Bug 2269390

Summary: Ansible Remote Execution Is Not Honoring SSH User From Advanced Fields in Job Template
Product: Red Hat Satellite Reporter: myoder
Component: Ansible - Remote ExecutionAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED MIGRATED QA Contact: Gaurav Talreja <gtalreja>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.14.1CC: ahumbe, aruzicka, nalfassi, rlavi, shwsingh, tharring, zhunting
Target Milestone: streamKeywords: EasyFix, MigratedToJIRA, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-foreman_ansible-13.0.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-06-06 17:25:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description myoder 2024-03-13 15:49:58 UTC 
Description of problem:

When using Ansible based Remote Execution, the option to change the "SSH user" from the "Advanced fields" section of a job template is not being honored.  

This works as expected with regular ssh remote execution.


Version-Release number of selected component (if applicable):
Red Hat Satellite 6.14

How reproducible:
always

Steps to Reproduce:
1. Set ssh_user and effective_user to root from the "Administer => Settings", "Remote Execution" tab
2. On the Hosts page, select a host, and run "Schedule Remote Job"
3. Select job category "Ansible Playbook" and Job Template "Ansible Roles - Ansible Default"
3. From the Advanced Fields, select "SSH User" to a non-root user (a user that exists on the client, and the foreman-proxy public key has been shared with)


Actual results:

From the /var/log/secure logs on the client, we see the ssh connection to the client is using the root user, and not the non-root user we selected in the Advanced Fields for "SSH User"


Expected results:

The "SSH user" selected in the Advanced Fields of the Job Template should be used.


Additional info:

WORKAROUND:

If we set the "remote_execution_ssh_user" parameter on the host, it will be honored for Ansible REX.  Or if we set the "remote_execution_ssh_user" on a hostgroup and assign it to the host, the parameter will be honored for Ansible REX.

NOTE:

The "Effective user" IS being honored from the "Advanced fields" in the job template.  It is only the "SSH user" that is not being honoroed.
Comment 1 tharring 2024-03-14 17:08:06 UTC 
customer in 03757734 also reported that the override value for the ssh_user password (password field in the "Advanced fields" section) will not work when he uses "remote_execution_ssh_user" parameter on the host.  I confirmed this also with my satellite.

This seem to leave the only workable solution for Ansible REX with the override value for non-ssh user is to: 

1) "remote_execution_ssh_user" parameter on the host
2) deploy the ssh key to the non-root user (passwdless ssh) 

Unless there is a different workaround like "remote_execution_ssh_user_password" parameter on the host which I tested and did not work.
Comment 2 Gaurav Talreja 2024-05-15 21:39:30 UTC 
Verified.

Tested on Satellite Stream Snap 56.0
Version: rubygem-foreman_ansible-14.0.0-1.el9sat.noarch

Steps:
1. Ensure ssh_user and effective_user to root from the "Administer => Settings", "Remote Execution" tab
2. Register a host, and on the Hosts page, select a host, and run "Schedule Remote Job"
3. Select job category "Ansible Playbook" and Job Template "Ansible Roles - Ansible Default"
4. From the Advanced Fields, select "SSH User" to a non-root user (a user that exists on the client, and the foreman-proxy public key has been shared with)
5. verify /var/log/secure on the client to check ssh connection using which user

OR
3. Use "Ansible Playbook - Ansible Run Playbook" job with below playbook to validate ansible_user, 
---
- name: Verify Ansible user
  hosts: all
  gather_facts: false
  tasks:
    - name: Display Ansible user
      debug:
        msg: "Ansible is running as user {{ ansible_user }}"

4. From the Advanced Fields, Select "SSH User" to a non-root user, check stdout for executed job and verify /var/log/secure on the client.

Observation: 
The "SSH user" selected in the Advanced Fields of the Job Template is used correctly
Comment 3 nalfassi 2024-05-22 11:30:47 UTC 
I can verify that configuring the "SSH user" and the "Effective user" within the Advanced Fields of the Job Template functions correctly. However, the provided values for the "SSH password" and the "Effective user password" in the Advanced Fields of the Job Template do not work as expected.

Please note that with the recent updates, if the `remote_execution_ssh_user` is defined as a host parameter, it will only be utilized if the "SSH user" is not specified in the Advanced Fields of the Job Template.
Comment 4 Eric Helms 2024-06-06 17:25:51 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.