Focus On Oracle


ASMCMD File Access Control Management

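ASMCMD File Access Control commands are an optional mechanism for protecting ASM disk groups against unauthorized access; the settings are made mainly at the operating-system user level. The main commands are: chgrp, chmod, chown, groups, grpmod, lsgrp, lsusr, mkgrp, mkusr, passwd, rmgrp, rmusr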

ASM operating system user group types and responsibilities
OSASM group
This group is granted the SYSASM privilege, which provides full administrative privileges for the Oracle ASM instance. For example, the group could be asmadmin.

OSDBA for Oracle ASM group
This group is granted the SYSDBA privilege on the Oracle ASM instance, which grants access to data stored on Oracle ASM. This group has a subset of the privileges of the OSASM group.

When you implement separate administrator privileges, choose an OSDBA group for the Oracle ASM instance that is different than the group that you select for the database instance, such as dba. For example, the group could be asmdba.

OSOPER for Oracle ASM group
This group is granted the SYSOPER privilege on the Oracle ASM instance, which provides operations such as startup, shutdown, mount, dismount, and check disk group. This group has a subset of the privileges of the OSASM group. For example, the group could be asmoper.

chgrp - changes the user group attribute of a file
Changes the user group of a file or list of files.
        chgrp usergroup file [file ...]
        The options for the chgrp command are described below.
        usergroup       - Name of the user group.
        file            - Name of a file.                   
ASMCMD> chgrp asmdata +OHSDBA/ohs-cluster/ASMPARAMETERFILE/REGISTRY.253.911689503
ASMCMD>
ASMCMD> ls --permission +OHSDBA/ohs-cluster/ASMPARAMETERFILE/REGISTRY.253.911689503
User  Group    Permission  Name
      asmdata   rw-rw-rw-  REGISTRY.253.911689503
ASMCMD>

chmod - changes the attributes (permissions) of a file
Changes permissions of a file or list of files.
        chmod mode file [file ...]
        mode can one of the following forms:
        { ugo | ug | uo | go | u | g | o | a } {+|- } {r|w |rw}

        a specifies permissions for all users, u specifies permissions for
        the owner of the file, g specifies the group permissions, and
        o specifies permissions for other users.
        { 0|4|6} {0|4|6} {0|4|6}

        The first digit specifies owner permissions, the second digit
        specifies group permissions, and the third digit specifies other
        permissions.
        The options for the chmod command are described below.
        6       - Read write permissions
        4       - Read only permissions
        0       - No permissions
        u       - Owner permissions, used with r or w
        g       - Group permissions, used with r or w
        o       - Other user permissions, used with r or w
        a       - All user permissions, used with r or w
        +       - Add a permission, used with r or w
        -       - Removes a permission, used with r or w
        r       - Read permission
        w       - Write permission
        file    - Name of a file
ASMCMD> ls --permission
User    Group    Permission  Name
                             ASM/
                             ohs/
                             ohs-cluster/
                             undotbs02.dbf => +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
ASMCMD> chmod 660 undotbs02.dbf                             
ASMCMD> ls --permission +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
User    Group    Permission  Name
oracle  asmdata   rw-rw----  undotbs02.dbf.256.911862393
ASMCMD>

chown - changes the owner of a file
Changes the owner of a file or list of files.
        chown user[:usergroup ] file [file ...]
        The options for the chown command are described below.
        user            - The name of the user that becomes the new owner.
        usergroup       - Name of the user group to which the user belongs.
        file            - Name of a file.
        user typically refers to the user that owns the database instance
        home. Oracle ASM File Access Control uses the operating system (OS)
        name to identify a database.        
ASMCMD> chown oracle:asmdata undotbs02.dbf
ASMCMD> ls --permission +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
User    Group    Permission  Name
oracle  asmdata   rw-rw----  undotbs02.dbf.256.911862393
ASMCMD> chown oracle1:asmdata undotbs02.dbf
ASMCMD> ls --permission +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
User     Group    Permission  Name
oracle1  asmdata   rw-rw----  undotbs02.dbf.256.911862393
ASMCMD>

groups - lists the group names of a user
Lists all the user groups to which the specified user belongs.
        groups diskgroup user
        The options for the groups command are described below.
        diskgroup       - Name of the disk group to which the user belongs.
        user            - Name of the user.
ASMCMD> groups ohsdba oracle
asmdata
ASMCMD> groups ohsdba oracle1
ASMCMD> lsusr
DG_Name User_Num OS_ID OS_Name
OHSDBA  1        500   oracle
OHSDBA  2        502   oracle1
ASMCMD>

grpmod - adds OS users to or removes them from an ASM user group
Adds or removes operating system (OS) users to and from an
        existing Oracle ASM user group.
        grpmod { --add | --delete } diskgroup usergroup user [user...]
        The options for the grpmod command are described below.
      --add             - Specifies to add users to the user group.
      --delete          - Specifies to delete users from the user group.
      diskgroup         - Name of the disk group to which the user group belongs
      usergroup         - Name of the user group.
      user              - Name of the user to add or remove from the user group.         
ASMCMD> lsgrp -a            
DG_Name  Grp_Name  Owner   Members  
OHSDBA   asmdata   oracle  oracle   
ASMCMD>

ASMCMD> grpmod --add ohsdba asmdata oracle1   -- add OS user oracle1 to the asmdata ASM user group
ASMCMD> lsgrp -a
DG_Name  Grp_Name  Owner   Members          
OHSDBA   asmdata   oracle  oracle oracle1   
ASMCMD> 

lsgrp - lists ASM user groups
Lists all Oracle ASM user groups or only groups that match a
        specified pattern.
        lsgrp [-a] [--suppressheader] [ -G diskgroup ] [ pattern ]
        The options for the lsgrp command are described below.
        -a                - Lists all columns.
        --suppressheader  - Suppresses column headings.
        -G diskgroup      - Limits the results to the specified disk group name.
        pattern           - Displays the user groups that match the
                            pattern expression.                
ASMCMD> lsgrp -a
DG_Name  Grp_Name  Owner   Members  
OHSDBA   asmdata   oracle  oracle   
ASMCMD> lsgrp
DG_Name  Grp_Name  Owner   
OHSDBA   asmdata   oracle  
ASMCMD> lsgrp ohsdba
DG_Name  Grp_Name  Owner  
ASMCMD> lsgrp -G ohsdba
DG_Name  Grp_Name  Owner   
OHSDBA   asmdata   oracle  
ASMCMD>

lsusr - lists the ASM users in a disk group
Lists Oracle ASM users in a disk group.
        lsusr [-a]  [--suppressheader] [ -G diskgroup ] [ pattern ]
        The options for the lsusr command are described below.
        -a               - List all users and the disk groups to which
                           the users belongs.
        --suppressheader - Suppresses column headings.
        -G diskgroup     - Limits the results to the specified disk group name.
        pattern          - Displays the users that match the pattern expression.
ASMCMD> lsusr
DG_Name User_Num OS_ID OS_Name
OHSDBA  1        500   oracle  
ASMCMD>

ASMCMD> lsusr -G ohsdba
User_Num OS_ID OS_Name
1        500   oracle  
ASMCMD> 

lspwusr - lists the users in the local ASM password file
List the users from the local Oracle ASM password file
        lspwusr [--suppressheader]
        The options for the lspwusr command are described below.
        --suppressheader    - Suppresses column headers from the output.     
ASMCMD> lspwusr
Username sysdba sysoper sysasm
     SYS   TRUE    TRUE   TRUE
 ASMSNMP  FALSE    TRUE  FALSE
ASMCMD>   

mkgrp - creates an ASM user group
Creates a new Oracle ASM user group.
        mkgrp diskgroup usergroup [user] [user...]
        The options for the mkgrp command are described below.
        diskgroup       - Name of the disk group to which the user group
                          will be added.
        usergroup       - Name of the user group to add. 30 is the maximum
                          number of characters.
        user            - Name of the database user to add to the user group.
        
ASMCMD> mkgrp ohsdba asmdata oracle
ASMCMD>

mkusr - adds an OS user to a disk group
Adds an operating system (OS) user to a disk group.
        mkusr diskgroup user
        The options for the mkusr command are described below.
        diskgroup       - Specifies the name of the disk group to which
                          the user is to be added.
        user            - Name of the user that you want to add.
[root@ohs1 ~]# useradd -g oinstall -G dba ohsdba     
ASMCMD> mkusr ohsdba ohsdba
ORA-15032: not all alterations performed
ORA-15304: operation requires ACCESS_CONTROL.ENABLED attribute to be TRUE (DBD ERROR: OCIStmtExecute)
       
ASMCMD> lsattr -G ohsdba -l
Name                     Value       
access_control.enabled   FALSE       
access_control.umask     066         
au_size                  1048576     
cell.smart_scan_capable  FALSE       
compatible.advm          11.2.0.0.0  
compatible.asm           11.2.0.0.0  
compatible.rdbms         11.2.0.0.0  
disk_repair_time         8h          
sector_size              512         

ASMCMD> setattr access_control.enabled true -G ohsdba

ASMCMD> lsattr -G ohsdba -l
Name                     Value       
access_control.enabled   true        
access_control.umask     066         
au_size                  1048576     
cell.smart_scan_capable  FALSE       
compatible.advm          11.2.0.0.0  
compatible.asm           11.2.0.0.0  
compatible.rdbms         11.2.0.0.0  
disk_repair_time         8h          
sector_size              512         
ASMCMD>
ASMCMD> mkusr ohsdba oracle1
ASMCMD> lsusr
DG_Name User_Num OS_ID OS_Name
OHSDBA  1        500   oracle  
OHSDBA  2        502   oracle1
ASMCMD>


passwd - changes the password of an ASM instance user

Changes the password of a user.
        passwd user
        The options for the passwd command are described below.
        user    - Name of the user.
        An error is raised if the user does not exist in the Oracle ASM
        password file. The user is first prompted for the current password,
        then the new password. The command requires the SYSASM privilege to run      

ASMCMD> lspwusr
Username sysdba sysoper sysasm
     SYS   TRUE    TRUE   TRUE
 ASMSNMP  FALSE    TRUE  FALSE
ASMCMD> passwd sys
Enter old password (optional):
Enter new password: ******
ASMCMD> passwd asmsnmp
Enter old password (optional):
Enter new password: ******
ASMCMD>

orapwusr - adds, deletes, or modifies users in the ASM password file
Add, drop, or modify an Oracle ASM password file user.
        orapwusr { { { --add | --modify [--password] }[--privilege {sysasm|sysdba|sysoper} ] } | --delete } user
        The options for the orapwusr command are described below.
        --add              - Adds a user to the password file. Also prompts
                             for a password.
        --delete           - Drops a user from the password file.
        --modify           - Changes a user in the password file.
        --privilege role   - Sets the role for the user. The options are
                             sysasm, sysdba, and sysoper.
        --password         - Prompts for and then changes the password
                             of a user.
        user               - the user to add, drop, or modify.
ASMCMD> orapwusr --add --privilege sysdba robin
Enter password: ******
ASMCMD> lspwusr
Username sysdba sysoper sysasm
     SYS   TRUE    TRUE   TRUE
 ASMSNMP  FALSE    TRUE  FALSE
   ROBIN   TRUE   FALSE  FALSE
ASMCMD>     
       
rmgrp - removes a user group from a disk group; after removal, the group of files that previously belonged to it becomes empty
Removes a user group from a disk group.
        rmgrp diskgroup usergroup
        The options for the rmgrp command are described below.
        diskgroup       - Name of the disk group to which the user group belongs
        usergroup       - Name of the user group to delete.

        Note that removing a group might leave some files without a valid group.
        To ensure that those files have a valid group, explicitly update those
        files to a valid group. See "chgrp".
ASMCMD> rmgrp ohsdba asmdata
ASMCMD> lsgrp -a
DG_Name  Grp_Name  Owner  Members  
ASMCMD> lsusr -a
DG_Name User_Num OS_ID OS_Name
OHSDBA  1        500   oracle  
ASMCMD>
ASMCMD> ls --permission +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
User    Group  Permission  Name
oracle          rw-rw----  undotbs02.dbf.256.911862393
ASMCMD>        
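
An added example, not from the original article or from Oracle: a small Python audit that parses ls --permission output like the listings above and flags files with no owner, with no group (the state rmgrp leaves behind), or with any permission for other users (such as the rw-rw-rw- registry file). The sample listing is constructed; the file name example01.dbf.300.900000000 and the column heuristic for rows with one blank field are assumptions.

```python
import re

# Constructed sample modeled on the listings above; example01.dbf... is hypothetical.
SAMPLE = """\
User    Group    Permission  Name
        asmdata   rw-rw-rw-  REGISTRY.253.911689503
oracle  asmdata   rw-r-----  example01.dbf.300.900000000
oracle            rw-rw----  undotbs02.dbf.256.911862393
                             ohs/
"""

PERM = re.compile(r"(?<!\S)(?:[r-][w-]-){3}(?!\S)")  # e.g. rw-rw----

def parse_listing(text):
    """Yield (user, group, perm, name) for each file row of `ls --permission`."""
    group_col = None
    for line in text.splitlines():
        if line.lstrip().startswith("User") and "Group" in line:
            group_col = line.index("Group")  # column where the Group field starts
            continue
        m = PERM.search(line)
        if not m:  # directories, aliases and prompts carry no mode string
            continue
        owners = [(t.start(), t.group()) for t in re.finditer(r"\S+", line[:m.start()])]
        user = group = ""
        if len(owners) >= 2:
            user, group = owners[0][1], owners[1][1]
        elif owners:
            pos, tok = owners[0]
            # One field is blank: the token's column decides which (heuristic).
            is_group = group_col is not None and pos >= group_col
            user, group = ("", tok) if is_group else (tok, "")
        yield user, group, m.group(), line[m.end():].strip()

def audit(text):
    """Return {file name: [findings]} for rows whose ownership or mode needs review."""
    report = {}
    for user, group, perm, name in parse_listing(text):
        findings = []
        if not user:
            findings.append("no owner")
        if not group:
            findings.append("no group")
        if perm[6:] != "---":
            findings.append("accessible to other users (%s)" % perm[6:])
        if findings:
            report[name] = findings
    return report
```

Call audit() on text captured from ls --permission; an empty result means every listed file has an owner, a group, and no permissions for other users.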

rmusr - deletes an OS user from a disk group
Deletes an operating system (OS) user from a disk group.
        rmusr [-r] diskgroup user
        The options for the rmusr command are described below.
        -r              - Removes all files in the disk group that the user
                          owns at the same time that the user is removed.
        diskgroup       - Specifies the name of the disk group from which
                          the user is to be deleted.
        user            - Name of the user that you want to delete.  
ASMCMD> rmusr ohsdba oracle1
ORA-15032: not all alterations performed
ORA-15280: user 'oracle1' owns existing files (DBD ERROR: OCIStmtExecute)
ASMCMD>
ASMCMD> ls --permission +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
User     Group    Permission  Name
oracle1  asmdata   rw-rw----  undotbs02.dbf.256.911862393
ASMCMD> chown oracle.asmdata +OHSDBA/ASM/DATAFILE/undotbs02.dbf.256.911862393
ASMCMD>
ASMCMD> rmusr ohsdba oracle1
ASMCMD> lsusr -a
DG_Name User_Num OS_ID OS_Name
OHSDBA  1        500   oracle  
ASMCMD>   
           
