[Freeipa-users] Naming conventions/practices for HBAC/sudo/etc

Baird, Josh jbaird at follett.com
Thu Oct 13 17:35:26 UTC 2016


Hi all,

I realize that this will vary from instance to instance, but I'm curious how others are handling naming conventions for things like HBAC rules, sudo rules, etc.

Here is how I am handling things today:

* External groups have an 'external' prefix (eg, external_groupname)
* Hostgroups have a $group prefix (eg, groupX_webservers)
* sudo rules are classified by the group name (eg, EmailAdmins)

This example sudo rule would allow members of the 'EmailAdmins' group access to run certain commands/command-groups on specific host-groups (eg, groupX_webservers).

* HBAC rules are classified by the group name (eg, allow_EmailAdmins)

This example HBAC rule would allow members of the 'EmailAdmins' group access to certain host-groups (eg, groupX_webservers).  When this group needs to access additional groups of servers, I just modify the existing HBAC rule and add the new group.  There are many different ways to handle this.  I have thought about classifying HBAC rules by hostgroup instead of user group.  In this case, I would have an HBAC rule named 'allow_Webservers' where I would specify individual user-groups that require access to the host(s).  My opinion on this is likely to change as our environment (and use cases) continues to expand.

What is working in your environment?  What would you change if you could start over?  It would be great if this discussion could eventually lead to a 'best practices' document/wiki-page for naming conventions and practices.

Thanks,

Josh
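One way to make a convention like the one described above auditable, as an added example that is not part of Josh's post or of FreeIPA itself: a small Python script that checks an inventory of group, hostgroup, HBAC-rule and sudo-rule names against the patterns the post describes, and then checks that a rule named allow_EmailAdmins (HBAC) or EmailAdmins (sudo) really grants EmailAdmins, and only EmailAdmins. The point of the second check is that a naming convention only helps a reviewer if the name and the membership agree; a rule named for one group that also carries a second group, or that was created with --usercat=all, grants more than its name says. The inventory below is constructed. Its keys (cn, memberuser_group, memberhost_hostgroup, usercategory) are named after the attributes the FreeIPA JSON API returns for these objects, so the output of `ipa hbacrule-find --all` or `ipa sudorule-find --all` could be mapped onto it, but the exact regexes are my assumptions about the convention, which the post only illustrates with examples.

```python
import re

# The convention from the post, encoded as patterns. The exact character
# classes are an assumption; the post only gives examples of each form.
NAME_RULES = {
    "group":     re.compile(r"^(external_)?[A-Za-z][A-Za-z0-9_]*$"),  # external_<name> or <name>
    "hostgroup": re.compile(r"^[A-Za-z0-9]+_[a-z0-9_]+$"),            # <group>_<role>, e.g. groupX_webservers
    "sudorule":  re.compile(r"^[A-Z][A-Za-z0-9]*$"),                   # named after the user group
    "hbacrule":  re.compile(r"^allow_[A-Z][A-Za-z0-9]*$"),             # allow_<UserGroup>
}


def check_names(inventory):
    """Return 'kind/name: reason' strings for every name that breaks the convention."""
    findings = []
    for kind, pattern in NAME_RULES.items():
        for obj in inventory.get(kind, []):
            name = obj["cn"] if isinstance(obj, dict) else obj
            if not pattern.match(name):
                findings.append(f"{kind}/{name}: name does not match {pattern.pattern}")
    return findings


def group_named_by_rule(kind, name):
    """The user group a rule's name claims to be for (strip allow_ for HBAC rules)."""
    return name[len("allow_"):] if kind == "hbacrule" else name


def check_rules(inventory):
    """Name/membership consistency for rules whose names do follow the convention."""
    findings = []
    for kind in ("hbacrule", "sudorule"):
        for rule in inventory.get(kind, []):
            name = rule["cn"]
            if not NAME_RULES[kind].match(name):
                continue  # already reported by check_names
            claimed = group_named_by_rule(kind, name)
            if rule.get("usercategory") == "all":
                # --usercat=all applies to every user regardless of memberuser_group
                findings.append(f"{kind}/{name}: named for {claimed} but applies to all users")
                continue
            members = rule.get("memberuser_group", [])
            if claimed not in members:
                findings.append(f"{kind}/{name}: {claimed} is not a member user group "
                                f"(members: {', '.join(members) or 'none'})")
            extra = sorted(set(members) - {claimed})
            if extra:
                findings.append(f"{kind}/{name}: also grants {', '.join(extra)}, "
                                f"not reflected in the name")
    return findings


def audit(inventory):
    """All findings, sorted so the report is stable."""
    return sorted(check_names(inventory) + check_rules(inventory))


# Constructed inventory (not real FreeIPA data), shaped like the JSON API results.
INVENTORY = {
    "group": ["EmailAdmins", "WebOps", "external_ad_helpdesk", "web-ops"],
    "hostgroup": ["groupX_webservers", "groupX_mailservers", "dbservers"],
    "hbacrule": [
        {"cn": "allow_EmailAdmins",
         "memberuser_group": ["EmailAdmins"],
         "memberhost_hostgroup": ["groupX_webservers", "groupX_mailservers"]},
        {"cn": "allow_Webservers",  # a by-hostgroup rule mixed into a by-user-group scheme
         "memberuser_group": ["EmailAdmins", "WebOps"],
         "memberhost_hostgroup": ["groupX_webservers"]},
        {"cn": "allow_DBAs",        # name promises DBAs only, but created with --usercat=all
         "usercategory": "all",
         "memberhost_hostgroup": ["dbservers"]},
    ],
    "sudorule": [
        {"cn": "EmailAdmins",
         "memberuser_group": ["EmailAdmins"],
         "memberhost_hostgroup": ["groupX_webservers"]},
        {"cn": "emailadmins_legacy",
         "memberuser_group": ["EmailAdmins"],
         "memberhost_hostgroup": ["groupX_webservers"]},
    ],
}

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Run against a real server, the inventory would be built from `ipa group-find`, `ipa hostgroup-find`, `ipa hbacrule-find --all` and `ipa sudorule-find --all`; the audit then reports the three badly named objects (web-ops, dbservers, emailadmins_legacy) and the two rules whose names do not describe what they grant (allow_Webservers and allow_DBAs), while allow_EmailAdmins and the EmailAdmins sudo rule pass cleanly. If the environment later switches to naming HBAC rules by hostgroup, as the post considers, the hbacrule pattern and group_named_by_rule are the only two places that change.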
