ipa/client: configure global shell access and sudo

Almost global anyway, i.e. inside the VPN.

The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.

- Assign Ansible host groups to IPA host groups, the latter don't care
  about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
  vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
  in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
  groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
  same on batcave.

Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki

Signed-off-by: Nils Philippsen <nils@redhat.com>

inventory/group_vars/memcached

@@ -10,3 +10,15 @@ num_cpus: 2
 tcp_ports: [ 11211 ]
 
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
+
+ipa_host_group: memcached
+ipa_host_group_desc: Distributed Memory Caching service
+ipa_client_shell_groups:
+- fi-apprentice
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web
+ipa_client_sudo_groups:
+- sysadmin-noc
+- sysadmin-veteran
+- sysadmin-web