I'm setting up a new FreeIPA cluster/environment, and have one host that I do not want included in my sudo rule that normally allows sudo to all hosts.
Basically this machine is holding highly sensitive data, and will be used by multiple people who normally have sudo to all hosts, but I do not want them to have sudo on this host.
I do not see a way to exclude a host. Is the only option to add every other host manually to a rule, or is there a way to "blacklist" a certain host in a sudo rule?
--Russ
Russ Long via FreeIPA-users wrote:
I'm setting up a new FreeIPA cluster/environment, and have one host that I do not want included in my sudo rule that normally allows sudo to all hosts.
Basically this machine is holding highly sensitive data, and will be used by multiple people who normally have sudo to all hosts, but I do not want them to have sudo on this host.
I do not see a way to exclude a host. Is the only option to add every other host manually to a rule, or is there a way to "blacklist" a certain host in a sudo rule?
HBAC and sudo rules are opt-in only, with the exception of the categories (usercat, hostcat, etc.) which have an "all" option.
So unfortunately you'll probably end up with a hostgroup of "everyone but secure.example.test"
An automember hostgroup rule would be useful to ensure new hosts are automatically added to this rule.
rob
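The "everyone but secure.example.test" hostgroup plus automember rule that Rob describes, worked through as an added example (this is not from the thread and not FreeIPA project code). The host name secure.example.test comes from Rob's reply; the hostgroup name allhosts-but-secure and the sudo rule name admins-sudo are assumptions made up for the example, as is the detail that the existing rule currently has hostcat=all. The script only talks to FreeIPA when run with IPA_APPLY=1 on an enrolled host after kinit; otherwise it dry-runs the automember decision locally so the exclusive regex can be checked before it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build an "every host except the
# sensitive one" hostgroup with an automember rule, then point the sudo rule
# at that hostgroup instead of hostcat=all.  Assumed names:
#   secure.example.test   the host that must NOT get sudo (from Rob's reply)
#   allhosts-but-secure   the hostgroup (made up for this example)
#   admins-sudo           the existing "sudo everywhere" rule (made up)
set -eu

SECURE_HOST="secure.example.test"
HOSTGROUP="allhosts-but-secure"
SUDORULE="admins-sudo"

# Exclusive regex for the automember condition. Anchored on purpose: an
# unanchored "secure.example.test" would also match notsecure.example.test
# or secure.example.testing and silently keep those hosts out of sudo.
EXCLUDE_RE='^secure\.example\.test$'

# Local model of the automember decision for one host: the rule has one
# inclusive condition (fqdn matches .*) and one exclusive condition (fqdn
# matches EXCLUDE_RE); an exclusive match always wins.  Returns 0 when the
# host would land in the hostgroup (sudo allowed), 1 when it is kept out.
automember_would_add() {
    fqdn="$1"
    if printf '%s\n' "$fqdn" | grep -Eq "$EXCLUDE_RE"; then
        return 1
    fi
    printf '%s\n' "$fqdn" | grep -Eq '.*'
}

# The FreeIPA side.  Only executed with IPA_APPLY=1 on an enrolled admin
# host after `kinit admin`; the ipa(1) subcommands used here are standard.
configure_ipa() {
    ipa hostgroup-add "$HOSTGROUP" --desc="All hosts except $SECURE_HOST"
    ipa automember-add --type=hostgroup "$HOSTGROUP" \
        --desc="Every enrolled host except $SECURE_HOST"
    ipa automember-add-condition --type=hostgroup "$HOSTGROUP" \
        --key=fqdn --inclusive-regex='.*'
    ipa automember-add-condition --type=hostgroup "$HOSTGROUP" \
        --key=fqdn --exclusive-regex="$EXCLUDE_RE"
    # Automember only fires on newly added entries; pull existing hosts in.
    ipa automember-rebuild --type=hostgroup
    # Clear the "all hosts" category before attaching the hostgroup; IPA
    # will not accept host members while hostcat=all is set.
    ipa sudorule-mod "$SUDORULE" --hostcat=''
    ipa sudorule-add-host "$SUDORULE" --hostgroups="$HOSTGROUP"
    # Verify: the sensitive host must be absent from the group listing and
    # the rule must now reference the hostgroup, not a host category.
    ipa hostgroup-show "$HOSTGROUP"
    ipa sudorule-show "$SUDORULE"
}

if [ "${IPA_APPLY:-0}" = "1" ]; then
    configure_ipa
else
    # Dry run over constructed host names (these are not real hosts).
    for h in web1.example.test "$SECURE_HOST" notsecure.example.test; do
        if automember_would_add "$h"; then
            echo "$h -> member of $HOSTGROUP (sudo allowed)"
        else
            echo "$h -> excluded from $HOSTGROUP (no sudo)"
        fi
    done
fi
```

After applying, check from the sensitive host itself rather than trusting the server view: SSSD caches sudo rules, so run `sss_cache -E` there and then `sudo -l` as one of the affected users; it should list no rules. The approach stays opt-in, as Rob says: a host is kept out only while its fqdn matches the exclusive regex, so keep the regex anchored and treat a rename of the sensitive host as a change to this rule.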
Thanks Rob,
I got this set up with an automember rule and it seems to be working.
--Russ
freeipa-users@lists.fedorahosted.org