ORACLE user profile配置/管理/维护
今天在新数据库上面创建一个USER时,要求配置资源限制,很久没有玩ORACLE了,这个东西还玩得差不多了。
user profile包括了两部分内容,1.是资源的限制,但是这个默认是不生效的,要启动(resource_limit为true)才生效。2.用户密码限制,这个配置后,再用户下次登陆就生效。通过user profile配置的限制都是在用户下次登陆时生效,对当前的session不生效。数据库中有一个默认的profile,名字是DEFAULT,在11G前这个DEFAULT没有任何的限制,但是从11G开始,对PASSWORD_LIFE_TIME 为180,FAILED_LOGIN_ATTEMPTS为10次。
资源的限制包括下面几个部分
下面是详细的说明
SESSIONS_PER_USER:指定每一个用户最大可以并发sessions,如果达到了最大session后会报ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit错误
CPU_PER_SESSION:指定每一个SESSION总共使用CPU时间,单位是1/100秒,如果超过后会报下面的错误ORA-02392: exceeded session limit on CPU usage, you are being logged off
CPU_PER_CALL:每一次CALL使用的CPU时间,也就是一条SQL调用(a parse, execute, or fetch),单位是1/100秒,如果超过后会报ORA-02393: exceeded call limit on CPU usage。
CONNECT_TIME:限制一个session总的连接时间,单位为分钟。如果超过最大值会报ORA-02399: exceeded maximum connect time, you are being logged off
IDLE_TIME:指定一个session空闲的时间,单位为分钟。如果超过最大值会报ORA-02396: exceeded maximum idle time, please connect again
LOGICAL_READS_PER_SESSION:限制每一个session读取logical块的个数。
LOGICAL_READS_PER_CALL:限制一条SQL读取logical块的个数。如果超过最大值会报ORA-02395: exceeded call limit on IO usage
PRIVATE_SGA:限制一个session在sga中私有空间的分配。
COMPOSITE_LIMIT:指定一个session总的资源代价。
FAILED_LOGIN_ATTEMPTS:指定帐户在被锁之前可以使用错误密码尝试登陆的次数,默认是10次
PASSWORD_LIFE_TIME:指定密码存活的天数,默认是180天。
PASSWORD_LOCK_TIME:登陆失败过,帐户被锁定的天数。默认值是1天。
PASSWORD_GRACE_TIME:指密码到期后,还可以使用多少天来登陆数据库,默认是7天。
PASSWORD_VERIFY_FUNCTION:指定密码验证函数。如果为null就表示没有。
PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX :这个两个参数要一起配置才会生效,PASSWORD_REUSE_TIME指相同密码被重用的间隔天数,PASSWORD_REUSE_MAX相同密码再次被重用要求最低的密码修改次数(不包括本次修改成重用密码)
下面是开始测试:
测试环境:OS RHEL 5.6 X86_64 DB:11.2.0.2
1,创建profile
- CREATE PROFILE test_profile LIMIT
- SESSIONS_PER_USER 100
- CPU_PER_SESSION 500
- CPU_PER_CALL 500
- CONNECT_TIME 3
- IDLE_TIME 2
- LOGICAL_READS_PER_SESSION 1000
- LOGICAL_READS_PER_CALL 1000
- COMPOSITE_LIMIT DEFAULT
- PRIVATE_SGA 2
- FAILED_LOGIN_ATTEMPTS 2
- PASSWORD_LIFE_TIME 0.0017
- PASSWORD_REUSE_TIME 0.0024
- PASSWORD_REUSE_MAX 2
- PASSWORD_LOCK_TIME 0.0017
- PASSWORD_GRACE_TIME 1;
2.查看profile的内容
- SQL> set lines 100
- SQL> col profile for a15
- SQL> col resource_name for a30
- SQL> col limit for a14
- SQL> select * from dba_profiles where profile='TEST_PROFILE';
- PROFILE RESOURCE_NAME RESOURCE LIMIT
- --------------- ------------------------------ -------- --------------
- TEST_PROFILE COMPOSITE_LIMIT KERNEL DEFAULT
- TEST_PROFILE SESSIONS_PER_USER KERNEL 100
- TEST_PROFILE CPU_PER_SESSION KERNEL 500
- TEST_PROFILE CPU_PER_CALL KERNEL 500
- TEST_PROFILE LOGICAL_READS_PER_SESSION KERNEL 1000
- TEST_PROFILE LOGICAL_READS_PER_CALL KERNEL 1000
- TEST_PROFILE IDLE_TIME KERNEL 2
- TEST_PROFILE CONNECT_TIME KERNEL 3
- TEST_PROFILE PRIVATE_SGA KERNEL 2
- TEST_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD 2
- TEST_PROFILE PASSWORD_LIFE_TIME PASSWORD .0017
- PROFILE RESOURCE_NAME RESOURCE LIMIT
- --------------- ------------------------------ -------- --------------
- TEST_PROFILE PASSWORD_REUSE_TIME PASSWORD .0023
- TEST_PROFILE PASSWORD_REUSE_MAX PASSWORD 2
- TEST_PROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT
- TEST_PROFILE PASSWORD_LOCK_TIME PASSWORD .0017
- TEST_PROFILE PASSWORD_GRACE_TIME PASSWORD 1
- 16 rows selected.
3 修改/查看某个用户的profile
- SQL> select username,profile from dba_users where username='SCOTT';
- USERNAME PROFILE
- ------------------------------ ---------------
- SCOTT DEFAULT
- SQL> alter user scott profile test_profile;
- User altered.
- SQL> select username,profile from dba_users where username='SCOTT';
- USERNAME PROFILE
- ------------------------------ ---------------
- SCOTT TEST_PROFILE
4 修改profile中的资源的值。
这里包括两部分的内容,1.修改成用户指定的值,2.是修改成系统默认的值
- #修改成用户指定的值
- SQL> select * from dba_profiles where profile='TEST_PROFILE' and RESOURCE_NAME='CPU_PER_SESSION'
- 2 ;
- PROFILE RESOURCE_NAME RESOURCE LIMIT
- --------------- ------------------------------ -------- --------------
- TEST_PROFILE CPU_PER_SESSION KERNEL 500
- SQL> alter profile test_profile limit cpu_per_session 100;
- Profile altered.
- SQL> select * from dba_profiles where profile='TEST_PROFILE' and RESOURCE_NAME='CPU_PER_SESSION';
- PROFILE RESOURCE_NAME RESOURCE LIMIT
- --------------- ------------------------------ -------- --------------
- TEST_PROFILE CPU_PER_SESSION KERNEL 100
- #修改成系统默认的值
- SQL> alter profile test_profile limit cpu_per_session default;
- Profile altered.
- SQL> select * from dba_profiles where profile='TEST_PROFILE' and RESOURCE_NAME='CPU_PER_SESSION';
- PROFILE RESOURCE_NAME RESOURCE LIMIT
- --------------- ------------------------------ -------- --------------
- TEST_PROFILE CPU_PER_SESSION KERNEL DEFAULT
5 删除profile
当某个profile被删除时,如果这个profile已经被分配给某个用户,那么我们在删除的时候要加上cascade,并且已经被分配的用户的profile会被自己修改成default profile。
- SQL> select username,profile from dba_users where username='SCOTT';
- USERNAME PROFILE
- ------------------------------ ---------------
- SCOTT TEST_PROFILE
- SQL> drop profile test_profile;
- drop profile test_profile
- *
- ERROR at line 1:
- ORA-02382: profile TEST_PROFILE has users assigned, cannot drop without CASCADE
- SQL> drop profile test_profile cascade;
- Profile dropped.
- SQL> select username,profile from dba_users where username='SCOTT';
- USERNAME PROFILE
- ------------------------------ ---------------
- SCOTT DEFAULT
6。修改参数,使资源限制生效
这个参数默认值是false,是一个动态参数
- SQL> show parameter resource_limit;
- NAME TYPE VALUE
- ------------------------------------ ----------- ------------------------------
- resource_limit boolean FALSE
- SQL> alter system set resource_limit=true;
- System altered.
user profile这个比较操作比较简单,重要的是要理解里面参数的含意。
下面是资源限制达到最大值后的报错提示。
- [oracle@test dbmonitor]$ sqlplus scott/oracle
- SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 8 21:26:38 2012
- Copyright (c) 1982, 2010, Oracle. All rights reserved.
- ERROR:
- sessions_per_user
- ORA-02391: exceeded simultaneous SESSIONS_PER_USER limit
- cpu_per_session
- ORA-02392: exceeded session limit on CPU usage, you are being logged off
- CPU_PER_CALL;
- ORA-00604: error occurred at recursive SQL level 1
- ORA-02393: exceeded call limit on CPU usage
- CONNECT_TIME
- ORA-02399: exceeded maximum connect time, you are being logged off
- IDLE_TIME
- ERROR at line 1:
- ORA-02396: exceeded maximum idle time, please connect again
- logical_reads_per_session
- ERROR:
- ORA-02394: exceeded session limit on IO usage, you are being logged off
- LOGICAL_READS_PER_CALL
- ORA-02395: exceeded call limit on IO usage