Added a generated sudoers file to enable the 'pl_monitor' account to also have
Stephen Soltesz [Wed, 9 Apr 2008 16:53:20 +0000 (16:53 +0000)]
limited permission on the system.
I also expect that its permissions will expand over time to include
restarting some services or killing some commands, etc.

PlanetLabConf/sudoers.php [new file with mode: 0644]

diff --git a/PlanetLabConf/sudoers.php b/PlanetLabConf/sudoers.php
new file mode 100644 (file)
index 0000000..04ca483
--- /dev/null
@@ -0,0 +1,45 @@
+<?php
+// Get admin API handle
+require_once 'plc_config.php';
+
+$user = PLC_SLICE_PREFIX . '_monitor';
+
+echo "# -----------------------------------------------------------------
+# We're assuming that ssh authentication has already been used, this
+# is more risky than I'm comfortable with, but it saves the problem 
+# of managing a separate password file.
+# -----------------------------------------------------------------
+Defaults       !authenticate
+
+# -----------------------------------------------------------------
+# No surpise... root has universal access
+# -----------------------------------------------------------------
+root           ALL = (ALL) ALL
+
+# -----------------------------------------------------------------
+# SITE_CMDS are those available to local site administrators
+# -----------------------------------------------------------------
+Cmnd_Alias     SITE_CMDS =     /usr/sbin/vps, \
+                               /usr/sbin/vpstree, \
+                               /usr/sbin/vtop, \
+                               /bin/ps, \
+                               /usr/bin/pstree, \
+                               /usr/bin/top, \
+                               /usr/sbin/tcpdump, \
+                               /usr/bin/pfgrep, \
+                               /usr/local/planetlab/bin/pl-catlogs, \
+                               /sbin/halt, \
+                               /sbin/reboot, \
+                               /sbin/shutdown, \
+                               /usr/bin/passwd -d site_admin, \
+                               /usr/bin/passwd site_admin, \
+                               /bin/more /var/log/messages, \
+                               /bin/more /var/log/nm
+
+# -----------------------------------------------------------------
+# Site Admins -- accounts with admin privileges on the local nodes
+# -----------------------------------------------------------------
+site_admin     ALL = SITE_CMDS
+$user       ALL = SITE_CMDS
+";
+?>
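Review bot: The final rule `$user       ALL = SITE_CMDS` gives the monitor account the full site-admin command set, including `/sbin/halt`, `/sbin/reboot`, `/sbin/shutdown` and both `/usr/bin/passwd ... site_admin` entries, so the account is not limited in the way the commit message describes and can change the site_admin password. Because `Defaults       !authenticate` carries no user scope, none of these commands asks for a password, for any account the file covers. A narrower alias for the monitor account, holding only the read-only process and log commands it needs (which ones is to be confirmed), used as `$user ALL = MONITOR_CMDS`, together with a scoped `Defaults:site_admin,$user !authenticate`, would keep the grant to least privilege. The two `/bin/more /var/log/...` entries run an interactive pager as root, and a pager can start other programs; tagging them `NOEXEC:` or listing `/bin/cat` on the same paths avoids that.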