Separating nova_sudoers into node-specific files sounds like a good idea too (nova user is more exposed on API nodes, and API nodes actually do not need a nova user that has the power of screwing up your network configuration)
Separating nova_sudoers into node-specific files sounds like a good idea too (nova user is more exposed on API nodes, and API nodes actually do not need a nova user that has the power of screwing up your network configuration)