Bug 569

Summary: Support for host group plugin
Product: Sudo
Reporter: Todd C. Miller <Todd.Miller>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: NEW
Severity: enhancement
Priority: low
Version: 1.8.6
Hardware: All
OS: All

Description Todd C. Miller 2012-09-06 11:33:42 MDT
The sudoers plugin currently has support for a non-Unix user groups plugin but no way to support arbitrary external groups of hosts.  A simple fix would be to replicate the non-Unix group API but for hosts, using some syntactic sugar (perhaps :hostname?).

A potentially better approach is to use a URI-based scheme that supports multiple plugins and that can handle groups of users and hosts.  In this scenario, when the data plugin is initialized it would return a URI type (e.g. qas) which is used to identify groups that should be resolved using that plugin.  For instance:

qas://Administrators ALL = ALL

would match any user in the AD Administrators group.  Likewise,

qas://Administrators qas://Servers = ALL

is the same but for hosts in the AD Servers machine group.  The 

In addition to a test for whether a user or host is in a group, the plugin may also support a function to enumerate all groups that a user or host belongs to.  This may dramatically reduce the number of queries required but not all plugins may be able to support this.
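
An added sketch of the URI-based dispatch proposed above, for both user and host names. It is not sudo's code and not part of the original report: the `group_plugin` struct, every function name, the `flat` scheme and the membership data are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical interface sketching the proposal; not sudo's plugin API. */
struct group_plugin {
    const char *scheme;  /* URI type returned at plugin init, e.g. "qas" */
    int (*is_member)(const char *name, const char *group);  /* required */
    /* Optional, may be NULL: list all groups of name, return the count. */
    size_t (*enumerate)(const char *name, const char **out, size_t max);
};
/* Constructed membership data standing in for a directory lookup. */
static const char *demo_db[][2] = {
    { "alice", "Administrators" }, { "alice", "Staff" }, { "web01", "Servers" },
};
#define DEMO_N (sizeof(demo_db) / sizeof(demo_db[0]))
static int demo_is_member(const char *name, const char *group) {
    for (size_t i = 0; i < DEMO_N; i++)
        if (!strcmp(demo_db[i][0], name) && !strcmp(demo_db[i][1], group))
            return 1;
    return 0;
}
static size_t demo_enumerate(const char *name, const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < DEMO_N && n < max; i++)
        if (!strcmp(demo_db[i][0], name))
            out[n++] = demo_db[i][1];
    return n;
}
static const struct group_plugin demo_plugins[] = {
    { "qas", demo_is_member, demo_enumerate }, { "flat", demo_is_member, NULL },
};

/* 1 = match, 0 = no match, -1 = malformed spec or unknown scheme (fail closed). */
int uri_group_match(const struct group_plugin *p, size_t np,
                    const char *spec, const char *name) {
    const char *sep = strstr(spec, "://"), *groups[16];
    if (sep == NULL || sep == spec || sep[3] == '\0')
        return -1;
    for (size_t i = 0, slen = (size_t)(sep - spec); i < np; i++) {
        if (strlen(p[i].scheme) != slen || strncmp(p[i].scheme, spec, slen))
            continue;
        size_t n = p[i].enumerate ? p[i].enumerate(name, groups, 16) : 0;
        for (size_t g = 0; g < n; g++)
            if (!strcmp(groups[g], sep + 3))
                return 1;
        /* Empty or possibly truncated list, or no enumerate: ask directly. */
        return (n == 0 || n == 16) ? p[i].is_member(name, sep + 3) != 0 : 0;
    }
    return -1;
}
```

A caller evaluating many rules for one user or host could keep the enumerated list and reuse it across rules, which is where the query reduction mentioned above would come from.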