[Labs-l] Per-project sudo, managed via labsconsole

Ryan Lane rlane32 at gmail.com
Mon Apr 23 22:06:46 UTC 2012


I've recently added support for managing sudo policies in LDAP in a
per-project manner via labsconsole. In the sidebar, there's a "Manage
sudo policies" link. If you are a sysadmin in a project, you can
modify the sudo policies for that project. A sudo policy, in this
context, lets you define:

1. Sudo users: the users a policy applies to
2. Sudo hosts: the instances a policy applies to
3. Sudo commands: the commands the specified users are allowed to run
on the specified hosts
4. Sudo options: options to modify sudo's behavior

When projects are created, they are also created with a default policy:

1. Sudo users: ALL
2. Sudo hosts: ALL
3. Sudo commands: ALL
4. Sudo options: (none)

All currently existing projects have had this policy added, except for
bastion and testlabs (to match the previous behavior).

This change is being applied across all instances right now, and will
be in effect for all instances that are currently running puppet
properly. I'll follow up with a blog post on how this is implemented.

- Ryan
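
Added example, not part of the original message and not labsconsole's own code: a short audit that reads sudo policies exported as LDIF and reports which of the users/hosts/commands fields are set to ALL, so policies as broad as the default described above can be found and reviewed. It assumes the standard sudoers LDAP schema names (`sudoRole`, `sudoUser`, `sudoHost`, `sudoCommand`, `sudoOption`), which the message does not spell out; the DNs, users and hosts are constructed sample data.

```python
# Audit sudoRole entries (LDIF export) for ALL wildcards. Sample data is constructed.
SAMPLE_LDIF = """\
dn: cn=default-sudo,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL

dn: cn=restart-web,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
sudoUser: alice
sudoUser: bob
sudoHost: web1
sudoCommand: /usr/sbin/service apache2 restart
sudoOption: !authenticate

dn: cn=any-host-admin,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
sudoUser: carol
sudoHost: ALL
sudoCommand: ALL
"""

FIELDS = ("sudoUser", "sudoHost", "sudoCommand")

def parse_ldif(text):
    """Minimal LDIF reader; does not handle folded lines or base64 ('::') values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Map each sudoRole dn to the fields (user/host/command) that contain ALL."""
    roles = (e for e in entries if "sudoRole" in e.get("objectClass", []))
    found = {e["dn"][0]: [f for f in FIELDS if "ALL" in e.get(f, [])] for e in roles}
    return {dn: wild for dn, wild in found.items() if wild}

def unrestricted(findings):
    """Policies with the same scope as the default: ALL users, hosts and commands."""
    return sorted(dn for dn, wild in findings.items() if len(wild) == len(FIELDS))

if __name__ == "__main__":
    for dn, wild in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", ", ".join(wild))
```
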


