CDB & PDB USERS AND PRIVILEGES

Within a container, only the following DDL statements accept container=all|current; every other DDL statement applies to the current container only:

create user, alter user, create role, grant, revoke

  1. user/role:

common user/role: can only be created in cdb$root or an application root, so container=all need not be specified at creation time

local user/role: can only be created in a PDB or an application PDB, so container=current likewise need not be specified at creation time

A common user/role has the same password in every container and it cannot be changed per container; its privileges, however, can differ between cdb$root and the individual PDBs.

2. grant&revoke:

The default is container=current.

grant:

With container=current you can grant to a local user, a common user, or a local role.

With container=all you can grant to a common user or a common role.

revoke:

With container=current you can revoke from a local user, a common user, or a local role. It only removes privileges that were granted with container=current; privileges granted with container=all are unaffected.

With container=all you can revoke from a common user or a common role. It only removes privileges that were granted with container=all; privileges granted with container=current are unaffected.

container=all does not only apply to all containers that exist now; it also takes effect for PDBs created later.

Setting CONTAINER to ALL applies the privilege to all existing and future containers;

Note: when an object privilege is granted with container=all, it must be a common object granted to a common user; in other words, only in an application root can a shared object be granted to a common user.
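The grant/revoke scoping rules above, as an added example that is not part of the original post. It assumes a common user C##APPADM and a PDB named PDBNEW (both assumed names), is run as SYSDBA starting in cdb$root, and uses the COMMON column of CDB_SYS_PRIVS to tell a local grant from a common one.

```sql
-- Added example (not from the original post). Run as SYSDBA, starting in CDB$ROOT.
-- Assumed names: common user C##APPADM, PDB named PDBNEW (must be open for CDB_ views to list it).

-- 1. Create the common user in root; no CONTAINER clause is needed (root implies ALL).
CREATE USER c##appadm IDENTIFIED BY "ChangeMe_1";

-- 2. Common grant: applies to every existing and future container.
GRANT CREATE SESSION TO c##appadm CONTAINER = ALL;

-- 3. Local grants inside one PDB: apply to PDBNEW only.
ALTER SESSION SET CONTAINER = pdbnew;
GRANT SELECT ANY TABLE TO c##appadm CONTAINER = CURRENT;
GRANT CREATE SESSION  TO c##appadm CONTAINER = CURRENT;  -- a second, local copy of the common grant

-- 4. Audit the scope of every grant from root.
--    COMMON = 'YES' means granted with CONTAINER = ALL, 'NO' means granted locally in that CON_ID.
ALTER SESSION SET CONTAINER = cdb$root;
SELECT con_id, grantee, privilege, common
  FROM cdb_sys_privs
 WHERE grantee = 'C##APPADM'
 ORDER BY con_id, privilege, common;

-- 5. A local revoke removes only the local copy; the common grant survives in every container.
ALTER SESSION SET CONTAINER = pdbnew;
REVOKE CREATE SESSION FROM c##appadm CONTAINER = CURRENT;
-- Re-run the audit query in root: the CREATE SESSION row with COMMON = 'YES' is still there.

-- 6. Only a common revoke, issued from root, removes the common grant.
ALTER SESSION SET CONTAINER = cdb$root;
REVOKE CREATE SESSION FROM c##appadm CONTAINER = ALL;
-- Re-run the audit query: only the local SELECT ANY TABLE grant in PDBNEW remains.
```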

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Privileges and roles:

  1. CREATE PLUGGABLE DATABASE: required for create/alter pluggable database, but granting it alone is not enough to execute them; normally sysdba or sysoper must be granted as well
  2. SET CONTAINER: the privilege to switch into a container
  3. PDB_DBA role: carries no system privileges, only the ability to execute some stored procedures
  4. CDB_DBA role: only the set container privilege plus select on three sys tables
  5. Starting with 12c, resource no longer also grants unlimited tablespace, and connect no longer grants only create session but also set container

pdb_dba and cdb_dba carry far fewer privileges than dba; granted on their own they are hard to work with.

Although the dba role includes CREATE PLUGGABLE DATABASE and SET CONTAINER, in cdb$root it cannot read other PDBs' information through the container views (that requires setting container_data, which is cumbersome), so it cannot run show pdbs, and it cannot start or stop PDBs either.

Use dba to manage a single container and sysdba to manage the CDB as a whole.

In addition, creating and modifying an application, and syncing it in the PDBs, all require dba privileges.

When granting to the public role in a CDB it is recommended not to use container=all, but I tried it and it can still be used and takes effect:

All privileges that Oracle grants to the PUBLIC role are granted locally.

This feature enables you to revoke privileges or roles that have been granted to the PUBLIC role individually in each PDB as needed. If you must grant any privileges to the PUBLIC role, then grant them locally. Never grant privileges to PUBLIC commonly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CONTAINER_DATA:

Can only be used in cdb$root. Setting a common user's container_data attribute lets that user see information from multiple containers through views or the data dictionary.

create user c##test identified by oracle;

grant dba to c##test container=all;

conn c##test/oracle

select * from cdb_pdbs;  -- empty

conn / as sysdba

Alter user c##test SET CONTAINER_DATA = (cdb$root, pdbnew, deppdb1) FOR cdb_pdbs container=current;   -- only container=current is allowed

col username format a10

col object_name format a20

col container_name format a10

set linesize 200

select username, OBJECT_NAME,CONTAINER_NAME from dba_container_data where username='C##TEST';

USERNAME   OBJECT_NAME          CONTAINER_

---------- -------------------- ----------

C##TEST    CDB_PDBS             CDB$ROOT

C##TEST    CDB_PDBS             PDBNEW

C##TEST    CDB_PDBS             DEPPDB1

Alter user c##test SET CONTAINER_DATA = (cdb$root, pdbnew, deppdb1) FOR v_$session container=current;   -- the sys user must use v_$session; a dba user can use v$session

select username, OBJECT_NAME,CONTAINER_NAME from dba_container_data where username='C##TEST';

USERNAME   OBJECT_NAME          CONTAINER_

---------- -------------------- ----------

C##TEST    V_$SESSION           CDB$ROOT

C##TEST    V_$SESSION           PDBNEW

C##TEST    V_$SESSION           DEPPDB1

C##TEST    CDB_PDBS             CDB$ROOT

C##TEST    CDB_PDBS             PDBNEW

C##TEST    CDB_PDBS             DEPPDB1

Omitting the data dictionary view or view name means ALL:

Alter user c##test SET CONTAINER_DATA = (cdb$root, pdbnew, deppdb1) container=current;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note:

  1. If a PDB is mounted while a common user is created/modified/dropped in cdb$root, the change is synchronized automatically when the PDB is opened read write
  2. Using container=all in cdb$root affects all PDBs and is synchronized immediately

Using container=all in an application root affects only that application root and its PDBs, and alter pluggable database application app$con sync must be run in the application PDBs before the change is synchronized.

  1. Only a common user or application common user that has been granted the set container privilege can use CONTAINER = ALL in SQL.
  2. The prefix for cdb$root common users/roles is set by the COMMON_USER_PREFIX parameter, default c##; in an application root the default is empty. Regardless of how this parameter is set, local users, roles and profiles cannot start with c##.
  3. A common user name may only consist of ASCII characters, and the default tablespace used by a common user must exist in every PDB.

CREATE USER testpdb IDENTIFIED BY password

   DEFAULT TABLESPACE pdb1_tbs

   QUOTA UNLIMITED ON pdb1_tbs

   CONTAINER = CURRENT|ALL;

  1. A common user is a user with the same name in root and in the PDBs (the user_id is not necessarily the same)
  2. A common user can log in to ROOT and every PDB container (given the privilege); a local user's current container can only be its own PDB.
  3. A common user administers the whole CDB, while a local user administers its own PDB

If a common user's current container is a PDB, all it can see and manage is that PDB.

A common user is a user that has the same identity in the root and in every existing and future PDB. A common user can log in to the root and any container in which it has been granted CREATE SESSION privilege. Some administrative tasks, such as creating a PDB or unplugging a PDB, must be performed by a common user. A CDB also supports local users. A local user is a user that exists in exactly one PDB.

  1. Oracle's default administrative users (such as sys and system) are also common users

Oracle provides two types of common users: CDB common users and application common users.

A CDB common user can perform all tasks that an application common user can perform, provided that appropriate privileges have been granted to that user.

All Oracle-supplied administrative user accounts, such as SYS and SYSTEM, are CDB common users and can navigate across the system container.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When a PDB is created by cloning or plugging in, the source's local users become the corresponding local users, but for common users:

  1. When cloning a remote PDB, user-created common users that existed in the source CDB but not in the target CDB do not have any privileges granted commonly. However, if the target CDB has a common user with the same name as a common user in the PDB, the latter is linked to the former and has the privileges granted to this common user in the target CDB.
  2. If the cloned or plugged-in PDB has a common user account that does not exist in the target CDB, and if this user does not own objects in the PDB, then Oracle Database drops the user during the synchronization step; otherwise, the user account is locked in the target PDB. You have the following options regarding locked accounts:

Close the PDB, connect to the root, and create a common user account with the same name. When the PDB is opened in read/write mode, differences in roles and privileges granted commonly to the user account are resolved, and you can unlock the account. Privileges and roles granted locally to the user account remain unchanged during this process.

Create a new local user account in the PDB and use Data Pump to export/import the locked user's data into the new local user's schema.

Leave the user account locked.

Drop the user account.

Example:

For instance, plugging pdb_1 from cdb_1 into cdb_2:

  1. cdb_1 has the common user c##cdb1_user. cdb_2 does not have this user.

c##cdb1_user remains in PDB_1 but this account is locked.

  2. cdb_1 and cdb_2 both have common user c##common_user.

Both c##common_user accounts are merged. c##common_user retains its password in cdb_2. Any privileges assigned to it in cdb_2 but not in cdb_1 are retained locally in pdb_1.

Using PDB Lockdown Profiles

A lockdown profile is created in cdb$root and is used to restrict which operations users (including sysdba) may perform inside the PDBs.

You can use PDB lockdown profiles in a multitenant container database (CDB) to restrict user operations in PDBs. After you create a PDB lockdown profile, you can add restrictions to the profile with the ALTER LOCKDOWN PROFILE statement. You can restrict user operations associated with certain database features, options, and SQL statements.

The PDB_LOCKDOWN initialization parameter selects which lockdown profile is used:

  1. If the parameter is set in cdb$root, it takes effect in all PDBs but not in cdb$root itself
  2. If it is set in an application root, it takes effect in that application root and its application PDBs
  3. If it is set in an individual PDB, it overrides the setting from cdb$root or the application root

Example:

ALTER SESSION SET CONTAINER=CDB$ROOT; 

Both create lockdown profile and alter lockdown profile must be executed in cdb$root.

CREATE LOCKDOWN PROFILE MYPROFILE;

ALTER LOCKDOWN PROFILE MYPROFILE DISABLE STATEMENT = ('ALTER SYSTEM');

ALTER LOCKDOWN PROFILE MYPROFILE ENABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');

ALTER LOCKDOWN PROFILE MYPROFILE DISABLE FEATURE = ('XDB_PROTOCOLS');

SELECT * FROM DBA_LOCKDOWN_PROFILES;   -- the STATUS column shows whether each rule enables or disables the operation

ALTER SESSION SET CONTAINER=PDBNEW;  

ALTER SYSTEM SET PDB_LOCKDOWN=MYPROFILE;

SHOW PARAMETER PDB_LOCKDOWN

NAME            TYPE        VALUE

------------------------------------ -----------

pdb_lockdown     string      MYPROFILE

To see the setting for all PDBs:

select con_id, value from v$system_parameter where name='pdb_lockdown';

Because alter system was restricted above, PDB_LOCKDOWN can no longer be reset from inside the PDB:

Show user

USER is "SYS"

ALTER SYSTEM SET PDB_LOCKDOWN='';

ORA-01031: insufficient privileges

ALTER SESSION SET CONTAINER=CDB$ROOT; 

DROP LOCKDOWN PROFILE MYPROFILE;
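A fuller hardening profile built the same way as the MYPROFILE example above, added here and not part of the original post; the profile name TENANT_HARDEN and the PDB name PDBNEW are assumed. It shows the disable-everything-then-re-enable pattern for ALTER SYSTEM, the feature bundles that close the OS and network paths out of a PDB, and the audit query to run against DBA_LOCKDOWN_PROFILES before the profile is assigned.

```sql
-- Added example (not from the original post). Run as SYSDBA.
-- Assumed names: lockdown profile TENANT_HARDEN, PDB named PDBNEW.
ALTER SESSION SET CONTAINER = cdb$root;     -- CREATE/ALTER LOCKDOWN PROFILE only work in root

CREATE LOCKDOWN PROFILE tenant_harden;

-- Block every ALTER SYSTEM clause first ...
ALTER LOCKDOWN PROFILE tenant_harden DISABLE STATEMENT = ('ALTER SYSTEM');

-- ... then re-open only the clauses a tenant DBA legitimately needs.
ALTER LOCKDOWN PROFILE tenant_harden ENABLE STATEMENT = ('ALTER SYSTEM')
      CLAUSE = ('FLUSH SHARED_POOL', 'KILL SESSION');
ALTER LOCKDOWN PROFILE tenant_harden ENABLE STATEMENT = ('ALTER SYSTEM')
      CLAUSE = ('SET') OPTION = ('CURSOR_SHARING', 'OPTIMIZER_MODE');
-- PDB_LOCKDOWN itself stays disabled, so the tenant cannot switch the profile off.

-- Close the escape hatches out of the PDB: network, OS and file-system access.
ALTER LOCKDOWN PROFILE tenant_harden DISABLE FEATURE =
      ('NETWORK_ACCESS', 'OS_ACCESS', 'LOB_FILE_ACCESS', 'XDB_PROTOCOLS');

-- Audit the rule set before it goes live: STATUS shows ENABLE/DISABLE per rule.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'TENANT_HARDEN'
 ORDER BY rule_type, rule, clause, clause_option;

-- Assign it inside the PDB. This ALTER SYSTEM SET succeeds because the profile is
-- not yet in force; once it is, the same statement fails with ORA-01031 (see above).
ALTER SESSION SET CONTAINER = pdbnew;
ALTER SYSTEM SET PDB_LOCKDOWN = tenant_harden;

-- Verify from root which containers are now covered (CON_ID 1 is root and is never restricted).
ALTER SESSION SET CONTAINER = cdb$root;
SELECT con_id, value FROM v$system_parameter WHERE name = 'pdb_lockdown';
```

To undo it, drop or alter the profile in cdb$root as in the example above; the PDB cannot release itself.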

alter lockdown profile syntax:

  1. lockdown_features::=

Use feature to specify the features whose operations you want to disable or enable. Table 11-1 lists the features you can specify and describes the operations associated with each feature.

The table also indicates a feature bundle for each feature. For feature, you can specify a feature bundle name to disable or enable user operations for all features in that bundle, or you can specify an individual feature name. You can specify feature bundle names and feature names in any combination of uppercase and lowercase letters.

Use ALL to specify all features listed in the table.

Use ALL EXCEPT to specify all features listed in the table except the specified features.

If you omit this clause, then the default is ENABLE ALL.

Example:

ALTER LOCKDOWN PROFILE hr_prof DISABLE FEATURE = ('NETWORK_ACCESS');

ALTER LOCKDOWN PROFILE hr_prof DISABLE FEATURE = ('LOB_FILE_ACCESS', 'TRACE_VIEW_ACCESS');

ALTER LOCKDOWN PROFILE hr_prof DISABLE FEATURE ALL EXCEPT = ('COMMON_USER_LOCAL_SCHEMA_ACCESS', 'LOCAL_USER_COMMON_SCHEMA_ACCESS');

ALTER LOCKDOWN PROFILE hr_prof DISABLE FEATURE ALL;

ALTER LOCKDOWN PROFILE hr_prof ENABLE FEATURE = ('UTL_HTTP', 'UTL_SMTP', 'OS_ACCESS');

ALTER LOCKDOWN PROFILE hr_prof ENABLE FEATURE ALL EXCEPT = ('AQ_PROTOCOLS', 'CTX_PROTOCOLS');

ALTER LOCKDOWN PROFILE hr_prof ENABLE FEATURE ALL;

  2. lockdown_options::=

For option, you can specify the following database options in any combination of uppercase and lowercase letters:

DATABASE QUEUING – Represents user operations associated with the Oracle Database Advanced Queuing option

PARTITIONING – Represents user operations associated with the Oracle Partitioning option

Use ALL to specify all options in the preceding list.

Use ALL EXCEPT to specify all options in the preceding list except the specified options.

If you omit this clause, then the default is ENABLE OPTION ALL.

Example:

ALTER LOCKDOWN PROFILE hr_prof DISABLE OPTION = ('DATABASE QUEUING');

ALTER LOCKDOWN PROFILE hr_prof DISABLE OPTION = ('PARTITIONING');

ALTER LOCKDOWN PROFILE hr_prof ENABLE OPTION = ('DATABASE QUEUING');

ALTER LOCKDOWN PROFILE hr_prof ENABLE OPTION ALL;

  3. lockdown_statements::=

For SQL_statement, you can specify the following statements in any combination of uppercase and lowercase letters:

ALTER DATABASE

ALTER PLUGGABLE DATABASE

ALTER SESSION

ALTER SYSTEM

Use ALL to specify all statements in the preceding list.

Use ALL EXCEPT to specify all statements in the preceding list except the specified statements.

If you omit this clause, then the default is ENABLE STATEMENT ALL.

statement_clauses::=

For clause, you must specify at least enough keywords to unambiguously identify a single clause for the SQL statement. The following are some examples of how to specify clause for the ALTER SYSTEM statement:

To specify the archive_log_clause::=, specify ARCHIVE. This is sufficient because no other ALTER SYSTEM clause begins with the keyword ARCHIVE. Alternatively, you can specify ARCHIVE LOG for semantic clarity, but the LOG keyword is unnecessary.

To specify either of the rolling_migration_clauses::=, you must specify START ROLLING MIGRATION or STOP ROLLING MIGRATION in order to distinguish these clauses from the similarly named rolling_patch_clauses::= START ROLLING PATCH and STOP ROLLING PATCH.

You cannot specify the single keyword FLUSH, because several ALTER SYSTEM clauses begin with this keyword. You must instead specify each clause separately, such as FLUSH SHARED_POOL or FLUSH GLOBAL CONTEXT.

There is no need to specify optional keywords within a clause, because they have no effect. For example:

The archive_log_clause::= has an optional INSTANCE keyword. However, you cannot enable or disable only ARCHIVE LOG clauses that contain the INSTANCE keyword. Specifying ARCHIVE LOG INSTANCE is equivalent to specifying ARCHIVE or ARCHIVE LOG.

There is no need to specify parameter values within a clause, because they have no effect. For example:

The shutdown_dispatcher_clause::= requires you to specify a dispatcher_name. However, you cannot enable or disable SHUTDOWN clauses that contain a specific dispatcher name. Specifying SHUTDOWN dispatcher1 is equivalent to specifying SHUTDOWN.

clause_options::=

This clause is valid only when you specify one of the following for lockdown_statements and statement_clauses:

{ DISABLE | ENABLE } STATEMENT = ('ALTER SESSION') CLAUSE = ('SET')

{ DISABLE | ENABLE } STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET')

This clause lets you disable or enable the setting or modification of specific options with the ALTER SESSION SET or ALTER SYSTEM SET statements.

Use clause_option to specify the option you want to disable or enable.

Use clause_option_pattern to specify a pattern that matches multiple options. Within the pattern, specify a percent sign (%) to match zero or more characters in an option name. For example, specifying 'QUERY_REWRITE_%' is equivalent to specifying both the QUERY_REWRITE_ENABLED and QUERY_REWRITE_INTEGRITY options.

You can specify clause_option and clause_option_pattern in any combination of uppercase and lowercase letters.

Use ALL to specify all options.

Use ALL EXCEPT to specify all options except the specified options.

option_values::=

This clause is valid only when you specify one of the following for lockdown_statements, statement_clauses, and clause_options:

DISABLE STATEMENT = ('ALTER SESSION') CLAUSE = ('SET') OPTION = clause_option

DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') OPTION = clause_option

This clause lets you specify a default value for an option when disabling the setting of that option. For options that take numeric values, this clause also lets you restrict users from setting an option to certain values.

The VALUE clause lets you specify a default option_value for clause_option, which will go into effect for any PDB to which the profile applies after you close and reopen the PDB. If clause_option accepts multiple default values, then you can specify more than one option_value in a comma-separated list. The purpose of using this clause is to simultaneously set a default value for an option and restrict users from setting or modifying the value.

The MINVALUE clause lets you restrict users from setting the value of clause_option to a value less than option_value. You can specify this clause only for options that take a numeric value.

The MAXVALUE clause lets you restrict users from setting the value of clause_option to a value greater than option_value. You can specify this clause only for options that take a numeric value.

You can specify both the MINVALUE and MAXVALUE clauses together to restrict users from setting the value of clause_options to any value less than MINVALUE or greater than MAXVALUE.

MINVALUE and MAXVALUE settings take effect immediately when the lockdown profile is assigned to a PDB; you need not close and reopen the PDB.

Example:

ALTER LOCKDOWN PROFILE hr_prof DISABLE STATEMENT = ('ALTER DATABASE');

ALTER LOCKDOWN PROFILE hr_prof DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SUSPEND', 'RESUME');

ALTER LOCKDOWN PROFILE hr_prof DISABLE STATEMENT = ('ALTER PLUGGABLE DATABASE')

          CLAUSE ALL EXCEPT = ('DEFAULT TABLESPACE', 'DEFAULT TEMPORARY TABLESPACE');

ALTER LOCKDOWN PROFILE hr_prof DISABLE STATEMENT = ('ALTER SESSION')

          CLAUSE = ('SET') OPTION = ('COMMIT_WAIT', 'CURSOR_SHARING');

ALTER LOCKDOWN PROFILE hr_prof

  DISABLE STATEMENT = ('ALTER SYSTEM')

          CLAUSE = ('SET')

          OPTION = ('PDB_FILE_NAME_CONVERT')

          VALUE = ('cdb1_pdb0', 'cdb1_pdb1');

The following statement disables using the ALTER SYSTEM statement to set or modify the value of CPU_COUNT to a value less than 8:

ALTER LOCKDOWN PROFILE hr_prof

  DISABLE STATEMENT = ('ALTER SYSTEM')

          CLAUSE = ('SET')

          OPTION = ('CPU_COUNT')

          MINVALUE = '8';

The following statement disables using the ALTER SYSTEM statement to set or modify the value of CPU_COUNT to a value greater than 2:

ALTER LOCKDOWN PROFILE hr_prof

  DISABLE STATEMENT = ('ALTER SYSTEM')

          CLAUSE = ('SET')

          OPTION = ('CPU_COUNT')

          MAXVALUE = '2';

ALTER LOCKDOWN PROFILE hr_prof

  DISABLE STATEMENT = ('ALTER SYSTEM')

          CLAUSE = ('SET')

          OPTION = ('CPU_COUNT')

          MINVALUE = '2'

          MAXVALUE = '6';

ALTER LOCKDOWN PROFILE hr_prof

  ENABLE STATEMENT ALL EXCEPT = ('ALTER DATABASE');

ALTER LOCKDOWN PROFILE hr_prof

  ENABLE STATEMENT = ('ALTER DATABASE')

          CLAUSE = ('MOUNT', 'OPEN');

ALTER LOCKDOWN PROFILE hr_prof

  ENABLE STATEMENT = ('ALTER PLUGGABLE DATABASE')

         CLAUSE ALL EXCEPT = ('DEFAULT TABLESPACE', 'DEFAULT TEMPORARY TABLESPACE');

ALTER LOCKDOWN PROFILE hr_prof

  ENABLE STATEMENT = ('ALTER SESSION')

         CLAUSE = ('SET')

         OPTION = ('COMMIT_WAIT', 'CURSOR_SHARING');
