Closing DBA session in AFTER LOGON trigger
Hello *,
this is my first question here and my first piece of code in Oracle, so please don't laugh ;-)
I'm trying to create an AFTER LOGON trigger which disconnects a user if he/she tries to log in from an incorrect host.
What should happen?
User tries to connect.
If he/she is permitted, a record is added to a table.
If not, a record is added to another table and the user is disconnected using RAISE_APPLICATION_ERROR().
After a number of issues I've got it working, except ... I have the feeling that RAISE_APPLICATION_ERROR() doesn't affect users with DBA privileges.
Finally, I'm testing it with one ordinary user - DEF.
The main idea is to disallow connections from user ABC which has DBA privileges.
Tests using DEF are successful, but when ABC tries to log in from an incorrect host, a record is added to pcbaudit_failed_logins but the user is not disconnected.
The database is 9.2.0.8.0 and I'm prepared to post an RDA report if it is required.
Thank you for your help in advance - I hope I was kind enough :P
Here's the code for the trigger:
DROP TABLE pcbaudit_users;
CREATE TABLE pcbaudit_users (username VARCHAR2(32) NOT NULL, host VARCHAR2(64) NOT NULL);
CREATE INDEX idx_pcbaudit_users_username ON pcbaudit_users(username);
CREATE INDEX idx_pcbaudit_users_host ON pcbaudit_users(host);
DROP TABLE pcbaudit_logins;
CREATE TABLE pcbaudit_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
DROP TABLE pcbaudit_failed_logins;
CREATE TABLE pcbaudit_failed_logins (username VARCHAR2(32), ip_address VARCHAR2(15), host VARCHAR2(64), ts DATE);
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_users FOR sys.pcbaudit_users;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_logins FOR sys.pcbaudit_logins;
CREATE OR REPLACE PUBLIC SYNONYM pcbaudit_failed_logins FOR sys.pcbaudit_failed_logins;
GRANT SELECT ON sys.pcbaudit_users TO public;
GRANT INSERT ON sys.pcbaudit_logins TO public;
GRANT INSERT ON sys.pcbaudit_failed_logins TO public;
INSERT INTO pcbaudit_users VALUES ('SYS', '%');
INSERT INTO pcbaudit_users VALUES ('SYSTEM', '%');
INSERT INTO pcbaudit_users VALUES ('ABC', '%');
INSERT INTO pcbaudit_users VALUES ('DEF', '%');
COMMIT;
CREATE OR REPLACE
TRIGGER logon_pcbaudit_trigger AFTER LOGON ON DATABASE
DECLARE
  v_username VARCHAR2(32);   /* variable that will hold current username */
  v_host     VARCHAR2(4000); /* variable that will hold current host */
  v_allowed  NUMBER(1) := 0;
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  SELECT UPPER(USER),                          /* current user */
         UPPER(SYS_CONTEXT('USERENV', 'HOST')) /* current user host */
  INTO   v_username,
         v_host
  FROM   dual;
  /* debug */
  -- DBMS_OUTPUT.PUT_LINE(v_username || '@' || v_host);
  SELECT 1
  INTO   v_allowed
  FROM   pcbaudit_users
  WHERE  UPPER(username) = v_username
  AND (
        UPPER(REPLACE(v_host, CHR(0), '')) LIKE UPPER(host) ESCAPE '!' /* some clients append CHR(0) to the host name */
        OR
        v_host IS NULL /* some clients report a NULL host */
      );
  /* write log (user has logged in!) */
  INSERT
  INTO   pcbaudit_logins
         (username, ip_address, host, ts)
  VALUES
         (v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
  COMMIT;
EXCEPTION
  WHEN NO_DATA_FOUND THEN /* occurs when no matches were found; i.e. current username is not permitted to login from the current host */
    /* log the failed attempt */
    INSERT
    INTO   pcbaudit_failed_logins
           (username, ip_address, host, ts)
    VALUES
           (v_username, SYS_CONTEXT('USERENV', 'IP_ADDRESS'), v_host, SYSDATE);
    COMMIT;
    /* disconnect user */
    RAISE_APPLICATION_ERROR(-20001, v_username || '@' || v_host || ' is not allowed to connect.');
  WHEN OTHERS THEN
    NULL; /* in this case, NULL is better than an error - if an error occurs, user will not be able to login. */
END;
/
Thank you for your reply!
The situation is quite complicated.
I am aware that a user with DBA privileges can drop the trigger, modify it, etc.
There's an application on top of it and (I don't know why) it requires DBA privileges. The point is, there are developers with access to the production database and my task is to stop them from logging in with this username.
Since I'm creating a trigger, I obviously have no other choice. I can't change the user's password for a number of reasons, I can't deny the developers' IP addresses using sqlnet.ora because they need read-only access, and so on.
I realize that this is not the way that things are being done (development cycle), but I have no other choice.
So, is there any other way?
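An added check, not part of any post in this thread: Oracle ignores an error raised by an AFTER LOGON trigger when the session holds the ADMINISTER DATABASE TRIGGER system privilege, and the DBA role grants that privilege. The query below, written against the standard data-dictionary views, tells you whether a given account (ABC is only the placeholder name used here) holds the privilege directly or through any chain of roles, so you know in advance which logons the trigger can never reject. It needs SELECT access to DBA_SYS_PRIVS and DBA_ROLE_PRIVS and runs on 9i and later.

```sql
-- Added example: by which route does &&check_user hold ADMINISTER DATABASE TRIGGER?
-- A session holding that privilege logs on even when a LOGON trigger raises.
-- Run from SQL*Plus as a user who can read the DBA_* views.
-- placeholder account name, assumed for the example:
DEFINE check_user = ABC

SELECT sp.grantee   AS holder,
       sp.privilege AS privilege,
       CASE WHEN sp.grantee = '&&check_user' THEN 'direct grant'
            ELSE 'via role' END AS how
FROM   dba_sys_privs sp
WHERE  sp.privilege = 'ADMINISTER DATABASE TRIGGER'
AND    sp.grantee IN (
         -- the account itself
         SELECT '&&check_user' FROM dual
         UNION
         -- every role reachable from the account, roles granted to roles included
         SELECT granted_role
         FROM   dba_role_privs
         START WITH grantee = '&&check_user'
         CONNECT BY PRIOR granted_role = grantee
       )
ORDER BY how, holder;

-- No rows: the trigger's RAISE_APPLICATION_ERROR will disconnect &&check_user.
-- A row such as holder = DBA, how = via role: the attempt is logged by the
-- trigger but the error is ignored and the session stays connected.
-- A session connected AS SYSDBA is never disconnected by this mechanism either.

UNDEFINE check_user
```

If the trigger must apply to DBA-role holders, the privilege can be taken away from the role with REVOKE ADMINISTER DATABASE TRIGGER FROM DBA, but then a trigger that fails for any reason (a dropped audit table, an invalid package) locks those accounts out too, and a session that still holds the privilege (SYS connected AS SYSDBA) has to repair it. A DBA-role holder can in any case DROP or DISABLE the trigger, which is why host restrictions for privileged accounts belong in sqlnet.ora valid node checking or network controls rather than in the database.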
Similar Messages
-
Insufficient privileges using execute immediate in after logon trigger
I have an after logon trigger that executes a package/procedure in the schema it was created in.
One of the procedures runs the following:
EXECUTE IMMEDIATE 'AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE, EXECUTE PROCEDURE BY ' || USER;
The procedure is throwing an insufficient privileges error when executing this.
However - the schema owner has audit any and audit system privileges and - the statement works fine independently.
When I login as another user this issue arises. The package/procedure are created with definers rights... So - i'm not sure why this is happenening.
Any help is appreciated.
Privileges acquired via a ROLE do NOT apply within named PL/SQL procedures.
SQL> SET ROLE NONE
SQL> --issue AUDIT again now -
Hi,
I am using Release 11.2.0.3.0 of oracle.
I have created a trigger for restricting specific users (logging in from a specific program and having a specific OSUSER) from logging into the database.
I created the below trigger in the SYS schema.
CREATE OR REPLACE TRIGGER t1
AFTER
LOGON
ON DATABASE
DECLARE
trg_program varchar2(4000);
trg_user varchar2(4000);
trg_osuser varchar2(4000);
v_killsession VARCHAR2(4000);
v_sid VARCHAR2(4000);
v_serial VARCHAR2(4000);
BEGIN
SELECT UPPER (program), UPPER (USERNAME), UPPER (OSUSER),SID,serial#
INTO trg_program, trg_user, trg_osuser,v_sid,v_serial
FROM v$session
WHERE audsid = SYS_CONTEXT ('USERENV', 'SESSIONID') AND ROWNUM = 1;
IF trg_program IN ('SQLPLUS.EXE','SQLPLUSW.EXE','TOAD.EXE')
AND trg_user in ('USER1','USER2')--,'SYS','SYSTEM')
--AND trg_osuser not in ('O12345')
THEN
raise_application_error(-20001,'You are not authorized to connect to this schema directly!!');
END IF;
END;
When I log in to USER1 through sqlplus/toad it works fine; I get the required message mentioned in the raise_application_error.
But when I compile the trigger after uncommenting the extra condition for OSUSER, i.e. trg_osuser not in ('O12345'), so that it won't affect the highly privileged user (i.e. OSUSER O12345), then while logging in to user USER1 I get the below error:
ERROR:
ORA-04045: errors during recompilation/revalidation of
XIGNCMN.RESTRICT_UNAUTH_ACCESS
ORA-01031: insufficient privileges
It should allow me to log in because I am OSUSER 'O12345', so why is it not working?
Thanks John.
Actually, currently we have a database server installed on each of the developers' machines, so they have the DBA privilege and the business data; that is why I am planning to configure a common database to which all will connect, and I won't allow them to connect to the database directly through the functional schemas (2 schemas). Now I am planning to restrict the developers' access to only 'SELECT+DMLs' on the functional schema, and I will do that by creating another user through which they will get connected to the actual functional schema with restricted privileges.
But here the issue is that, for the JAVA application, they have the local source code on each of their machines and will also need the connection string/password for the functional schema, so they will know the password for the functional schema; but I want to restrict their access through all programs except the 'JDBC thin client', so I thought of the above trigger.
Kindly suggest if there is any other way out? -
Trace users by after logon trigger
Hi.
I have to trace some users application to find the source of problems.
Oracle8i Enterprise Edition Release 8.1.7.0.0
connect system/manager@testdb
create or replace trigger login_trigger
after logon on database
begin
  if (USER in ('BLAKE','SCOTT')) then
    execute immediate
      'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER, LEVEL 12''';
  end if;
end;
/
show errors
SQL> connect scott/tiger@testdb
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-01031: insufficient privileges
ORA-06512: at line 3
OK, I'll grant a priv.
SQL> connect system/manager@testdb
SQL> GRANT administer DATABASE TRIGGER TO "SCOTT";
SQL> connect scott/tiger@testdb
Connected.
Good, only the *.trc file is empty after that and there is no trace information to analyse.
Could you please give me a solution?
Mikhail
Can't find any *.trc & alert files relevant to the current time 20080329:20.34
only this
29.03.2008 18:20 72 583 nmuALRT.LOG
25.03.2008 22:22 600 nmuARC0.TRC
but the last connection I've made
20080329:20.34
SQL> connect SCOTT/[email protected]
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-01031: insufficient privileges
ORA-06512: at line 3
this is the files
---nmuALRT.LOG---
Dump file C:\oracle\admin\nmu\bdump\nmuALRT.LOG
Sat Mar 22 17:58:46 2008
ORACLE V8.1.7.0.0 - Production vsnsta=0
vsnsql=e vsnxtr=3
Windows 2000 Version 5.1 Service Pack 2, CPU type 586
Starting up ORACLE RDBMS Version: 8.1.7.0.0.
System parameters with non-default values:
processes = 150
shared_pool_size = 52428800
large_pool_size = 614400
java_pool_size = 20971520
control_files = C:\oracle\oradata\nmu\control01.ctl, C:\oracle\oradata\nmu\control02.ctl, C:\oracle\oradata\nmu\control03.ctl
db_block_buffers = 19200
db_block_size = 8192
compatible = 8.1.0
log_buffer = 32768
log_checkpoint_interval = 10000
log_checkpoint_timeout = 1800
db_files = 1024
db_file_multiblock_read_count= 8
max_enabled_roles = 30
remote_login_passwordfile= EXCLUSIVE
global_names = TRUE
distributed_transactions = 500
instance_name = nmu
service_names = nmu
mts_dispatchers = (PROTOCOL=TCP)(PRE=oracle.aurora.server.SGiopServer)
open_links = 4
sort_area_size = 65536
sort_area_retained_size = 65536
db_name = nmu
open_cursors = 300
os_authent_prefix =
job_queue_processes = 0
job_queue_interval = 10
parallel_max_servers = 5
background_dump_dest = C:\oracle\admin\nmu\bdump
user_dump_dest = C:\oracle\admin\nmu\udump
max_dump_file_size = 10240
oracle_trace_collection_name=
Sat Mar 29 18:20:39 2008
Errors in file C:\oracle\admin\nmu\udump\ORA02288.TRC:
ORA-00604: error occurred at recursive SQL level 1
ORA-01031: insufficient privileges
ORA-06512: at line 3
---nmuARC0.TRC-----------------------------------------
Dump file C:\oracle\admin\nmu\bdump\nmuARC0.TRC
Tue Mar 25 22:22:38 2008
ORACLE V8.1.7.0.0 - Production vsnsta=0
vsnsql=e vsnxtr=3
Windows 2000 Version 5.1 Service Pack 2, CPU type 586
Oracle8i Enterprise Edition Release 8.1.7.0.0 - Production
With the Partitioning option
JServer Release 8.1.7.0.0 - Production
Windows 2000 Version 5.1 Service Pack 2, CPU type 586
Instance name: nmu
Redo thread mounted by this instance: 0 <none>
Oracle process number: 14
Windows thread id: 2592, image: ORACLE.EXE
*** SESSION ID:(11.1) 2008-03-25 22:22:38.428
*** 2008-03-25 22:22:38.428 -
Calling set_context() outside after logon trigger?
Hello all
I'm trying out and learning on using the application context so I tried out the tutorials from: Oracle® Database Security Guide 11g Release 1 (11.1) B28531-06 document (well, very similar examples that is)
I made a procedure which should retrieve the employee_id based on the provided user_name (a logical user_name stored in a table) and set an (attribute, value) pair using dbms_session.set_context()...
select employee_id into emp_id from user_pswd_table where user_name like p_user_name;
DBMS_SESSION.SET_CONTEXT('employee_id_ctx', 'employee_id', emp_id);
and (the tester) the call of the procedure looked like something like this:
declare usernm varchar2(30);
begin
usernm :='user_name_which_will_be_provided';
set_employee_id_pck.set_employee_id_ctx(usernm);
end;
but it seems it only works if the call is made from the after logon on database trigger... if that's the case, after the next logon I have the needed information retrieved with select sys_context(...) from dual, but if I call that procedure from anywhere else it results in no_data_found.
Could someone please explain to me why that is???
Thx in advance :D
Ildiko
Sorry Frank, the message is for Ildiko.
You found below context example
Login with user scott :
-- create table dossier
SQL> connect scott/tiger@oratest
Connected.
CREATE TABLE DOSSIER(
  NO_DOS   NUMBER(6),
  DT_DOS   DATE,
  TYPE_DOS VARCHAR2(50) CHECK (TYPE_DOS IN ('SECRET','NORMAL'))
);
-- insert rows into dossier
SQL> insert into dossier values(1,trunc(sysdate),'SECRET');
1 row created.
SQL> insert into dossier values(2,trunc(sysdate),'SECRET');
1 row created.
SQL> insert into dossier values(3,trunc(sysdate),'SECRET');
1 row created.
SQL> insert into dossier values(4,trunc(sysdate),'NORMAL');
1 row created.
SQL> insert into dossier values(5,trunc(sysdate),'NORMAL');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from dossier;
NO_DOS DT_DOS TYPE_DOS
1 22-MAY-07 SECRET
2 22-MAY-07 SECRET
3 22-MAY-07 SECRET
4 22-MAY-07 NORMAL
5 22-MAY-07 NORMAL
-- Logon with user sys:
-- grant privileges
grant execute on dbms_rls to scott;
grant execute on dbms_session to scott;
grant ADMINISTER DATABASE TRIGGER to scott;
grant alter session to scott;
-- Logon with user system:
-- create and grant roles
Create role sec_employe;
Create role sec_manager;
Grant select, update, insert, delete on scott.dossier to sec_employe;
Grant select, update, insert, delete on scott.dossier to sec_manager;
Grant sec_manager to scott;
Grant create any context to scott;
grant create table to scott;
grant create procedure to scott;
-- Logon with user scott:
-- create the context package
SQL> create or replace package pkg_dossier_context
is
  procedure set_manager;
  procedure set_employe;
end;
/
Package created.
SQL> create or replace package body pkg_dossier_context
as
  procedure set_manager
  is
  begin
    dbms_session.set_context('scott_dossier','app_role','manager');
  end;
  --
  procedure set_employe
  is
  begin
    dbms_session.set_context('scott_dossier','app_role','employe');
  end;
end;
/
Package body created.
-- create the context, bound to the package above
SQL> create or replace context scott_dossier using pkg_dossier_context;
Context created.
-- create the security package
SQL> create or replace package pkg_dossier_sec
as
  function dossier_predicate(schema_name in varchar2, object_name in varchar2)
    return varchar2;
end;
/
Package created.
SQL> create or replace package body pkg_dossier_sec
as
  function dossier_predicate(schema_name in varchar2, object_name in varchar2)
    return varchar2
  is
    lv_predicate varchar2(1000) := '';
  begin
    if sys_context('scott_dossier','app_role') = 'manager' then
      lv_predicate := 'type_dos=''SECRET'''; -- may see only dossiers of type SECRET
    elsif sys_context('scott_dossier','app_role') = 'employe' then
      lv_predicate := 'type_dos=''NORMAL'''; -- may see only dossiers of type NORMAL
    else
      lv_predicate := '1=2'; -- block access
    end if;
    return lv_predicate;
  end;
end;
/
Package body created.
-- add the policy
SQL> begin
  dbms_rls.add_policy(
    object_schema   => 'SCOTT',
    object_name     => 'DOSSIER',
    policy_name     => 'SCOTT_DOSSIER_POLICY',
    function_schema => 'SCOTT',
    policy_function => 'pkg_dossier_sec.dossier_predicate',
    statement_types => 'select, insert, update, delete',
    update_check    => TRUE,
    enable          => TRUE,
    static_policy   => FALSE);
end;
/
PL/SQL procedure successfully completed.
-- create the logon trigger
SQL> create or replace trigger scott_logon_trigger
after logon on database
declare
  nb varchar2(30);
begin
  -- check the role of the user who is logging on (USER), not a fixed name:
  -- with grantee='SCOTT' every session would get the manager context while SCOTT holds the role
  select granted_role
  into   nb
  from   dba_role_privs
  where  grantee = USER and granted_role = 'SEC_MANAGER';
  pkg_dossier_context.set_manager;
exception
  when no_data_found then
    pkg_dossier_context.set_employe;
end;
/
Trigger created.
SQL> SELECT * FROM DOSSIER;
NO_DOS DT_DOS TYPE_DOS
1 22-MAY-07 SECRET
2 22-MAY-07 SECRET
3 22-MAY-07 SECRET
Explanation:
Scott has the role sec_manager, so he may only see dossiers of type SECRET;
a restricting clause is appended to my original query,
which becomes: SELECT * FROM DOSSIER WHERE type_dos='SECRET';
-- Connect with user system :
SQL> revoke sec_manager from scott;
Revoke succeeded.
SQL> grant sec_employe to scott;
Grant succeeded.
--Connect with user scott :
SQL> connect scott/tiger@oratest;
Connected.
SQL> select * from dossier;
NO_DOS DT_DOS TYPE_DOS
4 22-MAY-07 NORMAL
5 22-MAY-07 NORMAL
-- to remove the policy
SQL> begin
  dbms_rls.drop_policy(
    object_schema => 'SCOTT',
    object_name   => 'DOSSIER',
    policy_name   => 'SCOTT_DOSSIER_POLICY');
end;
/
PL/SQL procedure successfully completed.
SQL> select * from dossier;
NO_DOS DT_DOS TYPE_DOS
1 22-MAY-07 SECRET
2 22-MAY-07 SECRET
3 22-MAY-07 SECRET
4 22-MAY-07 NORMAL
5 22-MAY-07 NORMAL
Edited by: Salim Chelabi on 2008-12-16 10:54
Edited by: Salim Chelabi on 2008-12-16 11:26 -
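The following is an added example, not code from any post above, showing the rule that the context examples in this thread rely on: DBMS_SESSION.SET_CONTEXT for a namespace succeeds only when it is called from the package named in that namespace's CREATE CONTEXT ... USING clause; any other caller gets ORA-01031, whoever is connected. The schema objects (table app_users, package emp_ctx_pkg, namespace emp_ctx and the single row for 'jdoe') are constructed for the example; the schema running it needs CREATE ANY CONTEXT, CREATE PROCEDURE and EXECUTE on DBMS_SESSION, the same grants the post above hands to scott.

```sql
-- Added example (not from the thread): the package named in CREATE CONTEXT ... USING
-- is the only code allowed to set attributes in that namespace. All object names
-- (app_users, emp_ctx_pkg, emp_ctx, the user 'jdoe') are constructed for this demo.
SET SERVEROUTPUT ON

CREATE TABLE app_users (
  user_name   VARCHAR2(30) PRIMARY KEY,
  employee_id NUMBER(6)    NOT NULL
);
INSERT INTO app_users (user_name, employee_id) VALUES ('jdoe', 1001);  -- constructed row
COMMIT;

CREATE OR REPLACE PACKAGE emp_ctx_pkg AS
  PROCEDURE set_employee_id(p_user_name IN VARCHAR2);
  PROCEDURE clear;
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY emp_ctx_pkg AS
  PROCEDURE set_employee_id(p_user_name IN VARCHAR2) IS
    v_emp_id app_users.employee_id%TYPE;
  BEGIN
    -- equality, not LIKE: a caller-supplied '%' would otherwise match other users
    SELECT employee_id INTO v_emp_id
    FROM   app_users
    WHERE  user_name = p_user_name;
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'employee_id', TO_CHAR(v_emp_id));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- unknown user: leave the attribute unset so a predicate built on it fails closed
      DBMS_SESSION.CLEAR_CONTEXT(namespace => 'emp_ctx', attribute => 'employee_id');
  END set_employee_id;

  PROCEDURE clear IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT(namespace => 'emp_ctx');
  END clear;
END emp_ctx_pkg;
/
-- Bind the namespace to its one trusted package
CREATE OR REPLACE CONTEXT emp_ctx USING emp_ctx_pkg;

-- 1. Through the trusted package: works from any session, no logon trigger involved
EXEC emp_ctx_pkg.set_employee_id('jdoe')
SELECT SYS_CONTEXT('emp_ctx', 'employee_id') AS employee_id FROM dual;

-- 2. Directly from an anonymous block: the caller is not the trusted package,
--    so Oracle raises ORA-01031 even for the schema owner
BEGIN
  DBMS_SESSION.SET_CONTEXT('emp_ctx', 'employee_id', '9999');
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
SELECT SYS_CONTEXT('emp_ctx', 'employee_id') AS employee_id FROM dual;
```

The first SELECT returns 1001 and the second still returns 1001: the rejected call changed nothing. Because the check is on the calling package rather than on the connected user, the setter does not need to live in a logon trigger; the application can call it after it has authenticated its logical user, and an RLS predicate like the one in the post above then reads SYS_CONTEXT('emp_ctx', 'employee_id'). Leaving the attribute unset for an unknown user matters: SYS_CONTEXT returns NULL and a predicate such as employee_id = SYS_CONTEXT('emp_ctx', 'employee_id') selects no rows, whereas wrapping it in NVL to "make it work" would open the table to everyone.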
Raise_application_error in after-logon-trigger
Hi,
I am trying to build an
after logon on database trigger;
it should execute some inserts into an audit table, and if some conditions are not met, I want the user to be disconnected.
In this forum I found this thread with a trigger similar to my needs:
To prevent TOAD access
But RAISE_APPLICATION_ERROR in this trigger does not cancel the session, so the user stays connected to Oracle. Now I am looking for a disconnect statement!
Wolfram
Wolfram,
What we have here is
- a post without a 4 digit database version. Most questions have a version specific answer. The behavior you describe does not apply to all versions, and might even apply to SYSDBA connected users only. Is everyone connecting as SYSDBA?
- a post without a proper description of what the trigger does, and without a proper description of the business need. This is especially important as you seem to re-invent AUDIT CONNECT.
- a post from someone who already thinks he knows the answer.
Rest assured: there is no disconnect statement in PL/SQL
You would really need to come up with more details
- database version, 4 digits
- the actual trigger code
- what you are trying to accomplish in terms of business requirements
- why you can't use AUDIT
Sybrand Bakker
Senior Oracle DBA -
Setting session item after logon
hello,
I want to set the value of an item after a user has successfully logged on to an APEX application.
where should i set the value best?
regards,
roman
A good place to do this is in the authentication scheme's post-authentication process.
Scott -
After Logon on Database Trigger Not Working From Client Terminal
Hi everyone,
I have a problem. I am using Oracle 10g R2. I have written an AFTER LOGON ON DATABASE trigger under a user with DBA privileges, and it works fine, but only when I log on to the database from the server terminal (with any user). If I log on from any other terminal it does not work.
Does anyone know the reason? Please help me.
Yasser Mokhtar
Please post the trigger code.
-
Hi,
I created a trigger to prevent users from running commands outside the Forms/Reports environment, which means they must execute their commands through the application servers (App1 and App2, machine column in v$session).
I need to send them the message "YOU MUST RUN YOUR COMMANDS USING FORMS" when a user called TST01 is TRYING to connect to the database, running Forms outside the App1 or App2 machines.
Here is the code:
CREATE OR REPLACE TRIGGER tr_lock_user_out_forms
AFTER LOGON ON DATABASE
DECLARE
  v_user sys.v_$session.username%TYPE;
  v_mac  sys.v_$session.machine%TYPE;
BEGIN
  BEGIN
    SELECT username, machine
    INTO   v_user, v_mac
    FROM   sys.v_$session
    WHERE  audsid = USERENV('SESSIONID')
    AND    audsid != 0
    AND    ROWNUM = 1;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;
  END;
  /* the check sits outside the exception handler: placed after EXCEPTION it
     would only run when the SELECT found no row, and every logon would pass */
  IF UPPER(v_user) = 'TST01' AND LOWER(v_mac) NOT IN ('app1', 'app2') THEN
    RAISE_APPLICATION_ERROR(-20000, 'YOU MUST RUN YOUR COMMANDS USING FORMS');
  END IF;
END;
/
SHOW ERRORS
It's allowing user TST01 to connect to the DB. Do you guys have any idea?
Thanks in advance.
Thanks for the replies,
Naresh, the idea is to prevent users from connecting to the DB without using Oracle Forms, and the message the user would receive could be "PLEASE, CONNECT TO THE DATABASE USING FORMS ON APP1 OR APP2" (sorry if the message I wrote before was unclear).
So the users could not even connect to the DB if they are not logging in using Forms. Your idea is good, but we have 3,000 tables for this user to access, and as AFTER UPDATE cannot be used at schema or database level, I don't think it is worth using this event.
I'm trying other code, but if any of you have another idea to correct the code below it'd be nice.
Thanks in advance. -
Logon trigger to alter the session parameter
Hi,
I want to execute alter session set '_b_tree_bitmap_plans'=false;
for a user once he logs in.
I guess it is possible using logon trigger, pls let me know how to?
Thanks,
Kumar.
Ensure that the use of the statements or settings in the login files is necessary and correct before using them.
For all users, use glogin.sql. This is located in $ORACLE_HOME/sqlplus/admin.
For each user, use login.sql. This needs to be created by the user from SQL*Plus using the default editor, e.g. type ed login at the SQL prompt. This causes the file to be created in the correct home of the OS user (different between Unix and Windows). Note that it is per OS user and not per Oracle user. For instance, every user who connects to the server as the OS user oracle will run the same login.sql.
If you enter statements that require a logon (like yours), you will get a "Not Connected" error if you normally do sqlplus /nolog. But you will not get it if you connect directly by specifying the username, or when prompted.
The scripts will be run at each logon (either by typing sqlplus from os command prompt or using connect command within sqlplus). -
Enabling Level-12 trace in SYSTEM.LOGON trigger
I am trying to enable level-12 trace for a user as soon as it login to the database.
CREATE OR REPLACE TRIGGER SYSTEM.LOGON_ASPIRE
AFTER LOGON
ON DATABASE
BEGIN
  if (upper(USER) = 'U_DATAHUB') then
    EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
    execute immediate 'alter session set current_schema=DATAHUB';
  end if;
END;
/
I have granted DBA to user U_DATAHUB and I am able to generate traces for all sessions, but all the trace files show this error:
PARSING IN CURSOR #4 len=68 dep=2 uid=5 oct=42 lid=5 tim=14297715680259 hv=753686485 ad='0'
ALTER SESSION SET EVENTS '10046 TRACE NAME CONTEXT FOREVER,LEVEL 12'
END OF STMT
PARSE #4:c=0,e=18,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=14297715680254
ERROR #2:err=1031 tim=2228813739
Skipped error 604 during the execution of SYSTEM.LOGON_ASPIRE
*** 2008-10-24 16:09:40.272
ksedmp: internal or fatal error
ORA-00604: error occurred at recursive SQL level 1
ORA-01031: insufficient privileges
ORA-06512: at line 192
See Note:376442.1 Recommended Method for Obtaining 10046 trace for Tuning; it seems the owner of the trigger must be SYS:
CREATE OR REPLACE TRIGGER SYS.LOGON_ASPIRE
AFTER LOGON
ON DATABASE
WHEN (USER = 'U_DATAHUB')
BEGIN
EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
execute immediate 'alter session set current_schema=DATAHUB';
END;
/
It worked for me...
/u01/app/oracle/admin/orcl/udump/orcl_ora_21932.trc
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
System name: Linux
Node name: caliope.localdomain
Release: 2.6.9-67.0.0.0.1.ELsmp
Version: #1 SMP Sun Nov 18 00:23:42 EST 2007
Machine: i686
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 15
Unix process pid: 21932, image: [email protected] (TNS V1-V3)
*** ACTION NAME:() 2008-09-10 06:52:45.598
*** MODULE NAME:([email protected] (TNS V1-V3)) 2008-09-10 06:52:45.598
*** SERVICE NAME:(SYS$USERS) 2008-09-10 06:52:45.598
*** SESSION ID:(159.3667) 2008-09-10 06:52:45.598
=====================
PARSING IN CURSOR #2 len=40 dep=2 uid=0 oct=42 lid=0 tim=1192429263279537 hv=4026204711 ad='0'
alter session set current_schema=DATAHUB
END OF STMT
PARSE #2:c=1000,e=123,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263279527
EXEC #2:c=0,e=48,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263280625
=====================
PARSING IN CURSOR #1 len=186 dep=1 uid=100 oct=47 lid=0 tim=1192429263281298 hv=2889369088 ad='4177de24'
BEGIN
EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
execute immediate 'alter session set current_schema=DATAHUB';
END;
END OF STMT
EXEC #1:c=2999,e=2971,p=0,cr=0,cu=0,mis=1,r=1,dep=1,og=4,tim=1192429263281290
WAIT #0: nam='SQL*Net message to client' ela= 7 driver id=1650815232 #bytes=1 p3=0 obj#=-1 tim=1192429263282196
Enrique
Edited by: Enrique Orbegozo on Oct 24, 2008 4:29 PM -
Restrict User Connections Using Logon Trigger
Hi all,
Now I am restricting user connections from selected terminals, using following logon trigger.
It lets users with the DBA privilege through.
How do I restrict DBA-privileged users?
Note: my application needs the DBA privilege.
CREATE OR REPLACE TRIGGER on_logon
AFTER LOGON
ON DATABASE
DECLARE
  VPROGRAM  VARCHAR2(30);
  Vusername VARCHAR2(30);
  VTERMINAL VARCHAR2(30);
  CURSOR user_prog IS
    SELECT UPPER(program), UPPER(username), NVL(TERMINAL,'X')
    FROM   v$session
    WHERE  audsid = sys_context('USERENV','SESSIONID');
BEGIN
  OPEN user_prog;
  FETCH user_prog INTO Vprogram, Vusername, VTERMINAL;
  CLOSE user_prog;  -- close before raising, so the cursor is not left open
  IF VTERMINAL NOT IN ('APP1','APP2','APP3')
  AND Vusername = 'ABUL'
  THEN
    RAISE_APPLICATION_ERROR(-20001, 'You are not allowed to login');
  END IF;
END;
/
Thanks in advance
Abk
Your application needs the DBA role? That is a terrible design; it violates every principle of secure coding.
Login triggers don't fire for users with the DBA role, so you won't be able to use a login trigger here. You could ditch the login trigger and configure invited and excluded nodes in the listener's sqlnet.ora file, i.e.
tcp.validnode_checking = yes
tcp.excluded_nodes = (hostname1,hostname2,hostname3)
You'll have to restart the listener after making that change.
Justin -
Logon trigger setting nls_date_format over ridden by sql developer?
Problem: Developers are inserting a date record into a varchar field. I can't change this process right now. Non-date info is stored here also. It would require a code change.
To simplify this, I wanted to get all the developers to insert using the same 'nls_date_format'. I had hoped to be able to centralize this by having Oracle set it in the database. I tried this by setting the database nls_date_format and with a logon trigger.
See the test below. It seems to be overridden.
The test case is with SQL Developer. I noticed the same thing when developers use WebSphere. I think we reduce the chance of errors if I can handle this in the database. However, my nls_date_format settings are getting overridden.
1. Set database parameter nls_date_format to YYYY-MM-DD HH24:MI:SS; this gets overridden by SQL Developer/WebSphere.
2. Created a trigger with an 'alter session', but this seems to get overridden also.
Please see test case below:
Oracle 11.2.0.3
Test login: SQL*Plus locally on the Unix server, then log in using SQL Developer, which is installed on my laptop.
SQL Developer NLS_DATE_FORMAT : YYYY-MON-DD HH24:MI:SS , This is different for test purposes
I have auditing turned turned on to db,extended with 'audit all by 'user' by access;' for test purposes to get more info.
create table test (username varchar2(30),sid number,mytest varchar2(300),insert_date date);
create or replace
TRIGGER LOGINTRG
AFTER LOGON ON DATABASE
BEGIN
insert into test select user, sys_context('USERENV','SID') ,value,sysdate from v$parameter where name = 'nls_date_format';
EXECUTE IMMEDIATE 'ALTER SESSION SET NLS_DATE_FORMAT=''YYYY-MM-DD HH24:MI:SS''';
insert into test select user, sys_context('USERENV','SID') ,value,sysdate from v$parameter where name = 'nls_date_format';
commit;
END LOGINTRG;
/
Results/Questions
1. When I select from 'test', I confirm that my NLS_DATE_FORMAT is the same both before and after the alter session.
2. select value from v$parameter where name = 'nls_date_format'
output: YYYY-MON-DD HH24:MI:SS (so sql developer is over riding this);
3. select * from dba_audit_trail where username = 'MYUSER' order by timestamp desc;
The SQLs from the logon trigger are not captured. how do I capture logon trigger sqls? Not a huge deal, just curious
4. I do not see any alter sessions issued by my user. shouldn't audit all by access capture that? how could my session nls_date_format change without an alter session?
Edited by: Guess2 on Apr 22, 2013 10:44 AM
>
Problem: Developers are inserting a Date record into a varchar field.
>
No - they aren't. That is physically impossible. The only thing that can be stored in a 'varchar field' is a string. Oracle considers ANYTHING stored in a character column to be a string.
Date values are stored in DATE columns. Perhaps you meant that developers are converting DATE values to strings and then storing the string in a 'varchar field'?
>
I can't change this process right now. Non-Date info is stored here also.
>
WONDERFUL! Why use a column to stored just one type of data? That is extremely wasteful. Hopefully you store strings that represent numbers in that same column also? It makes the data model so much easier to understand if developers only need to learn one datatype.
>
Would require a code change.
>
The horror!
You should never, ever, EVER use a code change to fix a problem if there is even the slightest possibility that you can change the ENTIRE DATABASE instead.
I've got good news though. You are now on version Oracle 11.2.0.3 and Oracle, after months of protests by some of their largest clients, has finally dropped the exhorbitant license fees for using some of the more esoteric datatypes like DATE and NUMBER.
You should suggest to your manager that they use some of the license fee money saved to hire developers that already know how to design proper data models and use those new-fangled datatypes.
Trust me - once you've made it up that steep learning curve your code will have fewer of those pesky 'dirty data' issues to deal with.
Sure - it means less job security for your current developers. But sometimes you just have to 'take one for the team'! -
The logon trigger written by me is not returning either program or module from the V$SESSION table. Here is my trigger:
create or replace trigger PROGME
after logon on database
declare
  v_SCHEMANAME varchar2(30);
  v_PROGRAM    varchar2(64);  -- referenced in the handler below, so it must be declared
  t_program    varchar2(64);
begin
  v_SCHEMANAME := SYS_CONTEXT('USERENV','SESSION_USER');
  logon_proc;  -- poster's own procedure, assumed to exist in the same schema
  select MODULE
  into   t_program
  from   v$session
  where  username = sys_context('userenv','session_user')
  and    audsid   = sys_context('userenv','sessionid');
  -- debug line: left in unconditionally it would reject every logon
  -- RAISE_APPLICATION_ERROR (-20000, SQLERRM || T_PROGRAM);
  IF v_SCHEMANAME = 'REPADMIN' AND upper(t_PROGRAM) like '%TO%' THEN
    RAISE_APPLICATION_ERROR (-20000, SQLERRM || T_PROGRAM);
  END IF;
exception
  when others then
    RAISE_APPLICATION_ERROR (-20000, SQLERRM || v_PROGRAM);
end PROGME;
/
Thanks in advance
Raghu
Even tried rewriting it like this:
create or replace trigger PROGME
after logon on database
declare
  v_SCHEMANAME varchar2(30);
  v_USERNAME   varchar2(30);
  v_PROGRAM    varchar2(30);
  v_SESSION    NUMBER;
  v_SERIALNO   NUMBER;
  V_ssql       varchar2(100);
  v_count      number;
  t_program    varchar2(64);
begin
  -- v_SCHEMANAME was never assigned, so the IF below could never match
  v_SCHEMANAME := SYS_CONTEXT('USERENV','SESSION_USER');
  select program
  into   t_program
  from   v$session
  where  username = sys_context('userenv','session_user')
  and    audsid   = sys_context('userenv','sessionid');
  -- debug line: left in unconditionally it would reject every logon
  -- RAISE_APPLICATION_ERROR (-20000, SQLERRM || T_PROGRAM);
  IF v_SCHEMANAME = 'REPADMIN' AND upper(t_PROGRAM) like '%TOAD%' THEN
    RAISE_APPLICATION_ERROR (-20000, SQLERRM || T_PROGRAM);
  END IF;
exception
  when others then
    RAISE_APPLICATION_ERROR (-20000, SQLERRM || v_PROGRAM);
end PROGME;  -- the END label must match the trigger name
/
Logon trigger - restrict acces using Toad, SQLPLUS...
Oracle 10.2.0.4
I have users who use oracle form - ifweb90.exe.
I want to prevent them from accessing the database using SQL Developer, TOAD or any other tool. I created this logon trigger:
CREATE OR REPLACE TRIGGER block_users
AFTER LOGON ON DATABASE
begin
FOR REC IN (SELECT USERNAME,PROGRAM
FROM V$SESSION
WHERE AUDSID = USERENV('SESSIONID'))
LOOP
if rec.username like ('X%')
and
rec.program not like ('ifweb90.exe')
then
RAISE_APPLICATION_ERROR(-20001,'ERROR MESSAGE');
end if;
end loop;
END;
This solution doesn't work if the program executable is renamed (this can't be done with SQL Developer).
1. Is there any way to solve this?
2. Will this trigger use resources? Will it check every connection? What is the cost in terms of performance?
Thanks in advance!
Edited by: user9106065 on Nov 9, 2010 3:17 AM
> This solution doesn't work if the program executable is renamed (this can't be done with SQL Developer).
> 1. Is there any way to solve this?
A better alternative would be to change your own program to set the client application info and check for that in the logon trigger. Anything else can then be thrown off.
> 2. Will this trigger use resources? Will it check every connection? What is the cost in terms of performance?
There would be negligible usage of resources.
But this trigger won't stop any connections from any tool which come in as SYSDBA.