Hi --

We have a number of sudo rules configured that conflict with each other with no defined
"Sudo Order" value. Notably, there is a rule that gives some users sudo on all
IPA hosts, a rule that gives a smaller subset of users sudo on host group A, and a rule
that gives a smaller subset of users sudo on host group B. We are seeing inconsistent sudo
behavior between host groups A and B when a user is a member of the "sudo on all
hosts" rule but not the smaller subset of users for either of the two host groups --
the user in the "sudo on all hosts" rule is able to sudo on hosts in hostgroup A
despite not being in the more narrowly defined sudo rule, but they are not able to sudo on
hosts in hostgroup B.

What is the expected order of precedence here? Is this a race condition or is there some
deterministic logic that is consistently applied to break the tie between rules with
undefined sudo order values? We do plan on assigning order values to all rules to make
this more explicit, but it would help to understand what the expected behavior is here
until we are able to implement those changes. A pointer to the code where this is handled
would be helpful as well; I wasn't able to find it easily.

Thanks!