我们在pdb$seed 这个pdb里创建一个用户,并且赋予sysdba这个角色
SQL> alter session set container=pdb$seed;
Session altered.
SQL> alter session set "_oracle_script"=true;
Session altered.
SQL> alter pluggable database close immediate instances=all;
Pluggable database altered.
SQL> alter pluggable database open read write instances=all;
Pluggable database altered.
SQL> column name format a30
SQL> select inst_id,name,open_mode from gv$pdbs;
INST_ID NAME OPEN_MODE
---------- ------------------------------ ----------
1 PDB$SEED READ WRITE
2 PDB$SEED READ WRITE
SQL> create user pdb_admin identified by cdb14;
create user pdb_admin identified by cdb14
*
ERROR at line 1:
ORA-01031: insufficient privileges
这个错误的原因是因为我enable 了lockdown ,所以sys用户无法创建user
SQL> connect c##dv_cloud_admin_backup/cdb14@cdb14
Connected.
SQL> alter session set container=pdb$seed;
ERROR:
ORA-01031: insufficient privileges
c##dv_cloud_admin_backup这个用户是dv owner和account administrator,这个用户没有alter session set container权限,看来要做这个测试,只能先将lockdown disable了
SQL> connect sys/cdb14@cdb14 as sysdba
Connected.
SQL> alter system set pdb_lockdown='' scope=both sid='*';
System altered.
SQL> alter session set container=pdb$seed;
Session altered.
SQL> alter session set "_oracle_script"=true;
Session altered.
SQL> create user pdb_admin identified by cdb14;
create user pdb_admin identified by cdb14
*
ERROR at line 1:
ORA-01031: insufficient privileges
在disable lockdown之后,还是报没有权限
在尝试disable lockdown之后,还是报没有权限的错误,这里其实是我的理解错误,本身lockdown没有限制sys用户再pdb$seed 中创建用户,
禁止common user在pdb中创建用户,是有database vault的operation control来控制的
将pdb$seed的app protection disable掉
SQL> connect c##dv_cloud_admin_backup/cdb14@cdb14
Connected.
SQL> exec dbms_macadm.disable_app_protection('pdb$seed');
PL/SQL procedure successfully completed.
SQL> connect sys/cdb14@cdb14 as sysdba
Connected.
SQL> alter system set pdb_lockdown='PAAS' scope=both sid='*';
System altered.
SQL> alter session set container=pdb$seed;
Session altered.
SQL> alter session set "_oracle_script"=true;
Session altered.
SQL> create user pdb_admin identified by cdb14;
User created.
SQL> grant dba to pdb_admin;
Grant succeeded.
SQL> grant sysdba to pdb_admin;
Grant succeeded.
SQL> alter pluggable database close immediate instances=all;
Pluggable database altered.
SQL> alter pluggable database open read only instances=all;
Pluggable database altered.
SQL> alter session set "_oracle_script"=false;
Session altered.
检查pdb_admin这个用户是否具有sysdba 角色在pdb$seed这个pdb里
SQL> connect sys/cdb14@cdb14 as sysdba
Connected.
SQL> alter session set container=pdb$seed;
Session altered.
SQL> select username,sysdba from v$pwfile_users ;
USERNAME SYSDB
-------------------- -----
SYS TRUE
PDB_ADMIN TRUE
下面创建pdb基于pdb$seed
SQL> alter session set container=cdb$root;
Session altered.
SQL> create pluggable database cdb14pdb10888 admin user pdbadmin identified by cdb14 keystore identified by "WelCome-123#";
Pluggable database created.
SQL> alter pluggable database cdb14pdb10888 open read write instances=all;
Pluggable database altered.
SQL> alter session set container=cdb14pdb10888;
Session altered.
SQL> select username,sysdba from v$pwfile_users;
USERNAME SYSDB
-------------------- -----
SYS TRUE
PDB_ADMIN TRUE
下面尝试用sysdba角色连接这个pdb
[oracle@scaqad02adm01 bin]$ ./sqlplus "pdb_admin/cdb14@scaqad02adm01:1521/cdb14pdb10888 as sysdba"
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Feb 8 18:48:27 2021
Version 19.10.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.10.0.0.0
SQL>