#5738 Request for new sysadmin group for MBS
Closed 7 years ago Opened 7 years ago by ralph.

Hi!

There are guys on my team who would like to help maintain the MBS: @jkaluza, @fivaldi, and @mprahl.

I would like to add them to the sysadmin group and create a new sysadmin-mbs group. I would like to give them access via rbac-playbook to run the mbs playbooks (and give them rights to commit to the ansible repo).

One important question is: how can they access logs? They do today get emailed tracebacks, but more logs are helpful to debug.

Considerations:

  • If they have ssh access to the mbs nodes, then they will have read access to koji credentials with elevated permissions.
  • If we add them to sysadmin-logs, then they can read logs without accessing koji credentials, but they will have access to lots more logs from other things.

(FWIW, these guys are good and trustworthy, but that's not the point.) They don't currently hang out in #fedora-admin or #fedora-noc, but I'm sure we can make that kind of availability happen.
If I can provide any other information or options, please let me know.


Well, ssh access to the nodes doesn't automatically mean sudo access, so if they could read the logs as their normal users, they wouldn't have access to koji credentials.

Without sudo on the nodes they would need to commit and then run playbooks to do any changes.

Or perhaps sudo could be constrained to just the things they might need to do, and leave the koji credentials still secure?

Anyhow, I am ok to just make the group and add them to it and add privs as they are needed.

This is part of our normal RFR for new applications anyhow to add a group for it and make sure all the folks who know how to maintain the application are added.

Is there any further discussion we want to have here?

:heavy_check_mark:

Or perhaps sudo could be constrained to just the things they might need to do, and leave the koji credentials still secure?

Yeah! The main thing I would want is for them to be able to read logs, so a sudoers rule just for journalctl should do it. (Although the apache logs require tail on /var/log/httpd/error_log...)

If we are supposed to just read logs, the super-secure way is a chrooted SFTP, and we would access those logfiles with just sftp/sshfs without any bash prompt.

Here's a guide for inspiration:
https://wiki.archlinux.org/index.php/SFTP_chroot

The ChrootDirectory would be for the apache log files directory or some other directory. In case of multiple directories, I used to mount --bind them to one "umbrella" directory chroot.
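Both approaches discussed in this ticket, the sudoers rule limited to journalctl and tail that ralph suggests and the read-only chrooted SFTP that fivaldi describes, as an added example that is not part of the ticket nor of the Fedora infra ansible repo. The group name sysadmin-mbs comes from the ticket; the jail path /srv/mbs-logs, the drop-in paths under /etc, the journal unit name mbs and the /var/log/mbs directory are assumptions. The script only renders the fragments into a staging directory so it runs without root and without touching a live host.

```shell
#!/bin/sh
# Added example, not from the ticket: stage a least-privilege, read-only log
# access setup for the MBS maintainers. Group name sysadmin-mbs is from the
# ticket; /srv/mbs-logs, the sudoers and sshd_config.d paths, the unit name
# "mbs" and /var/log/mbs are assumptions. Everything is written under a
# staging root so no root privileges are needed to run this.
set -eu

# Option A (ralph's sudoers rule): journalctl and tail on the httpd error log,
# nothing else, so koji credentials on the mbs nodes stay unreadable.
# Two sudoers pitfalls are handled here:
#  - journalctl normally spawns a pager that can run other programs; the
#    command is pinned to --no-pager and the NOEXEC default is set as well.
#  - "*" in a sudoers command argument also matches across argument
#    boundaries, so the allowed tail invocations are spelled out exactly.
render_sudoers() {
    cat <<'EOF'
# /etc/sudoers.d/sysadmin-mbs (assumed path): read-only log access only
Cmnd_Alias MBS_LOGS = /usr/bin/journalctl --no-pager -u mbs, \
                      /usr/bin/journalctl --no-pager -u mbs -f, \
                      /usr/bin/tail -n 200 /var/log/httpd/error_log, \
                      /usr/bin/tail -f /var/log/httpd/error_log
Defaults!MBS_LOGS noexec
%sysadmin-mbs ALL=(root) NOPASSWD: MBS_LOGS
EOF
}

# Option B (fivaldi's chrooted SFTP): members of the group get an SFTP-only
# session rooted in a directory that holds nothing but read-only bind mounts of
# the log trees: no shell, no TTY, no forwarding. Deploy this fragment on the
# log-serving nodes only; sshd requires /srv/mbs-logs and every parent of it to
# be owned by root and not group/world writable (mode 0755 is fine).
render_sshd_match() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/50-mbs-logs.conf (assumed path)
Match Group sysadmin-mbs
    ChrootDirectory /srv/mbs-logs
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# The "umbrella" directory: several log directories bind-mounted read-only
# under the jail so one ChrootDirectory covers all of them.
render_fstab() {
    cat <<'EOF'
# append to /etc/fstab: read-only bind mounts into the SFTP jail
/var/log/httpd   /srv/mbs-logs/httpd   none  bind,ro  0 0
/var/log/mbs     /srv/mbs-logs/mbs     none  bind,ro  0 0
EOF
}

# Render every fragment under the staging root "$1" (mirroring /), give the
# sudoers drop-in the mode sudo insists on, and run visudo's syntax check when
# it is installed. Prints the staging root so callers can inspect the files.
stage_all() {
    root="$1"
    mkdir -p "$root/etc/sudoers.d" "$root/etc/ssh/sshd_config.d"
    render_sudoers    > "$root/etc/sudoers.d/sysadmin-mbs"
    render_sshd_match > "$root/etc/ssh/sshd_config.d/50-mbs-logs.conf"
    render_fstab      > "$root/etc/fstab.mbs-logs"
    chmod 0440 "$root/etc/sudoers.d/sysadmin-mbs"
    if command -v visudo >/dev/null 2>&1; then
        # visudo also checks owner/mode, so a non-root staging copy may warn.
        visudo -c -f "$root/etc/sudoers.d/sysadmin-mbs" >&2 \
            || echo "visudo: check did not pass on the staged copy" >&2
    fi
    echo "$root"
}

# Stand-alone run: stage into "$1" or a fresh temporary directory.
stage_all "${1:-$(mktemp -d)}"
```

Copy the staged files into place as root, then run `visudo -c -f /etc/sudoers.d/sysadmin-mbs` and `sshd -t` before reloading sshd, and `mount -a` after appending the fstab lines. If only the journal is needed, no sudo is required at all: adding the users to the systemd-journal group grants read access to journalctl, which is the smaller change when the httpd logs are not in scope.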

Well, I don't think we really need to go to extreme measures, just compartmentalize as makes sense.

OK - the groups are created and they have rbac-playbook access now.

I'll educate the new guys on how to access batcave01, etc.

Metadata Update from @ralph:
- Issue status updated to: Closed (was: Open)

7 years ago
