Hello,

You can change the SSH user too by modifying the remote_execution_ssh_user 
parameter as mentioned at [1]. The granularity is per host/host 
group/subnet/domain/os/organization/location. Unfortunately it's impossible to 
configure it per job template (command) right now. The reason for this design 
was that specifying an arbitrary user would not work until his/her SSH key is 
installed on the target. That's why we prefer changing the effective user using 
sudo on the target host. Maybe a puppet module that would configure sudoers based 
on some policy would be a good solution.

We could also improve this on the host side where we could have a Foreman script 
that would handle the authorization. There was some discussion on this topic, 
but there's no clear roadmap.

[1] https://theforeman.org/plugins/foreman_remote_execution/0.3/index.html#2.2RemoteHostsConfiguration

Hope this helps

--
Marek


On Wednesday 12 of October 2016 02:09:15 Duncan Innes wrote:
> Is it possible to alter the SSH user on a role basis within Foreman?
> 
> We have a situation where the granularity of control provided by Foreman
> doesn't quite fit our requirements.  We would like to be able to use a
> 'read-only' SSH user for executing some commands, then a more privileged
> user for executing commands that will change the system.
> 
> e.g.
> 
> read-only SSH user used to run a yum list command as this doesn't change
> the system
> ops SSH user used to run yum update commands as these are part of general
> patching requirements
> admin SSH user used to run yum install/remove commands as these shouldn't
> be required as part of normal daily running or patching cycles.
> 
> When we change our Foreman-wide SSH User, we then have to craft sudo rules
> to allow escalation of yum as that user.  But we don't have the ability to
> then separate out the read-only, update, and install/remove functions of
> yum to different users.
> 
> I've looked at trying to do this by changing the effective_user for the
> job, but this leaves us having to create sudo rules that allow the
> escalation of the "/remote_working_dir/foreman-ssh-cmd-{UUID}/script"
> command, which then covers all types of remote execution.
> 
> Ideally our Foreman users would be mapped to a different SSH user, or our
> jobs should be able to select the SSH user and not just the effective sudo
> user at the client side.
> 
> Duncan
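
The following is an added example, not Foreman code and not written by either poster: a sketch of the kind of host-side authorization check mentioned in the reply, applied to the read-only / ops / admin yum split from the question. The user names (foreman-ro, foreman-ops, foreman-admin), the function names, the cumulative tiers and the short option allowlist are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Foreman code. Hypothetical host-side check that maps the
# connecting SSH user to the yum subcommands it may run (deny by default).
# The user names foreman-ro / foreman-ops / foreman-admin are assumptions.

# Print the yum subcommands permitted for an SSH user; nothing for unknown users.
# Assumption: tiers are cumulative (ops may also list, admin may also update).
allowed_subcommands() {
    case "$1" in
        foreman-ro)    echo "list" ;;
        foreman-ops)   echo "list update" ;;
        foreman-admin) echo "list update install remove" ;;
        *)             echo "" ;;
    esac
}

# yum_policy_check USER ARG...  ->  exit status 0 if "yum ARG..." is permitted.
yum_policy_check() {
    user=$1; shift
    subcmd=""
    for arg in "$@"; do
        case "$arg" in
            -y|-q|--assumeyes|--quiet) ;;        # options that do not change scope
            -*) return 1 ;;                      # any other option (-c, --installroot, ...) is refused
            *)  [ -n "$subcmd" ] || subcmd=$arg ;;  # first plain word is the subcommand
        esac
    done
    # No subcommand at all: nothing to authorize, so deny.
    [ -n "$subcmd" ] || return 1
    for ok in $(allowed_subcommands "$user"); do
        [ "$ok" = "$subcmd" ] && return 0
    done
    return 1
}
```

A check like this only separates the three roles if each SSH user can reach privileged yum solely through the wrapper that calls it.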
