release/002.001: new classes to support Oracle DB management by AS, Ntirety, or both.

198fa464 · Victor Chavez · 56ac3742 · 198fa464 · 198fa464 · 198fa464
Commit 198fa464 authored 10 years ago by Victor Chavez
--- a/NEWS
+++ b/NEWS
+release/002.001 (2014-04-17)
+    Added new classes to support all combinations of AS & Ntirety DBA access.
+    This release takes some migration steps:
+    1. Remove user::ntirety from inclusion in client manifests
+    2. Update these classes from the appsupport (pp-apps) repo:
+       - group::emagent
+       - user::emagent
+       - user::ntirety
+       - user::oracle
+    3. Choose *one* of the following classes for inclusion in client manifests
+       wherever oracledb is included or inherited:
+       - oracledb::alldbas
+       - oracledb::asdbas
+       - oracledb::ntiretydbas
+    (vdc)
 release/001.005 (2014-03-27)
    Added AS DBA access to oracle k5login, added network range to iptables, and

--- a/manifests/alldbas.pp
+++ b/manifests/alldbas.pp
+# class to handle oracle user .k5login for both AS and Ntirety admins
+class oracledb::alldbas {
+  include oracledb::as
+  include oracledb::k5login::all
+  include oracledb::ntirety
+  include user::emagent
+  include user::ntirety
+}
--- a/manifests/as.pp
+++ b/manifests/as.pp
-# for AS access
+# AS DBA user list for .k5login files (oracle and emagent users)
-class oracledb::as inherits oracledb::oracleusers {
+class oracledb::as {
-  include user::emagent
+  $asusers = [
+              'jenhong@stanford.edu',
+              'kmadduri@stanford.edu',
+              'sanjeevk@stanford.edu',
+              'toaivo@stanford.edu',
+             ]
-  K5login['/u01/app/oracle/.k5login'] {
-    principals +> [
-                   'jenhong@stanford.edu',
-                   'kmadduri@stanford.edu',
-                   'sanjeevk@stanford.edu',
-                   'toaivo@stanford.edu',
-                  ]
-  }
-  base::iptables::rule { 'as_dba_access':
-    description => 'AS VDI range for DBAs to access these systems',
-    source      => ['172.20.200.0/23'],
-    port        => ['1533','1534','1535'],
-    protocol    => 'tcp',
-  }
 }
--- a/manifests/asdbas.pp
+++ b/manifests/asdbas.pp
+# AS *only* DBA config
+class oracledb::asdbas {
+  include oracledb::as
+  include oracledb::k5login::as
+  include user::emagent
+  base::iptables::rule { 'as_dba_access':
+    description => 'AS VDI range for DBAs to access these systems',
+    source      => ['172.20.200.0/23'],
+    port        => ['1533','1534','1535'],
+    protocol    => 'tcp',
+  }
+}
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,15 +3,14 @@
 # essentially the same way and this module contains all the standard bits.
 class oracledb {
-    include compatlibs
-    include group::dba
-    include base::libstdc
-    include oracledb::directories
-    include oracledb::packages
-    include oracledb::oracleusers
-    include user::ntirety
-    include user::oracle
+  include base::libstdc
+  include compatlibs
+  include group::dba
+  include oracledb::directories
+  include oracledb::oracleusers
+  include oracledb::packages
+  include user::oracle
  if ($::operatingsystem != 'redhat') {
    fail ('Oracle only runs on Red Hat!')
@@ -20,14 +19,14 @@ class oracledb {
  case $::lsbmajdistrelease {
    ## rhel4
    '4': {
-      package {
+      package { [
-        [ 'glibc-kernheaders',
+        'glibc-kernheaders',
-          'gnome-libs',
+        'gnome-libs',
-          'openmotif21',
+        'openmotif21',
-          'pdksh',
+        'pdksh',
-          'xorg-x11-deprecated-libs',
+        'xorg-x11-deprecated-libs',
-          'xscreensaver', ]:
+        'xscreensaver',
-            ensure => present;
+        ]: ensure => present;
      }
      # Old workaround for up2date i386 arch packages on x86_64.

--- a/manifests/k5login.pp
+++ b/manifests/k5login.pp
+# class to handle oracle user .k5logins for all Oracle DBA scenarios
+# this is a hack for oracledb::k5login::all
+class oracledb::k5login {
+  include oracledb::ntirety
+  $allusers = $oracledb::as::asusers
+}
+class oracledb::k5login::all inherits oracledb::k5login {
+  $allusers += $oracledb::ntirety::ntiretyusers
+  k5login {
+    '/home/emagent/.k5login':
+      purge      => true,
+      require    => [User[emagent], File['/home/emagent']],
+      principals => $oracledb::as::asusers;
+    '/opt/ntirety/.k5login':
+      purge      => true,
+      require    => [User[ntirety], File['/opt/ntirety']],
+      principals => $oracledb::ntirety::ntiretyusers;
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => [User[oracle], File['/u01/app/oracle']],
+      principals => $allusers;
+  }
+}
+class oracledb::k5login::as {
+  k5login {
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => [User[oracle], File['/u01/app/oracle']],
+      principals => $oracledb::as::asusers;
+    '/home/emagent/.k5login':
+      purge      => true,
+      require    => [User[emagent], File['/home/emagent']],
+      principals => $oracledb::as::asusers;
+  }
+}
+class oracledb::k5login::ntirety {
+  k5login {
+    '/opt/ntirety/.k5login':
+      purge      => true,
+      require    => [User['ntirety'], File['/opt/ntirety']],
+      principals => $oracledb::ntirety::ntiretyusers;
+    '/u01/app/oracle/.k5login':
+      purge      => true,
+      mode       => 664,
+      require    => File['/u01/app/oracle'],
+      principals => $oracledb::ntirety::ntiretyusers;
+  }
+}
--- a/manifests/ntirety.pp
+++ b/manifests/ntirety.pp
-#
+# Ntirety DBA user list for .k5login files (oracle and ntirety users)
-# Ntirety admins to access oracle user account
-#
-class oracledb::ntirety inherits oracledb::oracleusers {
+class oracledb::ntirety {
-  K5login['/u01/app/oracle/.k5login'] {
+  $ntiretyusers = [
-    principals +> [
                   'cgarcia5@stanford.edu',
                   'chapmci1@stanford.edu',
                   'dcampoy@stanford.edu',
@@ -30,6 +27,5 @@ class oracledb::ntirety inherits oracledb::oracleusers {
                   'vkalyana@stanford.edu',
                   #'wsheffie@stanford.edu', # win only
                  ]
-  }
 }
--- a/manifests/ntiretydbas.pp
+++ b/manifests/ntiretydbas.pp
+# Ntirety *only* DBA config
+class oracledb::ntiretydbas {
+  include oracledb::ntirety
+  include oracledb::k5login::ntirety
+  include user::ntirety
+}
--- a/manifests/oracleusers.pp
+++ b/manifests/oracleusers.pp
@@ -11,10 +11,4 @@ class oracledb::oracleusers {
      escaped_name => 'oracle  ALL= NOPASSWD: /usr/bin/tdpoconf PassWord \*';
  }
-  k5login { '/u01/app/oracle/.k5login':
-    ensure     => present,
-    principals => [ ],
-    mode       => 664,
-    purge      => true,
-  }
 }
--- a/manifests/rhel5.pp
+++ b/manifests/rhel5.pp
+#
 class oracledb::rhel5 inherits oracledb {
  if (! ( $::operatingsystem == 'redhat' and $::lsbmajdistrelease == '5' )) {
    fail 'Must be running RHEL5 to use oracledb::rhel5 class'