diff --git a/NEWS b/NEWS
index 8d77a45af5aa3a602a222d9889023e044d6b87db..d6806072ae00f4c1887657ec3b997444820f4f89 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+release/002.001 (2014-04-17)
+
+ Added new classes to support all combinations of AS & Ntirety DBA access.
+ This release takes some migration steps:
+ 1. Remove user::ntirety from inclusion in client manifests
+ 2. Update these classes from the appsupport (pp-apps) repo:
+ - group::emagent
+ - user::emagent
+ - user::ntirety
+ - user::oracle
+ 3. Choose *one* of the following classes for inclusion in client manifests
+ wherever oracledb is included or inherited:
+ - oracledb::alldbas
+ - oracledb::asdbas
+ - oracledb::ntiretydbas
+ (vdc)
+
 release/001.005 (2014-03-27)
 
 Added AS DBA access to oracle k5login, added network range to iptables, and
diff --git a/manifests/alldbas.pp b/manifests/alldbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..2994207e6ed0e88d0ed9666b091c856f9a6b9f41
--- /dev/null
+++ b/manifests/alldbas.pp
@@ -0,0 +1,11 @@
+# class to handle oracle user .k5login for both AS and Ntirety admins
+
+class oracledb::alldbas {
+
+ include oracledb::as
+ include oracledb::k5login::all
+ include oracledb::ntirety
+ include user::emagent
+ include user::ntirety
+
+}
diff --git a/manifests/as.pp b/manifests/as.pp
index fe7331b8d8096008c09fe510abca8b2458929677..c524510a9622300beb434f94006b7e26cf01db5a 100644
--- a/manifests/as.pp
+++ b/manifests/as.pp
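Review bot: `oracledb::alldbas` hands the AS DBA principals to the oracle and emagent `.k5login` files through `oracledb::k5login::all`, but it does not declare the `as_dba_access` iptables rule that `oracledb::asdbas` opens for the AS VDI range (`172.20.200.0/23`, tcp 1533-1535), so a node that picks the combined class gets the AS principals without the matching listener access; `oracledb::ntiretydbas` likewise carries no firewall rule. If that split is deliberate it should be stated in the header comment, e.g. `# firewall access for the AS VDI range is only opened by oracledb::asdbas`; otherwise the rule belongs in a small shared class included by both. The comment should also record that exactly one of alldbas/asdbas/ntiretydbas may be included per node, since each declares the `/u01/app/oracle/.k5login` resource and two of them together would be a duplicate declaration.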
@@ -1,23 +1,12 @@
-# for AS access
+# AS DBA user list for .k5login files (oracle and emagent users)
 
-class oracledb::as inherits oracledb::oracleusers {
+class oracledb::as {
 
- include user::emagent
+ $asusers = [
+ 'jenhong@stanford.edu',
+ 'kmadduri@stanford.edu',
+ 'sanjeevk@stanford.edu',
+ 'toaivo@stanford.edu',
+ ]
 
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
- 'jenhong@stanford.edu',
- 'kmadduri@stanford.edu',
- 'sanjeevk@stanford.edu',
- 'toaivo@stanford.edu',
- ]
- }
-
- base::iptables::rule { 'as_dba_access':
- description => 'AS VDI range for DBAs to access these systems',
- source => ['172.20.200.0/23'],
- port => ['1533','1534','1535'],
- protocol => 'tcp',
- }
-
 }
diff --git a/manifests/asdbas.pp b/manifests/asdbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..ac0f2b2e56c951c09f8c9ba83e648796f6d83837
--- /dev/null
+++ b/manifests/asdbas.pp
@@ -0,0 +1,16 @@
+# AS *only* DBA config
+
+class oracledb::asdbas {
+
+ include oracledb::as
+ include oracledb::k5login::as
+ include user::emagent
+
+ base::iptables::rule { 'as_dba_access':
+ description => 'AS VDI range for DBAs to access these systems',
+ source => ['172.20.200.0/23'],
+ port => ['1533','1534','1535'],
+ protocol => 'tcp',
+ }
+
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index b4cabbe77e6792778c37f324d58e4c2f4ef592fd..1790fe385d79ce86c00a0ffdf959468f1786e0f4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
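Review bot: `oracledb::as` is now a data-only class whose `$asusers` array is read elsewhere as `$oracledb::as::asusers`, but neither the class nor its header says that it has to be evaluated before those readers, which is the only thing that keeps the reference from resolving to undef. Extend the header comment along the lines of `# must be included before oracledb::k5login::as / ::all, which read $oracledb::as::asusers`. Because this list maps one-to-one to login access on the oracle and emagent accounts, a short comment on who approves additions would also help the next reviewer of a change to it.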
@@ -3,15 +3,14 @@ # essentially the same way and this module contains all the standard bits.
 class oracledb {
- include compatlibs
- include group::dba
- include base::libstdc
- include oracledb::directories
- include oracledb::packages
- include oracledb::oracleusers
- include user::ntirety
- include user::oracle
+ include base::libstdc
+ include compatlibs
+ include group::dba
+ include oracledb::directories
+ include oracledb::oracleusers
+ include oracledb::packages
+ include user::oracle
 if ($::operatingsystem != 'redhat') {
 fail ('Oracle only runs on Red Hat!')
@@ -20,14 +19,14 @@ class oracledb {
 case $::lsbmajdistrelease {
 ## rhel4
 '4': {
- package {
- [ 'glibc-kernheaders',
- 'gnome-libs',
- 'openmotif21',
- 'pdksh',
- 'xorg-x11-deprecated-libs',
- 'xscreensaver', ]:
- ensure => present;
+ package { [
+ 'glibc-kernheaders',
+ 'gnome-libs',
+ 'openmotif21',
+ 'pdksh',
+ 'xorg-x11-deprecated-libs',
+ 'xscreensaver',
+ ]: ensure => present;
 }
 
 # Old workaround for up2date i386 arch packages on x86_64.
diff --git a/manifests/k5login.pp b/manifests/k5login.pp
new file mode 100644
index 0000000000000000000000000000000000000000..0593a62297f016e007f8543985775106e4e07345
--- /dev/null
+++ b/manifests/k5login.pp
@@ -0,0 +1,65 @@
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+
+ include oracledb::ntirety
+
+ $allusers = $oracledb::as::asusers
+
+}
+
+class oracledb::k5login::all inherits oracledb::k5login {
+
+ $allusers += $oracledb::ntirety::ntiretyusers
+
+ k5login {
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User[ntirety], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $allusers;
+ }
+
+}
+
+class oracledb::k5login::as {
+
+ k5login {
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $oracledb::as::asusers;
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ }
+
+}
+
+class oracledb::k5login::ntirety {
+
+ k5login {
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User['ntirety'], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => File['/u01/app/oracle'],
+ principals => $oracledb::ntirety::ntiretyusers;
+ }
+
+}
+
diff --git a/manifests/ntirety.pp b/manifests/ntirety.pp
index dc39c4f95368deafbbb9c13567c050e615601335..81d14383cfd8fd69cdba03c06b0f5203517797ae 100644
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
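Review bot: `oracledb::k5login` reads `$oracledb::as::asusers` without including `oracledb::as`, and `oracledb::k5login::as` / `oracledb::k5login::ntirety` likewise read the `asusers` / `ntiretyusers` lists without including the class that defines them, so the principal lists depend on the calling class having evaluated `oracledb::as` or `oracledb::ntirety` first; if that order is not met the variable is undef, and whether that errors out or yields an empty list that `purge => true` then writes to the file depends on how the `k5login` type handles an undef `principals`. Make each class self-sufficient: add `include oracledb::as` next to the existing `include oracledb::ntirety` in `oracledb::k5login`, `include oracledb::as` at the top of `oracledb::k5login::as`, and `include oracledb::ntirety` at the top of `oracledb::k5login::ntirety`. The three `/u01/app/oracle/.k5login` declarations keep `mode => 664`, which lets every member of the oracle user's group add principals between Puppet runs; unless group write is actually needed, `mode => '0644'` (quoted, four digits, so the value is not reinterpreted by newer parsers) is the safer form. The `$allusers += $oracledb::ntirety::ntiretyusers` append in `oracledb::k5login::all` relies on the inherited-scope `+=` operator, which later Puppet versions no longer support, so if an upgrade is on the horizon compute the combined list in one place instead. Minor consistency point: the `/u01/app/oracle/.k5login` entry in `oracledb::k5login::ntirety` requires only `File['/u01/app/oracle']` while the other two classes also require `User[oracle]`.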
@@ -1,11 +1,8 @@
-#
-# Ntirety admins to access oracle user account
-#
+# Ntirety DBA user list for .k5login files (oracle and ntirety users)
 
-class oracledb::ntirety inherits oracledb::oracleusers {
+class oracledb::ntirety {
 
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
+ $ntiretyusers = [
 'cgarcia5@stanford.edu',
 'chapmci1@stanford.edu',
 'dcampoy@stanford.edu',
@@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers {
 'vkalyana@stanford.edu',
 #'wsheffie@stanford.edu', # win only
 ]
- }
 
 }
diff --git a/manifests/ntiretydbas.pp b/manifests/ntiretydbas.pp
new file mode 100644
index 0000000000000000000000000000000000000000..66d9ff88884b4493a8b3d4005e450f999601ebc8
--- /dev/null
+++ b/manifests/ntiretydbas.pp
@@ -0,0 +1,9 @@
+# Ntirety *only* DBA config
+
+class oracledb::ntiretydbas {
+
+ include oracledb::ntirety
+ include oracledb::k5login::ntirety
+ include user::ntirety
+
+}
diff --git a/manifests/oracleusers.pp b/manifests/oracleusers.pp
index 5cd5c5d8300000b4b170daa0338fc79014fb53aa..d0af7056bc285a8c4101696a5f46d740d0037fd1 100644
--- a/manifests/oracleusers.pp
+++ b/manifests/oracleusers.pp
@@ -11,10 +11,4 @@ class oracledb::oracleusers {
 escaped_name => 'oracle ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*';
 }
 
- k5login { '/u01/app/oracle/.k5login':
- ensure => present,
- principals => [ ],
- mode => 664,
- purge => true,
- }
 }
diff --git a/manifests/rhel5.pp b/manifests/rhel5.pp
index c739ff8ea533f9dea9d33a2e36a8fb80be14c216..91bd496e21d91ba692e3c3bcc7f48cf6e63c353f 100644
--- a/manifests/rhel5.pp
+++ b/manifests/rhel5.pp
@@ -1,3 +1,5 @@
+#
+
 class oracledb::rhel5 inherits oracledb {
 if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) {
 fail 'Must be running RHEL5 to use oracledb::rhel5 class'
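Review bot: Dropping the `k5login { '/u01/app/oracle/.k5login': ... principals => [ ], purge => true }` declaration from `oracledb::oracleusers` means a node that includes `oracledb` without one of the new `oracledb::alldbas` / `asdbas` / `ntiretydbas` classes no longer has that file managed at all; the base class used to enforce an empty, purged principal list, and after this change whatever is on disk simply stays there. Since the NEWS entry makes choosing one of the three classes a manual migration step, a host that misses the step keeps its previous AS and Ntirety principals indefinitely rather than failing closed. Restoring a purge-only default here would need the new classes to override it the way the old `+>` inheritance did, so at minimum add a comment at the removal site such as `# /u01/app/oracle/.k5login is now managed only by the oracledb::k5login::* classes; include one of the *dbas classes or the file is left unmanaged`. The related removal of `include user::ntirety` from `manifests/init.pp` is part of the same migration and should be referenced from the same comment.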
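Review bot: The header line added to `manifests/rhel5.pp` is a bare `#` with no text, so it documents nothing and reads like a leftover. Either give it content, e.g. `# RHEL5-specific oracledb class; fails on anything other than Red Hat 5`, or drop the two added lines.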