add missing become: on task demanding root priv

Author: rpelisse

molecule/prepare.yml

@@ -1,10 +1,33 @@
 ---
 - name: Prepare
   hosts: all
+  gather_facts: yes
+  vars:
+    sudo_pkg_name: 'sudo'
   tasks:
 
+    - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
+      ansible.builtin.yum:
+        name: "{{ sudo_pkg_name }}"
+      when:
+        - ansible_user_id == 'root'
+
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: "Check if {{ sudo_pkg_name }} is installed."
+      ansible.builtin.assert:
+        that:
+          - sudo_pkg_name in ansible_facts.packages
+
     - name: "Ensure required packages are installed."
+      become: yes
       ansible.builtin.yum:
         name:
           - sudo
         state: present
+
+    - name: Display Ansible version
+      ansible.builtin.debug:
+        msg: "Ansible version is  {{ ansible_version.full }}"

roles/amq_streams_broker/defaults/main.yml

@@ -7,6 +7,7 @@ amq_streams_broker_server_start: "{{ amq_streams_common_home }}/bin/kafka-server
 amq_streams_broker_config: "/etc/amq_streams_broker.properties"
 amq_streams_broker_service_name: 'amq_streams_broker'
 amq_streams_broker_user: 'amq_streams_broker'
+amq_streams_broker_config_files_requires_privilege_escalation: yes
 amq_streams_broker_listener_port: 9092
 amq_streams_broker_listener_internal_port: 9091
 amq_streams_broker_listener_tls_port: 9093

roles/amq_streams_broker/tasks/main.yml

@@ -35,75 +35,78 @@
   when:
     - ansible_distribution == "RedHat"
 
-- name: "Ensure broker home dir belongs to appropriate user - if user is defined."
-  ansible.builtin.file:
-    path: "{{ amq_streams_common_home }}"
-    state: directory
-    owner: "{{ amq_streams_broker_user | default(omit) }}"
-    group: "{{ amq_streams_broker_group | default(omit) }}"
-    mode: 0755
-  changed_when: false   # TODO: find a better way to deal with that
+- name: "Escalade privilge to root"
+  become: "{{ amq_streams_broker_config_files_requires_privilege_escalation }}"
+  block:
+    - name: "Ensure broker home dir belongs to appropriate user - if user is defined."
+      ansible.builtin.file:
+        path: "{{ amq_streams_common_home }}"
+        state: directory
+        owner: "{{ amq_streams_broker_user | default(omit) }}"
+        group: "{{ amq_streams_broker_group | default(omit) }}"
+        mode: 0755
+      changed_when: false   # TODO: find a better way to deal with that
 
-- name: "Ensure Broker data dir exists and belongs to the appropriate user - if user is defined."
-  ansible.builtin.file:
-    path: "{{ amq_streams_broker_data_dir }}"
-    state: directory
-    owner: "{{ amq_streams_broker_user | default(omit) }}"
-    group: "{{ amq_streams_broker_group | default(omit) }}"
-    mode: 0755
-  when:
-    - amq_streams_broker_data_dir is defined
+    - name: "Ensure Broker data dir exists and belongs to the appropriate user - if user is defined."
+      ansible.builtin.file:
+        path: "{{ amq_streams_broker_data_dir }}"
+        state: directory
+        owner: "{{ amq_streams_broker_user | default(omit) }}"
+        group: "{{ amq_streams_broker_group | default(omit) }}"
+        mode: 0755
+      when:
+        - amq_streams_broker_data_dir is defined
 
-- name: "Set server_id for {{ amq_streams_broker.service_name }} service."
-  ansible.builtin.set_fact:
-    server_id: "{{ amq_streams_broker_broker_id | default('0') }}"
-  when:
-    - not server_id is defined
+    - name: "Set server_id for {{ amq_streams_broker.service_name }} service."
+      ansible.builtin.set_fact:
+        server_id: "{{ amq_streams_broker_broker_id | default('0') }}"
+      when:
+        - not server_id is defined
 
-- name: "Configure Broker-Zookeeper authentication"
-  ansible.builtin.template:
-    src: "{{ amq_streams_broker_zookeeper_auth_config_template }}"
-    dest: "{{ amq_streams_broker_zookeeper_auth_config }}"
-    owner: "{{ amq_streams_broker_user | default(omit) }}"
-    group: "{{ amq_streams_broker_group | default(omit) }}"
-    mode: 0644
-  when:
-    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+    - name: "Configure Broker-Zookeeper authentication"
+      ansible.builtin.template:
+        src: "{{ amq_streams_broker_zookeeper_auth_config_template }}"
+        dest: "{{ amq_streams_broker_zookeeper_auth_config }}"
+        owner: "{{ amq_streams_broker_user | default(omit) }}"
+        group: "{{ amq_streams_broker_group | default(omit) }}"
+        mode: 0644
+      when:
+        - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
 
-- name: "Enable Broker-Zookeeper authentication environment variable"
-  ansible.builtin.set_fact:
-    amq_streams_broker_java_opts: "-Djava.security.auth.login.config={{ amq_streams_broker_zookeeper_auth_config }}"
-  when:
-    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+    - name: "Enable Broker-Zookeeper authentication environment variable"
+      ansible.builtin.set_fact:
+        amq_streams_broker_java_opts: "-Djava.security.auth.login.config={{ amq_streams_broker_zookeeper_auth_config }}"
+      when:
+        - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
 
-- name: "Wait for Zookeeper to be available - if enabled ({{ amq_streams_broker_zookeeper_host }}:{{ amq_streams_broker_zookeeper_port }})."
-  ansible.builtin.wait_for:
-    host: "{{ amq_streams_broker_zookeeper_host }}"
-    port: "{{ amq_streams_broker_zookeeper_port }}"
-  when:
-    - amq_streams_broker_zookeeper_wait is defined and amq_streams_broker_zookeeper_wait
-    - amq_streams_broker_zookeeper_host is defined
-    - amq_streams_broker_zookeeper_port is defined
+    - name: "Wait for Zookeeper to be available - if enabled ({{ amq_streams_broker_zookeeper_host }}:{{ amq_streams_broker_zookeeper_port }})."
+      ansible.builtin.wait_for:
+        host: "{{ amq_streams_broker_zookeeper_host }}"
+        port: "{{ amq_streams_broker_zookeeper_port }}"
+      when:
+        - amq_streams_broker_zookeeper_wait is defined and amq_streams_broker_zookeeper_wait
+        - amq_streams_broker_zookeeper_host is defined
+        - amq_streams_broker_zookeeper_port is defined
 
-- name: "Copy Server Keystore with certificates"
-  ansible.builtin.copy:
-    src: "{{ amq_streams_broker_tls_keystore_dir }}/{{ amq_streams_broker_tls_keystore }}"
-    dest: "{{ amq_streams_broker_tls_keystore_location }}/{{ amq_streams_broker_tls_keystore }}"
-    force: true
-    owner: "{{ amq_streams_broker_user | default(omit) }}"
-    group: "{{ amq_streams_broker_group | default(omit) }}"
-  when:
-    - amq_streams_broker_tls_enabled is defined and amq_streams_broker_tls_enabled
+    - name: "Copy Server Keystore with certificates"
+      ansible.builtin.copy:
+        src: "{{ amq_streams_broker_tls_keystore_dir }}/{{ amq_streams_broker_tls_keystore }}"
+        dest: "{{ amq_streams_broker_tls_keystore_location }}/{{ amq_streams_broker_tls_keystore }}"
+        force: true
+        owner: "{{ amq_streams_broker_user | default(omit) }}"
+        group: "{{ amq_streams_broker_group | default(omit) }}"
+      when:
+        - amq_streams_broker_tls_enabled is defined and amq_streams_broker_tls_enabled
 
-- name: "Copy Server Truststore with certificates"
-  ansible.builtin.copy:
-    src: "{{ amq_streams_broker_tls_truststore_dir }}/{{ amq_streams_broker_tls_truststore }}"
-    dest: "{{ amq_streams_broker_tls_truststore_location }}/{{ amq_streams_broker_tls_truststore }}"
-    force: true
-    owner: "{{ amq_streams_broker_user | default(omit) }}"
-    group: "{{ amq_streams_broker_group | default(omit) }}"
-  when:
-    - amq_streams_broker_tls_enabled is defined and amq_streams_broker_tls_enabled
+    - name: "Copy Server Truststore with certificates"
+      ansible.builtin.copy:
+        src: "{{ amq_streams_broker_tls_truststore_dir }}/{{ amq_streams_broker_tls_truststore }}"
+        dest: "{{ amq_streams_broker_tls_truststore_location }}/{{ amq_streams_broker_tls_truststore }}"
+        force: true
+        owner: "{{ amq_streams_broker_user | default(omit) }}"
+        group: "{{ amq_streams_broker_group | default(omit) }}"
+      when:
+        - amq_streams_broker_tls_enabled is defined and amq_streams_broker_tls_enabled
 
-- name: "Configure service for Broker (if enable)."
-  ansible.builtin.include_tasks: service.yml
+    - name: "Configure service for Broker (if enable)."
+      ansible.builtin.include_tasks: service.yml

roles/amq_streams_common/defaults/main.yml

@@ -11,14 +11,20 @@ amq_streams_common_archive_file: "kafka_{{ amq_streams_common_version }}.tgz"
 amq_streams_common_rhn_product_archive_file_pattern: '^.*/amq-streams-[0-9.]*-bin.zip$'
 amq_streams_common_download_url: "https://archive.apache.org/dist/kafka/{{ amq_streams_common_product_version }}/kafka_{{ amq_streams_common_version }}.tgz"
 amq_streams_common_download_dir: "{{ lookup('env','PWD') | default('/opt') }}"
-#amq_streams_common_download_user: "{{ lookup('env','USER') | default('root') }}"
+amq_streams_common_archive_extraction_requires_privilege_escalation: yes
 #amq_streams_common_download_group: "{{ lookup('env','USER') | default('root') }}"
+#amq_streams_common_download_user: "{{ lookup('env','USER') | default('root') }}"
+amq_streams_common_escalade_privilege_user_create: yes
+amq_streams_common_escalade_privilege_user_group: yes
+amq_streams_common_escalade_privilege_group_create: yes
+amq_streams_common_escalade_privilege_config_file: yes
 amq_streams_common_install_dir: /opt
 amq_streams_common_offline_install: false
 amq_streams_common_path_to_archive_file: "{{ amq_streams_common_download_dir }}/{{ amq_streams_common_archive_file }}"
 amq_streams_common_download_node: localhost
 amq_streams_common_systctl_update_enabled: false
 amq_streams_common_prereqs_dependencies: ['tar']
+amq_streams_common_dependencies_require_priv: yes
 amq_streams_common_openjdk_version: 17
 
 amq_streams_common_systemd_home: '/usr/lib/systemd/system'

roles/amq_streams_common/tasks/install.yml

@@ -40,6 +40,7 @@
   register: download_target
 
 - name: "Extract artifact {{ amq_streams_common_archive_file }} to {{ amq_streams_common_install_dir }}"
+  become: "{{ amq_streams_common_archive_extraction_requires_privilege_escalation }}"
   ansible.builtin.unarchive:
     src: "{{ amq_streams_common_download_dir }}/{{ amq_streams_common_archive_file }}"
     dest: "{{ amq_streams_common_install_dir }}"

roles/amq_streams_common/tasks/main.yml

@@ -13,6 +13,7 @@
     - openjdk_package_name is defined and openjdk_package_name | length > 0
 
 - name: "Ensure all required system dependencies are present: {{ amq_streams_common_dependencies }}"
+  become: "{{ amq_streams_common_dependencies_require_priv }}"
   ansible.builtin.package:
     name: "{{ amq_streams_common_dependencies }}"
     state: present

roles/amq_streams_common/tasks/systemd.yml

@@ -5,77 +5,74 @@
       - server_name is defined
     quiet: true
 
-- name: "Ensure {{ server_name }} configuration is deployed ({{ server_config_template }} -> {{ server_config }}."
-  ansible.builtin.template:
-    src: "{{ server_config_template }}"
-    dest: "{{ server_config }}"
-    owner: root
-    group: root
-    mode: 0644
-  when:
-    - server_config_template is defined and server_config is defined
-  notify:
-    - "Restart {{ server_name }}"
-  become: yes
+- name: "Switch to root"
+  become: "{{ amq_streams_common_escalade_privilege_group_create }}"
+  block:
+    - name: "Ensure {{ server_name }} configuration is deployed ({{ server_config_template }} -> {{ server_config }}."
+      ansible.builtin.template:
+        src: "{{ server_config_template }}"
+        dest: "{{ server_config }}"
+        owner: root
+        group: root
+        mode: 0644
+      when:
+        - server_config_template is defined and server_config is defined
+      notify:
+        - "Restart {{ server_name }}"
 
-- name: "Ensure log dir belongs to the appropriate user and group - if all provided"
-  ansible.builtin.file:
-    path: "{{ server_log_dir }}"
-    owner: "{{ server_user }}"
-    group: "{{ server_group }}"
-    state: directory
-  when:
-    - server_log_dir is defined
-    - server_user is defined
-    - server_group is defined
-  become: yes
+    - name: "Ensure log dir belongs to the appropriate user and group - if all provided"
+      ansible.builtin.file:
+        path: "{{ server_log_dir }}"
+        owner: "{{ server_user }}"
+        group: "{{ server_group }}"
+        state: directory
+      when:
+        - server_log_dir is defined
+        - server_user is defined
+        - server_group is defined
 
-- name: "Deploy server configuration - if provided."
-  ansible.builtin.template:
-    src: "{{ service_systemd_env_file_template | default('templates/service.conf.j2') }}"
-    dest: "{{ service_systemd_env_file }}"
-    owner: root
-    group: root
-    mode: 0644
-  when:
-    - service_systemd_env_file is defined
-  become: yes
+    - name: "Deploy server configuration - if provided."
+      ansible.builtin.template:
+        src: "{{ service_systemd_env_file_template | default('templates/service.conf.j2') }}"
+        dest: "{{ service_systemd_env_file }}"
+        owner: root
+        group: root
+        mode: 0644
+      when:
+        - service_systemd_env_file is defined
 
-- name: "Deploy Systemd descriptor for service: {{ server_name }}"
-  ansible.builtin.template:
-    src: "{{ server_service_config_file_template | default(amq_streams_common.systemd.service_config_file_template) }}"
-    dest: "{{ server_systemd_home | default(amq_streams_common.systemd.home) }}/{{ server_systemd_name | default(server_name + '.service') }}"
-    group: root
-    owner: root
-    mode: 0644
-  vars:
-    service_description: "{{ server_description | default(server_name) }}"
-    service_user: "{{ server_user | default('root') }}"
-    service_group: "{{ server_group | default('root') }}"
-    service_pidfile: "{{ server_pidfile | default(omit) }}"
-    service_start_sleep: "{{ server_start_sleep | default(0) }}"
-  register: daemon_reload
-  become: yes
+    - name: "Deploy Systemd descriptor for service: {{ server_name }}"
+      ansible.builtin.template:
+        src: "{{ server_service_config_file_template | default(amq_streams_common.systemd.service_config_file_template) }}"
+        dest: "{{ server_systemd_home | default(amq_streams_common.systemd.home) }}/{{ server_systemd_name | default(server_name + '.service') }}"
+        group: root
+        owner: root
+        mode: 0644
+      vars:
+        service_description: "{{ server_description | default(server_name) }}"
+        service_user: "{{ server_user | default('root') }}"
+        service_group: "{{ server_group | default('root') }}"
+        service_pidfile: "{{ server_pidfile | default(omit) }}"
+        service_start_sleep: "{{ server_start_sleep | default(0) }}"
+      register: daemon_reload
 
-- name: "Perform daemon-reload to ensure the changes are picked up"
-  ansible.builtin.systemd:
-    daemon_reload: yes
-  become: yes
-  when:
-    - daemon_reload is defined
-    - daemon_reload.changed
+    - name: "Perform daemon-reload to ensure the changes are picked up"
+      ansible.builtin.systemd:
+        daemon_reload: yes
+      when:
+        - daemon_reload is defined
+        - daemon_reload.changed
 
-- name: "Ensure {{ server_name }} is enabled and running."
-  ansible.builtin.service:
-    name: "{{ server_name }}"
-    enabled: yes
-    state: started
-  become: yes
+    - name: "Ensure {{ server_name }} is enabled and running."
+      ansible.builtin.service:
+        name: "{{ server_name }}"
+        enabled: yes
+        state: started
 
-- name: "Wait for service port {{ server_port }} to be available - (if provided)"
-  ansible.builtin.wait_for:
-    port: "{{ server_port }}"
-    delay: "{{ delay_before_server_port_check | default(omit) }}"
-  when:
-    - skip_wait_for_server_port is defined and not skip_wait_for_server_port
-    - server_port is defined and server_port != ''
+    - name: "Wait for service port {{ server_port }} to be available - (if provided)"
+      ansible.builtin.wait_for:
+        port: "{{ server_port }}"
+        delay: "{{ delay_before_server_port_check | default(omit) }}"
+      when:
+        - skip_wait_for_server_port is defined and not skip_wait_for_server_port
+        - server_port is defined and server_port != ''

roles/amq_streams_common/tasks/user_group.yml

@@ -7,10 +7,12 @@
     quiet: true
 
 - name: "Ensure required group {{ group }} exists."
+  become: "{{ amq_streams_common_escalade_privilege_group_create }}"
   ansible.builtin.group:
     name: "{{ group }}"
 
 - name: "Ensure required user {{ user }} exists."
+  become: "{{ amq_streams_common_escalade_privilege_user_create }}"
   ansible.builtin.user:
     name: "{{ user }}"
     group: "{{ group }}"

roles/amq_streams_connect/defaults/main.yml

@@ -8,7 +8,7 @@ amq_streams_connect_file_connector_data:
 #
 amq_streams_connect_file_source_conf: "{{ amq_streams_common_home }}/config/connect-file-source.properties"
 amq_streams_connect_file_sink: "{{ amq_streams_common_home }}/config/connect-file-sink.properties"
-#
+amq_streams_connect_source_file_require_priv_escalation: yes
 amq_streams_connect_service_name: amq_streams_connect
 amq_streams_connect_logs_dir: "/var/log/{{ amq_streams_connect_service_name }}/"
 amq_streams_connect_server_start: "{{ amq_streams_common_home }}/bin/connect-standalone.sh"