diff --git a/NEWS b/NEWS
index 8d77a45af5aa3a602a222d9889023e044d6b87db..d6806072ae00f4c1887657ec3b997444820f4f89 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+release/002.001 (2014-04-17)
+
+ Added new classes to support all combinations of AS & Ntirety DBA access.
+ This release takes some migration steps:
+ 1. Remove user::ntirety from inclusion in client manifests
+ 2. Update these classes from the appsupport (pp-apps) repo:
+ - group::emagent
+ - user::emagent
+ - user::ntirety
+ - user::oracle
+ 3. Choose *one* of the following classes for inclusion in client manifests
+ wherever oracledb is included or inherited:
+ - oracledb::alldbas
+ - oracledb::asdbas
+ - oracledb::ntiretydbas
+ (vdc)
+
release/001.005 (2014-03-27)
Added AS DBA access to oracle k5login, added network range to iptables, and
diff --git a/manifests/alldbas.pp b/manifests/alldbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..2994207e6ed0e88d0ed9666b091c856f9a6b9f41
--- /dev/null
+++ b/manifests/alldbas.pp
@@ -0,0 +1,11 @@
+# class to handle oracle user .k5login for both AS and Ntirety admins
+
+class oracledb::alldbas {
+
+ include oracledb::as
+ include oracledb::k5login::all
+ include oracledb::ntirety
+ include user::emagent
+ include user::ntirety
+
+}
diff --git a/manifests/as.pp b/manifests/as.pp
index fe7331b8d8096008c09fe510abca8b2458929677..c524510a9622300beb434f94006b7e26cf01db5a 100644
--- a/manifests/as.pp
+++ b/manifests/as.pp
@@ -1,23 +1,12 @@
-# for AS access
+# AS DBA user list for .k5login files (oracle and emagent users)
-class oracledb::as inherits oracledb::oracleusers {
+class oracledb::as {
- include user::emagent
+ $asusers = [
+ 'jenhong@stanford.edu',
+ 'kmadduri@stanford.edu',
+ 'sanjeevk@stanford.edu',
+ 'toaivo@stanford.edu',
+ ]
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
- 'jenhong@stanford.edu',
- 'kmadduri@stanford.edu',
- 'sanjeevk@stanford.edu',
- 'toaivo@stanford.edu',
- ]
- }
-
- base::iptables::rule { 'as_dba_access':
- description => 'AS VDI range for DBAs to access these systems',
- source => ['172.20.200.0/23'],
- port => ['1533','1534','1535'],
- protocol => 'tcp',
- }
-
}
diff --git a/manifests/asdbas.pp b/manifests/asdbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ac0f2b2e56c951c09f8c9ba83e648796f6d83837
--- /dev/null
+++ b/manifests/asdbas.pp
@@ -0,0 +1,16 @@
+# AS *only* DBA config
+
+class oracledb::asdbas {
+
+ include oracledb::as
+ include oracledb::k5login::as
+ include user::emagent
+
+ base::iptables::rule { 'as_dba_access':
+ description => 'AS VDI range for DBAs to access these systems',
+ source => ['172.20.200.0/23'],
+ port => ['1533','1534','1535'],
+ protocol => 'tcp',
+ }
+
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index b4cabbe77e6792778c37f324d58e4c2f4ef592fd..1790fe385d79ce86c00a0ffdf959468f1786e0f4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,15 +3,14 @@
# essentially the same way and this module contains all the standard bits.
class oracledb {
- include compatlibs
- include group::dba
- include base::libstdc
- include oracledb::directories
- include oracledb::packages
- include oracledb::oracleusers
- include user::ntirety
- include user::oracle
+ include base::libstdc
+ include compatlibs
+ include group::dba
+ include oracledb::directories
+ include oracledb::oracleusers
+ include oracledb::packages
+ include user::oracle
if ($::operatingsystem != 'redhat') {
fail ('Oracle only runs on Red Hat!')
@@ -20,14 +19,14 @@ class oracledb {
case $::lsbmajdistrelease {
## rhel4
'4': {
- package {
- [ 'glibc-kernheaders',
- 'gnome-libs',
- 'openmotif21',
- 'pdksh',
- 'xorg-x11-deprecated-libs',
- 'xscreensaver', ]:
- ensure => present;
+ package { [
+ 'glibc-kernheaders',
+ 'gnome-libs',
+ 'openmotif21',
+ 'pdksh',
+ 'xorg-x11-deprecated-libs',
+ 'xscreensaver',
+ ]: ensure => present;
}
# Old workaround for up2date i386 arch packages on x86_64.
diff --git a/manifests/k5login.pp b/manifests/k5login.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0593a62297f016e007f8543985775106e4e07345
--- /dev/null
+++ b/manifests/k5login.pp
@@ -0,0 +1,65 @@
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+
+ include oracledb::ntirety
+
+ $allusers = $oracledb::as::asusers
+
+}
+
+class oracledb::k5login::all inherits oracledb::k5login {
+
+ $allusers += $oracledb::ntirety::ntiretyusers
+
+ k5login {
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User[ntirety], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $allusers;
+ }
+
+}
+
+class oracledb::k5login::as {
+
+ k5login {
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $oracledb::as::asusers;
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ }
+
+}
+
+class oracledb::k5login::ntirety {
+
+ k5login {
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User['ntirety'], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => File['/u01/app/oracle'],
+ principals => $oracledb::ntirety::ntiretyusers;
+ }
+
+}
+
diff --git a/manifests/ntirety.pp b/manifests/ntirety.pp
index dc39c4f95368deafbbb9c13567c050e615601335..81d14383cfd8fd69cdba03c06b0f5203517797ae 100644
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
@@ -1,11 +1,8 @@
-#
-# Ntirety admins to access oracle user account
-#
+# Ntirety DBA user list for .k5login files (oracle and ntirety users)
-class oracledb::ntirety inherits oracledb::oracleusers {
+class oracledb::ntirety {
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
+ $ntiretyusers = [
'cgarcia5@stanford.edu',
'chapmci1@stanford.edu',
'dcampoy@stanford.edu',
@@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers {
'vkalyana@stanford.edu',
#'wsheffie@stanford.edu', # win only
]
- }
}
diff --git a/manifests/ntiretydbas.pp b/manifests/ntiretydbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..66d9ff88884b4493a8b3d4005e450f999601ebc8
--- /dev/null
+++ b/manifests/ntiretydbas.pp
@@ -0,0 +1,9 @@
+# Ntirety *only* DBA config
+
+class oracledb::ntiretydbas {
+
+ include oracledb::ntirety
+ include oracledb::k5login::ntirety
+ include user::ntirety
+
+}
diff --git a/manifests/oracleusers.pp b/manifests/oracleusers.pp
index 5cd5c5d8300000b4b170daa0338fc79014fb53aa..d0af7056bc285a8c4101696a5f46d740d0037fd1 100644
--- a/manifests/oracleusers.pp
+++ b/manifests/oracleusers.pp
@@ -11,10 +11,4 @@ class oracledb::oracleusers {
escaped_name => 'oracle ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*';
}
- k5login { '/u01/app/oracle/.k5login':
- ensure => present,
- principals => [ ],
- mode => 664,
- purge => true,
- }
}
diff --git a/manifests/rhel5.pp b/manifests/rhel5.pp
index c739ff8ea533f9dea9d33a2e36a8fb80be14c216..91bd496e21d91ba692e3c3bcc7f48cf6e63c353f 100644
--- a/manifests/rhel5.pp
+++ b/manifests/rhel5.pp
@@ -1,3 +1,5 @@
+#
+
class oracledb::rhel5 inherits oracledb {
if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) {
fail 'Must be running RHEL5 to use oracledb::rhel5 class'