Almost global anyway, i.e. inside the VPN.
The ipa/client-based shell access and sudo rules are only effective for
staging right now, the respective playbook bits are masked out for prod.
- Assign Ansible host groups to IPA host groups, the latter don't care
about 'stg' in the name and use dashes rather than underscores.
- Distill shell access groups from fas_client_groups in group and host
vars.
- Let all `sysadmin-*` groups in the previous list run anything via sudo
in the host group (except bastion & batcave).
- Remove `fas_client_groups` from staging host and group vars.
- Remove sudoers from staging host and group vars if only `sysadmin-*`
groups have shell access.
- Set up `ipa_client_shell_groups` on bastion to be a super set of the
same on batcave.
Newly created IPA host groups:
- autosign
- badges
- basset
- bastion
- batcave
- blockerbugs
- bodhi
- bugzilla2fedmsg
- busgateway
- datagrepper
- dbserver
- dns
- fedimg
- github2fedmsg
- ipa
- kernel-qa
- kerneltest
- kojibuilder
- kojihub
- kojipkgs
- logging
- mailman
- memcached
- mirrormanager
- nagios
- notifs
- oci-registry
- odcs
- openqa
- openqa-workers
- osbs
- packages
- pdc-web
- pkgs
- proxies
- rabbitmq
- releng-compose
- resultsdb
- secondary
- sign-bridge
- sundries
- value
- wiki
Signed-off-by: Nils Philippsen <nils@redhat.com>
