Re: Tiered admins with cfengine
From: Alexander Mattausch
Subject: Re: Tiered admins with cfengine
Date: Thu, 13 Oct 2005 16:21:38 +0200
User-agent: Mozilla Thunderbird 1.0.6 (X11/20050715)

Hello Jason,

Jason Edgecombe wrote:
> Hi everyone,
>
> I work at a university, and we are currently using cfengine in our
> college to manage some Linux and Mac machines. In our college, there
> are two admins including myself who are trusted and have total control
> of the cfengine config.
>
> Using cfengine has been proposed as being adopted by the entire
> University for Mac administration. My concern is how do we inherit the
> campus config and only let people in our college modify the config
> that affects our machines.
>
> For example, I am in the College of Arts & Sciences and I can only
> change the cfengine configs for machines in my college. The college of
> Architecture would only have access to their machines, but we both
> inherit the changes pushed out by central IT.
>
> I simply want to limit the effects of accidental changes made by
> different admins. It's not just newbieness that I'm worried about. I
> don't have a full understanding of what my changes might do to another
> college's computers.
>
> Basically, how can we partition the cfengine set up between admins,
> but still inherit a config from central IT? Do we have to use
> different cfengine servers for this?

What about using imports for this?

    import:
        any::
            global.conf
        college1::
            college1.conf
        college2::
            college2.conf

The files that are imported have their ownerships set appropriately, so
that e.g. only the admins of college1 are allowed to edit college1.conf.
This example can be improved with unique directories for each
"administrational unit". Of course the groups have to be defined; this
depends on your network infrastructure and can be done e.g. by IP ranges.

Hope this helps

Alex
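
The separation described in this message rests entirely on file ownership and permissions, so it is worth checking them on the policy server. The following is an added example, not part of the original message or of cfengine: a small audit of the imported files, where the policy table of file names to group ids, the function names and the sample directory are all assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_import_files(conf_dir, expected_gid):
    """Return (item, problem) findings for the imported files in conf_dir.

    expected_gid maps file name -> numeric group id allowed to edit it
    (a hypothetical policy table, not something cfengine provides).
    """
    findings = []
    # Whoever can write the directory can replace a file regardless of its owner.
    if os.stat(conf_dir).st_mode & stat.S_IWOTH:
        findings.append((conf_dir, "directory is world-writable"))
    for name, gid in sorted(expected_gid.items()):
        path = os.path.join(conf_dir, name)
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks
        except FileNotFoundError:
            findings.append((name, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            # e.g. a symlink pointing at another unit's file
            findings.append((name, "not a regular file"))
            continue
        if st.st_gid != gid:
            findings.append((name, f"group {st.st_gid}, expected {gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings

def build_sample_tree():
    """Constructed sample: the three import files in a temporary directory."""
    d = tempfile.mkdtemp()
    for name in ("global.conf", "college1.conf", "college2.conf"):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("# constructed sample\n")
        os.chmod(path, 0o664)
    os.chmod(d, 0o755)
    return d

if __name__ == "__main__":
    d = build_sample_tree()
    gid = os.stat(os.path.join(d, "global.conf")).st_gid
    os.chmod(os.path.join(d, "college2.conf"), 0o666)  # deliberately too open
    policy = {"global.conf": gid, "college1.conf": gid + 1, "college2.conf": gid}
    for item, problem in audit_import_files(d, policy):
        print(f"{item}: {problem}")
```

With one directory per unit, as the message suggests, the same check can be run once per directory with that unit's group id.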