Oracle Virtual Private Database

The idea of Virtual Private Database (VPD) is to let users who have access to a table see ONLY a subset of the data within the table. The technique is based on a function whose return value is appended to the executed SQL statement as a WHERE clause predicate. The subset of data can be defined at the row level or the column level.

For demonstration, I will be using a table called EMP under SCOTT schema.

I will also create 2 accounts:
SQL> create user manager identified by mono670;
SQL> grant create session to manager;
SQL> grant select on SCOTT.EMP to manager;
SQL> create user clerk identified by clerk332;
SQL> grant create session to clerk;
SQL> grant select on SCOTT.EMP to clerk;
Connecting as accounts MANAGER and CLERK, I can see the full table data!

Now I will create a security administrator account:
SQL> alter session set container=CDB$root;
SQL> create user security_admin identified by zorro3_g;
SQL> grant create session to security_admin;
SQL> grant create procedure to security_admin;
Now I am going to create the function:
SQL> CREATE OR REPLACE FUNCTION VPD_FUNC
(schema_v IN VARCHAR2, tbl_v IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
-- The returned string is appended as a WHERE predicate to queries on the protected table.
RETURN 'upper(ename) = SYS_CONTEXT(''USERENV'', ''CURRENT_USER'') OR upper(job) =
SYS_CONTEXT(''USERENV'', ''CURRENT_USER'')';
END;
/

Then, as the SYS user in the pluggable database PDB_ORIGIN, configure the policy:
SQL> begin
sys.dbms_rls.add_policy(
object_schema=>'SCOTT',
object_name=>'EMP',
policy_name=>'VPD1_POLICY',
function_schema=>'security_admin',
policy_function=>'VPD_FUNC',
statement_types => 'SELECT');
end;
/
Connecting as account “manager”, I can see only the data related to “manager” records.

The same applies to “CLERK”.
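
The policy created above can be verified from the data dictionary. The checks below are an added example, not part of the original post; they assume a DBA session in the pluggable database that holds SCOTT.EMP and use only the object names created above.

```sql
-- Added example (not from the original post): post-deployment checks for VPD1_POLICY.

-- 1. Is the policy attached and enabled, and which statement types does it cover?
--    The policy above was created for SELECT only, so expect SEL = YES and
--    INS/UPD/DEL = NO.
SELECT policy_name, pf_owner, function, sel, ins, upd, del, enable
FROM   dba_policies
WHERE  object_owner = 'SCOTT'
AND    object_name  = 'EMP';

-- 2. Who is never filtered? Holders of EXEMPT ACCESS POLICY (users or roles)
--    bypass every VPD policy; SYS is always exempt.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY';

-- 3. Who can change the filter? Anyone able to replace the policy function
--    or to call DBMS_RLS can widen or remove the predicate.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'ALTER ANY PROCEDURE');

SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_RLS';

-- 4. Which predicate was actually appended? V$VPD_POLICY lists the predicate
--    for cursors currently in the shared pool, so query SCOTT.EMP as MANAGER
--    or CLERK first, then run this.
SELECT sql_id, object_owner, object_name, policy, predicate
FROM   v$vpd_policy
WHERE  object_owner = 'SCOTT'
AND    object_name  = 'EMP';
```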

This is a very nice security feature that many organizations can use to restrict access to data within the table itself.

ORA-06512: at “CTXSYS.TEXTINDEXMETHODS”, line 366

While creating a domain index as the SYS user for a table, the following error was thrown:

ERROR at line 1:
ORA-29855: error occurred in the execution of ODCIINDEXCREATE routine
ORA-20000: Oracle Text error:
DRG-50857: oracle error in drvxtab.create_index_tables
ORA-01031: insufficient privileges
ORA-06512: at "CTXSYS.DRUE", line 160
ORA-06512: at "CTXSYS.TEXTINDEXMETHODS", line 366

Solution:

Grant CREATE TABLE to the schema account that owns the table.

ORA-27211: Failed to load Media Management Library

While configuring RMAN for a new database, the following errors were thrown while running the backup:

using target database control file instead of recovery catalog
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of backup command at 10/09/2017 15:14:51
ORA-19554: error allocating device, device type: SBT_TAPE, device name:
ORA-27211: Failed to load Media Management Library
Additional information: 2

SOLUTION:

cd $ORACLE_HOME/lib
relink all
ln -s /usr/openv/netbackup/bin/libobk.so64 libobk.so

Oracle Database Control File

An Oracle Database Control file contains crucial information such as:

  • The database name
  • The timestamp of database creation
  • The names and locations of associated datafiles and redo log files
  • Tablespace information
  • Datafile offline ranges
  • The log history
  • Archived log information
  • Backup set and backup piece information
  • Backup datafile and redo log information
  • Datafile copy information
  • The current log sequence number
  • Checkpoint information

 

You can’t start the database to “MOUNT” state unless a control file exists.

The parameter CONTROL_FILE_RECORD_KEEP_TIME specifies the minimum number of days before a reusable record in the control file can be reused. The default value is 7.

An Auto-Backup control file can be set as follows:

RMAN> SHOW CONTROLFILE AUTOBACKUP;

RMAN> CONFIGURE CONTROLFILE AUTOBACKUP ON;

Autobackup will be triggered whenever a structural change takes place, such as adding a new data file, dropping a data file or renaming a data file. Of course, a control file backup will also be included with a full database backup, together with datafile 1, which belongs to the SYSTEM tablespace.

 

How to restore the database control file when it is damaged or removed by mistake:

METHOD NO.1: re-creating the control file:

  1. Execute the SQL statement below to write a copy of the control file definition to a trace file:

SQL> alter database backup controlfile to trace as 'C:\app\emodb\diag\rdbms\hero\hero\trace\cntl_aug5_backup.trc';

  2. Gather information:

SQL> spool gather_info
SQL> SELECT MEMBER FROM V$LOGFILE;
SQL> SELECT NAME FROM V$DATAFILE;
SQL> SELECT VALUE FROM V$PARAMETER WHERE NAME = 'control_files';
SQL> spool off

  3. Shut down the database: SQL> shutdown immediate;

  4. SQL> STARTUP NOMOUNT

  5. Create a new control file for the database using the CREATE CONTROLFILE statement. When creating a new control file (from the trace file), specify the RESETLOGS clause if you have lost any redo log groups in addition to the control files. In this case, you will need to recover from the loss of the redo logs. You must also specify the RESETLOGS clause if you have renamed the database. Otherwise, select the NORESETLOGS clause.

  6. If you are creating the control file as part of recovery, recover the database. If the new control file was created using the NORESETLOGS clause, you can recover the database with complete, closed database recovery.

  7. If you did not perform recovery, or you performed complete, closed database recovery in step 6, open the database normally.

SQL> ALTER DATABASE OPEN;
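
The CREATE CONTROLFILE step described above, written out for the NORESETLOGS case as an added example that is not from the original post. The database name HERO is taken from the trace path above; every file path, size and limit is a constructed placeholder to be replaced with the values from the trace file and the gather_info spool.

```sql
-- Added example: re-creating the control file with NORESETLOGS.
-- All paths, sizes and MAX* limits are constructed placeholders.
STARTUP NOMOUNT

CREATE CONTROLFILE REUSE DATABASE "HERO" NORESETLOGS ARCHIVELOG
    MAXLOGFILES 16
    MAXLOGMEMBERS 3
    MAXDATAFILES 100
    MAXINSTANCES 8
    MAXLOGHISTORY 292
LOGFILE
    -- one entry per row returned by V$LOGFILE
    GROUP 1 'C:\PLACEHOLDER\HERO\REDO01.LOG' SIZE 50M,
    GROUP 2 'C:\PLACEHOLDER\HERO\REDO02.LOG' SIZE 50M,
    GROUP 3 'C:\PLACEHOLDER\HERO\REDO03.LOG' SIZE 50M
DATAFILE
    -- one entry per row returned by V$DATAFILE; a missing file here is
    -- dropped from the database's view of itself
    'C:\PLACEHOLDER\HERO\SYSTEM01.DBF',
    'C:\PLACEHOLDER\HERO\SYSAUX01.DBF',
    'C:\PLACEHOLDER\HERO\UNDOTBS01.DBF',
    'C:\PLACEHOLDER\HERO\USERS01.DBF'
CHARACTER SET AL32UTF8;

-- The statement leaves the database mounted. With NORESETLOGS and all
-- online redo logs intact, complete closed recovery is possible:
RECOVER DATABASE

ALTER DATABASE OPEN;

-- Temp files are not listed in CREATE CONTROLFILE, so they must be
-- added back after the database is open.
ALTER TABLESPACE TEMP ADD TEMPFILE 'C:\PLACEHOLDER\HERO\TEMP01.DBF' REUSE;
```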

 

 

METHOD NO.2: RMAN

RMAN> list backup of controlfile;
RMAN> SHOW CONTROLFILE AUTOBACKUP;

RMAN> restore controlfile from autobackup;

OR

RMAN> restore controlfile;

OR

Restore the control file from a specific autobackup file to a temporary disk location, then replicate the temporary control file to the respective locations and names given in control_files:

RMAN> restore controlfile from '/tmp/c-1140771490-2008050203' to '/tmp/control.tmp';
RMAN> replicate controlfile from '/tmp/control.tmp';

Oracle ERROR ORA-28221: REPLACE not specified

I am going to simulate a scenario in which an account owner would like to change the password of his account by himself.

-- As the SYS user or a user with the “DBA” role, I will create an account “dropme”:

SQL> create user dropme identified by drop23_k23;
SQL> grant create session to dropme;
exit

-- I will now connect using the account “dropme” against the DB1 database:

sqlplus dropme/drop23_k23@DB1
SQL> alter user dropme identified by kitk38_x9;

An error ORA-28221 is thrown!

To fix that, you need to specify the old password:

SQL> alter user dropme identified by kitk38_x9 REPLACE drop23_k23;

Unfortunately, with some third-party applications (from my experience), the password change goes through the application and the “REPLACE” clause won’t be executed. How do you solve that in this case?

1. You can either grant the account the “alter user” privilege temporarily:

SQL> grant alter user to dropme;

OR

2. Remove the password verify function (set it to NULL) from the profile the user is assigned to:

SQL> ALTER PROFILE "DEFAULT" LIMIT
  SESSIONS_PER_USER UNLIMITED
  CPU_PER_SESSION UNLIMITED
  CPU_PER_CALL UNLIMITED
  CONNECT_TIME UNLIMITED
  IDLE_TIME UNLIMITED
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL UNLIMITED
  COMPOSITE_LIMIT UNLIMITED
  PRIVATE_SGA UNLIMITED
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LIFE_TIME UNLIMITED
  PASSWORD_REUSE_TIME UNLIMITED
  PASSWORD_REUSE_MAX UNLIMITED
  PASSWORD_LOCK_TIME UNLIMITED
  PASSWORD_GRACE_TIME 5
  PASSWORD_VERIFY_FUNCTION NULL;
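
Both workarounds are broader than the one account: the ALTER USER system privilege covers every user in the database, and the verify function applies to every user of the profile. The following added example (not from the original post) records the starting state, keeps each change to a short window and verifies the rollback; ORA12C_VERIFY_FUNCTION is an assumption standing in for whatever function the first query reports.

```sql
-- Added example, not from the original post. Run as a DBA.

-- 1. Record the profile and verify function in force before changing anything.
SELECT u.username, u.profile, p.limit AS verify_function
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.username = 'DROPME'
AND    p.resource_name = 'PASSWORD_VERIFY_FUNCTION';

-- Option 1: temporary grant. ALTER USER lets the grantee change ANY account,
-- so revoke it as soon as the application has changed the password.
GRANT ALTER USER TO dropme;
-- ... the application performs the password change here ...
REVOKE ALTER USER FROM dropme;

-- Confirm no direct grant is left behind (expect no rows).
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'DROPME'
AND    privilege = 'ALTER USER';

-- Option 2: change only the one limit instead of restating the whole profile,
-- then restore the function recorded by query 1.
ALTER PROFILE "DEFAULT" LIMIT PASSWORD_VERIFY_FUNCTION NULL;
-- ... the application performs the password change here ...
ALTER PROFILE "DEFAULT" LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;  -- assumption: value from query 1

-- Confirm the verify function is back in place.
SELECT profile, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_name = 'PASSWORD_VERIFY_FUNCTION';
```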

Applying PSU results ORA-22308: operation not allowed on evolved type

While applying Oracle PSU patches on a 12cR1 database and checking the view dba_registry_sqlpatch, the STATUS was “WITH ERRORS”.

In order to fix this, you need to check the log file for the patch (you can find the location of the log file from dba_registry_sqlpatch or by using the DBMS_QOPATCH package). In my case the error was referring to a Database Vault type:

create or replace type dvsys.ku$_dv_realm_member_t as object
*
ERROR at line 1:
ORA-22308: operation not allowed on evolved type

To fix this:

SQL> drop type dvsys.ku$_dv_realm_member_t validate;

Then:

cd $ORACLE_HOME/OPatch
./datapatch -verbose

Managing RMAN Configuration using DBMS_BACKUP_RESTORE Package

In this blog article, I will illustrate the ability to change RMAN configuration through SQL using DBMS_BACKUP_RESTORE package. This package is not well known and is not documented.

 

Traditionally we use the RMAN interface utility as shown:

rman target /
RMAN> show all;

Let us now explore changing the RMAN configuration through the package:

SQL> VARIABLE rman_config NUMBER;
SQL> EXECUTE :rman_config := SYS.DBMS_BACKUP_RESTORE.SETCONFIG('BACKUP OPTIMIZATION','ON');

Checking through the RMAN interface utility, we can see that the configuration change is reflected successfully.

What are the benefits?

This will help you with the provisioning and automation of your new databases to have identical RMAN configuration. Also, this will enable you to propagate RMAN configuration changes to all of your landscape.

Oracle PSU Error UtilSession failed: Lock file left by a different patch, OPatch will not try re-using the lock file

PROBLEM DESCRIPTION:

For some reason my session was kicked out and the patch process didn’t complete. Then, when I tried to re-apply the patch, the following error was thrown:

UtilSession failed: Lock file left by a different patch, OPatch will not try re-using the lock file. 

OPatch failed with error code 73

SOLUTION:

Remove the patch lock file using the UNIX command below:

rm $ORACLE_HOME/.patch_storage/patch_locked

Then try to re-apply the patch.

Applying PSU results “patching Following executables are active”

While patching an Oracle 12c database in a Linux environment, I faced the error below while applying the patch using the OPatch utility (although the database is shut down):

Verifying environment and performing prerequisite checks...
Prerequisite check "CheckActiveFilesAndExecutables" failed.
The details are:
Following executables are active :
/oracl/db11/product/12.1.0.2/lib/libclntsh.so.12.1
UtilSession failed: Prerequisite check "CheckActiveFilesAndExecutables" failed.

Solution:

Find the process that is locking the file using the fuser command:

fuser -u /oracl/db11/product/12.1.0.2/lib/libclntsh.so.12.1

and then kill it using the kill -9 command.

set define off and ‘&’ in your SQL Code

Have you ever faced a problem where you executed SQL code sent to you by a developer and a pop-up window appeared?

To avoid this, just add the following statement at the start:

set define off

When you have '&' inside a SQL script, you need to specify “set define off” at the beginning of the code. It will turn off substitution variables.