[doc][yba] sudo whitelist ynp (#26140)
* sudo whitelist

* review comment

* clarify SSH requirement

* format DOC-651
ddhodge authored Feb 25, 2025
1 parent 6f43969 commit f650c6c
Showing 18 changed files with 177 additions and 23 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ After you created the required tables, you can set up unidirectional replication
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id
```

The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows:
The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows:

```sh
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id | grep table_name
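Review bot: the `| grep table_name` on the last context line matches as a substring, so on a universe that has both `orders` and `orders_archive` the filter returns both rows and the reader can copy the wrong table ID into the replication setup; since this hunk is already touching the sentence that introduces the grep, consider pointing at `grep -w table_name` (whole-word match) here and in the other async-replication.md copies changed in this commit.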
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ The following ports need to be open.
| From | To | Requirements |
| :--- | :--- | :--- |
| DB&nbsp;nodes | DB&nbsp;nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.<ul><li>7000 - YB-Master HTTP(S)</li><li>7100 - YB-Master RPC</li><li>9000 - YB-TServer HTTP(S)</li><li>9100 - YB-TServer RPC</li><li>18018 - YB Controller RPC</li></ul> |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul>SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul> |
| Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.<ul><li>5433 - YSQL server</li><li>9042 - YCQL server</li></ul> |
| DB nodes | YBA&nbsp;node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.<ul><li>443 - HTTPS</li></ul> |
| Operator | YBA&nbsp;node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.<ul><li>443 - HTTPS</li><li>9090 - Served by Prometheus, for metrics</li></ul>Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.<br>Port 6433 serves built-in connection pooling (if enabled). |
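Review bot: marking port 22 as legacy-only drops the old guidance on what to do when SSH is not allowed without replacing it. State explicitly that nodes provisioned with node agent need no inbound port 22 from the YBA node (a useful least-privilege statement for firewall reviews) and how troubleshooting access is expected to work without SSH, because the removed sentence recommended keeping SSH for exactly that. Also check that the renamed link target `../server-nodes-software/software-on-prem-legacy/` resolves; the previous text linked `software-on-prem-manual/`, and the same rename is applied in the other networking.md copies in this commit.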
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis

YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes:

- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- tar
- unzip
- policycoreutils-python-utils
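Review bot: "Allowing SSH is optional" immediately followed by "Using SSH is required in some legacy ... approaches" reads as a contradiction, and the bullet still sits in a list introduced with "requires the following additional software to be pre-installed". Suggest stating the condition once, e.g. "OpenSSH Server. Required only for [legacy on-premises provisioning](../server-nodes-software/software-on-prem-legacy/); not needed when nodes are provisioned with node agent.", and qualify the list intro (or move the bullet out of the required list) so readers hardening nodes do not install and enable sshd they will never use.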
Original file line number Diff line number Diff line change
Expand Up @@ -136,27 +136,67 @@ The following options are used for logging the provisioning itself.
| `logging directory` | Set the directory where node provisioning log files will be stored. |
| `logging file` | Name of the node provisioning log file. |

### Preflight check

Run the preflight checks either as a root user, or via sudo as follows:

```sh
sudo ./node-agent-provision.sh --preflight_check
```

Address any issues highlighted by the preflight checks.

### Run the provisioning script

1. Run the preflight checks either as a root user, or via sudo as follows:
When the preflight checks pass, run the script either as a root user, or via sudo as follows:

```sh
sudo ./node-agent-provision.sh
```

The script provisions the node and installs node agent.

If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider.

After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node.

## sudo whitelist

If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist:

```sh
sudo ./node-agent-provision.sh --preflight_check
sudo ./node-agent-provision.sh
```

The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated.

To audit the commands that are run by the script, do the following:

1. [Run the preflight check](#preflight-check).

The preflight check renders templates containing all the bash commands that the script will execute for provisioning.

1. Identify the rendered templates using grep as follows:

```sh
sudo ./node-agent-provision.sh --preflight_check
sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$"
```

1. Address any issues highlighted by the preflight checks.
You should see output similar to the following:

1. When the preflight checks pass, run the script either as a root user, or via sudo as follows:
```output
2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c
```sh
sudo ./node-agent-provision.sh
2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_
```

The script provisions the node and installs node agent.
1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node.

If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider.
- The first file in the log is the precheck template.
- The second file in the log is the actual execution template.

After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node.
Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases.

## Next steps

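Review bot: the whitelist block (`sudo ./node-agent-provision.sh --preflight_check` / `sudo ./node-agent-provision.sh`) cannot be copied into sudoers as written: a sudoers Cmnd entry must be a fully qualified path and does not include the word `sudo`, and because sudoers matches arguments, the `--preflight_check` form and the bare form need separate entries. Suggest showing the entries the way an administrator would write them, for example `<user> ALL=(root) /path/to/node-agent-provision.sh --preflight_check` plus a second line without the argument (user and path are placeholders for wherever the bundle is unpacked), and add the caveat that the rule is only as safe as the file: if the script or the directory it lives in is writable by the user granted the rule, the entry is equivalent to unrestricted root, so the script should be root-owned and not group/world-writable before the rule is added. Two smaller points for the audit steps: the preflight run happens under sudo, so the rendered templates in /tmp will typically be root-owned with restrictive permissions and step 3 should say to read them with `sudo cat` (or as root); and the `grep "INFO - /tmp/tmp.*$"` pattern is tied to the current `commands.provision_command` log line format, which is worth saying next to the existing warning that these files vary between releases.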
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id
```

The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows:
The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows:

```sh
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id | grep table_name
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ The following ports need to be open.
| From | To | Requirements |
| :--- | :--- | :--- |
| DB&nbsp;nodes | DB&nbsp;nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.<ul><li>7000 - YB-Master HTTP(S)</li><li>7100 - YB-Master RPC</li><li>9000 - YB-TServer HTTP(S)</li><li>9100 - YB-TServer RPC</li><li>18018 - YB Controller RPC</li></ul> |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul>SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul> |
| Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.<ul><li>5433 - YSQL server</li><li>9042 - YCQL server</li></ul> |
| DB nodes | YBA&nbsp;node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.<ul><li>443 - HTTPS</li></ul> |
| Operator | YBA&nbsp;node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.<ul><li>443 - HTTPS</li><li>9090 - Served by Prometheus, for metrics</li></ul>Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.<br>Port 6433 serves built-in connection pooling (if enabled). |
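Review bot: same gap as in the first networking.md copy in this commit: with port 22 now legacy-only, say outright that node-agent-provisioned nodes need no inbound SSH from the YBA node and what the troubleshooting path is without it, and verify the renamed `software-on-prem-legacy/` link resolves.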
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis

YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes:

- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- tar
- unzip
- policycoreutils-python-utils
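Review bot: same wording issue as the first software-requirements copy in this commit: "optional" followed by "required in some legacy ... approaches" under a list headed as pre-installed requirements; state the condition once ("Required only for legacy on-premises provisioning") and qualify the list intro.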
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,44 @@ If specified, node agent creates the on-premises provider configuration; or, if

After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node.

## sudo whitelist

If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist:
```sh
sudo ./node-agent-provision.sh --preflight_check
sudo ./node-agent-provision.sh
```
The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated.
To audit the commands that are run by the script, do the following:
1. [Run the preflight check](#preflight-check).
The preflight check renders templates containing all the bash commands that the script will execute for provisioning.
1. Identify the rendered templates using grep as follows:
```sh
sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$"
```
You should see output similar to the following:
```output
2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c
2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_
```
1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node.
- The first file in the log is the precheck template.
- The second file in the log is the actual execution template.
Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases.
## Next steps
If you did not provide details for the provider configuration, you will need to do the following:
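Review bot: same problem as the other copy of the sudo whitelist section in this commit: the two listed commands are not valid sudoers entries (no `sudo` prefix, fully qualified path, one entry per argument form), and the section should warn that a whitelisted script must be root-owned and not writable by the user granted the rule, otherwise the rule amounts to unrestricted root. Step 3 should also note that the rendered templates in /tmp are produced by the root run and will usually need `sudo` to read.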
2 changes: 1 addition & 1 deletion docs/content/v2.14/deploy/multi-dc/async-replication.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ After you created the required tables, you can set up unidirectional replication
./bin/yb-admin -master_addresses <source master ips comma separated> list_tables include_table_id
```

The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows:
The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows:

```sh
./bin/yb-admin -master_addresses <source master ips comma separated> list_tables include_table_id | grep table_name
2 changes: 1 addition & 1 deletion docs/content/v2.18/deploy/multi-dc/async-replication.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ After you created the required tables, you can set up unidirectional replication
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id
```

The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows:
The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows:

```sh
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id | grep table_name
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id
```

The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows:
The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows:

```sh
./bin/yb-admin -master_addresses <source_universe_master_addresses> list_tables include_table_id | grep table_name
2 changes: 1 addition & 1 deletion docs/content/v2.20/yugabyte-platform/prepare/networking.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ The following ports need to be open.
| From | To | Requirements |
| :--- | :--- | :--- |
| DB&nbsp;nodes | DB&nbsp;nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.<ul><li>7000 - YB-Master HTTP(S)</li><li>7100 - YB-Master RPC</li><li>9000 - YB-TServer HTTP(S)</li><li>9100 - YB-TServer RPC</li><li>18018 - YB Controller RPC</li></ul> |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul>SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). |
| YBA&nbsp;node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.<ul><li>22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)</li><li>5433 - YSQL server</li><li>7000/7100 - YB-Master HTTP/RPC</li><li>9000/9100 - YB-TServer HTTP/RPC</li><li>9042 - YCQL server</li><li>9070 - Node agent RPC</li><li>9300 - Prometheus Node Exporter HTTP</li><li>12000 - YCQL API</li><li>13000 - YSQL API</li><li>18018 - YB Controller RPC</li></ul> |
| Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.<ul><li>5433 - YSQL server</li><li>9042 - YCQL server</li></ul> |
| DB nodes | YBA&nbsp;node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.<ul><li>443 - HTTPS</li></ul> |
| Operator | YBA&nbsp;node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.<ul><li>443 - HTTPS</li><li>9090 - Served by Prometheus, for metrics</li></ul>Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.<br>Port 6433 serves built-in connection pooling (if enabled). |
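Review bot: same gap as in the other networking.md copies in this commit: state that node-agent-provisioned nodes need no inbound port 22 from the YBA node and how troubleshooting works without SSH, and confirm the `software-on-prem-legacy/` link exists under v2.20.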
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis

YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes:

- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported.
- tar
- unzip
- policycoreutils-python-utils
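Review bot: same wording issue as the other software-requirements copies in this commit: "optional" followed by "required in some legacy ... approaches" under a list headed as pre-installed requirements; state the condition once and qualify the list intro.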