Downgrade mysql cookbook for now

It doesn't play well with our current dev server setup
2017-06-16 22:43:51 +02:00
parent e39792ea36
commit bdfb3a1afb
398 changed files with 12716 additions and 10889 deletions
--- a/cookbooks/rbac/README.md
+++ b/cookbooks/rbac/README.md
@@ -0,0 +1,82 @@
+Role based access control
+=========================
+
+Solaris and Illumos provide sophisticated role-based access control for
+delegating authorizations within the system. Using RBAC, users can be
+given permissions to manage and update services without sudo.
+
+This cookbook provides chef with LWRPs to manage RBAC and grant permissions.
+
+At this time this cookbook ONLY manages SMF-related permissions (ie, ability
+of non-priviliged users to start/stop SMF services), but in the future it may
+be enhanced to support arbitrary Solaris permissions.
+
+## Installation
+
+In order to add the RBAC LWRPs to a chef run, add the following recipe 
+to the run_list:
+
+    rbac::default
+
+This will do no work, but will load the providers.
+
+## LWRPs
+
+### rbac
+
+Defines a set of authorizations that can be applied to SMF services and
+authorized to users, without actually applying them to users.
+
+Actions:
+  * create (default)
+
+Attributes:
+  * name
+
+Example:
+
+```ruby
+rbac "nginx" do
+  action :create
+end
+```
+
+This will update the authorizations file at `/etc/security/auth_attr`
+with the following lines:
+
+```
+solaris.smf.manage.nginx:::Manage nginx Service States::
+solaris.smf.value.nginx:::Change value of nginx Service::
+```
+
+Users who are given these authorizations can change properties of the
+service as well as change its state (i.e. `svcadm disable|enable|restart|clear service`
+
+### rbac_auth
+
+Adds the rbac definition created by `auth` to the user `name`.
+
+Actions:
+  * add (default)
+
+Attributes:
+  * name - for descriptive purposes and to ensure that each LWRP call is uniquely
+           identified in the chef run
+  * user
+  * auth
+
+Example:
+
+```ruby
+rbac_auth "add nginx management permissions to my_user" do
+  user "my_user"
+  auth "nginx"
+end
+```
+
+This adds both manage and value auths to user `my_user`.
+
+## TODO
+
+* separate manage auth from value auth
+* ability to delete all rbac attributes
--- a/cookbooks/rbac/libraries/rbac.rb
+++ b/cookbooks/rbac/libraries/rbac.rb
@@ -0,0 +1,15 @@
+# This module is used to retain state during the course of a chef
+# run. The LWRPs in the cookbook modify a global hash in this module,
+# and at the end of the chef run if user authorizations change they
+# are written out into the system.
+#
+module RBAC
+  def self.authorizations
+    @authorizations ||= {}
+  end
+
+  def self.add_authorization(username, auth)
+    authorizations[username] ||= []
+    authorizations[username] << auth
+  end
+end
--- a/cookbooks/rbac/metadata.json
+++ b/cookbooks/rbac/metadata.json
@@ -0,0 +1,42 @@
+{
+  "name": "rbac",
+  "description": "Allows delegation of service management to users with Solaris Role Based Access Control (RBAC)",
+  "long_description": "Role based access control\n=========================\n\nSolaris and Illumos provide sophisticated role-based access control for\ndelegating authorizations within the system. Using RBAC, users can be\ngiven permissions to manage and update services without sudo.\n\nThis cookbook provides chef with LWRPs to manage RBAC and grant permissions.\n\nAt this time this cookbook ONLY manages SMF-related permissions (ie, ability\nof non-priviliged users to start/stop SMF services), but in the future it may\nbe enhanced to support arbitrary Solaris permissions.\n\n## Installation\n\nIn order to add the RBAC LWRPs to a chef run, add the following recipe \nto the run_list:\n\n    rbac::default\n\nThis will do no work, but will load the providers.\n\n## LWRPs\n\n### rbac\n\nDefines a set of authorizations that can be applied to SMF services and\nauthorized to users, without actually applying them to users.\n\nActions:\n  * create (default)\n\nAttributes:\n  * name\n\nExample:\n\n```ruby\nrbac \"nginx\" do\n  action :create\nend\n```\n\nThis will update the authorizations file at `/etc/security/auth_attr`\nwith the following lines:\n\n```\nsolaris.smf.manage.nginx:::Manage nginx Service States::\nsolaris.smf.value.nginx:::Change value of nginx Service::\n```\n\nUsers who are given these authorizations can change properties of the\nservice as well as change its state (i.e. `svcadm disable|enable|restart|clear service`\n\n### rbac_auth\n\nAdds the rbac definition created by `auth` to the user `name`.\n\nActions:\n  * add (default)\n\nAttributes:\n  * name - for descriptive purposes and to ensure that each LWRP call is uniquely\n           identified in the chef run\n  * user\n  * auth\n\nExample:\n\n```ruby\nrbac_auth \"add nginx management permissions to my_user\" do\n  user \"my_user\"\n  auth \"nginx\"\nend\n```\n\nThis adds both manage and value auths to user `my_user`.\n\n## TODO\n\n* separate manage auth from value auth\n* ability to delete all rbac attributes\n",
+  "maintainer": "Eric Saxby",
+  "maintainer_email": "sax@livinginthepast.org",
+  "license": "MIT",
+  "platforms": {
+    "solaris2": ">= 0.0.0",
+    "smartos": ">= 0.0.0"
+  },
+  "dependencies": {
+
+  },
+  "recommendations": {
+
+  },
+  "suggestions": {
+
+  },
+  "conflicting": {
+
+  },
+  "providing": {
+
+  },
+  "replacing": {
+
+  },
+  "attributes": {
+
+  },
+  "groupings": {
+
+  },
+  "recipes": {
+
+  },
+  "version": "1.0.3",
+  "source_url": "",
+  "issues_url": ""
+}
--- a/cookbooks/rbac/metadata.rb
+++ b/cookbooks/rbac/metadata.rb
@@ -0,0 +1,10 @@
+name             'rbac'
+maintainer       'Eric Saxby'
+maintainer_email 'sax@livinginthepast.org'
+license          'MIT'
+description      'Allows delegation of service management to users with Solaris Role Based Access Control (RBAC)'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version          '1.0.3'
+
+supports 'solaris2'
+supports 'smartos'
--- a/cookbooks/rbac/providers/auth.rb
+++ b/cookbooks/rbac/providers/auth.rb
@@ -0,0 +1,20 @@
+def load_current_resource
+  @current_resource = Chef::Resource::RbacAuth.new(new_resource.name)
+  @new_resource.definition = run_context.resource_collection.find(:rbac => @new_resource.auth)
+  begin
+    @new_resource.user_definition = run_context.resource_collection.find(:rbac_user => @new_resource.user)
+  rescue Chef::Exceptions::ResourceNotFound
+  end
+end
+
+action :add do
+  unless new_resource.user_definition
+    new_resource.user_definition = rbac_user new_resource.user
+  end
+
+  new_resource.add_auth new_resource.user, new_resource.auth
+
+  new_resource.updated_by_last_action(true)
+
+  new_resource.notifies(:apply, new_resource.user_definition, :delayed)
+end
--- a/cookbooks/rbac/providers/default.rb
+++ b/cookbooks/rbac/providers/default.rb
@@ -0,0 +1,27 @@
+
+def load_current_resource
+  @current_resource = Chef::Resource::Rbac.new(@new_resource.name)
+end
+
+action :create do
+  definition = new_resource.name
+
+  new_resource.updated_by_last_action(false)
+
+  manage_auth = "solaris.smf.manage.#{definition}:::Manage #{definition} Service States::"
+  manage = execute "add RBAC #{definition} management to /etc/security/auth_attr" do
+    command "echo \"#{manage_auth}\" >> /etc/security/auth_attr"
+    not_if "grep \"#{manage_auth}\" /etc/security/auth_attr"
+  end
+
+  # This additional permission allows the user to call svccfg -s service setprop
+  # to set dynamic properties without having to re-run chef. This may be
+  # moved into a separate LWRP in the future.
+  value_auth = "solaris.smf.value.#{definition}:::Change value of #{definition} Service::"
+  value = execute "add RBAC #{definition} value to /etc/security/auth_attr" do
+    command "echo \"#{value_auth}\" >> /etc/security/auth_attr"
+    not_if "grep \"#{value_auth}\" /etc/security/auth_attr"
+  end
+
+  new_resource.updated_by_last_action(manage.updated_by_last_action? || value.updated_by_last_action?)
+end
--- a/cookbooks/rbac/providers/user.rb
+++ b/cookbooks/rbac/providers/user.rb
@@ -0,0 +1,22 @@
+# The rbac_user LWRP is an internal set of classes used by other LWRPs to
+# delay writing of user attributes until the end of the chef run. It should not be
+# manually run.
+
+def load_current_resource
+  @current_resource = Chef::Resource::Rbac::User.new(@new_resource.user)
+end
+
+action :apply do
+  username = new_resource.user
+
+  auths = RBAC.authorizations[username]
+  permissions = auths.inject([]) do |auth, name|
+    auth + ["solaris.smf.manage.#{name}", "solaris.smf.value.#{name}"]
+  end.sort.uniq.join(',')
+
+  execute "Apply rbac authorizations to #{username}" do
+    command "usermod -A #{permissions} #{username}"
+    action :nothing
+    not_if "grep #{username} /etc/user_attr | grep 'auths=#{permissions}'"
+  end.run_action(:run)
+end
--- a/cookbooks/rbac/recipes/default.rb
+++ b/cookbooks/rbac/recipes/default.rb
@@ -0,0 +1,6 @@
+#
+# Cookbook Name:: rbac
+# Recipe:: default
+#
+# Copyright 2012, ModCloth, Inc.
+#
--- a/cookbooks/rbac/resources/auth.rb
+++ b/cookbooks/rbac/resources/auth.rb
@@ -0,0 +1,14 @@
+
+default_action :add
+
+actions :add
+
+attribute :user, :kind_of => String, :required => true
+attribute :auth, :kind_of => String, :required => true
+
+# private, internal attributes
+attr_accessor :definition, :user_definition
+
+def add_auth(user, auth)
+  RBAC.add_authorization(user, auth)
+end
--- a/cookbooks/rbac/resources/default.rb
+++ b/cookbooks/rbac/resources/default.rb
@@ -0,0 +1,6 @@
+
+default_action :create
+
+actions :create
+
+attribute :name, :kind_of => String, :name_attribute => true, :required => true
--- a/cookbooks/rbac/resources/user.rb
+++ b/cookbooks/rbac/resources/user.rb
@@ -0,0 +1,6 @@
+
+default_action :nothing
+
+actions :apply
+
+attribute :user, :kind_of => String, :name_attribute => true, :required => true