
}
Solution:
I think this is from the Udacity course Authentication & Authorization. Please check whether login.html contains the correct data-clientid value. I had the same problem because I forgot to change mine after copying.
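The answer's point is that the one-time code is bound to the client_id that requested it, so a data-clientid in login.html that differs from the client_id in client_secrets.json surfaces only as a generic exchange failure on the server. The following is an added example, not code from the question or answer: it parses a client_secrets.json (a constructed one with placeholder values, in the layout Google's console produces), reports the concrete problem instead of a bare 401, and compares the server's client_id with the one the frontend used. The function names and the REQUIRED field list are this example's own choices.

```python
import json

# Constructed client_secrets.json for a "web" client; the values are placeholders,
# not real credentials.
CLIENT_SECRETS_OK = json.dumps({
    "web": {
        "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
        "project_id": "oauthapi",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://accounts.google.com/o/oauth2/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "PLACEHOLDER-SECRET",
        "redirect_uris": ["http://localhost:5000/gconnect", "http://localhost:5000/"],
        "javascript_origins": ["http://localhost:5000"],
    }
})

# Fields the server-side code exchange cannot work without (example's own list).
REQUIRED = ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris")


def load_web_client(text):
    """Parse client_secrets.json and return its 'web' section.

    Each failure mode gets a specific ValueError, so a malformed file (like the
    one pasted in the question, which is missing the ':' after "redirect_uris")
    is caught at startup rather than as a generic exchange error later.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"client_secrets.json is not valid JSON: {exc.msg} at line {exc.lineno}")
    web = data.get("web") if isinstance(data, dict) else None
    if not isinstance(web, dict):
        raise ValueError("client_secrets.json has no 'web' section (is this an 'installed' client file?)")
    missing = [k for k in REQUIRED if not web.get(k)]
    if missing:
        raise ValueError("client_secrets.json is missing: " + ", ".join(missing))
    if not isinstance(web["redirect_uris"], list):
        raise ValueError("redirect_uris must be a list")
    return web


def check_client_id_consistency(secrets_text, frontend_client_id):
    """Return a list of findings; an empty list means the configuration is consistent.

    frontend_client_id is the value the login page used (data-clientid). If it
    differs from the server's client_id, the code it obtained can never be
    exchanged by this server, which is exactly the symptom in the question.
    """
    try:
        web = load_web_client(secrets_text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if web["client_id"] != frontend_client_id:
        findings.append("client_id mismatch: frontend uses %r, server has %r"
                        % (frontend_client_id, web["client_id"]))
    # plain http redirect targets are only acceptable for localhost testing
    if any(not u.startswith(("https://", "http://localhost")) for u in web["redirect_uris"]):
        findings.append("redirect_uris should use https (plain http only for localhost testing)")
    return findings
```

Run check_client_id_consistency at application start with the client id embedded in login.html; a non-empty result is the misconfiguration to fix before any exchange is attempted.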
ansible 002: connecting to managed nodes, inventory, ansible.cfg, ansible ad-hoc, how ansible works
Repost:
Connecting to managed nodes over ssh as a regular user
Configure the host inventory (assumes name resolution via /etc/hosts)
[root@workstation ansible]# cat hosts
servera
serverb
[root@workstation ansible]# pwd
/etc/ansible
[root@workstation ansible]#
Set up passwordless ssh
[root@workstation ansible]# ssh-keygen
Create the user on the managed nodes
[root@workstation ansible]# ansible all -m shell -a 'useradd ansible' -k
SSH password:
servera | CHANGED | rc=0 >>
serverb | CHANGED | rc=0 >>
[root@workstation ansible]# ansible all -m shell -a 'echo redhat | passwd --stdin ansible' -k
SSH password:
serverb | CHANGED | rc=0 >>
Changing password for user ansible.
passwd: all authentication tokens updated successfully.
servera | CHANGED | rc=0 >>
Changing password for user ansible.
passwd: all authentication tokens updated successfully.
Set up passwordless login for the ansible user
[root@workstation ansible]# ssh-copy-id ansible@servera
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ansible@servera's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ansible@servera'"
and check to make sure that only the key(s) you wanted were added.
[root@workstation ansible]# ssh-copy-id ansible@serverb
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ansible@serverb's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ansible@serverb'"
and check to make sure that only the key(s) you wanted were added.
[root@workstation ansible]#
[root@workstation ansible]# ansible all -m shell -a 'pwd' -k -u ansible
SSH password:
servera | CHANGED | rc=0 >>
/home/ansible
serverb | CHANGED | rc=0 >>
/home/ansible
[root@workstation ansible]#
Make the ansible user the default connection user
[root@workstation ansible]# ansible all -m shell -a 'pwd'
servera | CHANGED | rc=0 >>
/home/ansible
serverb | CHANGED | rc=0 >>
/home/ansible
[root@workstation ansible]#
Set up privilege escalation on the managed nodes
[root@workstation ansible]# ansible all -m shell -a 'echo ansible ALL=(ALL) NOPASSWD: ALL > /etc/sudoers.d/ansible' -u root -k
SSH password:
servera | CHANGED | rc=0 >>
serverb | CHANGED | rc=0 >>
ansible itself is not escalating yet
[root@workstation ansible]# ansible all -m shell -a 'id'
servera | CHANGED | rc=0 >>
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
serverb | CHANGED | rc=0 >>
uid=1000(ansible) gid=1000(ansible) groups=1000(ansible) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@workstation ansible]#
Edit the configuration file
Escalation now succeeds
[root@workstation ansible]# ansible all -m shell -a 'id'
servera | CHANGED | rc=0 >>
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
serverb | CHANGED | rc=0 >>
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@workstation ansible]#
[root@workstation ansible]# ansible all -m shell -a 'pwd'
servera | CHANGED | rc=0 >>
/home/ansible
serverb | CHANGED | rc=0 >>
/home/ansible
[root@workstation ansible]#
Defining the inventory
List the currently selected hosts
[root@workstation ansible]# ansible servera --list-hosts
hosts (1):
servera
[root@workstation ansible]# ansible servera,serverb --list-hosts
hosts (2):
servera
serverb
[root@workstation ansible]# ansible httpd,mysql --list-hosts
hosts (3):
servera
serverb
abc
[root@workstation ansible]# cat hosts
[httpd]
servera
serverb
[mysql]
abc
[root@workstation ansible]#
The hosts file here is in ini format, much like a yum repo file.
Hosts that should not belong to any group must be written at the top.
[root@workstation ansible]# ansible ungrouped --list-hosts
hosts (1):
servere
[root@workstation ansible]# head -n3 hosts
servere
[httpd]
servera
[root@workstation ansible]#
servere belongs to no group
Groups containing groups
[root@workstation ansible]# vi hosts
[root@workstation ansible]# ansible web --list-hosts
hosts (3):
servera
serverb
abc
[root@workstation ansible]# cat hosts
servere
[httpd]
servera
serverb
[mysql]
abc
[web:children]
httpd
mysql  # only groups may be listed here, not hosts
[root@workstation ansible]#
[web:children]
httpd
mysql
[web]
fox  # this is how the host fox gets added
If a host is selected through both groups, ansible lists it only once; duplicates are removed automatically.
Wildcards are supported
Both group names and host names can be matched with wildcards
[root@workstation ansible]# ansible 'server*' --list-hosts
hosts (3):
servere
servera
serverb
[root@workstation ansible]#
Hosts can also be defined as a range
[root@workstation ansible]# ansible 'server*,!*server1' --list-hosts
hosts (14):
server2
server3
server4
server5
server6
server7
server8
server9
server10
server11
server12
servere
servera
serverb
[root@workstation ansible]#
Everything except server1
[root@workstation ansible]# ansible 'httpd,&mysql' --list-hosts
hosts (1):
server10
[root@workstation ansible]# cat hosts
server[1:12]
servere
[httpd]
servera
serverb
server10
[mysql]
abc
server10
[web:children]
httpd
mysql
[root@workstation ansible]#
Hosts that belong to both groups at once
boston,londor,&prod,!lb
Hosts in boston or londor that are also in prod, but excluding lb
Regular expressions
Names containing the letter s or h and ending in example.com
Without ^ the pattern does not mean "starting with s or h"
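The pattern rules above (comma-separated union, & for intersection, ! for exclusion, shell wildcards, ~ for a regex, numeric ranges such as server[1:12] in the inventory, and [group:children]) can be reproduced in a few dozen lines. The following is an added example, not part of the original post or of ansible itself: a small ini-inventory parser plus a pattern resolver that returns the same host lists the `--list-hosts` runs above show, including the rule that plain elements are unioned first, then & elements intersect, then ! elements exclude, whatever order they were written in. The inventory text is copied from the `cat hosts` listing above; function names are this example's own. Only numeric ranges are expanded, and host variables after the name are ignored.

```python
import re
from fnmatch import fnmatchcase

# Constructed ini inventory, copied from the `cat hosts` listing above.
INVENTORY_INI = """\
server[1:12]
servere
[httpd]
servera
serverb
server10
[mysql]
abc
server10
[web:children]
httpd
mysql
"""

RANGE_RE = re.compile(r"^(.*)\[(\d+):(\d+)\](.*)$")


def expand_range(name):
    """server[1:12] -> server1 .. server12; a leading zero (server[01:12]) keeps padding."""
    m = RANGE_RE.match(name)
    if not m:
        return [name]
    prefix, lo, hi, suffix = m.groups()
    width = len(lo) if lo.startswith("0") else 0
    return [f"{prefix}{str(i).zfill(width)}{suffix}" for i in range(int(lo), int(hi) + 1)]


def parse_inventory(text):
    """Return (hosts in first-seen order, {group: member hosts}) with children resolved
    and the implicit 'all' and 'ungrouped' groups filled in."""
    hosts = {}                      # dict used as an insertion-ordered set
    members = {"ungrouped": []}     # group -> hosts listed directly under it
    children = {}                   # group -> child groups
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split(":", 1)         # [web:children] -> web, children
            section, kind = parts[0], (parts[1] if len(parts) > 1 else "hosts")
            members.setdefault(section, [])
            children.setdefault(section, [])
            continue
        name = line.split()[0]                       # ignore inline vars like ansible_host=
        if kind == "children":
            children[section].append(name)
        elif kind == "hosts":
            for h in expand_range(name):
                hosts[h] = None
                members[section].append(h)

    def resolve(group, seen=()):
        if group in seen:                            # guard against a children cycle
            return []
        out = list(members.get(group, []))
        for child in children.get(group, []):
            out += resolve(child, seen + (group,))
        return out

    groups = {g: resolve(g) for g in members}
    grouped = {h for g, hs in groups.items() if g != "ungrouped" for h in hs}
    groups["ungrouped"] = [h for h in hosts if h not in grouped]
    groups["all"] = list(hosts)
    return list(hosts), groups


def match_one(element, hosts, groups):
    """Hosts selected by one element: exact name, shell wildcard, or ~regex.
    Group names are matched as well as host names, as ansible does."""
    if element.startswith("~"):
        rx = re.compile(element[1:])
        def test(name): return rx.search(name) is not None
    elif any(c in element for c in "*?["):
        def test(name): return fnmatchcase(name, element)
    else:
        def test(name): return name == element
    out = [h for g, hs in groups.items() if test(g) for h in hs]
    return out + [h for h in hosts if test(h)]


def list_hosts(pattern, inventory_text):
    """Resolve a pattern the way `ansible <pattern> --list-hosts` reports it."""
    hosts, groups = parse_inventory(inventory_text)
    elements = [e.strip() for e in pattern.split(",") if e.strip()]
    ordered = ([e for e in elements if e[0] not in "&!"]     # unions first
               + [e for e in elements if e[0] == "&"]         # then intersections
               + [e for e in elements if e[0] == "!"])        # then exclusions
    selected = []
    for e in ordered:
        if e[0] == "&":
            keep = set(match_one(e[1:], hosts, groups))
            selected = [h for h in selected if h in keep]
        elif e[0] == "!":
            drop = set(match_one(e[1:], hosts, groups))
            selected = [h for h in selected if h not in drop]
        else:
            selected += match_one(e, hosts, groups)
    return list(dict.fromkeys(selected))                      # dedupe, keep order
```

list_hosts("server*,!*server1", INVENTORY_INI) yields the 14 hosts shown above in the same order, and list_hosts("httpd,&mysql", INVENTORY_INI) yields only server10, which is the host present in both groups. Because ! exclusions are applied last, "!lb,boston" and "boston,!lb" select the same hosts, which is worth knowing before relying on pattern order to keep a production host out of a run.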
Specify a different inventory file and read the new hosts from it
[root@workstation ansible]# echo servera > file
[root@workstation ansible]# ansible servera -i file --list-hosts
hosts (1):
servera
[root@workstation ansible]#
Common ansible options
-m specify the module
-a specify the module arguments
-u specify the user to connect to the managed node as
-k password authentication; without it, key authentication is used
-i specify the inventory, e.g. ansible servera -i file --list-hosts
--list-hosts list the selected hosts
Inventory in yaml format
A more complete yaml form
Converting the ini format to yaml
yaml syntax is friendlier to programs
Configuration file
Default configuration file location
[root@workstation ansible]# pwd
/etc/ansible
[root@workstation ansible]# ls
ansible.cfg file file.yaml hosts roles
[root@workstation ansible]#
Configuration files are read in order of precedence:
ANSIBLE_CONFIG = /tmp/ansible.cfg (environment variable)
ansible.cfg in the current directory ./
~/.ansible.cfg in the home directory
/etc/ansible/ansible.cfg
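The lookup order above has one security-relevant wrinkle that the list does not show: ansible refuses to read ansible.cfg from a world-writable current directory, because anyone on the box could otherwise plant a config (and with it a malicious inventory or plugin path) that the next run picks up. The following is an added example, not ansible's own code: it walks the candidates in the documented order and applies that rule, with the filesystem checks injectable so it can be exercised offline. Function names are this example's own.

```python
import os
import stat

SYSTEM_CFG = "/etc/ansible/ansible.cfg"


def candidate_configs(env, cwd, home):
    """Candidates in lookup order, tagged with their source:
    ANSIBLE_CONFIG, ./ansible.cfg, ~/.ansible.cfg, /etc/ansible/ansible.cfg."""
    out = []
    if env.get("ANSIBLE_CONFIG"):
        out.append((env["ANSIBLE_CONFIG"], "env"))
    out.append((os.path.join(cwd, "ansible.cfg"), "cwd"))
    out.append((os.path.join(home, ".ansible.cfg"), "home"))
    out.append((SYSTEM_CFG, "system"))
    return out


def is_world_writable(path):
    """True when 'other' has write permission on path."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def find_ansible_cfg(env, cwd, home, exists=os.path.isfile, world_writable=is_world_writable):
    """Return (chosen path or None, warnings).

    The first existing candidate wins, except that the ./ansible.cfg candidate is
    skipped when the current directory is world writable, mirroring ansible's own
    behaviour; the skip is reported so an operator sees why settings were ignored.
    """
    warnings = []
    for path, source in candidate_configs(env, cwd, home):
        if not exists(path):
            continue
        if source == "cwd" and world_writable(cwd):
            warnings.append(f"ignoring {path}: {cwd} is world writable")
            continue
        return path, warnings
    return None, warnings
```

Called with the real os.path.isfile and is_world_writable, find_ansible_cfg(os.environ, os.getcwd(), os.path.expanduser("~")) reports which file a run in the current directory would use; a surprising answer (or a warning) is worth investigating before trusting an ad-hoc command's inventory and become settings.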
Changing the path of the inventory that is used
ansible.cfg parameters
inventory = ./hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp   path on the managed node: temporary directory where the generated py modules run
#local_tmp = ~/.ansible/tmp   temporary directory on the control node
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks = 5   parallelism: connect to 5 hosts at a time, then the next 5
#poll_interval = 15   how often to poll the progress of a task, every 15 seconds
#ask_pass = True   password authentication (-k), default false
#remote_port = 22   ssh port on the managed node
remote_user = ansible   user used to connect to the remote hosts
[privilege_escalation]
become=True   escalate privileges
become_method=sudo
become_user=root   user to escalate to
become_ask_pass=False   do not prompt for the escalation password
#host_key_checking = False   accept host keys automatically (convenient, but it also disables the warning that protects against a changed or spoofed host key)
log_path=/var/log/ansible.log   a regular user must change this path,
since a regular user cannot write under /var/log
module_name = command   module used when -m is not given; the default is command
ad-hoc commands
Official documentation
https://docs.ansible.com/
When searching for modules, look under the builtin modules
shell module
Pros: powerful
Cons: idempotence is not guaranteed
ansible servera -m shell -a 'command'
Advice from the official documentation (tongue in cheek)
[root@workstation maosible]# ansible servera -m shell -a 'chdir=/tmp pwd'
servera | CHANGED | rc=0 >>
/tmp
[root@workstation maosible]#
[root@workstation maosible]# ansible servera -m shell -a 'creates=/tmp/file pwd'
servera | SUCCESS | rc=0 >>
skipped, since /tmp/file exists
[root@workstation maosible]#
If the file exists, pwd is not run
removes does the opposite
command is the default module
ansible servera -a 'pwd'
command does not allow > < | and the like; it treats them as literal strings
The raw module is a stripped-down shell
script module
Runs a script on the managed node
The script does not need the execute bit, because it is wrapped into a py file and the managed node runs the script by executing that py file
Other common modules
authorized_key: distribute public keys
[root@workstation .ssh]# ansible-galaxy collection install ansible.posix -vvv
ansible-galaxy 2.9.11
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible-galaxy
python version = 3.6.8 (default, Mar 18 2021, 08:58:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]
Using /etc/ansible/ansible.cfg as config file
Process install dependency map
Opened /root/.ansible/galaxy_token
Processing requirement collection 'ansible.posix'
Collection 'ansible.posix' obtained from server default https://galaxy.ansible.com/api/
Starting collection install process
Installing 'ansible.posix:1.4.0' to '/root/.ansible/collections/ansible_collections/ansible/posix'
Downloading https://galaxy.ansible.com/download/ansible-posix-1.4.0.tar.gz to /root/.ansible/tmp/ansible-local-5179_oikgerz/tmpqxvizmuo
2.9 does not have this module built in
so fetch it from galaxy
The official documentation gives the name as ansible.posix.authorized_key
[root@workstation modules]# ansible all -m ansible.posix.authorized_key -a 'user=root key="ssh-rsa <PUBLIC_KEY_REMOVED> root@workstation" state=present'
Reference: https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html
But 2.9 already has authorized_key
[root@workstation modules]# ansible all -m authorized_key -a 'user=root key="ssh-rsa <PUBLIC_KEY_REMOVED> root@workstation" state=present'
So there was no need to download ansible.posix.authorized_key,
but it shows how important the reference documentation is.
So when you hit a problem, going straight to the official English documentation is the more efficient route.
The following is reposted from
https://cloud.tencent.com/developer/news/327468
How ansible works
Ansible is a model-driven configuration manager that supports multi-node deployment and remote task execution. It uses SSH for remote connections by default. No additional software needs to be installed on the managed nodes, and it can be extended in various programming languages.
1. Basic Ansible architecture
The figure above shows the basic architecture of ansible; it consists of the following parts:
Core: ansible
Core Modules: the modules that ship with ansible
Custom Modules: if the core modules cannot do something, custom modules can be added
Plugins: supplement the functionality of the modules
Playbooks: ansible's task configuration files; multiple tasks are defined in a playbook and ansible executes them automatically
Connector Plugins: ansible connects to each host through connection plugins; although ansible connects over ssh, it also supports other connection methods, hence the need for connection plugins
Host Inventory: defines the hosts that ansible manages
2. How Ansible works
The two diagrams above, found online, both extend the architecture diagram. From them we can see:
1. The control node supports three ways of connecting to managed nodes: local, ssh and zeromq, with the ssh-based connection as the default; this corresponds to the connection module in the architecture diagram;
2. The Host Inventory can be grouped by application type and so on, and the control node performs operations through the various modules; running a single module with a single command across many hosts is what we call ad-hoc;
3. The control node can combine multiple tasks in playbooks to deliver a class of functionality, such as installing and deploying web services or backing up database servers in batch. Playbooks can be understood simply as configuration files that combine several ad-hoc operations.
Reposted from: ansible 002: connecting to managed nodes, inventory, ansible.cfg, ansible ad-hoc, how ansible works
--Posted from Rpc
ansible Failed to connect to the host via ssh: no such identity: /root/.ssh/id_rsa.bak
After configuring keys on the control node and the remote host, check connectivity from the control node with ansible
ansible -i inventory.cfg all -m ping
10.1.1.1 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: no such identity: /root/.ssh/id_rsa.bak: No such file or directory\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
"unreachable": true
}
Look at what happens with the debug option
ansible -vvv -i inventory.cfg all -m ping
ansible 2.6.2
config file = /home/bichenchen001/mongodb_auto_deploy/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
Using /home/bichenchen001/mongodb_auto_deploy/ansible.cfg as config file
Parsed /home/bichenchen001/mongodb_auto_deploy/inventory.cfg inventory source with ini plugin
META: ran handlers
<10.1.1.1> ESTABLISH SSH CONNECTION FOR USER: None
<10.1.1.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/root/.ssh/id_rsa.bak"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o
This shows that /root/.ssh/id_rsa.bak is being passed as the identity file; creating that file manually resolves the problem. The path comes from the private_key_file setting in ansible.cfg (or an ansible_ssh_private_key_file inventory variable), so correcting that setting to point at the key actually in use is the cleaner fix than duplicating the private key:
cp /root/.ssh/id_rsa /root/.ssh/id_rsa.bak
That is all for today's share on 1_0-ansible-authorized_root.yml; thank you for reading. For more information on Ambari Unauthorized connection for super-user: root from IP, android - 401 Unauthorized error. Failed to upgrade the authorization code into a credentials object, ansible 002: connecting to managed nodes, inventory, ansible.cfg, ansible ad-hoc, how ansible works, and ansible Failed to connect to the host via ssh: no such identity: /root/.ssh/id_rsa.bak, you can search this site.