From 8f453535dcf14bef9eeeace2dafa25af5ad60794 Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 22 Jan 2021 13:10:23 +0100 Subject: [PATCH] ipa/client: Improve naming HBAC, sudo rules Rename: - "group/sysadmin-main" to "usergroup/sysadmin-main" to prepare for using host groups - "sudo/all" to "all-users/sudo" likewise to make it apparent that it's about users and to put the resource last to which access is granted Signed-off-by: Nils Philippsen --- roles/ipa/client/tasks/hbac.yml | 10 +++++----- roles/ipa/client/tasks/sudo.yml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml index e9eb2da675..d9af9467e7 100644 --- a/roles/ipa/client/tasks/hbac.yml +++ b/roles/ipa/client/tasks/hbac.yml @@ -6,7 +6,7 @@ - name: "Give members of group sysadmin-main access to anything, anywhere" ipahbacrule: - name: "group/sysadmin-main" + name: "usergroup/sysadmin-main" description: "Give members of group sysadmin-main access to anything, anywhere" hostcategory: "all" servicecategory: "all" @@ -15,9 +15,9 @@ group: - sysadmin-main -- name: "Enable group/sysadmin-main HBAC rule" +- name: "Enable usergroup/sysadmin-main HBAC rule" ipahbacrule: - name: "group/sysadmin-main" + name: "usergroup/sysadmin-main" ipaadmin_password: "{{ ipa_admin_password }}" state: enabled @@ -29,7 +29,7 @@ - name: "Let everybody run sudo" ipahbacrule: - name: "sudo/all" + name: "all-users/sudo" description: "Allow all users to execute the sudo command" state: present ipaadmin_password: "{{ ipa_admin_password }}" @@ -74,7 +74,7 @@ - name: "Give certain groups shell access on {{ ansible_fqdn }}" ipahbacrule: - name: "shell-access/host/{{ ansible_fqdn }}" + name: "host/{{ ansible_fqdn }}/shell-access" description: "Give members of groups shell access on {{ ansible_fqdn }}" ipaadmin_password: "{{ ipa_admin_password }}" hbacsvcgroup: 
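Review bot: Changing `name:` on the `ipahbacrule` tasks in these hunks (`group/sysadmin-main`, `sudo/all`, `shell-access/host/{{ ansible_fqdn }}`) and on the `ipasudorule` task in sudo.yml presumably creates rules under the new names instead of renaming the existing ones, and nothing visible here removes the old ones. HBAC and sudo rules are additive allow rules, so the orphaned old-name entries would keep granting access after someone later tightens or disables the renamed rules through this role. I would add a cleanup task with `state: absent` for the old names, placed after the new rules are created and enabled so that sysadmin access is never interrupted, plus a matching `ipasudorule` task in sudo.yml. The task lists continue outside the hunks, so a cleanup may already exist elsewhere; note also that the per-host `shell-access` rename in the last hbac.yml hunk is not mentioned in the commit message.

```yaml
# … unchanged: tasks that create and enable the renamed rules …

- name: "Remove HBAC rules superseded by the rename"
  ipahbacrule:
    name:
      - "group/sysadmin-main"
      - "sudo/all"
      - "shell-access/host/{{ ansible_fqdn }}"
    ipaadmin_password: "{{ ipa_admin_password }}"
    state: absent
```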
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml index e20e91075a..0bc25eca21 100644 --- a/roles/ipa/client/tasks/sudo.yml +++ b/roles/ipa/client/tasks/sudo.yml @@ -5,7 +5,7 @@ - name: "Give members of `sysadmin-main` sudo access to anything, anywhere" ipasudorule: - name: "group/sysadmin-main" + name: "usergroup/sysadmin-main" description: "Allow members of `sysadmin-main` to use sudo to do anything, anywhere" ipaadmin_password: "{{ ipa_admin_password }}" state: present