Hello,

you can change SSH user too by modifying the remote_execution_ssh_user parameter as mentioned at [1]. The granularity is per host/host group/subnet/domain/os/organization/location. Unfortunately it's impossible to configure it per job template (command) right now. The reason for this design was that specifying an arbitrary user would not work until his/her SSH key is installed on the target. That's why we prefer changing effective user using sudo on the target host. Maybe a puppet module that would configure sudoers based on some policy would be a good solution.

We could also improve this on the host side where we could have a Foreman script that would handle the authorization. There was some discussion on this topic, but there's no clear roadmap.

[1] https://theforeman.org/plugins/foreman_remote_execution/0.3/index.html#2.2RemoteHostsConfiguration

Hope this helps

--
Marek

On Wednesday 12 of October 2016 02:09:15 Duncan Innes wrote:
> Is it possible to alter the SSH user on a role basis within Foreman?
>
> We have a situation where the granularity of control provided by Foreman
> doesn't quite fit our requirements. We would like to be able to use a
> 'read-only' SSH user for executing some commands, then a more privileged
> user for executing commands that will change the system.
>
> e.g.
>
> read-only SSH user used to run a yum list command as this doesn't change
> the system
> ops SSH user used to run yum update commands as these are part of general
> patching requirements
> admin SSH user used to run yum install/remove commands as these shouldn't
> be required as part of normal daily running or patching cycles.
>
> When we change our Foreman-wide SSH User, we then have to craft sudo rules
> to allow escalation of yum as that user. But we don't have the ability to
> then separate out the read-only, update, and install/remove functions of
> yum to different users.
>
> I've looked at trying to do this by changing the effective_user for the
> job, but this leaves us having to create sudo rules that allow the
> escalation of the "/remote_working_dir/foreman-ssh-cmd-{UUID}/script"
> command, which then covers all types of remote execution.
>
> Ideally our Foreman users would be mapped to a different SSH user, or our
> jobs should be able to select the SSH user and not just the effective sudo
> user at the client side.
>
> Duncan

--
You received this message because you are subscribed to the Google Groups "Foreman users" group.
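A sketch of the target-side sudoers policy discussed in this thread, added here as an example; it is not part of the original messages or of Foreman's own configuration. It assumes three constructed account names (rex_ro, rex_ops, rex_admin), yum installed at /usr/bin/yum, and job scripts that run as the SSH user and call `sudo yum ...` themselves instead of escalating the whole script through the effective user.

```sudoers
# /etc/sudoers.d/foreman-rex  (file name is an assumption)
#
# Broad rule described in the question, shown commented out for comparison.
# It lets every Foreman job script run as root, whatever the script contains:
#
#   rex_user ALL=(root) NOPASSWD: /remote_working_dir/foreman-ssh-cmd-*/script
#
# Scoped alternative: sudo is granted per yum subcommand, not per script.

# Patching: update everything, or update named packages.
Cmnd_Alias YUM_UPDATE = /usr/bin/yum update, \
                        /usr/bin/yum update *, \
                        /usr/bin/yum -y update, \
                        /usr/bin/yum -y update *

# Package changes outside normal patching.
Cmnd_Alias YUM_CHANGE = /usr/bin/yum install *, \
                        /usr/bin/yum -y install *, \
                        /usr/bin/yum remove *, \
                        /usr/bin/yum -y remove *

# rex_ro: no sudo rule at all. "yum list" does not change the system and
# does not need root, so the read-only account gets no escalation path.

# rex_ops: patching only.
rex_ops   ALL=(root) NOPASSWD: YUM_UPDATE

# rex_admin: patching plus install/remove.
rex_admin ALL=(root) NOPASSWD: YUM_UPDATE, YUM_CHANGE

# Caveat: in sudoers, "*" in the argument position matches any remaining
# arguments, options included. These rules restrict which yum subcommand an
# account may run as root; they do not restrict the rest of the command line.
```

Check the file with `visudo -cf` before installing it. Because remote_execution_ssh_user is set per host, host group, subnet, domain, OS, organization or location, these accounts still cannot be selected per job template.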
