ORA-01536: space quota exceeded for tablespace (case study)

 

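Recently, during a data-governance effort, I revoked privileges from some accounts. Because the RESOURCE role includes the CREATE TABLE privilege, I wanted to revoke the RESOURCE role. For example, to take away the TEST account's ability to create tables, I revoked the RESOURCE role that had been granted to it. Within a few hours, the support staff reported that this account was hitting ORA-01536 errors. I was confused at first; only after sorting it out did I realize I had walked into a big pitfall. Below I reconstruct and simulate the case in a simple form.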

 

SQL> select * from v$version;
 
BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.5.0 - 64bit Production
PL/SQL Release 10.2.0.5.0 - Production
CORE    10.2.0.5.0      Production
TNS for Linux: Version 10.2.0.5.0 - Production
NLSRTL Version 10.2.0.5.0 - Production
 
SQL>CREATE TABLESPACE TBS_TEST_DATA
DATAFILE '/u03/oradata/gps/tbs_test_data.dbf'
SIZE 200M 
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO ONLINE;
 
 
SQL> CREATE USER TEST IDENTIFIED BY "Test#1232134$#3" DEFAULT TABLESPACE TBS_TEST_DATA TEMPORARY TABLESPACE  TEMP;
 
User created.
 
SQL> GRANT CONNECT, RESOURCE TO TEST;
 
Grant succeeded.
 
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';
 
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TEST                           UNLIMITED TABLESPACE                     NO
 
SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST';
 
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST                           RESOURCE                       NO  YES
TEST                           CONNECT                        NO  YES
 
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='RESOURCE';
 
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE OPERATOR                          NO
RESOURCE                       CREATE INDEXTYPE                         NO
RESOURCE                       CREATE TABLE                             NO
 
8 rows selected.

 

[Screenshot: clip_image001]

 

 

Log in to the database as the TEST account and create a table named test:

 

SQL> show user;
USER is "TEST"
SQL> create table test
  2  as
  3  select * from all_objects;
 
Table created.
 
SQL> select count(*) from test;
 
  COUNT(*)
----------
     34859
 
SQL>

 

Then revoke the RESOURCE role from the TEST account, as shown below:

 

SQL> show user;
USER is "SYS"
SQL> REVOKE RESOURCE FROM TEST;
 
Revoke succeeded.
 
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';
 
no rows selected

 

From this point on, any DML that TEST runs fails with ORA-01536, as shown below:

 

SQL> show user;
USER is "TEST"
SQL> insert into test
  2  select * from test;
insert into test
            *
ERROR at line 1:
ORA-01536: space quota exceeded for tablespace 'TBS_TEST_DATA'

 

 

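So why does this happen? At first I was confused too: I checked the tablespace and it was fine, and I checked the RESOURCE role and found no tablespace quota limit in it. How could revoking the RESOURCE role cause this? It only became clear when I read Doc ID 465737.1.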

 

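Attentive readers may already have noticed it (see the screenshot above): if you grant or revoke the RESOURCE or DBA role to or from a user, Oracle implicitly grants or revokes the UNLIMITED TABLESPACE system privilege to or from that user. Doc ID 465737.1 explains that when roles were first introduced in Oracle 7.0, the RESOURCE and DBA privileges of the old Oracle V6 were migrated to the new roles. However, because the RESOURCE and DBA roles are not allowed to be granted UNLIMITED TABLESPACE, the parser automatically transforms the statements in order to preserve backward compatibility with Oracle V6: "grant resource to abc" becomes "grant resource, unlimited tablespace to abc", and "revoke resource from abc" becomes "revoke resource, unlimited tablespace from abc". The same applies when granting and revoking the DBA role. In other words, the UNLIMITED TABLESPACE system privilege is hard-coded into the RESOURCE role. When we created the user, we did not separately grant it any quota on the tablespace, so once the UNLIMITED TABLESPACE system privilege is revoked, the problem appears.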

 

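Fixing the problem is fairly simple: either set a tablespace quota for the account or allow the user unlimited use of tablespaces, as shown below: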

 

GRANT UNLIMITED TABLESPACE TO TEST;
 
 
ALTER USER TEST QUOTA UNLIMITED ON TBS_TEST_DATA;
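
Added example, not part of the original post or of the Oracle note: a pre-revoke check that finds accounts relying only on the implicit UNLIMITED TABLESPACE grant, followed by a revoke order for the TEST account that avoids ORA-01536. It uses the standard dictionary views DBA_SEGMENTS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TS_QUOTAS; the SYS/SYSTEM exclusion and the column aliases are assumptions of this example.

```sql
-- Added example; the SYS/SYSTEM exclusion and column aliases are this example's choices.
-- 1) Before REVOKE RESOURCE / REVOKE DBA: list every (user, tablespace) where the
--    user owns segments but has no explicit quota row, i.e. depends only on the
--    UNLIMITED TABLESPACE privilege that the revoke implicitly removes.
SELECT s.owner,
       s.tablespace_name,
       ROUND(SUM(s.bytes) / 1024 / 1024) AS used_mb,
       'ALTER USER "' || s.owner || '" QUOTA UNLIMITED ON "'
           || s.tablespace_name || '";'  AS fix_stmt
FROM   dba_segments s
WHERE  s.owner NOT IN ('SYS', 'SYSTEM')
AND    s.owner IN (SELECT rp.grantee
                   FROM   dba_role_privs rp
                   WHERE  rp.granted_role IN ('RESOURCE', 'DBA'))
AND    EXISTS (SELECT 1
               FROM   dba_sys_privs sp
               WHERE  sp.grantee   = s.owner
               AND    sp.privilege = 'UNLIMITED TABLESPACE')
AND    NOT EXISTS (SELECT 1
                   FROM   dba_ts_quotas q
                   WHERE  q.username        = s.owner
                   AND    q.tablespace_name = s.tablespace_name)
GROUP  BY s.owner, s.tablespace_name
ORDER  BY s.owner, s.tablespace_name;

-- 2) Safe order for the TEST account from this post: explicit quota first,
--    then the revoke. The quota row survives the implicit revoke.
ALTER USER TEST QUOTA UNLIMITED ON TBS_TEST_DATA;
REVOKE RESOURCE FROM TEST;

-- 3) Verify: UNLIMITED TABLESPACE is gone, the explicit quota remains
--    (MAX_BYTES = -1 means unlimited).
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'TEST';

SELECT tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'TEST';
```

Any privilege from RESOURCE that the account still needs has to be granted back individually after the revoke, since the whole role is removed.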

 

 

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)


 

APPLIES TO:

Oracle Database - Enterprise Edition - Version 8.1.7.4 to 11.2.0.4 [Release 8.1.7 to 11.2]
Information in this document applies to any platform.


SYMPTOMS


ORA-01536: space quota exceeded for tablespace '<Tablespace_Name>'
After revoking DBA or Resource Role from a user

Example:

SQL> conn /as sysdba
Connected.
SQL> create user testrights identified by testos;
User created.
SQL> grant connect, resource to testrights;
Grant succeeded.
SQL> connect testrights/testos;
Connected.

SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS" STORAGE ( INITIAL 64M) ;
Table created.

SQL> conn /as sysdba
Connected.
SQL> grant dba to testrights;
Grant succeeded.
SQL> revoke dba from testrights;
Revoke succeeded.
SQL> show user
USER is "SYS"
SQL> drop table testrights.testtab;
Table dropped.
SQL> conn testrights/testos;
Connected.
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"  STORAGE ( INITIAL 64M) ;

CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL ,
CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M)
*
ERROR at line 1:
ORA-1536: space quota exceeded for tablespace 'USERS'

SQL> conn /as sysdba
Connected.
SQL> grant connect, resource to testrights;
Grant succeeded.

SQL> conn testrights/testos;
Connected.
SQL>
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL , CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M) ;

Table created.

CAUSE

This issue has been discussed in bug 6494010.
The behavior seen in the above example is expected and not a bug.

When roles were first introduced into Oracle in 7.0, the old Oracle V6 privileges of RESOURCE and DBA were migrated to use the new role functionality. But because the RESOURCE and DBA roles are not allowed to be granted UNLIMITED TABLESPACE, in order to preserve the backwards compatibility with V6, the parser automatically transforms statements such that "grant resource to abc" automatically becomes "grant resource, unlimited tablespace to abc" and "revoke resource from abc" automatically becomes "revoke resource, unlimited tablespace from abc". The same is true when granting and revoking the DBA role. This behaviour used to be well documented in the SQL reference guide which read:


Note: If you grant or revoke the RESOURCE or DBA role to or from a user, Oracle implicitly grants or revokes the UNLIMITED TABLESPACE system privilege to or from the user.

SOLUTION

To resolve this issue you need to:

1] Grant DBA or Resource Role back to the user from whom it was revoked.

REFERENCES

BUG:6494010 - ORA-01536 AFTER GRANTING,REVOKING ROLE DBA

 

 

 

References:

 

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)
