From 198fa4642a146270c04f5e25ee7e06e8d56f1c88 Mon Sep 17 00:00:00 2001
From: Victor Chavez <vdc@stanford.edu>
Date: Thu, 17 Apr 2014 12:01:23 -0700
Subject: [PATCH] release/002.001: new classes to support Oracle DB management
by AS, Ntirety, or both.
---
NEWS | 17 +++++++++++
manifests/alldbas.pp | 11 +++++++
manifests/as.pp | 27 +++++------------
manifests/asdbas.pp | 16 ++++++++++
manifests/init.pp | 31 ++++++++++---------
manifests/k5login.pp | 65 ++++++++++++++++++++++++++++++++++++++++
manifests/ntirety.pp | 10 ++-----
manifests/ntiretydbas.pp | 9 ++++++
manifests/oracleusers.pp | 6 ----
manifests/rhel5.pp | 2 ++
10 files changed, 146 insertions(+), 48 deletions(-)
create mode 100644 manifests/alldbas.pp
create mode 100644 manifests/asdbas.pp
create mode 100644 manifests/k5login.pp
create mode 100644 manifests/ntiretydbas.pp
diff --git a/NEWS b/NEWS
index 8d77a45..d680607 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+release/002.001 (2014-04-17)
+
+ Added new classes to support all combinations of AS & Ntirety DBA access.
+ This release takes some migration steps:
+ 1. Remove user::ntirety from inclusion in client manifests
+ 2. Update these classes from the appsupport (pp-apps) repo:
+ - group::emagent
+ - user::emagent
+ - user::ntirety
+ - user::oracle
+ 3. Choose *one* of the following classes for inclusion in client manifests
+ wherever oracledb is included or inherited:
+ - oracledb::alldbas
+ - oracledb::asdbas
+ - oracledb::ntiretydbas
+ (vdc)
+
release/001.005 (2014-03-27)
Added AS DBA access to oracle k5login, added network range to iptables, and
diff --git a/manifests/alldbas.pp b/manifests/alldbas.pp
new file mode 100644
index 0000000..2994207
--- /dev/null
+++ b/manifests/alldbas.pp
@@ -0,0 +1,11 @@
+# class to handle oracle user .k5login for both AS and Ntirety admins
+
+class oracledb::alldbas {
+
+ include oracledb::as
+ include oracledb::k5login::all
+ include oracledb::ntirety
+ include user::emagent
+ include user::ntirety
+
+}
diff --git a/manifests/as.pp b/manifests/as.pp
index fe7331b..c524510 100644
--- a/manifests/as.pp
+++ b/manifests/as.pp
@@ -1,23 +1,12 @@
-# for AS access
+# AS DBA user list for .k5login files (oracle and emagent users)
-class oracledb::as inherits oracledb::oracleusers {
+class oracledb::as {
- include user::emagent
+ $asusers = [
+ 'jenhong@stanford.edu',
+ 'kmadduri@stanford.edu',
+ 'sanjeevk@stanford.edu',
+ 'toaivo@stanford.edu',
+ ]
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
- 'jenhong@stanford.edu',
- 'kmadduri@stanford.edu',
- 'sanjeevk@stanford.edu',
- 'toaivo@stanford.edu',
- ]
- }
-
- base::iptables::rule { 'as_dba_access':
- description => 'AS VDI range for DBAs to access these systems',
- source => ['172.20.200.0/23'],
- port => ['1533','1534','1535'],
- protocol => 'tcp',
- }
-
}
diff --git a/manifests/asdbas.pp b/manifests/asdbas.pp
new file mode 100644
index 0000000..ac0f2b2
--- /dev/null
+++ b/manifests/asdbas.pp
@@ -0,0 +1,16 @@
+# AS *only* DBA config
+
+class oracledb::asdbas {
+
+ include oracledb::as
+ include oracledb::k5login::as
+ include user::emagent
+
+ base::iptables::rule { 'as_dba_access':
+ description => 'AS VDI range for DBAs to access these systems',
+ source => ['172.20.200.0/23'],
+ port => ['1533','1534','1535'],
+ protocol => 'tcp',
+ }
+
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index b4cabbe..1790fe3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,15 +3,14 @@
# essentially the same way and this module contains all the standard bits.
class oracledb {
- include compatlibs
- include group::dba
- include base::libstdc
- include oracledb::directories
- include oracledb::packages
- include oracledb::oracleusers
- include user::ntirety
- include user::oracle
+ include base::libstdc
+ include compatlibs
+ include group::dba
+ include oracledb::directories
+ include oracledb::oracleusers
+ include oracledb::packages
+ include user::oracle
if ($::operatingsystem != 'redhat') {
fail ('Oracle only runs on Red Hat!')
@@ -20,14 +19,14 @@ class oracledb {
case $::lsbmajdistrelease {
## rhel4
'4': {
- package {
- [ 'glibc-kernheaders',
- 'gnome-libs',
- 'openmotif21',
- 'pdksh',
- 'xorg-x11-deprecated-libs',
- 'xscreensaver', ]:
- ensure => present;
+ package { [
+ 'glibc-kernheaders',
+ 'gnome-libs',
+ 'openmotif21',
+ 'pdksh',
+ 'xorg-x11-deprecated-libs',
+ 'xscreensaver',
+ ]: ensure => present;
}
# Old workaround for up2date i386 arch packages on x86_64.
diff --git a/manifests/k5login.pp b/manifests/k5login.pp
new file mode 100644
index 0000000..0593a62
--- /dev/null
+++ b/manifests/k5login.pp
@@ -0,0 +1,65 @@
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+
+ include oracledb::ntirety
+
+ $allusers = $oracledb::as::asusers
+
+}
+
+class oracledb::k5login::all inherits oracledb::k5login {
+
+ $allusers += $oracledb::ntirety::ntiretyusers
+
+ k5login {
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User[ntirety], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $allusers;
+ }
+
+}
+
+class oracledb::k5login::as {
+
+ k5login {
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $oracledb::as::asusers;
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ }
+
+}
+
+class oracledb::k5login::ntirety {
+
+ k5login {
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User['ntirety'], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => File['/u01/app/oracle'],
+ principals => $oracledb::ntirety::ntiretyusers;
+ }
+
+}
+
diff --git a/manifests/ntirety.pp b/manifests/ntirety.pp
index dc39c4f..81d1438 100644
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
@@ -1,11 +1,8 @@
-#
-# Ntirety admins to access oracle user account
-#
+# Ntirety DBA user list for .k5login files (oracle and ntirety users)
-class oracledb::ntirety inherits oracledb::oracleusers {
+class oracledb::ntirety {
- K5login['/u01/app/oracle/.k5login'] {
- principals +> [
+ $ntiretyusers = [
'cgarcia5@stanford.edu',
'chapmci1@stanford.edu',
'dcampoy@stanford.edu',
@@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers {
'vkalyana@stanford.edu',
#'wsheffie@stanford.edu', # win only
]
- }
}
diff --git a/manifests/ntiretydbas.pp b/manifests/ntiretydbas.pp
new file mode 100644
index 0000000..66d9ff8
--- /dev/null
+++ b/manifests/ntiretydbas.pp
@@ -0,0 +1,9 @@
+# Ntirety *only* DBA config
+
+class oracledb::ntiretydbas {
+
+ include oracledb::ntirety
+ include oracledb::k5login::ntirety
+ include user::ntirety
+
+}
diff --git a/manifests/oracleusers.pp b/manifests/oracleusers.pp
index 5cd5c5d..d0af705 100644
--- a/manifests/oracleusers.pp
+++ b/manifests/oracleusers.pp
@@ -11,10 +11,4 @@ class oracledb::oracleusers {
escaped_name => 'oracle ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*';
}
- k5login { '/u01/app/oracle/.k5login':
- ensure => present,
- principals => [ ],
- mode => 664,
- purge => true,
- }
}
diff --git a/manifests/rhel5.pp b/manifests/rhel5.pp
index c739ff8..91bd496 100644
--- a/manifests/rhel5.pp
+++ b/manifests/rhel5.pp
@@ -1,3 +1,5 @@
+#
+
class oracledb::rhel5 inherits oracledb {
if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) {
fail 'Must be running RHEL5 to use oracledb::rhel5 class'
--
GitLab