I noticed that nova, neutron and cinder's rootwrap exec_dirs include
/usr/local/{sbin,bin} which is a standardised location for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends. See neutron and cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.
See the same patch of nova for more information:
https://review.openstack.org/#/c/280052/1
And see I710cf142b834381c00e651cfc062299ae755c33f for brief discussion
of doing this via devstack before.
Change-Id: If5ed1d7d81fdac10fc2b1608aafe20833e0f2980