DBMS_NETWORK_ACL_ADMIN

arcsdegeoLeave a comment

The NETWORK_ACL_ADMIN package provides the interface to administer the network access control lists (ACL). ACLs are used to control access by users to external network services and resources from the database through PL/SQL network utility packages including UTL_TCP, UTL_HTTP, UTL_SMTP andUTL_INADDR.

starting with Oracle 12c oracle have deprecated subprograms such as: ADD_PRIVILEGE, CHECK_PRIVILEGE Function, CREATE ACL Procedure, DELETE PRIVILEGE Procedure. for further guide please visit:

http://docs.oracle.com/cd/E16655_01/appdev.121/e17602/d_networkacl_adm.htm#ARPLS148

 

The below is a guide for 11g Version:

Access control lists are manipulated using the DBMS_NETWORK_ACL_ADMIN package. The CREATE_ACL procedure uses the following parameters to create a new ACL:

  • acl – The name of the access control list XML file, generated relative to the “/sys/acls” directory in the XML DB Repository.
  • description – A description of the ACL.
  • principal – The first user account or role being granted or denied permissions. The text is case sensitive.
  • is_grant – TRUE to grant, FALSE to deny the privilege.
  • privilege – Use ‘connect’ for UTL_TCP, UTL_SMTP, UTL_MAIL and UTL_HTTP access. Use ‘resolve’ for UTL_INADDR name/IP resolution. The text is case sensitive.
  • start_date – Default value NULL. When specified, the ACL will only be active on or after the specified date.
  • end_date – An optional end date for the ACL.

The following code creates two test users to act as principals, then creates a new ACL.

CONN sys/password@db11g AS SYSDBA

CREATE USER test1 IDENTIFIED BY test1;

GRANT CONNECT TO test1;

CREATE USER test2 IDENTIFIED BY test2;

GRANT CONNECT TO test2;

BEGIN

DBMS_NETWORK_ACL_ADMIN.create_acl (

acl          => ‘test_acl_file.xml’,

description  => ‘A test of the ACL functionality’,

principal    => ‘TEST1’,

is_grant     => TRUE,

privilege    => ‘connect’,

start_date   => SYSTIMESTAMP,

end_date     => NULL);

COMMIT;

END;

/

Once created, the ACL is visible in the “http://host:port/sys/acls/” directory.

Additional users or roles are added to the ACL using the ADD_PRIVILEGE procedure. Its parameter list is similar to the CREATE_ACL procedure, with the omission of the DESCRIPTION parameter and the addition of a POSITION parameter, which sets the order of precedence.

BEGIN

DBMS_NETWORK_ACL_ADMIN.add_privilege (

acl         => ‘test_acl_file.xml’,

principal   => ‘TEST2’,

is_grant    => FALSE,

privilege   => ‘connect’,

position    => NULL,

start_date  => NULL,

end_date    => NULL);

COMMIT;

END;

/

====================================================================

select grantee , table_name , privilege from dba_tab_privs where table_name = ‘UTL_HTTP’ and grantee = ‘PUBLIC’;

http://www.oracle-base.com/articles/11g/fine-grained-access-to-network-services-11gr1.php

http://www.oracleflash.com/36/Oracle-11g-Access-Control-List-for-External-Network-Services.html

Querying current ACL’s configured in the database:

SELECT acl,

principal,

privilege,

is_grant,

TO_CHAR(start_date, ‘DD-MON-YYYY’) AS start_date,

TO_CHAR(end_date, ‘DD-MON-YYYY’) AS end_date

FROM   dba_network_acl_privileges;

Checking ACL Privileges:

SELECT DECODE(
         DBMS_NETWORK_ACL_ADMIN.check_privilege('test_acl_file.xml', 'TEST1', 'connect'),
         1, 'GRANTED', 0, 'DENIED', NULL) privilege 
FROM dual;

 

Dropping ACL:

BEGIN

DBMS_NETWORK_ACL_ADMIN.drop_acl (

acl         => ‘test_acl_file.xml’);

COMMIT;

END;

/

Deleting ACL privilege:

BEGIN

DBMS_NETWORK_ACL_ADMIN.delete_privilege (

acl         => ‘test_acl_file.xml’,

principal   => ‘TEST2’,

is_grant    => FALSE,

privilege   => ‘connect’);

COMMIT;

END;

/

ERROR 000955: Error encountered migrating the database storage

arcsdegeoLeave a comment

i have faced the following erorr while performing data migration from SDEBINARY to BLOB using  the Geo-processing Tool (Migrate Storage (Data Management):

ERROR 000955: Error encountered migrating the database storage
Insufficient permissions[Feature Class Name]
Failed to execute(MigrateStorage)

as shown also in the below image:

Image

This migration took place in version ArcGIS 10.1 SP1 in Oracle RDBMS environment.

so if you are in a version(release) below 10.1 that refer to this link:

http://support.esri.com/en/bugs/nimbus/TklNMDgwMDEw

 

The Solution i found is: to grant the schema user the following privileges:

GRANT ALTER ANY INDEX TO USER;
GRANT CREATE ANY INDEX TO USER;
GRANT CREATE TABLE TO USER;
GRANT DROP ANY INDEX TO USER;

Unfortunately this is not stated in any ESRI documentation (so far ….)

References for Data Migration:

http://resources.arcgis.com/en/help/main/10.1/index.html#//002n00000076000000

http://resources.arcgis.com/en/help/main/10.1/index.html#//00170000000q000000

http://resources.arcgis.com/en/help/main/10.2/index.html#//002n00000076000000

 

Also, the below is the data migration for each DBMS type in ArcGIS:

Image

 

 

create spatial type in Esri Geodatabase for st_geometry

arcsdegeoLeave a comment

To create the spatial type (st_geoemtry) in your Oracle Geodatabase, use the Geoprocessing tool

create spatial type” which can be found in catalog tree search.

 

in order to perform this you need to configure your ‘SYS’ oracle user to connect from your client machine , this can be done through a procedure described in my early thread (https://geodatamaster.wordpress.com/2014/02/18/connecting-using-sys-user-from-client-machine/)

PLEASE NOTE: that is geoprocessing tool will ONLY work with ‘SYS’ user.

the below snapshot describes the activity:

Image

 

the dll st_geoemtry library (libst_shapelib.dll) can be found locally on your machine, in this directory:

C:\Program Files (x86)\ArcGIS\Desktop10.1\DatabaseSupport

 

 

connecting using ‘SYS’ user from client machine

arcsdegeo1 Comment

in order to connect using ‘SYS’ account from your local machine to the Oracle database, you need to follow the following steps:

1. create a password file, using the command:

orapwd file=orapwsid  password=xxxxx entries=Z

**IMPORTANT REMARKS**:

this command should be executed under the directory: $ORACLE_HOME/dbs where your init.ora is located

orapwsid: where you need to append the database SID in the name, which is a standrd conversion naming for the password file that must be used.

Z: represents the number of oracle users that needs to be granted the SYSDBA privilege

just type the following command and it will list for you the parameters in details: orapwd

2. edit the init.ora file under $ORACLE_HOME/dbs

change the parameter “remote_login_passwordfile” to “exclusive”

SQL> show parameter password

NAME TYPE VALUE
—————————– ———– ———-
remote_login_passwordfile string EXCLUSIVE

3. grant ‘sysdba’ privilege to the oracle account you are seeking.

 

for example,

SQL> grant sysdba to db_user;

 

ORA-39070: Unable to open the log file ORA-06512: at “SYS.UTL_FILE”, line 536

arcsdegeoLeave a comment

if you receive the following error message:

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 – 64bit Production

With the Partitioning option

ORA-39002: invalid operation

ORA-39070: Unable to open the log file.

ORA-29283: invalid file operation

ORA-06512: at “SYS.UTL_FILE”, line 536

ORA-29283: invalid file operation

**** Resolution:

Create a database directory that has been grante privilege access to the user who is performing “expdp” operation.

SQL> create or replace directory DB_EXPORT as ‘/oracle/export/db/;

Directory created.

SQL> grant read, write on directory DB_EXPORT to expdp_user;

Grant succeeded.

 

Where expdp_user could be ‘system’ user, or any user that has ‘DBA’ role privilege.

Example of expdp command:

expdp expdp_user /XXXX directory=DB_EXPORT logfile=db_test.log dumpfile=EXDP_TEST.dmp schemas=HR