Last modified: 2014-08-29 15:56:17 UTC
Currently, the sudoers per-project interface allows creation of sudo rules with individual users or "all project users" as targets. There is no provision for an "ALL" target as project admins may wish to use. Adding this option should be fairly trivial.
What is an example of a user who is a member of ALL yet not a member of 'all project users'?
All system users?
Also, 'all project users' excludes root. :-)
Having sudo policies in ldap doesn't preclude setting up sudo policies directly on the box... To the extent that system users are puppetized, it seems like their sudo policy should derive from puppet as well.
Oh, my mistake, I misunderstood what we meant by 'target' here. This makes sense after all :)
https://gerrit.wikimedia.org/r/#/c/153723
Change 153723 had a related patch set uploaded by Tim Landscheidt: Replace support for 'ALL' in the 'Allow running as' sudo column. https://gerrit.wikimedia.org/r/153723