Feature #16879

open

Map foreman users to different remote_execution_ssh_user

Added by Duncan Innes over 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Current design allows a global or host-based remote_execution_ssh_user.

Customer would like to be able to map specific Foreman users to specific SSH Users.

i.e.

foreman-read-only user uses client-read-only user to SSH to client and execute job. Sudo rules can then be used to permit 'yum list' for example.
foreman-operations user uses client-operations user to SSH to client and execute job. Sudo rules can then be used to permit 'yum update' for example.
foreman-sysadmin user uses client-sysadmin user to SSH to client and execute job. Sudo rules can then be used to permit 'yum install' or 'yum remove' for example.

In the specific case of yum actions, an edit is also required to the "Package Action - SSH Default" template to run the yum -y line through sudo.

To map this example to the "Service Action - SSH Default" template, the client-read-only user would have sudo rules to run 'systemctl status', but the client-operations user would have sudo rules to run 'systemctl restart application.service'.

Without being able to change the remote_execution_ssh_user, I can't see how remote execution can be controlled on a read-only basis, with variable levels of write ability on the client.
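The client-side half of the request above, as an added example that is not part of the original issue or of Foreman itself: a sudoers drop-in granting the three SSH accounts the tiered yum and systemctl rights described. The file name, the `/usr/bin` paths and the exact `yum -y` argument forms are assumptions to check against the job templates in use.

```sudoers
# /etc/sudoers.d/foreman-rex  (constructed example; check with: visudo -cf <file>)
# Account names are taken from the request; binary paths assume a RHEL-style host.

# Remote execution is non-interactive: no tty, and no password prompt (NOPASSWD below).
Defaults:client-read-only,client-operations,client-sysadmin !requiretty

# An entry with arguments matches only those arguments, so the bare form and
# the wildcard form are listed separately.
Cmnd_Alias REX_PKG_READ    = /usr/bin/yum list, /usr/bin/yum list *
Cmnd_Alias REX_PKG_UPDATE  = /usr/bin/yum -y update, /usr/bin/yum -y update *
Cmnd_Alias REX_SVC_READ    = /usr/bin/systemctl status *
Cmnd_Alias REX_SVC_RESTART = /usr/bin/systemctl restart application.service

# Wildcards in arguments also match spaces and slashes, so this alias accepts
# local RPM paths whose scriptlets run as root. Treat any account holding it
# as root-equivalent.
Cmnd_Alias REX_PKG_MANAGE  = /usr/bin/yum -y install *, /usr/bin/yum -y remove *

client-read-only  ALL = (root) NOPASSWD: REX_PKG_READ, REX_SVC_READ
client-operations ALL = (root) NOPASSWD: REX_PKG_READ, REX_PKG_UPDATE, \
                                         REX_SVC_READ, REX_SVC_RESTART
client-sysadmin   ALL = (root) NOPASSWD: REX_PKG_READ, REX_PKG_UPDATE, REX_PKG_MANAGE, \
                                         REX_SVC_READ, REX_SVC_RESTART
```

Running `sudo -l -U client-operations` on the client lists what the account can actually run, which is the quickest check that the tiers are no wider than intended.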
