help-cfengine

Re: Tiered admins with cfengine


From: Jason Edgecombe
Subject: Re: Tiered admins with cfengine
Date: Thu, 13 Oct 2005 10:37:51 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Alexander Mattausch wrote:

Hello Jason,

Jason Edgecombe schrieb:

Hi everyone,

I work at a university, and we are currently using cfengine in our college to manage some Linux and Mac machines. In our college, there are two admins including myself who are trusted and have total control of the cfengine config.

Using cfengine has been proposed as being adopted by the entire University for Mac administration. My concern is how do we inherit the campus config and only let people in our college modify the config that affects our machines.

For example, I am in the College of Arts & Sciences and I can only change the cfengine configs for machines in my college. The College of Architecture would only have access to their machines, but we both inherit the changes pushed out by central IT. I simply want to limit the effects of accidental changes made by different admins. It's not just newbieness that I'm worried about. I don't have a full understanding of what my changes might do to another college's computers.

Basically, how can we partition the cfengine setup between admins, but still inherit a config from central IT? Do we have to use different cfengine servers for this?


What about using imports for this?

import:
 any::
   global.conf
 college1::
   college1.conf
 college2::
   college2.conf

The files that are imported have set their ownerships appropriately, so that e.g. only the admins of college1 are allowed to edit college1.conf. This example can be improved with unique directories for each "administrational unit". Of course the groups have to be defined, this depends on your network infrastructure and can be done e.g. by IP ranges.

Hope this helps
Alex



Hi Alex,

Both your comments and Mark's are very helpful. Importing of files was one way I thought of. I think the more complex problem is how to define the groups college1, college2, ...

Our DNS namespace is flat. All hosts are host.example.com. Departments and colleges don't have their own namespace. Even our IP subnets are mixed. One subnet may have people from multiple colleges or departments. I'd rather not manage by lists of hosts. That would mean that the root admin would have to manage the master lists. Our machines also tend to move somewhat often when faculty/staff get shuffled around.

Would some type of flag file that specified the department and college be a better way? That way, departmental and college admins can add new machines to their cfengine group without having to involve the cfengine root admin.

Colleges might have their own servers for load-balancing purposes. All machines in a college could talk to that college's cfengine server, but all cfengine servers would mirror from the master.

Thanks,
Jason
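A cfengine 2 configuration sketch that combines Alex's scoped imports with the flag-file idea raised in the reply above. This is an added example, not code from either poster or from the cfengine project; the flag-file paths, the college class names, the policy-master hostname and the admin group names are all assumptions.

```cfengine
# Added example (cfengine 2 syntax). All paths, class names, the hostname
# "cfmaster" and the groups "artsadm"/"archadm" are assumptions.

control:
   actionsequence = ( files )

classes:
   # Each host declares its college by the presence of a flag file that the
   # college admin creates locally, so the central admin keeps no host lists.
   college_arts = ( FileExists(/etc/cfengine/college/arts) )
   college_arch = ( FileExists(/etc/cfengine/college/architecture) )
   # The policy master is identified by its hostname class (assumed).
   policy_master = ( cfmaster )

import:
   # Every host inherits the central policy first.
   any::
      global.conf
   # A college's file is only parsed on hosts that raised that college's
   # class; a host with no flag file gets only the central policy.
   college_arts::
      college/arts.conf
   college_arch::
      college/architecture.conf

files:
   # On the policy master, keep each college's file writable only by root and
   # that college's admin group, and correct wrong modes/groups when found.
   policy_master::
      /var/cfengine/masterfiles/college/arts.conf mode=660 owner=root group=artsadm action=fixall
      /var/cfengine/masterfiles/college/architecture.conf mode=660 owner=root group=archadm action=fixall
```

Note that the flag file only decides which college file a host imports; anything in global.conf still applies to every host, so the scoping limits a college admin's reach but does not limit central IT's.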
