Yeah, this is along the lines of "constrained sudo" on the Linux side. We haven't spent any time working on this yet, but it's on the 2.3 roadmap to explore. I won't say it's impossible to make it work with a constrained configuration, but as you've alluded, it's very difficult, and at least in the Linux case, you have to give so many privileges (e.g., launching arbitrary processes) that the "jail" is very escapable anyway. The way we do things on Windows, I suspect the same will be true. Switching out the underlying WinRM protocol to PSRP is actually the easy part.

I've thought through a couple of ways that we *might* be able to make this work, but they'd require a lot of infrastructure that's currently missing, so I wouldn't count on it for at least the next couple of releases...

-Matt

On Thursday, April 6, 2017 at 8:27:40 AM UTC-7, Vincent Desjardins wrote:
>
> Hi Jordan,
>
> This is a custom configuration created by one of our Windows admins to
> control what Ansible could do on the server. Personally I have some doubts
> about the maintainability and the usefulness of managing these
> configurations since the purpose of Ansible is to configure the server...
> Ansible needs to have Admin rights to do anything meaningful in my opinion.
>
> Do you know if an upgrade to the protocol implementation in Ansible is on
> the roadmap?
>
> Thanks,
> Vincent
>
> On Wednesday, April 5, 2017 at 10:03:12 PM UTC-4, Jordan Borean wrote:
>>
>> Hi Vincent
>>
>> I don't believe this is possible right now as Ansible uses an older
>> protocol than Enter-PSSession. What is the configuration that you need to
>> use, potentially it can be covered with different arguments.
>>
>> Thanks
>>
>> Jordan
>>
>> On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent Desjardins
>> wrote:
>>>
>>> Hi,
>>>
>>> I wrote a small PowerShell module for Ansible. My Windows Admin wants me
>>> to use a specific configuration when connecting to the server for security.
>>> So I would like to know if Ansible can be configured to have a session
>>> initialized like this:
>>>
>>> Enter-PSSession -ComputerName myhostname -ConfigurationName Ansible
>>>
>>> I did some digging and found nothing.
>>>
>>> Thanks!
>>> Vincent
