Oracle Scheduler Jobs and Database Vault ORA-20000/ORA-01031 failure

SYMPTOMS

Oracle Text jobs are failing with the following errors after enabling the Database Vault.

ORA-20000/ORA-01031 failure on Oracle Text

CAUSE

The setting of dbms_macadm.authorize_scheduler_user to the job creator and data owner is not present.

SOLUTION

Drop and recreate the job as the data owner.

Or

Set the authorization in the following manner:

Administrator will be the job creator for Oracle Text and the dataowner for example XYZ

The authorization needed is :

begin

DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('ADMINISTRATOR', 'XYZ');

end;

/

Oracle Scheduler Jobs and Database Vault

This post is also available in: ​编辑Português

As everybody knows, the "Oracle Scheduler" is the official task manager for an Oracle Database. It is a robust and complex tool, allowing the user to create chains, parameterized intervals on several types of metrics, execution windows, etc.

In most cases, when a job is created, modified and executed by its owner, there are not many complications. However, things can get confusing especially when you are working on systems that has the security layer of Oracle Database Vault and if the job was created by an user other than its owner.

In this article, I will show the users that are involved in a Scheduler Job and the role of each.

Well, first, there are basically 3 users participating in an Oracle Scheduler Job:

  • The Job Owner -- "OWNER" column of all_scheduler_jobs. view
  • The Job Creator -- "JOB_CREATOR" column of all_scheduler_jobs. view
  • The Job latest "Modifier" -- This information is not present in all_scheduler_jobs view and must be obtained through queries on dictionary tables.

The attribution of each role is what we will see next.

1 -- The Job Owner

The job owner is the schema informed within the JOB_NAME parameter when creating a Job. If omitted, the owner will be the same user who executed the CREATE_JOB procedure. In the next example, the owner is "SCOTT" user.

BEGIN

DBMS_SCHEDULER.CREATE_JOB(JOB_NAME => 'SCOTT.JOB1', ..........);

END;

/

The owner will also be the ++executor++ . If the task runs a procedure or PL/SQL, this user must therefore ++be allowed++ to execute the procedure or privileges on the objects accessed by PL/SQL code. Otherwise, you will receive an error such as "ORA-00942: table or view does not exist".

In case of executing a PL/SQL, the environment variables CURRENT_USER (user whose privileges are currently active) and CURRENT_SCHEMA (active default schema at the time) will obviously be the job owner because, as already mentioned, he is the executor.

However, in case of running a Procedure, the variables CURRENT_USER and CURRENT_SCHEMA show the owner of the Procedure since when it is called, it executes with the privileges of its owner (except if it has "AUTHID CURRENT_USER" and in this case would behave similar to a PL/SQL explained above).

And what happens if we lock the user who owns the job? In this scenario, nothing interferes and the task will continue to run on the scheduled time without any problems. However, if the owner is removed, the scheduled job will also be deleted.

2 -- The Job Creator

The job creator is the schema that runs the procedure DBMS_SCHEDULER.CREATE_JOB. If you create a job to another user, you will be defined as the ++creator++ of that job.

NOTE: Remember that to create a job in another schema you must have the privilege "CREATE ANY JOB."

The job creator is the user that will connect to the database before running it, despite the executor be the owner. Therefore, the environment variable SESSION_USER always points to the creator. However, those who create do not need any privileges on the objects involved and executed by the job.

During the execution of the scheduled job, if we query the column "USERNAME" from v$session, it returns the job creator user (as he is the one who logged in).

In the latest example, if the SCOTT.JOB1 job was created by INFRAUSR, this would be the output of the v$session while the task was running:

SQL> select username,schemaname,status,program,type,module,action from v$session where module='DBMS_SCHEDULER';

USERNAME SCHEMANAME STATUS PROGRAM TYPE MODULE ACTION


INFRAUSR SCOTT ACTIVE oracle@localhost (J000) USER DBMS_SCHEDULER JOB1

SQL>

Despite the user who created be used to log in, if it is locked (or revoked the CREATE SESSION privilege), the job will continue to run normally. This is because the internal behind the sign in for the execution of a job is different. Be aware that, even so, jobs trigger "BEFORE LOGIN" actions.

And what if we delete the user who created the job? In this situation, the job isn't deleted, only disabled. When trying to activate it, the job status in all_scheduler_job_logs will be changed to BROKEN. You will need to recreate it to make it work again.

3 -- The Job latest "Modifier"

What a few people know is that Oracle maintains in its records the user who changed a job for the last time. This information is important only if the database has "Database Vault" feature enabled and when the job is also protected by a Realm.

This happens because the last one who changes a particular task is monitored by Oracle Database Vault and only jobs modified by users who have a special privilege on a separated job layer will be authorized to run.

What is the reason for this protection? A user with the "CREATE ANY JOB" privilege could easily compromise the DB or explore a privilege escalation by creating/changing a job from another user who is DBA making that process do whatever he wanted.

Example:

BEGIN

DBMS_SCHEDULER.CREATE_JOB(

JOB_NAME => 'SCOTT.JOB_TEMP',

JOB_TYPE => 'PLSQL_BLOCK',

JOB_ACTION => q'[BEGIN EXECUTE IMMEDIATE 'GRANT SELECT ON SCOTT.EMP TO MYUSER'; END;]',

ENABLED => TRUE);

END;

/

With Oracle Database Vault feature, this would not be possible.

To get the last user who changed a job, we need to query the "RUN_INVOKER " column on SYS.SCHEDULER$_JOB table:

SQL> col job_creator format a25

SQL> col job_owner format a25

SQL> col job_name format a25

SQL> col perms_check_user format a25

SQL> SELECT JU.NAME "JOB_OWNER",

2 JO.NAME "JOB_NAME",

3 J.CREATOR "JOB_CREATOR",

4 JR.NAME "JOB_MODIFIER"

5 FROM SYS.SCHEDULER$_JOB J,

6 SYS.USER$ JU,

7 SYS.USER$ JR,

8 SYS.OBJ$ JO

9 WHERE J.RUN_INVOKER = JR.USER# (+)

10 AND J.OBJ# = JO.OBJ#

11 AND JO.OWNER# = JU.USER#

12 AND JO.NAME = 'JOB_TEST';

JOB_OWNER JOB_NAME JOB_CREATOR JOB_MODIFIER


SCOTT JOB_TEST INFRAUSR OPERUSR

In the example above, the job was last modified by OPERUSR. This means that if the OPERUSR has no privileges on DB Vault to run it, the job will display the error upon execution:

ORA-12012: error on auto execute of job "SCOTT"."JOB_TEST"

ORA-01031: insufficient privileges

ORA-06512: at line 2

This error has nothing to do with the permissions on the objects involved, because privileges on those objects, as already said, who needs to have is the job owner, which in this case is SCOTT.

So what privilege it is necessary? Only the simple authorization that this job will be allowed to run for the user who last modified it.

In the Database, logged in as a DV Owner account, this authorization may be granted/consulted by running:

SQL> EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(UNAME => 'OPERUSR', SNAME => 'SCOTT');

PL/SQL procedure successfully completed.

SQL> col grantee format a30

SQL> col schema format a30

SQL> select * from dvsys.dba_dv_job_auth;

GRANTEE SCHEMA


OPERUSR SCOTT

Lastly, as we saw in this article, a job may be more complex than it seems. If you are having problems privilege in any of your scheduled tasks, be sure to check what is the role of each user who is participating and that all have the appropriate privileges.

相关推荐
mmsx5 分钟前
android sqlite 数据库简单封装示例(java)
android·java·数据库
zpjing~.~1 小时前
Mongo 分页判断是否有下一页
数据库
2401_857600951 小时前
技术与教育的融合:构建现代成绩管理系统
数据库·oracle
秋恬意2 小时前
Mybatis能执行一对一、一对多的关联查询吗?都有哪些实现方式,以及它们之间的区别
java·数据库·mybatis
潇湘秦2 小时前
一文了解Oracle数据库如何连接(1)
数据库·oracle
雅冰石2 小时前
oracle怎样使用logmnr恢复误删除的数据
数据库·oracle
web前端神器2 小时前
mongodb给不同的库设置不同的密码进行连接
数据库·mongodb
从以前2 小时前
Berlandesk 注册系统算法实现与解析
数据库·oracle
Muko_0x7d22 小时前
Mongodb
数据库·mongodb
Ren_xixi2 小时前
redis和mysql的区别
数据库·redis·mysql