ora user
Overview
This type allows you to manage a user inside an Oracle database.
It recognises most of the options that CREATE USER supports. Besides these options, you can also use this type to manage the grants and the quota’s for this user.
ora_user{user_name@sid:
temporary_tablespace => temp,
default_tablespace => 'my_app_ts',
password => 'verysecret',
require => Ora_tablespace['my_app_ts'],
grants => ['SELECT ANY TABLE', 'CONNECT', 'CREATE TABLE', 'CREATE TRIGGER'],
quotas => {
"my_app_ts" => 'unlimited'
},
}
Attributes
Attribute Name | Short Description |
---|---|
common_granted | The common grants you want to make sure are granted to the ora_user or ora_role . |
common_granted_with_admin | The common grants with admin you want to make sure are granted to the ora_user or ora_role . |
common_grants | Common grants for this user or role. |
common_grants_with_admin | Common grants for this user or role with admin. |
common_revoked | The common grants you want to make sure are revoked from the ora_user or ora_role . |
common_revoked_with_admin | The common grants you want to make sure are revoked from the ora_user or ora_role . |
container | Allows you to specify the scope of the object. |
create_only | The attributes from ora_user you only want to manage when you create a user. |
default_roles | The user’s default roles |
default_tablespace | The user’s default tablespace. |
disable_corrective_change | Disable the modification of a resource when Puppet decides it is a corrective change. |
disable_corrective_ensure | Disable the creation or removal of a resource when Puppet decides is a corrective change. |
ensure | The basic property that the resource should be in. |
expired | specified if the account is expired. |
granted | The grants you want to make sure are granted to the ora_user or ora_role . |
granted_with_admin | The grants with admin you want to make sure are granted to the ora_user or ora_role . |
grants | grants for this user or role. |
grants_with_admin | grants for this user or role. |
ignore_oracle_maintained_warnings | This is a parameter that can be used to skip generating warnings on changing or dropping Oracle managed users or roles. |
locked | specified if the account is locked. |
name | The user name. |
oracle_maintained | This is a read only property that cannot be used when specifying a user. |
password | The user’s password. |
profile | The user’s profile |
provider | resource. |
quotas | Quota’s for this user. |
raw_password | The user’s raw password. |
revoked | The grants you want to make sure are revoked from the ora_user or ora_role . |
revoked_with_admin | The grants you want to make sure are revoked from the ora_user or ora_role . |
schema_only | specify if the account is schema only, without password and cannot be logged in with. |
sid | SID to connect to. |
temporary_tablespace | The user’s temporary tablespace. |
username | The user name. |
common_granted
The common grants you want to make sure are granted to the ora_user
or ora_role
.
This property is only functional when applied on container databases.
It is different from the common_grants
property in the sense that this is not a full list of the rights, but just the rights that are granted to the user
Here is an example with an ora_user
:
ora_user {'scott':
...
common_granted => ['GRANT ANY ROLE'],
...
}
Here is an example with an ora_role
:
ora_role {'app_dba_role':
...
common_granted => ['GRANT ANY ROLE'],
...
}
common_granted_with_admin
The common grants with admin you want to make sure are granted to the ora_user
or ora_role
.
This property is only functional when applied on container databases.
It is different from the common_grants_with_admin
property in the sense that this is not a full list of the rights, but just the rights that are granted to the user
Here is an example with an ora_user
:
ora_user {'scott':
...
common_granted_with_admin => ['GRANT ANY ROLE'],
...
}
Here is an example with an ora_role
:
ora_role {'app_dba_role':
...
common_granted_with_admin => ['GRANT ANY ROLE'],
...
}
common_grants
Common grants for this user or role.
This property is only functional when applied on container databases.
All the common grants this resource has. Here is an example on how to use this on an ora_user
:
ora_user { ‘my_user@sid’: … common_grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
Here is an example on how to use this on an ora_role
:
ora_ora_role { ‘my_role@sid’: … common_grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
common_grants_with_admin
Common grants for this user or role with admin.
This property is only functional when applied on container databases.
All the common grants this resource has. Here is an example on how to use this on an ora_user
:
ora_user { ‘my_user@sid’: … common_grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
Here is an example on how to use this on an ora_role
:
ora_ora_role { ‘my_role@sid’: … common_grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
common_revoked
The common grants you want to make sure are revoked from the ora_user
or ora_role
.
This property is only functional when applied on container databases.
It is different from the common_grants
property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user
Here is an example when using ora_user
:
ora_user {'scott':
...
common_revoked => ['GRANT ANY ROLE'],
}
Here is an example when using ora_role
:
ora_role {'scott':
...
common_revoked => ['GRANT ANY ROLE'],
}
WARNING
When you us both the common_grants
and common_revoked
property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the common_revoked
property are removed. This way ensuring the most secure configuration.
common_revoked_with_admin
The common grants you want to make sure are revoked from the ora_user
or ora_role
.
This property is only functional when applied on container databases.
It is different from the grants
property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user
Here is an example when using ora_user
:
ora_user {'scott':
...
common_revoked_with_admin => ['GRANT ANY ROLE'],
}
Here is an example when using ora_role
:
ora_role {'scott':
...
common_revoked_with_admin => ['GRANT ANY ROLE'],
}
WARNING
When you us both the common_grants
and common_revoked
property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the common_revoked
property are removed. This way ensuring the most secure configuration.
container
Allows you to specify the scope of the object.
This property is only supported on version 12 and higher. It allows you to specify if the user will be seen through all portable containers (e.g. global) of just in the current pluggable database.
You can use container
on:
ora_user
ora_profile
ora_object_grant
Here is an example on how to use this:
ora_... { '...@sid':
...
container => 'local',
...
}
Valid values are local
, common
.
create_only
The attributes from ora_user
you only want to manage when you create a user. This is usefull when defining oracle iser accounts for REAL users. Users that are supposed to change the password and the account expirery. Here is an example:
ora_user {'scott':
password => 'secret',
locked => false,
expired => true,
create_only => ['locked', 'expired', 'password']
}
When user scott
doesn’t exists, it will be created as an expired account, with specified password. After the first run the properties locked
expired
and password
are not updated anymore. Even when there is a difference between the manifest and reality.
default_roles
The user’s default roles
default_tablespace
The user’s default tablespace.
disable_corrective_change
Disable the modification of a resource when Puppet decides it is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_change
parameter, you can disable corrective changes on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
...
disable_corrective_change => true,
...
}
When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:
Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)
disable_corrective_ensure
Disable the creation or removal of a resource when Puppet decides is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_ensure
parameter, you can disable corrective ensure present or ensure absent actions on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
ensure => 'present',
...
disable_corrective_ensure => true,
...
}
When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:
Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)
ensure
The basic property that the resource should be in.
Valid values are present
, absent
.
expired
specified if the account is expired.
Valid values are true
, false
.
granted
The grants you want to make sure are granted to the ora_user
or ora_role
. It is different from the grants
property in the sense that this is not a full list of the rights, but just the rights that are granted to the user
Here is an example with an ora_user
:
ora_user {'scott':
...
granted => ['GRANT ANY ROLE'],
...
}
Here is an example with an ora_role
:
ora_role {'app_dba_role':
...
granted => ['GRANT ANY ROLE'],
...
}
**WARNING**
When you us both the `grants` and `granted` property, Puppet will give you a warning about conflicting values. In the end it **WILL** ensure
that the rights specified for the `revoked` property are removed. This way ensuring the most secure configuration.
granted_with_admin
The grants with admin you want to make sure are granted to the ora_user
or ora_role
. It is different from the grants_with_admin
property in the sense that this is not a full list of the rights, but just the rights that are granted to the user
Here is an example with an ora_user
:
ora_user {'scott':
...
granted_with_admin => ['GRANT ANY ROLE'],
...
}
Here is an example with an ora_role
:
ora_role {'app_dba_role':
...
granted_with_admin => ['GRANT ANY ROLE'],
...
}
grants
grants for this user or role.
All the grants this resource has. Here is an example on how to use this on an ora_user
:
ora_user { ‘my_user@sid’: … grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
Here is an example on how to use this on an ora_role
:
ora_ora_role { ‘my_role@sid’: … grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
grants_with_admin
grants for this user or role.
All the grants this resource has. Here is an example on how to use this on an ora_user
:
ora_user { ‘my_user@sid’: … grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
Here is an example on how to use this on an ora_role
:
ora_ora_role { ‘my_role@sid’: … grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }
ignore_oracle_maintained_warnings
This is a parameter that can be used to skip generating warnings on changing or dropping Oracle managed users or roles.
locked
specified if the account is locked.
Valid values are true
, false
.
name
The user name.
oracle_maintained
This is a read only property that cannot be used when specifying a user.
password
The user’s password.
profile
The user’s profile
provider
The specific backend to use for this ora_user
resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:
- simple
- Manage Oracle users in an Oracle Database via regular SQL
quotas
Quota’s for this user.
raw_password
The user’s raw password.
revoked
The grants you want to make sure are revoked from the ora_user
or ora_role
. It is different from the grants
property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user
Here is an example when using ora_user
:
ora_user {'scott':
...
revoked => ['GRANT ANY ROLE'],
}
Here is an example when using ora_role
:
ora_role {'scott':
...
revoked => ['GRANT ANY ROLE'],
}
WARNING
When you us both the grants
and revoked
property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the revoked
property are removed. This way ensuring the most secure configuration.
revoked_with_admin
The grants you want to make sure are revoked from the ora_user
or ora_role
. It is different from the grants
property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user
Here is an example when using ora_user
:
ora_user {'scott':
...
revoked_with_admin => ['GRANT ANY ROLE'],
}
Here is an example when using ora_role
:
ora_role {'scott':
...
revoked_with_admin => ['GRANT ANY ROLE'],
}
WARNING
When you us both the grants_with_admin
and revoked_with_admin
property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the revoked_with_admin
property are removed. This way ensuring the most secure configuration.
schema_only
specify if the account is schema only, without password and cannot be logged in with.
Valid values are true
, false
.
sid
SID to connect to.
All types have a name like resource@sid
. The sid is optional. If you don’t specify the sid, the type will use the database from the /etc/ora_setting.yaml
with the property default
set to true
. We advise you to either use @sid
in all your manifests or leave it empty everywhere.
temporary_tablespace
The user’s temporary tablespace.
username
The user name.