you can change SSH user too by modifying the remote_execution_ssh_user 
parameter as mentioned at [1]. The granularity is per host/host 
group/subnet/domain/os/organization/location. Unfortunately it's impossible to 
configure it per job template (command) right now. The reason for this design 
was that specifying arbitrary user would not work until his/her SSH key is 
installed on target. That's why we prefer changing effective user using sudo on 
target host. Maybe a puppet module that would configure sudoers based on some 
policy would be good solution.

We could also improve this on host side where we could have a Foreman script 
that would handle the authorization. There were some discussion on this topic, 
but there's no clear roadmap.


Hope this helps


On Wednesday 12 of October 2016 02:09:15 Duncan Innes wrote:
> Is it possible to alter the SSH user on a role basis within Foreman?
> We have a situation where the granularity of control provided by Foreman
> doesn't quite fit our requirements.  We would like to be able to use a
> 'read-only' SSH user for executing some commands, then a more privileged
> user for executing commands that will change the system.
> e.g.
> read-only SSH user used to run a yum list command as this doesn't change
> the system
> ops SSH user used to run yum update commands as these are part of general
> patching requirements
> admin SSH user used to run yum install/remove commands as these shouldn't
> be required as part of normal daily running or patching cycles.
> When we change our Foreman-wide SSH User, we then have to craft sudo rules
> to allow escalation of yum as that user.  But we don't have the ability to
> then separate out the read-only, update, and install/remove functions of
> yum to different users.
> I've looked at trying to do this by changing the effective_user for the
> job, but this leaves us having to create sudo rules that allow the
> escalation of the "/remote_working_dir/foreman-ssh-cmd-{UUID}/script"
> command, which then covers all types of remote execution.
> Ideally our Foreman users would be mapped to a different SSH user, or our
> jobs should be able to select the SSH user and not just the effective sudo
> user at the client side.
> Duncan

You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Reply via email to