RE: Grid owner cannot start the database?

From: Matthew Parker <dimensional.dba_at_comcast.net>
Date: Sat, 2 Sep 2017 12:50:06 -0700
Message-ID: <03ee01d32424$adc49300$094db900$_at_comcast.net>



The separation of duties goes both ways. It is not new to 12cR2.

You have control of the configuration and of what groups are associated with each user (oracle/grid) that would allow it.

Matthew Parker

Chief Technologist

Dimensional DBA

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7  Dimensional.dba_at_comcast.net

View Matthew Parker's profile on LinkedIn: http://www.linkedin.com/pub/matthew-parker/6/51b/944/

www.dimensionaldba.com

From: Mladen Gogala [mailto:gogala.mladen_at_gmail.com]
Sent: Saturday, September 2, 2017 12:35 PM
To: Matthew Parker <dimensional.dba_at_comcast.net>; 'oracle-l' <oracle-l_at_freelists.org>
Subject: Re: Grid owner cannot start the database?

I understand that; that is why I haven't asked whether this is a bug or not. I was under the impression that the separation of duties serves to prevent the DBA personnel from messing up the storage configuration on the system. In other words, I assumed that "grid" can do everything that "oracle" can do, while the reverse is not the case. In any case, my question was whether this behaviour is new with 12cR2 or whether this was the case with the previous releases as well.

Another problem with RAC is TNS names resolution. The default TNS_ADMIN is $ORACLE_HOME/network/admin, while the listener is on $GRID_HOME/network/admin. If I want to maintain both the listener and tnsnames.ora in the same location, for reasons of practicality, I have to set TNS_ADMIN for the database:

[oracle_at_rac1 ~]$ srvctl getenv database -d rac12
rac12:
TNS_ADMIN=/app/grid/12.2.0/network/admin
[oracle_at_rac1 ~]$

That means that the user "grid" has control over the TNS configuration of the database. It is strange that user grid, with all that power, cannot start and stop database instances.

On 09/02/2017 03:11 PM, Matthew Parker wrote:

Standard separation of duties, which was the purpose of having a grid and an oracle user.    

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mladen Gogala
Sent: Saturday, September 2, 2017 11:39 AM
To: oracle-l <oracle-l_at_freelists.org>
Subject: Grid owner cannot start the database?

Hi!

I was playing with my brand new 12.2 RAC and I tried starting it from the user "grid":

[grid_at_rac2 ~]$ srvctl start db -d rac12
PRCR-1079 : Failed to start resource ora.rac12.db
CRS-2527: Unable to start 'ora.rac12.db' because it has a 'hard' dependency on 'ora.acfs.acfs.acfs'
CRS-0245: User doesn't have enough privilege to perform the operation

Apparently, the GI owner doesn't have enough privileges for this operation. When I log in as "oracle", I have no problems whatsoever:

mgogala_at_umajor:~/mp3$ ssh oracle_at_rac1
Last login: Thu Aug 31 21:15:06 2017
[oracle_at_rac1 ~]$ srvctl start db -d rac12
[oracle_at_rac1 ~]$ srvctl status db -d rac12
Instance rac121 is running on node rac1
Instance rac122 is running on node rac2
[oracle_at_rac1 ~]$
[oracle_at_rac1 ~]$ sqlplus scott/tiger_at_scan12/orclpdb.home.com

SQL*Plus: Release 12.2.0.1.0 Production on Sat Sep 2 14:33:51 2017

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Last Successful login time: Sat Sep 02 2017 14:33:30 -04:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL>

This looks a bit counter-intuitive. Why would the user grid not be allowed to start the databases? This is the only RAC configuration I have, so I can't check releases 11g and 12cR1. Does the same thing happen there, or is it specific to the new release?

Regards  

-- 
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217

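The separation of duties discussed in this thread rests on which OS role groups each software owner belongs to. As an added example (not from the thread or from Oracle), the following POSIX shell audit reads `id` output for the two owners and reports which role groups each holds and where one owner holds a group meant for the other; the sample `id` lines and the group names dba/oper/asmadmin/asmoper/asmdba are constructed assumptions to be adjusted to the site's configuration.

```shell
#!/bin/sh
# Added example, not part of the thread: audit how the two Oracle software owners
# are split across OS role groups, the basis of the grid/oracle separation of duties.
# Constructed sample `id` output (assumption; replace with `id oracle` and `id grid`).
ORACLE_ID='uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54327(asmdba)'
GRID_ID='uid=54331(grid) gid=54321(oinstall) groups=54321(oinstall),54327(asmdba),54328(asmoper),54329(asmadmin)'
# Role group names as commonly used in a role-separated install (assumed defaults).
DB_ROLE_GROUPS='dba oper'          # OSDBA / OSOPER of the database home
ASM_ROLE_GROUPS='asmadmin asmoper' # OSASM / OSOPER for ASM in the grid home

# groups_of "<id output>": print the user's group names, space separated.
groups_of() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/' | tr '\n' ' '
}

# has_group "<id output>" <group>: succeed if the user belongs to <group>.
has_group() {
    case " $(groups_of "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# role_matrix "<id output>": one "group:yes|no" token per role group, plus asmdba.
role_matrix() {
    for g in $DB_ROLE_GROUPS $ASM_ROLE_GROUPS asmdba; do
        if has_group "$1" "$g"; then printf '%s:yes ' "$g"; else printf '%s:no ' "$g"; fi
    done
    printf '\n'
}

# cross_role_violations "<oracle id>" "<grid id>": report each case where one owner
# holds a role group meant for the other; the exit status is the number found.
cross_role_violations() {
    n=0
    for g in $ASM_ROLE_GROUPS; do
        has_group "$1" "$g" && { echo "oracle holds ASM role group $g"; n=$((n+1)); }
    done
    for g in $DB_ROLE_GROUPS; do
        has_group "$2" "$g" && { echo "grid holds database role group $g"; n=$((n+1)); }
    done
    return "$n"
}

echo "oracle: $(role_matrix "$ORACLE_ID")"
echo "grid:   $(role_matrix "$GRID_ID")"
cross_role_violations "$ORACLE_ID" "$GRID_ID" && echo "no cross-role group membership"
```

Run it on each RAC node with the real `id oracle` and `id grid` output substituted; a non-zero count from cross_role_violations means the configured group membership no longer matches the role separation the install was meant to enforce.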


--
http://www.freelists.org/webpage/oracle-l
Received on Sat Sep 02 2017 - 21:50:06 CEST
