classes:
- system.linux.system.sudo
# L1
- system.openssh.server.team.members.aleksandrdobdin
- system.openssh.server.team.members.aleksandrrubtsov
- system.openssh.server.team.members.anatoliineliubin
- system.openssh.server.team.members.antonrodionov
- system.openssh.server.team.members.collinmay
- system.openssh.server.team.members.danilakhmetov
- system.openssh.server.team.members.deniskostriukov
- system.openssh.server.team.members.dmitrygoloshubov
- system.openssh.server.team.members.javierdiaz
- system.openssh.server.team.members.josuepalmerin
- system.openssh.server.team.members.krzysztoffranckowski
- system.openssh.server.team.members.matthewroark
- system.openssh.server.team.members.maximefimov
- system.openssh.server.team.members.mikhailkraynov
- system.openssh.server.team.members.renesoto
- system.openssh.server.team.members.rsafonov
- system.openssh.server.team.members.scottmachtmes
- system.openssh.server.team.members.zahedkhurasani
# L2OPS
- system.openssh.server.team.members.aepifanov
- system.openssh.server.team.members.apetrenko
- system.openssh.server.team.members.atarasov
- system.openssh.server.team.members.dklepikov
- system.openssh.server.team.members.dsutyagin
- system.openssh.server.team.members.ekozhemyakin
- system.openssh.server.team.members.enikanorov
- system.openssh.server.team.members.fsoppelsa
- system.openssh.server.team.members.manashkin
- system.openssh.server.team.members.nkondra
- system.openssh.server.team.members.nkabanova
- system.openssh.server.team.members.obryndzii
- system.openssh.server.team.members.oliemieshko
- system.openssh.server.team.members.sovsianikov
- system.openssh.server.team.members.cade
- system.openssh.server.team.members.jmosher
- system.openssh.server.team.members.ecantwell
- system.openssh.server.team.members.lmercl
- system.openssh.server.team.members.osmola
- system.openssh.server.team.members.pcizinsky
- system.openssh.server.team.members.pmathews
- system.openssh.server.team.members.pmichalec
parameters:
  _param:
    linux_system_user_sudo: true
  linux:
    system:
      group:
        supportl1:
          enabled: false
          name: supportl1
        supportl2:
          enabled: false
          name: supportl2
        support0:
          enabled: false
          name: support0
        support1:
          enabled: false
          name: support1
        support2:
          enabled: false
          name: support2
        support3:
          enabled: true
          name: support3
          addusers:
            # L1
            - ${linux:system:user:adobdin:name}
            - ${linux:system:user:arubtsov:name}
            - ${linux:system:user:aneliubin:name}
            - ${linux:system:user:arodionov:name}
            - ${linux:system:user:cmay:name}
            - ${linux:system:user:dakhmetov:name}
            - ${linux:system:user:dkostriukov:name}
            - ${linux:system:user:dgoloshubov:name}
            - ${linux:system:user:jdiaz:name}
            - ${linux:system:user:jpalmerin:name}
            - ${linux:system:user:kfranckowski:name}
            - ${linux:system:user:mroark:name}
            - ${linux:system:user:mefimov:name}
            - ${linux:system:user:mkraynov:name}
            - ${linux:system:user:nkabanova:name}
            - ${linux:system:user:rsoto:name}
            - ${linux:system:user:rsafonov:name}
            - ${linux:system:user:smachtmes:name}
            - ${linux:system:user:zkhurasani:name}
            # L2OPS
            - ${linux:system:user:aepifanov:name}
            - ${linux:system:user:apetrenko:name}
            - ${linux:system:user:atarasov:name}
            - ${linux:system:user:dklepikov:name}
            - ${linux:system:user:dsutyagin:name}
            - ${linux:system:user:ekozhemyakin:name}
            - ${linux:system:user:enikanorov:name}
            - ${linux:system:user:fsoppelsa:name}
            - ${linux:system:user:manashkin:name}
            - ${linux:system:user:nkondra:name}
            - ${linux:system:user:nkabanova:name}
            - ${linux:system:user:obryndzii:name}
            - ${linux:system:user:oliemieshko:name}
            - ${linux:system:user:sovsianikov:name}
            - ${linux:system:user:pmichalec:name}
            - ${linux:system:user:pmathews:name}
            - ${linux:system:user:pcizinsky:name}
            - ${linux:system:user:osmola:name}
            - ${linux:system:user:cade:name}
            - ${linux:system:user:jmosher:name}
            - ${linux:system:user:ecantwell:name}
            - ${linux:system:user:lmercl:name}
      sudo:
        enabled: true
        aliases:
          command:
            SUPPORT_SALT: ${_param:sudo_salt_safe}
            SUPPORT_SALT_TRUSTED: ${_param:sudo_salt_trusted}
            SUPPORT_RESTRICTED_SHELLS: ${_param:sudo_shells}
            SUPPORT_RESTRICTED_SU: ${_param:sudo_restricted_su}
            SUPPORT_COREUTILS: ${_param:sudo_coreutils_safe}
            SUPPORT_RABBITMQ: ${_param:sudo_rabbitmq_safe}
            SUPPORT_SALT_TRUSTED: ${_param:sudo_salt_trusted}
            SUPPORT_NETWORKING: ${_param:sudo_networking}
            SUPPORT_CONTRAIL: ${_param:sudo_contrail_utilities}
            SUPPORT_STORAGE: ${_param:sudo_storage_utilities}
            SUPPORT_OPENSTACK_CLIENTS: ${_param:sudo_openstack_clients}
        groups:
          support0:
          # This group should have only RO access to non-sensitive data and commands
          # assumed usage: common operations, non experienced, non technical users.
            commands:
                - SUPPORT_SALT
                - '!SUPPORT_RESTRICTED_SHELLS'
                - '!SUPPORT_RESTRICTED_SU'
          support1:
          # This group should have access to safe, trusted, commands
            commands:
                - SUPPORT_SALT
                - SUPPORT_COREUTILS
                - SUPPORT_RABBITMQ
                - SUPPORT_NETWORKING
                - SUPPORT_CONTRAIL
                - SUPPORT_STORAGE
                - SUPPORT_OPENSTACK_CLIENTS
                - '!SUPPORT_RESTRICTED_SHELLS'
                - '!SUPPORT_RESTRICTED_SU'
          support2:
          # This group should have access to any command using sudo
            commands:
                - SUPPORT_SALT
                - SUPPORT_SALT_TRUSTED
                - SUPPORT_COREUTILS
                - SUPPORT_RABBITMQ
                - SUPPORT_NETWORKING
                - SUPPORT_CONTRAIL
                - SUPPORT_STORAGE
                - SUPPORT_OPENSTACK_CLIENTS
                - '!SUPPORT_RESTRICTED_SHELLS'
                - '!SUPPORT_RESTRICTED_SU'
          support3:
          # It's never safe to run unlimited number of commands with sudo.
          # Use with caution.
            setenv: true
            commands:
                - ALL