Is it possible to alter the SSH user on a role basis within Foreman?

We have a situation where the granularity of control provided by Foreman 
doesn't quite fit our requirements.  We would like to be able to use a 
'read-only' SSH user for executing some commands, then a more privileged 
user for executing commands that will change the system.


read-only SSH user used to run a yum list command as this doesn't change 
the system
ops SSH user used to run yum update commands as these are part of general 
patching requirements
admin SSH user used to run yum install/remove commands as these shouldn't 
be required as part of normal daily running or patching cycles.

When we change our Foreman-wide SSH User, we then have to craft sudo rules 
to allow escalation of yum as that user.  But we don't have the ability to 
then separate out the read-only, update, and install/remove functions of 
yum to different users.

I've looked at trying to do this by changing the effective_user for the 
job, but this leaves us having to create sudo rules that allow the 
escalation of the "/remote_working_dir/foreman-ssh-cmd-{UUID}/script" 
command, which then covers all types of remote execution.

Ideally our Foreman users would be mapped to a different SSH user, or our 
jobs should be able to select the SSH user and not just the effective sudo 
user at the client side.


You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to