Oracle Database 12.2 New Feature – PDB Lockdown Profiles

Posted by Gavin Soorma
On April 20, 2017
0 Comments
12.2, 12c Release 2, lockdown profiles, multitenant, new features, pluggable database, security

In an earlier post I had mentioned one of the new features in Oracle Database 12.2 was the ability to set SGA and PGA memory related parameters even at the individual PDB level. So it enables us to further limit or define the resources which a particular PDB can use and enable a more efficient management of resources in a multitenant environment.

We can further in Oracle 12c Release 2 now even limit the operations which can be performed within a particular PDB as well as restrict features which can be used or enabled – all at the individual PDB level. We can also limit network connectivity a PDB can have by enabling or disabling the use of network related packages like UTL_SMTP,UTL_HTTP, UTL_TCP at the PDB level.

This is done via the new 12.2 feature called Lockdown Profiles.

We create lockdown profiles via the CREATE LOCKDOWN PROFILE statement while connected to the root CDB and after the lockdown profile has been created, we add the required restrictions or limits which we would like to enforce via the ALTER LOCKDOWN PROFILE statement.

To assign the lockdown profile to a particular PDB, we use the PDB_LOCKDOWN initialization parameter which will contain the name of the lockdown profile we have earlier created.

If we set the PDB_LOCKDOWN parameter at the CDB level, it will apply to all the PDB’s in the CDB. We can also set the PDB_LOCKDOWN parameter at the PDB level and we can maybe have different PDB_LOCKDOWN values for different PDB’s as we will see in the example below.

Let us have a look at an example of PDB Lockdown Profiles at work.

In our CDB, we have two pluggable databases PDB1 and PDB2. We want to limit some kind of operations depending on the PDB involved.

Our requirements are the following:

We want to ensure that in PDB1 the value for SGA_TARGET cannot be altered – so even a privileged user cannot allocate additional memory to the PDB. However if memory is available, then PGA allocation can be altered.
To shutdown PDB1, it can only be done if connected to the root container and not from within the Pluggable Database itself
The Partitioning feature is not available in PDB2

Create the Lockdown Profiles

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> create lockdown profile pdb1_profile;

Lockdown Profile created.

SQL> create lockdown profile pdb2_profile;

Lockdown Profile created.

Alter Lockdown Profile pdb1_profile

SQL> alter lockdown profile pdb1_profile
     disable statement =('ALTER SYSTEM') 
     clause=('SET')
     OPTION = ('SGA_TARGET');

Lockdown Profile altered.



SQL> alter lockdown profile pdb1_profile 
     disable statement =('ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE');

Lockdown Profile altered.

Alter Lockdown Profile pdb2_profile

SQL> alter lockdown profile pdb2_profile 
     DISABLE OPTION = ('PARTITIONING');

Lockdown Profile altered.

Enable the Lockdown Profiles for both PDB1 and PDB2 pluggable databases

SQL> conn / as sysdba
Connected.

SQL> alter session set container=PDB1;

Session altered.

SQL> alter system set PDB_LOCKDOWN='PDB1_PROFILE';

System altered.

SQL> alter session set container=PDB2;

Session altered.

SQL> alter system set PDB_LOCKDOWN='PDB2_PROFILE';

System altered.

Connect to PDB1 and try and increase the value of the parameter SGA_TARGET and PGA_AGGREGATE_TARGET

Note that we cannot alter SGA_TARGET because it is prevented by the lockdown profile in place, but we can alter PGA_AGGREGATE_TARGET because the lockdown profile clause only applies to the ALTER SYSTEM SET SGA_TARGET command.

SQL> alter session set container=PDB1;

Session altered.

SQL> alter system set sga_target=800m;
alter system set sga_target=800m
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter system set pga_aggregate_target=200m;

System altered.

Connect to PDB2 and try and create a partitioned table

SQL> CREATE TABLE testme
     (id NUMBER,
      name VARCHAR2 (60))
   PARTITION BY HASH (id)
   PARTITIONS 4    ;
CREATE TABLE testme
*
ERROR at line 1:
ORA-00439: feature not enabled: Partitioning

Connect to PDB1 and try to shutdown the pluggable database

Note that while we cannot shutdown PDB1, we are able to shutdown PDB2.

SQL> alter session set container=pdb1;

Session altered.

SQL> ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter session set container=pdb2;

Session altered.

SQL> ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE;

Pluggable database altered.

Venky on DBCA New Features Oracle 19cAwesome !!!
Luis Santos on Oracle 19c New Feature High-Frequency StatisticsI loved this! Which other new prefs are avaiable, on DBMS_STATS.SET_GLOBAL_PREFS, since Oracle 18c and 12c?
Thiruselvam Velayutham on Oracle 19c New Feature Real-Time StatisticsConceptually this should also work for transactional database too, good feature.
Vijay kumar on Oracle 19c AutoUpgrade Utility (Part 1)Really fruitful knowledge
Skant on Oracle 18c Scalable SequencesIts in ORALCE 18c as well
David Rickinson on Oratop utilityUseful little guide, thanks!
Ravikumar Chandrasekaran on Oracle GoldenGate 18c UpgradeYou are the best for Golden Gate. Thanks for your help.
Dude on RMAN KEEP FOREVER, KEEP UNTIL TIME and FORCE commandsYou wrote the KEEP option will only retain enough archive logs to keep the backup consistent. According to the documentation,
Jay on Oracle 18c Grid Infrastructure UpgradeHi Gavin, Thanks for this! One question: after upgrading GRID to 18c, do I need to upgrade RDBMS also? Or
Ali on CURSOR_SHARING=SIMILAR and FORCE – some examplesThank you for sharing your knowledge, sir!

News

Oracle Database 12.2 New Feature – PDB Lockdown Profiles

0 Comments

Leave Reply Cancel reply

Oracle Database 12.2 New Feature - Pluggable Database Performance Profiles

Oracle 12c Release 2 Partitioning New Features