1. 关于profiles
profiles文件是口令和资源限制的配置集合,包括CPU的时间、I/O的使用、空闲时间、连接时间、并发会话数量、密码策略等对于资源的使用profile可以做到控制会话级别或语句调用级别。oracle自带的默认(default文件)好多是不限制的,用户创建时都会被指定这个PROFILE。
1.1 查看dba_profiles
dba_profiles这个视图提供关于用户的概要文件的信息,是 DBA 管理用户资源分配的最好助手。其中包含了profile文件名、配置项信息及其限制条件等重要信息。
- 在sys用户下查看dba_profiles中 ‘DEFAULT’ 文件信息–'DEFAULT’文件时oracle在创建用户时,若不指定profile文件时赋予的默认配置文件
SYS@oradb> select * from dba_profiles WHERE PROFILE='DEFAULT';
PROFILE RESOURCE_NAME RESOURCE LIMIT COM INH IMP
-------------------- -------------------------------- -------- -------------------- --- --- ---
DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED NO NO NO
DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED NO NO NO
DEFAULT CPU_PER_SESSION KERNEL UNLIMITED NO NO NO
DEFAULT CPU_PER_CALL KERNEL UNLIMITED NO NO NO
DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED NO NO NO
DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED NO NO NO
DEFAULT IDLE_TIME KERNEL UNLIMITED NO NO NO
DEFAULT CONNECT_TIME KERNEL UNLIMITED NO NO NO
DEFAULT PRIVATE_SGA KERNEL UNLIMITED NO NO NO
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10 NO NO NO
DEFAULT PASSWORD_LIFE_TIME PASSWORD 180 NO NO NO
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED NO NO NO
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED NO NO NO
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL NO NO NO
DEFAULT PASSWORD_LOCK_TIME PASSWORD 1 NO NO NO
DEFAULT PASSWORD_GRACE_TIME PASSWORD 7 NO NO NO
DEFAULT INACTIVE_ACCOUNT_TIME PASSWORD UNLIMITED NO NO NO
2. 参数详解
2.1 RESOURCE_PARAMETER(RESOURCE=KERNEL)
| 参数 | 描述 | 备注 |
|---|---|---|
| COMPOSITE_LIMIT | 指定一个会话的总的资源消耗 | Oracle数据库以有利方式计算cpu_per_session,connect_time,logical_reads_per_session和private-sga总的service units |
| SESSIONS_PER_USER | SESSIONS_PER_USER | 默认无限制 |
| CPU_PER_SESSION | 指定会话的CPU时间限制,单位为百分之一秒 | 默认无限制 |
| CPU_PER_CALL | 指定一次调用(解析、执行和提取)的CPU时间限制,单位为百分之一秒 | |
| LOGICAL_READS_PER_SESSION | 指定一个会话允许读的数据块的数目,包括从内存和磁盘读的所有数据块 | 默认无限制 |
| LOGICAL_READS_PER_CALL | 指定一个会话允许读的数据块的数目,包括从内存和磁盘读的所有数据块 | 默认无限制 |
| IDLE_TIME | 指定会话的总的连接时间,以分钟为单位。 | 默认无限制 |
| CONNECT_TIME | 指定会话的总的连接时间,以分钟为单位。 | 默认无限制 |
| PRIVATE_SGA | 指定一个会话可以在共享池(SGA)中所允许分配的最大空间,以字节为单位 | 默认无限制 |
2.2 PASSWORD_PARAMETER(RESOURCE=PASSWORD)
| 参数 | 描述 |
|---|---|
| FAILED_LOGIN_ATTEMPTS | 指定在帐户被锁定之前所允许尝试登陆的的最大次数 |
| PASSWORD_LIFE_TIME | PASSWORD_LIFE_TIM |
| PASSWORD_REUSE_TIME | 指定了密码不能重用前的天数,整数 |
| PASSWORD_REUSE_MAX | 指定了当前密码被重用之前密码改变的次数,整数 |
| PASSWORD_VERIFY_FUNCTION | 该字段允许将复杂的PL/SQL密码验证脚本做为参数传递到create profile语句。Oracle数据库提供了一个默认的脚本,但是自己可以创建自己的验证规则或使用第三方软件验证。对Function名称,指定的是密码验证规则的名称, 指定为Null则意味着不使用密码验证功能。如果为密码参数指定表达式,则该表达式可以是任意格式,除了数据库量子查询。 |
| PASSWORD_LOCK_TIME | 指定登陆尝试失败次数到达后帐户的锁定时间,以天为单位 |
| PASSWORD_GRACE_TIME | PASSWORD_GRACE_TIME |
| INACTIVE_ACCOUNT_TIME | 表示从该用户上次成功登陆开始计算,如果超过参数设定的天数,那么Oracle会自动锁住该用户。默认unlimited,不启用自动锁用户 |
3. 创建、使用自定义profile
3.1 创建自定义profile
CREATE PROFILE my_profile LIMIT
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL 6000
CONNECT_TIME 60
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL 6000
COMPOSITE_LIMIT 6000000
PRIVATE_SGA 66K
FAILED_LOGIN_ATTEMPTS 6
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 60
PASSWORD_REUSE_MAX 5
PASSWORD_LOCK_TIME 1/24
PASSWORD_GRACE_TIME 10 ;
- 查看创建的profile详情
SYS@oradb> SELECT * FROM DBA_PROFILES WHERE PROFILE='MY_PROFILE';
PROFILE RESOURCE_NAME RESOURCE LIMIT COM INH IMP
-------------------- -------------------------------- -------- -------------------- --- --- ---
MY_PROFILE COMPOSITE_LIMIT KERNEL 6000000 NO NO NO
MY_PROFILE SESSIONS_PER_USER KERNEL UNLIMITED NO NO NO
MY_PROFILE CPU_PER_SESSION KERNEL UNLIMITED NO NO NO
MY_PROFILE CPU_PER_CALL KERNEL 6000 NO NO NO
MY_PROFILE LOGICAL_READS_PER_SESSION KERNEL DEFAULT NO NO NO
MY_PROFILE LOGICAL_READS_PER_CALL KERNEL 6000 NO NO NO
MY_PROFILE IDLE_TIME KERNEL DEFAULT NO NO NO
MY_PROFILE CONNECT_TIME KERNEL 60 NO NO NO
MY_PROFILE PRIVATE_SGA KERNEL 67584 NO NO NO
MY_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD 6 NO NO NO
MY_PROFILE PASSWORD_LIFE_TIME PASSWORD 60 NO NO NO
MY_PROFILE PASSWORD_REUSE_TIME PASSWORD 60 NO NO NO
MY_PROFILE PASSWORD_REUSE_MAX PASSWORD 5 NO NO NO
MY_PROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT NO NO NO
MY_PROFILE PASSWORD_LOCK_TIME PASSWORD .0416 NO NO NO
MY_PROFILE PASSWORD_GRACE_TIME PASSWORD 10 NO NO NO
MY_PROFILE INACTIVE_ACCOUNT_TIME PASSWORD DEFAULT NO NO NO
3.2 使用自定义profile
- 在创建用户的时候指定使用profiles
SYS@oradb> CREATE USER CANCER IDENTIFIED BY cancer PROFILE MY_PROFILE;
User created.
SYS@oradb> select username,profile from dba_users where username='CANCER';
USERNAME PROFILE
-------------------- --------------------
CANCER MY_PROFILE
3.3 变更用户的profile
- 语法
ALTER USER user_name PROFILE new_profile;
- 示例:
SYS@oradb> alter user cancer profile default;
User altered.
SYS@oradb> select username,profile from dba_users where username='CANCER';
USERNAME PROFILE
-------------------- --------------------
CANCER DEFAULT
4. 修改profile中的参数
4.1 RESOURCE_LIMIT参数生效限制
Oracle系统参数RESOURCE_LIMIT是一个用于控制用户对于数据库资源使用的参数,当值为true的时候即为启用,否则禁用。该参数结合profile来可以控制多种资源的使用.
- 查看参数:
SHOW PARAMETER RESOURCE_LIMIT
SYS@oradb> SHOW PARAMETER RESOURCE_LIMIT
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
resource_limit boolean TRUE
其值为TRUE时,修改profile参数才会生效(password的配置项除外),用户所有拥有的PROFILE中有关密码的限制立即生效
4.2 将值修改为TRUE
当我们遇到resource_limit值为FALSE的时候,可以修改系统参数设置其为TURE
ALTER SYSTEM SET RESOURCE_LIMIT=TRUE;
4.3 修改profile中的参数
以设置密码不过期为例子,修改profile中的PASSWORD_LIFE_TIME参数
- 查看参数当前值
SYS@oradb> select * from dba_profiles where resource_name ='PASSWORD_LIFE_TIME' and profile='DEFAULT';
PROFILE RESOURCE_NAME RESOURCE LIMIT COM INH IMP
-------------------- -------------------------------- -------- -------------------- --- --- ---
DEFAULT PASSWORD_LIFE_TIME PASSWORD 180 NO NO NO
- 修改参数为无限制
语法如下:
ALTER PROFILE profile_name LIMIT resource_name value;
- profile_name 表示需要修改的profile名
- resource_name 表示profile中需要修改的参数项
- value 表示设置该参数的值
SYS@oradb> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
Profile altered.
SYS@oradb> select * from dba_profiles where resource_name ='PASSWORD_LIFE_TIME' and profile='DEFAULT';
PROFILE RESOURCE_NAME RESOURCE LIMIT COM INH IMP
-------------------- -------------------------------- -------- -------------------- --- --- ---
DEFAULT PASSWORD_LIFE_TIME PASSWORD UNLIMITED NO NO NO
补充:
密码验证函数
- 脚本地址:/u01/app/oracle/product/12.2.0.1/dbhome_1/rdbms/admin/utlpwdmg.sql
Rem *************************************************************************
Rem BEGIN Password Management Parameters
Rem *************************************************************************
-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to different value or UNLIMITED
-- is created and assigned to the user.
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
INACTIVE_ACCOUNT_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
/**
The below set of password profile parameters would take into consideration
recommendations from Center for Internet Security[CIS Oracle 11g].
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 90
PASSWORD_GRACE_TIME 3
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 20
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
*/
/**
The below set of password profile parameters would take into
consideration recommendations from Department of Defense Database
Security Technical Implementation Guide[STIG v8R1].
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 365
PASSWORD_REUSE_MAX 5
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;
*/
Rem *************************************************************************
Rem END Password Management Parameters
Rem ************************************************************************
- 两个使用到的函数:
SYS@oradb> select text from user_source where name='ORA12C_STRONG_VERIFY_FUNCTION';
TEXT
------------------------------------------------------------------------------------------------------------------------
function ora12c_strong_verify_function
(username varchar2,
password varchar2,
old_password varchar2)
return boolean IS
differ integer;
begin
if not ora_complexity_check(password, chars => 9, upper => 2, lower => 2,
digit => 2, special => 2) then
return(false);
end if;
-- Check if the password differs from the previous password by at least
-- 4 characters
if old_password is not null then
differ := ora_string_distance(old_password, password);
if differ < 4 then
raise_application_error(-20032, 'Password should differ from previous '
|| 'password by at least 4 characters');
end if;
end if;
return(true);
end;
24 rows selected.
SYS@oradb> select text from user_source where name='ORA12C_VERIFY_FUNCTION';
TEXT
------------------------------------------------------------------------------------------------------------------------
FUNCTION ora12c_verify_function
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
differ integer;
db_name varchar2(40);
i integer;
reverse_user dbms_id;
canon_username dbms_id := username;
BEGIN
-- Bug 22369990: Dbms_Utility may not be available at this point, so switch
-- to dynamic SQL to execute canonicalize procedure.
IF (substr(username,1,1) = '"') THEN
execute immediate 'begin dbms_utility.canonicalize(:p1, :p2, 128); end;'
using IN username, OUT canon_username;
END IF;
IF NOT ora_complexity_check(password, chars => 8, letter => 1, digit => 1,
special => 1) THEN
RETURN(FALSE);
END IF;
-- Check if the password contains the username
IF regexp_instr(password, canon_username, 1, 1, 0, 'i') > 0 THEN
raise_application_error(-20002, 'Password contains the username');
END IF;
-- Check if the password contains the username reversed
FOR i in REVERSE 1..length(canon_username) LOOP
reverse_user := reverse_user || substr(canon_username, i, 1);
END LOOP;
IF regexp_instr(password, reverse_user, 1, 1, 0, 'i') > 0 THEN
raise_application_error(-20003, 'Password contains the username ' ||
'reversed');
END IF;
-- Check if the password contains the server name
select name into db_name from sys.v$database;
IF regexp_instr(password, db_name, 1, 1, 0, 'i') > 0 THEN
raise_application_error(-20004, 'Password contains the server name');
END IF;
-- Check if the password contains 'oracle'
IF regexp_instr(password, 'oracle', 1, 1, 0, 'i') > 0 THEN
raise_application_error(-20006, 'Password too simple');
END IF;
-- Check if the password differs from the previous password by at least
-- 3 characters
IF old_password IS NOT NULL THEN
differ := ora_string_distance(old_password, password);
IF differ < 3 THEN
raise_application_error(-20010, 'Password should differ from the '
|| 'old password by at least 3 characters');
END IF;
END IF ;
RETURN(TRUE);
END;
「喜欢这篇文章,您的关注和赞赏是给作者最好的鼓励」
关注作者
【版权声明】本文为墨天轮用户原创内容,转载时必须标注文章的来源(墨天轮),文章链接,文章作者等基本信息,否则作者和墨天轮有权追究责任。如果您发现墨天轮中有涉嫌抄袭或者侵权的内容,欢迎发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
