From 198fa4642a146270c04f5e25ee7e06e8d56f1c88 Mon Sep 17 00:00:00 2001 From: Victor Chavez <vdc@stanford.edu> Date: Thu, 17 Apr 2014 12:01:23 -0700 Subject: [PATCH] release/002.001: new classes to support Oracle DB management by AS, Ntirety, or both. --- NEWS | 17 +++++++++++ manifests/alldbas.pp | 11 +++++++ manifests/as.pp | 27 +++++------------ manifests/asdbas.pp | 16 ++++++++++ manifests/init.pp | 31 ++++++++++--------- manifests/k5login.pp | 65 ++++++++++++++++++++++++++++++++++++++++ manifests/ntirety.pp | 10 ++----- manifests/ntiretydbas.pp | 9 ++++++ manifests/oracleusers.pp | 6 ---- manifests/rhel5.pp | 2 ++ 10 files changed, 146 insertions(+), 48 deletions(-) create mode 100644 manifests/alldbas.pp create mode 100644 manifests/asdbas.pp create mode 100644 manifests/k5login.pp create mode 100644 manifests/ntiretydbas.pp diff --git a/NEWS b/NEWS index 8d77a45..d680607 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,20 @@ +release/002.001 (2014-04-17) + + Added new classes to support all combinations of AS & Ntirety DBA access. + This release takes some migration steps: + 1. Remove user::ntirety from inclusion in client manifests + 2. Update these classes from the appsupport (pp-apps) repo: + - group::emagent + - user::emagent + - user::ntirety + - user::oracle + 3. Choose *one* of the following classes for inclusion in client manifests + wherever oracledb is included or inherited: + - oracledb::alldbas + - oracledb::asdbas + - oracledb::ntiretydbas + (vdc) + release/001.005 (2014-03-27) Added AS DBA access to oracle k5login, added network range to iptables, and diff --git a/manifests/alldbas.pp b/manifests/alldbas.pp new file mode 100644 index 0000000..2994207 --- /dev/null +++ b/manifests/alldbas.pp @@ -0,0 +1,11 @@ +# class to handle oracle user .k5login for both AS and Ntirety admins + +class oracledb::alldbas { + + include oracledb::as + include oracledb::k5login::all + include oracledb::ntirety + include user::emagent + include user::ntirety + +} 
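Review bot: oracledb::alldbas gives AS DBAs principals in the oracle and emagent .k5login files but never declares the `as_dba_access` iptables rule, which this commit moves out of oracledb::as and into oracledb::asdbas only; a host that migrates from the old oracledb::as to alldbas keeps the Kerberos access but loses the opening from 172.20.200.0/23 to ports 1533-1535 (whether the rule is actually torn down on the host depends on base::iptables, which is not visible here). If that is unintended, the least duplicative fix is to keep the `base::iptables::rule { 'as_dba_access': … }` block in oracledb::as, which both alldbas and asdbas include, so the rule travels with the AS principal list; if it is intended, a comment here saying how AS DBAs reach the listeners under alldbas would stop the next reader from re-adding it. Including oracledb::asdbas from here is not an option as written, because its oracledb::k5login::as would duplicate-declare `/u01/app/oracle/.k5login` against oracledb::k5login::all.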
diff --git a/manifests/as.pp b/manifests/as.pp index fe7331b..c524510 100644 --- a/manifests/as.pp +++ b/manifests/as.pp @@ -1,23 +1,12 @@ -# for AS access +# AS DBA user list for .k5login files (oracle and emagent users) -class oracledb::as inherits oracledb::oracleusers { +class oracledb::as { - include user::emagent + $asusers = [ + 'jenhong@stanford.edu', + 'kmadduri@stanford.edu', + 'sanjeevk@stanford.edu', + 'toaivo@stanford.edu', + ] - K5login['/u01/app/oracle/.k5login'] { - principals +> [ - 'jenhong@stanford.edu', - 'kmadduri@stanford.edu', - 'sanjeevk@stanford.edu', - 'toaivo@stanford.edu', - ] - } - - base::iptables::rule { 'as_dba_access': - description => 'AS VDI range for DBAs to access these systems', - source => ['172.20.200.0/23'], - port => ['1533','1534','1535'], - protocol => 'tcp', - } - } diff --git a/manifests/asdbas.pp b/manifests/asdbas.pp new file mode 100644 index 0000000..ac0f2b2 --- /dev/null +++ b/manifests/asdbas.pp @@ -0,0 +1,16 @@ +# AS *only* DBA config + +class oracledb::asdbas { + + include oracledb::as + include oracledb::k5login::as + include user::emagent + + base::iptables::rule { 'as_dba_access': + description => 'AS VDI range for DBAs to access these systems', + source => ['172.20.200.0/23'], + port => ['1533','1534','1535'], + protocol => 'tcp', + } + +} diff --git a/manifests/init.pp b/manifests/init.pp index b4cabbe..1790fe3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
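Review bot: `$asusers` is now consumed from other classes as the qualified variable `$oracledb::as::asusers` (oracledb::k5login and oracledb::k5login::as in this same commit), and such a lookup only succeeds if this class has already been evaluated, yet nothing in the file says so. I would make the header spell out the contract, e.g. `# AS DBA principals; consumers read $oracledb::as::asusers and must include this class before using it`, and have each consumer `include oracledb::as` itself instead of relying on the include order in alldbas/asdbas. With the resources gone, the class is pure data, which is worth saying explicitly so nobody re-adds an `inherits` or a resource here later.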
@@ -3,15 +3,14 @@ # essentially the same way and this module contains all the standard bits. class oracledb { - include compatlibs - include group::dba - include base::libstdc - include oracledb::directories - include oracledb::packages - include oracledb::oracleusers - include user::ntirety - include user::oracle + include base::libstdc + include compatlibs + include group::dba + include oracledb::directories + include oracledb::oracleusers + include oracledb::packages + include user::oracle if ($::operatingsystem != 'redhat') { fail ('Oracle only runs on Red Hat!') @@ -20,14 +19,14 @@ class oracledb { case $::lsbmajdistrelease { ## rhel4 '4': { - package { - [ 'glibc-kernheaders', - 'gnome-libs', - 'openmotif21', - 'pdksh', - 'xorg-x11-deprecated-libs', - 'xscreensaver', ]: - ensure => present; + package { [ + 'glibc-kernheaders', + 'gnome-libs', + 'openmotif21', + 'pdksh', + 'xorg-x11-deprecated-libs', + 'xscreensaver', + ]: ensure => present; } # Old workaround for up2date i386 arch packages on x86_64. diff --git a/manifests/k5login.pp b/manifests/k5login.pp new file mode 100644 index 0000000..0593a62 --- /dev/null +++ b/manifests/k5login.pp 
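Review bot: With `include user::ntirety` dropped here and the `/u01/app/oracle/.k5login` resource deleted from oracledb::oracleusers in the same commit, the base oracledb class no longer manages the oracle user's .k5login at all; previously every oracledb host got that file with `purge => true` and an empty default principal list, so a client manifest that includes oracledb but omits all three of alldbas/asdbas/ntiretydbas now leaves whatever principals are already in the file (or are added by hand) in place and unpurged. That is a silent loss of the old fail-closed behaviour, and the NEWS migration steps are the only guard against it. At minimum the class header should say so, e.g. `# NOTE: oracle's .k5login is managed only by oracledb::{alldbas,asdbas,ntiretydbas}; include exactly one or the file is left unmanaged`; a stronger option is a fail-safe that restores the empty-principals, purged resource when none of those classes is declared, though `defined(Class[...])` in Puppet is parse-order dependent and would need care. The class body continues past the end of the hunk.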
@@ -0,0 +1,65 @@
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+
+ include oracledb::ntirety
+
+ $allusers = $oracledb::as::asusers
+
+}
+
+class oracledb::k5login::all inherits oracledb::k5login {
+
+ $allusers += $oracledb::ntirety::ntiretyusers
+
+ k5login {
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User[ntirety], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $allusers;
+ }
+
+}
+
+class oracledb::k5login::as {
+
+ k5login {
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => [User[oracle], File['/u01/app/oracle']],
+ principals => $oracledb::as::asusers;
+ '/home/emagent/.k5login':
+ purge => true,
+ require => [User[emagent], File['/home/emagent']],
+ principals => $oracledb::as::asusers;
+ }
+
+}
+
+class oracledb::k5login::ntirety {
+
+ k5login {
+ '/opt/ntirety/.k5login':
+ purge => true,
+ require => [User['ntirety'], File['/opt/ntirety']],
+ principals => $oracledb::ntirety::ntiretyusers;
+ '/u01/app/oracle/.k5login':
+ purge => true,
+ mode => 664,
+ require => File['/u01/app/oracle'],
+ principals => $oracledb::ntirety::ntiretyusers;
+ }
+
+}
+
diff --git a/manifests/ntirety.pp b/manifests/ntirety.pp
index dc39c4f..81d1438 100644
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
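Review bot: oracledb::k5login reads `$oracledb::as::asusers` but only includes oracledb::ntirety, and oracledb::k5login::as and ::ntirety read their qualified variables without including either list class; a qualified lookup of a class that has not been evaluated yet yields undef with a warning rather than an error, so if the include order in the calling classes ever changes, the `/u01/app/oracle/.k5login` resource is applied with `purge => true` from an incomplete list at best and the catalog fails at worst. Adding `include oracledb::as` next to the existing `include oracledb::ntirety` in oracledb::k5login, and the matching include in each single-team class, removes that dependence on caller ordering. Two smaller points in the same hunk: the oracle .k5login in oracledb::k5login::ntirety has `require => File['/u01/app/oracle'],` while the other two copies also wait for the user, so it should read `require => [User[oracle], File['/u01/app/oracle']],` like them; and all three copies carry forward `mode => 664`, which leaves a file that grants account access group-writable — unless some group process must write it, dropping `mode` or setting 644 is the safer choice, and if the group write bit is needed a comment naming the group and the reason would justify it. The `# this is a hack` comment on oracledb::k5login would also be more useful if it said what the hack is, i.e. a parent class whose `$allusers` the inheriting class extends with `+=` so one resource can take both lists.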
@@ -1,11 +1,8 @@ -# -# Ntirety admins to access oracle user account -# +# Ntirety DBA user list for .k5login files (oracle and ntirety users) -class oracledb::ntirety inherits oracledb::oracleusers { +class oracledb::ntirety { - K5login['/u01/app/oracle/.k5login'] { - principals +> [ + $ntiretyusers = [ 'cgarcia5@stanford.edu', 'chapmci1@stanford.edu', 'dcampoy@stanford.edu', @@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers { 'vkalyana@stanford.edu', #'wsheffie@stanford.edu', # win only ] - } } diff --git a/manifests/ntiretydbas.pp b/manifests/ntiretydbas.pp new file mode 100644 index 0000000..66d9ff8 --- /dev/null +++ b/manifests/ntiretydbas.pp @@ -0,0 +1,9 @@ +# Ntirety *only* DBA config + +class oracledb::ntiretydbas { + + include oracledb::ntirety + include oracledb::k5login::ntirety + include user::ntirety + +} diff --git a/manifests/oracleusers.pp b/manifests/oracleusers.pp index 5cd5c5d..d0af705 100644 --- a/manifests/oracleusers.pp +++ b/manifests/oracleusers.pp @@ -11,10 +11,4 @@ class oracledb::oracleusers { escaped_name => 'oracle ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*'; } - k5login { '/u01/app/oracle/.k5login': - ensure => present, - principals => [ ], - mode => 664, - purge => true, - } } diff --git a/manifests/rhel5.pp b/manifests/rhel5.pp index c739ff8..91bd496 100644 --- a/manifests/rhel5.pp +++ b/manifests/rhel5.pp @@ -1,3 +1,5 @@ +# + class oracledb::rhel5 inherits oracledb { if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) { fail 'Must be running RHEL5 to use oracledb::rhel5 class' -- GitLab