Oracle parameter PDB_LOCKDOWN: official explanation, purpose, and configuration recommendations
This site's explanation
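The PDB_LOCKDOWN_STYLE parameter controls whether users in a pluggable database (PDB) can access the container database (CDB). It can be set to one of three values: FULL, RESTRICTED (the default), and NONE.
FULL: This value blocks connections from the PDB to the CDB, so that objects in the CDB cannot be accessed or changed from the PDB, in particular the database configuration, the registry, and shared pool resources (such as views and stored procedures). When PDB_LOCKDOWN_STYLE is set to FULL, any ordinary user created in the PDB can only access, from the PDB, the resources in its own PDB and the resources in the CDB's shared pool, and cannot access or use the CDB.
RESTRICTED: Only certain privileged users, such as SYSDBA, sysoper, and system, are allowed to connect to resources outside the PDB, and they must first log in to the PDB as a common user.
NONE: Direct connections from the PDB to the CDB are blocked, but DBLINKs can be used in the PDB to access resources in the CDB.
Set PDB_LOCKDOWN_STYLE according to your actual requirements. For example, if you do not want users in the PDB to be able to access resources in the CDB, set PDB_LOCKDOWN_STYLE to FULL.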
Official explanation (English)
PDB_LOCKDOWN determines the PDB lockdown profile that applies to a PDB.
Property | Description |
---|---|
Parameter type | String |
Syntax | |
Default value | |
Modifiable | |
Modifiable in a PDB | Yes |
Basic | No |
Oracle RAC | All instances should have the same value |
A PDB lockdown profile is a mechanism to restrict operations (such as setting values of certain parameters and using certain options) that can be performed by users connected to a given PDB. You can also restrict execution of any packages that allow network access, for example, UTL_SMTP.
You create lockdown profiles using the SQL CREATE LOCKDOWN PROFILE statement. Then you can set a profile using the SQL ALTER SESSION or ALTER SYSTEM statement. See the Examples section.
This parameter can be set using the ALTER SYSTEM statement with scope set to MEMORY, SPFILE, or BOTH.
The lockdown profile for PDBs can be specified by a common user with common ALTER SYSTEM or common SYSDBA privilege.
If a PDB lockdown profile is dropped, any PDB to which the dropped profile was assigned (by means of storing the dropped profile name in the PDB_LOCKDOWN parameter) will continue to have its PDB_LOCKDOWN parameter set to the dropped lockdown profile name. However, the PDB will not have any restrictions imposed by the dropped lockdown profile.
Lockdown profiles can now be created in an application root and are referred to as application lockdown profiles.
A CDB common user with common SYSDBA or common ALTER SYSTEM privilege can only set PDB_LOCKDOWN to a CDB lockdown profile. Similarly, an application common user with application common SYSDBA or application common ALTER SYSTEM privilege can only set PDB_LOCKDOWN to an application lockdown profile.
An application common user cannot overwrite PDB_LOCKDOWN if PDB_LOCKDOWN is already set to a CDB lockdown profile in an application root or application PDB.
If the PDB_LOCKDOWN parameter in a PDB is set to the name of a lockdown profile different from that in its ancestor (for a CDB, the CDB root or, for application PDBs, the application root), the following will govern the interaction between restrictions imposed by these profiles:
- If the PDB_LOCKDOWN parameter in a PDB (including an application PDB) is set to a CDB lockdown profile, lockdown profiles specified by the PDB_LOCKDOWN parameter in CDB root (and for application PDBs, the application root) are ignored.
- If the PDB_LOCKDOWN parameter in an application PDB is set to an application lockdown profile while the PDB_LOCKDOWN parameter in the application root or CDB root is set to a CDB lockdown profile, in addition to the rules stipulated in the application lockdown profile, the DISABLE rules from the CDB lockdown profile set in its nearest ancestor (that is, an application root or CDB root) are inherited.
- If there are conflicts between rules comprising the CDB lockdown profile and the application lockdown profile, the rules in the CDB lockdown profile will take precedence (for example, the OPTION_VALUE clause of a CDB lockdown profile will take precedence over the OPTION_VALUE clause of an application lockdown profile).
Examples
This example shows how the SYS user can connect to the database AS SYSDBA and use the CREATE LOCKDOWN PROFILE statement in the root of a CDB to define a new lockdown profile. After defining the new lockdown profile, the SYS user can assign the new lockdown profile to a PDB using the PDB_LOCKDOWN parameter:
SQL> ALTER SESSION SET CONTAINER=CDB$ROOT;
Session altered.
SQL> CREATE LOCKDOWN PROFILE MYPROFILE;
Lockdown Profile created.
SQL> ALTER SESSION SET CONTAINER=CDB1_PDB1;
Session altered.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN=MYPROFILE;
System altered.
SQL> SHOW PARAMETER PDB_LOCKDOWN
NAME TYPE VALUE
-------------- ----------- ---------
pdb_lockdown string MYPROFILE
SQL>
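The profile created above is empty and restricts nothing. The following is an added example, not part of Oracle's documentation or the original page: it gives a profile actual rules of the kinds described earlier (network-access packages, parameter changes, options), assigns it, and then audits for the dropped-profile case in which PDB_LOCKDOWN still names a profile that no longer exists. SEC_PROFILE is a hypothetical name, and the audit assumes it is run as a common user with access to V$SYSTEM_PARAMETER from CDB$ROOT.

```sql
-- Added example. SEC_PROFILE is a hypothetical profile name;
-- CDB1_PDB1 is the PDB used in the example on this page.
ALTER SESSION SET CONTAINER = CDB$ROOT;

CREATE LOCKDOWN PROFILE SEC_PROFILE;

-- Block the network-access packages (UTL_SMTP and its siblings)
-- as a single feature bundle.
ALTER LOCKDOWN PROFILE SEC_PROFILE DISABLE FEATURE = ('NETWORK_ACCESS');

-- Prevent users connected to the PDB from changing one parameter
-- through ALTER SYSTEM SET.
ALTER LOCKDOWN PROFILE SEC_PROFILE
  DISABLE STATEMENT = ('ALTER SYSTEM')
          CLAUSE    = ('SET')
          OPTION    = ('CURSOR_SHARING');

-- Disable use of a database option inside the PDB.
ALTER LOCKDOWN PROFILE SEC_PROFILE DISABLE OPTION = ('PARTITIONING');

-- Review the rules before assigning the profile.
SELECT profile_name, rule_type, rule, clause, clause_option, status
FROM   dba_lockdown_profiles
WHERE  profile_name = 'SEC_PROFILE'
ORDER  BY rule_type, rule;

-- Assign the profile to the PDB, persisting it across restarts.
ALTER SESSION SET CONTAINER = CDB1_PDB1;
ALTER SYSTEM SET PDB_LOCKDOWN = SEC_PROFILE SCOPE = BOTH;

-- Audit: list containers whose PDB_LOCKDOWN value names a profile that is
-- not defined in the root. Such a PDB looks locked down in SHOW PARAMETER
-- but has no restrictions applied.
-- Assumption: only CDB lockdown profiles are checked here; application
-- lockdown profiles need the same query run in their application root.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT p.con_id, p.value AS assigned_profile
FROM   v$system_parameter p
WHERE  p.name = 'pdb_lockdown'
AND    p.value IS NOT NULL
AND    NOT EXISTS (SELECT 1
                   FROM   dba_lockdown_profiles l
                   WHERE  UPPER(l.profile_name) = UPPER(p.value));
```

Any row returned by the final query is a PDB to re-point at an existing profile.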
See Also:
- “DBA_LOCKDOWN_PROFILES”
- Oracle Multitenant Administrator’s Guide for an introduction to PDB lockdown profiles
- Oracle Database SQL Language Reference for more information about the CREATE LOCKDOWN PROFILE statement