Comment 5 for bug 681774

Separating nova_sudoers into node-specific files sounds like a good idea too (nova user is more exposed on API nodes, and API nodes actually do not need a nova user that has the power of screwing up your network configuration)