Create a sudoers file
In the file below:
- the service is called service_name
- the user is called user_name
Replace these values with your own.
The file /etc/sudoers.d/service_name contains two entries:
- a command alias that lists all permitted commands
Cmnd_Alias SERVICE_NAME_SERVICES = /usr/bin/systemctl start service_name, /usr/bin/systemctl stop service_name, /usr/bin/systemctl reload service_name, /usr/bin/systemctl restart service_name, /usr/bin/systemctl status service_name, /usr/bin/systemctl enable service_name
- and the user specification
user_name ALL = (ALL) NOPASSWD: SERVICE_NAME_SERVICES
This user specification means:
- the user user_name
- on all machines ALL
- may run commands as any user (ALL) (so the command may also be run as root)
- without specifying a password NOPASSWD: (this is called a tag)
- the commands specified by the alias SERVICE_NAME_SERVICES
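Copy the file to /etc/sudoers.d/
For instance, with Ansible:
- name: Copy the sudoer file
  template:
    src: 'myapp.sudoer'
    dest: '/etc/sudoers.d/myapp'
    owner: root
    group: root
    # sudoers files are read-only, not executable
    mode: '0440'
    # refuse to install a file that does not parse
    validate: '/usr/sbin/visudo -cf %s'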
Log in as user_name and run the following command:
sudo systemctl restart service_name
The user should be able to execute it without any password.
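The same file generated, checked and installed from the shell, as an added example that is not part of the original page. The function names valid_name, render_sudoers and install_sudoers are chosen here; the runas is narrowed to (root) on the assumption that systemctl only needs root, and visudo -cf checks the syntax before the file reaches /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: render, validate and install a sudoers drop-in for one service.
# The systemctl path follows the page; service and user names come from the caller.
SYSTEMCTL=/usr/bin/systemctl

# Accept only names that are safe inside the sudoers grammar and as a file name:
# a leading letter, then letters, digits, '_' or '-'.
# sudo skips files in /etc/sudoers.d whose name contains '.' or ends in '~'.
valid_name() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the drop-in for service $1 and user $2 on stdout.
render_sudoers() {
    service=$1 user=$2
    valid_name "$service" && valid_name "$user" || return 1
    # Alias names may only contain upper case letters, digits and underscores.
    alias=$(printf '%s' "$service" | tr 'a-z-' 'A-Z_')_SERVICES
    cmds=
    for verb in start stop reload restart status enable; do
        cmds="${cmds:+$cmds, }$SYSTEMCTL $verb $service"
    done
    printf 'Cmnd_Alias %s = %s\n' "$alias" "$cmds"
    # (root) instead of the page's (ALL): assumption that root is all systemctl needs.
    printf '%s ALL = (root) NOPASSWD: %s\n' "$user" "$alias"
}

# Validate with visudo, then install as root:root with mode 0440. Must run as root.
install_sudoers() {
    service=$1 user=$2
    tmp=$(mktemp) || return 1
    render_sudoers "$service" "$user" > "$tmp" &&
        visudo -cf "$tmp" >/dev/null &&
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$service"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

As root, run install_sudoers service_name user_name; nothing is written to /etc/sudoers.d if a name is rejected or visudo reports an error.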