From f9abb293c0ae60a212b5f09c2e24c9877fb24e1e Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Wed, 24 Mar 2021 17:27:59 +0100
Subject: [PATCH] ipa/client: only warn about essential vars missing
If either `ipa_client_shell_groups` and `ipa_client_sudo_groups` are unset or empty, sysadmin-main will still be able to login and sudo.
Signed-off-by: Nils Philippsen
---
 roles/ipa/client/tasks/hbac.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml
index 74b361cdde..dd9f0ad8f9 100644
--- a/roles/ipa/client/tasks/hbac.yml
+++ b/roles/ipa/client/tasks/hbac.yml
@@ -92,7 +92,7 @@
 when: fas_client_groups is defined
 run_once: false
-- name: "Warn if IPA client variables are unset"
+- name: "Warn if essential IPA client variables are unset"
 fail:
 msg: "`{{ item }}` is not defined"
 ignore_errors: true
@@ -100,8 +100,6 @@
 loop:
 - ipa_host_group
 - ipa_host_group_desc
- - ipa_client_shell_groups
- - ipa_client_sudo_groups
 - name: Ensure shell access HBAC rule exists
 delegate_to: "{{ item[0] }}"
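Review bot: In the second hunk the `loop:` list drops `ipa_client_shell_groups` and `ipa_client_sudo_groups`, but the reason is recorded only in the commit message; a comment above `loop:` such as `# shell/sudo groups are optional: sysadmin-main keeps login and sudo without them` would stop a later reader from re-adding them. The task that presumably consumes these variables, `Ensure shell access HBAC rule exists`, starts at the end of the hunk and continues outside it, so it is not visible whether it tolerates an undefined value. If it references either variable without a `| default([])`, an unset variable would now abort the play there instead of producing this soft warning. Going by the commit message, the unset case leaves only sysadmin-main with access, which is the restrictive outcome, but a misspelled variable name in host or group vars now passes without any notice.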