From 198fa4642a146270c04f5e25ee7e06e8d56f1c88 Mon Sep 17 00:00:00 2001
From: Victor Chavez <vdc@stanford.edu>
Date: Thu, 17 Apr 2014 12:01:23 -0700
Subject: [PATCH] release/002.001: new classes to support Oracle DB management
 by AS, Ntirety, or both.

---
 NEWS                     | 17 +++++++++++
 manifests/alldbas.pp     | 11 +++++++
 manifests/as.pp          | 27 +++++------------
 manifests/asdbas.pp      | 16 ++++++++++
 manifests/init.pp        | 31 ++++++++++---------
 manifests/k5login.pp     | 65 ++++++++++++++++++++++++++++++++++++++++
 manifests/ntirety.pp     | 10 ++-----
 manifests/ntiretydbas.pp |  9 ++++++
 manifests/oracleusers.pp |  6 ----
 manifests/rhel5.pp       |  2 ++
 10 files changed, 146 insertions(+), 48 deletions(-)
 create mode 100644 manifests/alldbas.pp
 create mode 100644 manifests/asdbas.pp
 create mode 100644 manifests/k5login.pp
 create mode 100644 manifests/ntiretydbas.pp

diff --git a/NEWS b/NEWS
index 8d77a45..d680607 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+release/002.001 (2014-04-17)
+    
+    Added new classes to support all combinations of AS & Ntirety DBA access.
+    This release takes some migration steps:
+    1. Remove user::ntirety from inclusion in client manifests
+    2. Update these classes from the appsupport (pp-apps) repo:
+       - group::emagent
+       - user::emagent
+       - user::ntirety
+       - user::oracle
+    3. Choose *one* of the following classes for inclusion in client manifests
+       wherever oracledb is included or inherited:
+       - oracledb::alldbas
+       - oracledb::asdbas
+       - oracledb::ntiretydbas
+    (vdc)
+
 release/001.005 (2014-03-27)
     
     Added AS DBA access to oracle k5login, added network range to iptables, and
diff --git a/manifests/alldbas.pp b/manifests/alldbas.pp
new file mode 100644
index 0000000..2994207
--- /dev/null
+++ b/manifests/alldbas.pp
@@ -0,0 +1,11 @@
+# class to handle oracle user .k5login for both AS and Ntirety admins
+
+class oracledb::alldbas {
+
+  include oracledb::as
+  include oracledb::k5login::all
+  include oracledb::ntirety
+  include user::emagent
+  include user::ntirety
+
+}
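Review bot: oracledb::alldbas pulls in the AS principals via `include oracledb::as` but not the `base::iptables::rule { 'as_dba_access': }` that this commit moves out of oracledb::as into oracledb::asdbas (manifests/as.pp and manifests/asdbas.pp hunks), so a node migrated from the old oracledb::as to alldbas keeps the AS DBAs in the .k5login files but no longer opens ports 1533-1535 to the 172.20.200.0/23 range. If that is deliberate, a header comment saying so would stop it being "fixed" later; if not, the rule belongs in one place both wrapper classes reach, e.g. back in oracledb::as now that it is included by both asdbas and alldbas. Either way a one-line comment on the include, `include oracledb::as  # provides $asusers only, no firewall rule`, would make the split visible to the next reader.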
diff --git a/manifests/as.pp b/manifests/as.pp
index fe7331b..c524510 100644
--- a/manifests/as.pp
+++ b/manifests/as.pp
@@ -1,23 +1,12 @@
-# for AS access
+# AS DBA user list for .k5login files (oracle and emagent users)
 
-class oracledb::as inherits oracledb::oracleusers {
+class oracledb::as {
 
-  include user::emagent
+  $asusers = [
+              'jenhong@stanford.edu',
+              'kmadduri@stanford.edu',
+              'sanjeevk@stanford.edu',
+              'toaivo@stanford.edu',
+             ]
 
-  K5login['/u01/app/oracle/.k5login'] {
-    principals +> [
-                   'jenhong@stanford.edu',
-                   'kmadduri@stanford.edu',
-                   'sanjeevk@stanford.edu',
-                   'toaivo@stanford.edu',
-                  ]
-  }
-
-  base::iptables::rule { 'as_dba_access':
-    description => 'AS VDI range for DBAs to access these systems',
-    source      => ['172.20.200.0/23'],
-    port        => ['1533','1534','1535'],
-    protocol    => 'tcp',
-  }
- 
 }
diff --git a/manifests/asdbas.pp b/manifests/asdbas.pp
new file mode 100644
index 0000000..ac0f2b2
--- /dev/null
+++ b/manifests/asdbas.pp
@@ -0,0 +1,16 @@
+# AS *only* DBA config
+
+class oracledb::asdbas {
+
+  include oracledb::as
+  include oracledb::k5login::as
+  include user::emagent
+
+  base::iptables::rule { 'as_dba_access':
+    description => 'AS VDI range for DBAs to access these systems',
+    source      => ['172.20.200.0/23'],
+    port        => ['1533','1534','1535'],
+    protocol    => 'tcp',
+  }
+
+}
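Review bot: The header comment `# AS *only* DBA config` does not say that this class relies on resources declared elsewhere: through oracledb::k5login::as it requires `User[oracle]`, `User[emagent]`, `File['/u01/app/oracle']` and `File['/home/emagent']`, which come from user::oracle (included by oracledb) and user::emagent, and NEWS says the class must sit next to oracledb in the client manifest. Suggest extending the header to `# AS *only* DBA config; include alongside oracledb (needs User[oracle]/File['/u01/app/oracle'] from it)` so the coupling is documented in the file and not only in NEWS. The same applies to the new oracledb::ntiretydbas and oracledb::alldbas classes.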
diff --git a/manifests/init.pp b/manifests/init.pp
index b4cabbe..1790fe3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,15 +3,14 @@
 # essentially the same way and this module contains all the standard bits.
 
 class oracledb {
-    include compatlibs
-    include group::dba
-    include base::libstdc
-    include oracledb::directories
-    include oracledb::packages
-    include oracledb::oracleusers
-    include user::ntirety
-    include user::oracle
 
+  include base::libstdc
+  include compatlibs
+  include group::dba
+  include oracledb::directories
+  include oracledb::oracleusers
+  include oracledb::packages
+  include user::oracle
 
   if ($::operatingsystem != 'redhat') {
     fail ('Oracle only runs on Red Hat!')
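Review bot: With `include oracledb::oracleusers` kept here while the oracleusers.pp hunk drops the `k5login { '/u01/app/oracle/.k5login': ... purge => true }` resource, a node that includes oracledb but none of oracledb::alldbas/asdbas/ntiretydbas no longer manages the oracle .k5login at all, so whatever principals the file currently holds stay in place and stop being purged. That is a silent change from "empty, purged list" to "unmanaged" for every client that has not yet done step 3 of the NEWS migration. If the intent is that one of the three classes is mandatory, a `fail`/warning in class oracledb when none of them is declared, or at least a comment on the `include oracledb::oracleusers` line such as `# .k5login for oracle is now managed by oracledb::k5login::* via one of alldbas/asdbas/ntiretydbas`, would make the requirement enforceable rather than documentary. The class body continues beyond this hunk.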
@@ -20,14 +19,14 @@ class oracledb {
   case $::lsbmajdistrelease {
     ## rhel4
     '4': {
-      package {
-        [ 'glibc-kernheaders',
-          'gnome-libs',
-          'openmotif21',
-          'pdksh',
-          'xorg-x11-deprecated-libs',
-          'xscreensaver', ]:
-            ensure => present;
+      package { [
+        'glibc-kernheaders',
+        'gnome-libs',
+        'openmotif21',
+        'pdksh',
+        'xorg-x11-deprecated-libs',
+        'xscreensaver',
+        ]: ensure => present;
       }
 
       # Old workaround for up2date i386 arch packages on x86_64.
diff --git a/manifests/k5login.pp b/manifests/k5login.pp
new file mode 100644
index 0000000..0593a62
--- /dev/null
+++ b/manifests/k5login.pp
@@ -0,0 +1,65 @@
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+
+  include oracledb::ntirety
+
+  $allusers = $oracledb::as::asusers
+
+}
+
+class oracledb::k5login::all inherits oracledb::k5login {
+
+  $allusers += $oracledb::ntirety::ntiretyusers
+
+  k5login {
+    '/home/emagent/.k5login':
+      purge      => true,
+      require    => [User[emagent], File['/home/emagent']],
+      principals => $oracledb::as::asusers;
+    '/opt/ntirety/.k5login':
+      purge      => true,
+      require    => [User[ntirety], File['/opt/ntirety']],
+      principals => $oracledb::ntirety::ntiretyusers;
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => [User[oracle], File['/u01/app/oracle']],
+      principals => $allusers;
+  }
+
+}
+
+class oracledb::k5login::as {
+
+  k5login {
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => [User[oracle], File['/u01/app/oracle']],
+      principals => $oracledb::as::asusers;
+    '/home/emagent/.k5login':
+      purge      => true,
+      require    => [User[emagent], File['/home/emagent']],
+      principals => $oracledb::as::asusers;
+  }
+
+}
+
+class oracledb::k5login::ntirety {
+
+  k5login {
+    '/opt/ntirety/.k5login':
+      purge      => true,
+      require    => [User['ntirety'], File['/opt/ntirety']],
+      principals => $oracledb::ntirety::ntiretyusers;
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => File['/u01/app/oracle'],
+      principals => $oracledb::ntirety::ntiretyusers;
+  }
+
+}
+
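Review bot: `$oracledb::as::asusers` is read in oracledb::k5login and oracledb::k5login::as, and `$oracledb::ntirety::ntiretyusers` in oracledb::k5login::ntirety, without the class that defines the variable being included first; only oracledb::k5login includes oracledb::ntirety. Whenever evaluation order changes (or one of these classes is used on its own) the variable resolves to undef, and combined with `purge => true` that yields an empty principals list that empties the .k5login files and locks every DBA out of the oracle, emagent and ntirety accounts. Adding `include oracledb::as` next to the existing include in oracledb::k5login, `include oracledb::as` at the top of oracledb::k5login::as, and `include oracledb::ntirety` at the top of oracledb::k5login::ntirety makes the dependency explicit instead of relying on the wrapper classes' include order. Two smaller inconsistencies in the same hunk: the `/u01/app/oracle/.k5login` resource in k5login::ntirety requires only `File['/u01/app/oracle']` while the other two also require `User[oracle]`, and `User[ntirety]` versus `User['ntirety']` is quoted differently between classes. The group-writable `mode => 664` is carried over from the removed oracleusers.pp resource rather than introduced here, but since it lets any dba-group member edit the principal list it is worth a comment stating why 664 rather than 644 is required.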
diff --git a/manifests/ntirety.pp b/manifests/ntirety.pp
index dc39c4f..81d1438 100644
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
@@ -1,11 +1,8 @@
-#
-# Ntirety admins to access oracle user account
-#
+# Ntirety DBA user list for .k5login files (oracle and ntirety users)
 
-class oracledb::ntirety inherits oracledb::oracleusers {
+class oracledb::ntirety {
 
-  K5login['/u01/app/oracle/.k5login'] {
-    principals +> [
+  $ntiretyusers = [
                    'cgarcia5@stanford.edu',
                    'chapmci1@stanford.edu',
                    'dcampoy@stanford.edu',
@@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers {
                    'vkalyana@stanford.edu',
                    #'wsheffie@stanford.edu', # win only
                   ]
-  }
 
 }
diff --git a/manifests/ntiretydbas.pp b/manifests/ntiretydbas.pp
new file mode 100644
index 0000000..66d9ff8
--- /dev/null
+++ b/manifests/ntiretydbas.pp
@@ -0,0 +1,9 @@
+# Ntirety *only* DBA config
+
+class oracledb::ntiretydbas {
+
+  include oracledb::ntirety
+  include oracledb::k5login::ntirety
+  include user::ntirety
+
+}
diff --git a/manifests/oracleusers.pp b/manifests/oracleusers.pp
index 5cd5c5d..d0af705 100644
--- a/manifests/oracleusers.pp
+++ b/manifests/oracleusers.pp
@@ -11,10 +11,4 @@ class oracledb::oracleusers {
       escaped_name => 'oracle  ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*';
   }
 
-  k5login { '/u01/app/oracle/.k5login':
-    ensure     => present,
-    principals => [ ],
-    mode       => 664,
-    purge      => true,
-  }
 }
diff --git a/manifests/rhel5.pp b/manifests/rhel5.pp
index c739ff8..91bd496 100644
--- a/manifests/rhel5.pp
+++ b/manifests/rhel5.pp
@@ -1,3 +1,5 @@
+#
+
 class oracledb::rhel5 inherits oracledb {
   if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) {
     fail 'Must be running RHEL5 to use oracledb::rhel5 class'
-- 
GitLab