Djerk Geurts via FreeIPA-users wrote:
This is a topic that I've spent way too much time on recently.
The reason is I'm trying to manage sudo rights for teams and the sudo ruleset is
getting out of hand as no globs I've tried are working except for maybe an '*'
in a pathname. I'm trying to keep things secure I'd like to allow members of a
certain group to manage the services they're responsible for. These are dev guys so
there's a fair bit of management involved.
Initially, I would create a rule for systemctl start, another for stop, etc for status,
reload and restart. Then I have to add the journalctl rules for seeing the current logs
and the tail options for those.
In trying to make thing easier when adding rules, and knowing glob should be supported I
was hoping to simplify things to:
/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
/usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])
But alas, none of this is working, what does work is a long list of rules specific to
each separate instantiated service, which is getting really tiresome and error-prone. Is
there anything I can do to ease maintaining these rules, or do I give up and look at using
Ansible to automate FreeIPA sudo rules?
It may very well depend on the version of sudo you have on the client(s)
whether regular expressions are supported or not.
IPA is only a container for the rules. It just passes them along to
sudo. I'd suggest checking with the sudo team as well.
There may also be distribution-based idiosyncrasies.
rob