Overview

This puppet type allows you to manage grants/permissions on database objects. Here is an example:

db2_object_grant { 'db2inst1/MYDB/USER/MYUSER->MYSCHEMA.MYTABLE':
  permissions            => ['CONTROL'],
  provider               => 'db2',
  with_grant_permissions => ['ALTER', 'DELETE', 'INDEX', 'INSERT', 'REFERENCE', 'SELECT', 'UPDATE'],
}

This code tell’s Puppet that on database MYDB on instance dbs2inst1, the user MYUSER has CONTROL permission on the table MYTABLE in schema MYSCHEMA. It can also grant the rights ALTER’, ‘DELETE’, ‘INDEX’, ‘INSERT’, ‘REFERENCE’, ‘SELECT’, ‘UPDATE to other users.

Attributes

Attribute Name Short Description
database_name The name of the database.
disable_corrective_change Disable the modification of a resource when Puppet decides it is a corrective change.
disable_corrective_ensure Disable the creation or removal of a resource when Puppet decides is a corrective change.
grantee The DB2 username that is granted (or revoked) the permission.
grantee_type The type of grantee that
   
instance_name The name of the instance.
name The object and name combination you want to manage.
object_name The object name.
permissions The permissions on the specified object, granted to the specified user.
provider resource.
with_grant_permissions The permissions on the specified object, granted to the specified user with the option to regrant to an other user.

database_name

The name of the database.

Back to overview of db2_object_grant

disable_corrective_change

Disable the modification of a resource when Puppet decides it is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ...
  disable_corrective_change => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:

    Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)

Back to overview of db2_object_grant

disable_corrective_ensure

Disable the creation or removal of a resource when Puppet decides is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ensure                    => 'present',
  ...
  disable_corrective_ensure => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:

    Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)

Back to overview of db2_object_grant

grantee

The DB2 username that is granted (or revoked) the permission.

This parameter is extracted from the title of the type. It is separated by the object by a /.

db2_object_grant { 'SCOTT->sys.dbms_aqin@SID':
  ...
}

In this example SCOTT is the grantee. Grantee names will always be uppercased by Puppet. This means in Puppet you can use either lower, upper or mixed case. In DB2, it will be always be an upper case string.

Back to overview of db2_object_grant

grantee_type

The type of grantee that

This parameter is extracted from the title of the type. It is separated by the object by a /.

db2_object_grant { 'SCOTT->sys.dbms_aqin@SID':
  ...
}

Back to overview of db2_object_grant

instance_name

The name of the instance.

Back to overview of db2_object_grant

name

The object and name combination you want to manage. Including an appended SID.

db2_object_grant { ‘db2inst1/MYDB/SCOTT->sys.dbms_aqin’: … }

Back to overview of db2_object_grant

object_name

The object name.

This parameter is extracted from the title of the type. It is the first part of the name.

db2_object_grant { 'SCOTT->sys.dbms_aqin@SID':
  ...
}

In this example sys.dbms_aqin is the object name. The object names will always be uppercased by Puppet. This means in Puppet you can use either lower, upper or mixed case. In DB2, it will be always be an upper case string.

You must specify full qualified object names. This means owner.object.

The table may be a valid sql wildcard like DBA_%. Here is an example of such a resource definition:

db2_object_grant { 'APPQOSSYS->SYS.DBA_%@TEST':
  permissions => [],
}

This wil revoke all rights on all DBA tables from user APPQOSSYS.

Back to overview of db2_object_grant

permissions

The permissions on the specified object, granted to the specified user.

This is a required array of rights to grant on the user object combination

db2_object_grant{ ...:
  permissions => ['execute', 'select'],
}

When this list contains less rights then currently granted, the the extra rights will be revoked from the user. If the permissions list contains more rights then currently granted in the database, the extra rights will be granted to the user.

If you want to make sure no rights are granted, you must use an empty array.

db2_object_grant{ ...:
  permissions => ['execute', 'select'],
}

Back to overview of db2_object_grant

provider

The specific backend to use for this db2_object_grant resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:

db2
Manage DB2 object grants

Back to overview of db2_object_grant

with_grant_permissions

The permissions on the specified object, granted to the specified user with the option to regrant to an other user.

This is a required array of rights to grant on the user object combination

db2_object_grant{ ...:
  with_grant_permissions => ['execute', 'select'],
}

When this list contains less rights then currently granted, the the extra rights will be revoked from the user. If the permissions list contains more rights then currently granted in the database, the extra rights will be granted to the user.

If you want to make sure no rights are granted, you must use an empty array.

db2_object_grant{ ...:
  with_grant_permissions => ['execute', 'select'],
}

Back to overview of db2_object_grant