Russ Long via FreeIPA-users wrote:
> I'm setting up a new FreeIPA cluster/environment, and have one host that I do
> not want included in my sudo rule that normally allows sudo to all hosts.
>
> Basically this machine is holding highly sensitive data, and will be used by
> multiple people who normally have sudo to all hosts, but I do not want them
> to have sudo on this host.
>
> I do not see a way to exclude a host, is the only option to add every other
> host manually to a rule or is there a way to "blacklist" a certain host in a
> sudo rule.

HBAC and sudo rules are opt-in only with the exception of the categories (usercat, hostcat, etc) which have an "all" option. So unfortunately you'll probably end up with a hostgroup of "everyone but secure.example.test".

An automember hostgroup rule would be useful to ensure new hosts are automatically added to this rule.

rob
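
The approach described in the reply, written out as an added example that is not part of the original thread: an "everyone but secure.example.test" hostgroup kept current by an automember rule, then attached to the sudo rule in place of the "all hosts" category. The hostgroup name `non_sensitive_hosts` and sudo rule name `admins_sudo_all` are hypothetical, and `would_join_group` is only a local `grep -E` approximation of how the automember conditions are evaluated.

```shell
#!/usr/bin/env bash
# Added example. Names marked "hypothetical" are assumptions, not from the thread.
SECURE_HOST='secure.example.test'        # host named in the reply
HOSTGROUP='non_sensitive_hosts'          # hypothetical hostgroup name
SUDORULE='admins_sudo_all'               # hypothetical existing rule using hostcat=all
INCLUDE_RE='.*'                          # every enrolled host ...
EXCLUDE_RE='^secure\.example\.test$'     # ... except exactly this FQDN
DRY_RUN="${DRY_RUN:-1}"                  # default: only print the ipa commands

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Local approximation of automember matching: an exclusive match always wins,
# otherwise the host joins the group if the inclusive regex matches its fqdn.
would_join_group() {
  printf '%s\n' "$1" | grep -Eq -- "$EXCLUDE_RE" && return 1
  printf '%s\n' "$1" | grep -Eq -- "$INCLUDE_RE"
}

apply_plan() {
  run ipa hostgroup-add "$HOSTGROUP" --desc='All hosts except the sensitive one'
  run ipa automember-add --type=hostgroup "$HOSTGROUP"
  run ipa automember-add-condition --type=hostgroup --key=fqdn \
      --inclusive-regex="$INCLUDE_RE" --exclusive-regex="$EXCLUDE_RE" "$HOSTGROUP"
  # Apply the new automember rule to hosts that are already enrolled.
  run ipa automember-rebuild --type=hostgroup
  # The "all" host category cannot coexist with explicit hosts: clear it first.
  run ipa sudorule-mod "$SUDORULE" --hostcat=''
  run ipa sudorule-add-host "$SUDORULE" --hostgroups="$HOSTGROUP"
}

apply_plan
# Constructed sample FQDNs: check which ones the conditions would pick up.
for h in web01.example.test "$SECURE_HOST" notsecure.example.test; do
  if would_join_group "$h"; then echo "$h: in $HOSTGROUP"; else echo "$h: excluded"; fi
done
```

Run with `DRY_RUN=0` and a valid admin Kerberos ticket to apply the changes. Anchoring the exclusive regex with `^` and `$` keeps it from also excluding hosts whose names merely contain the sensitive host's FQDN.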
