Tuesday, June 27, 2017

Summary of Austrian Oracle User Group (AOUG) 2017 conference

Last week (on June 20th) I presented a session about the Oracle Database Locking Mechanism at the Austrian Oracle User Group (AOUG) conference.
This event took place in beautiful Vienna and was my first attending this event.
It's a small, one-day event . There were 180 attendees - small, but still very fun well-organized.
I particularly enjoyed the keynote of Maria Colgan & Gerald Venzl (both Product Managers for Oracle) about Oracle Database 12c and DevOps - it was a very amusing show in which Maria played the role of the DBA and Gerald played the role of the developer and together they showed how they can work together happily by leveraging Oracle Database 12c features and technologies.
Another session that I particularly enjoyed was presented by Maris Elsins about Mining the AWR and how to find alternative Methods for Identification of the Top SQLs in order to address various performance issues.

You can find in event page links to my presentation as well as other presentations from this event.
I'd like to thank everyone who attended my session, and I hope to see you again next year.



Monday, May 29, 2017

SYSBACKUP and SYSDG permissions in Oracle 12c

Introduction

In many companies there is a clear separation of duties for various Oracle Database related tasks such as administering ASM and backing up/restoring Oracle databases.
In the past, DBAs used SYSDBA permission for administering ASM and RMAN. As you probably know, SYSDBA is the most powerful permission in Oracle Database which even allows viewing all the application data.

Oracle realized that they need to address the separation of duties requirement of many customers and therefore they have provided in Oracle 11g a dedicated permission for administering ASM - I've written a dedicated blog post in the past for this matter. The SYSASM permission cannot access application data, but it can perform various ASM related management tasks (such as altering diskgroup, adding disks, etc.)

What about RMAN?

Until Oracle Database version 12cR1, there wasn't a good solution from a separation of duties when it comes to RMAN backups as users had to use SYSDBA which also allows them to access any application data (as well as other strong permissions).
In Oracle 12cR1, Oracle introduced the SYSBACKUP permission which allows a user to perform backup and recovery operations either from Oracle Recovery Manager (RMAN) or SQL*Plus.
You can view here the full list of operations allowed by this administrative privilege

And what about Data Guard?

Very similar to RMAN, Oracle also introduced in version 12cR1 a dedicated privilege named SYSDG which can be used with the Data Guard Broker and the DGMGRL command-line interface. 


Demo

First, we can connect to a 12c instance and look for those accounts. Next step would be to connect / AS SYSBACKUP since I'm logged with a user that has OS permissions to connect without any username and password

SQL> SELECT username, account_status
  FROM dba_users
 WHERE username LIKE '%SYS%';

USERNAME   ACCOUNT_STATUS
---------- --------------------------------
SYS        OPEN
SYSTEM     OPEN
SYS$UMF    EXPIRED & LOCKED
APPQOSSYS  EXPIRED & LOCKED
GGSYS      EXPIRED & LOCKED
WMSYS      EXPIRED & LOCKED
SYSBACKUP  EXPIRED & LOCKED
SYSRAC     EXPIRED & LOCKED
AUDSYS     EXPIRED & LOCKED
SYSKM      EXPIRED & LOCKED
SYSDG      EXPIRED & LOCKED

SQL> connect / as sysbackup
Connected.
SQL> show user
USER is "SYSBACKUP"

I can also create a new user and grant him the SYSBACKUP or SYSDG permissions
SQL> connect / as sysdba
Connected.

SQL> create user C##PINI identified by PINI;
User created.

SQL> grant SYSBACKUP to C##PINI;
Grant succeeded.

SQL> select username,SYSBACKUP, SYSDG from V$PWFILE_USERS;

USERNAME   SYSBA SYSDG
---------- ----- -----
SYS        FALSE FALSE
SYSDG      FALSE TRUE
SYSBACKUP  TRUE  FALSE
SYSKM      FALSE FALSE
C##PINI    TRUE  FALSE
Note that in order to connect to the database as either SYSDG or SYSBACKUP using a password, there must be a password file for it because it is possible to connect even when the database is not up and running, as follows
SQL> connect / as sysdba
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup mount
ORACLE instance started.

Total System Global Area 1644167168 bytes
Fixed Size                  8793400 bytes
Variable Size             989856456 bytes
Database Buffers          637534208 bytes
Redo Buffers                7983104 bytes
Database mounted.
SQL> connect c##pini/pini
ERROR:
ORA-01033: ORACLE initialization or shutdown in progress
Process ID: 0
Session ID: 0 Serial number: 0
Warning: You are no longer connected to ORACLE.

SQL> connect c##pini/pini as SYSBACKUP;
Connected.

Summary

In this post we've reviewed the SYSDG and SYSBACKUP users and permissions in Oracle 12c which could be useful in case that in your company there is a requirement to have a separation of duties for backup/recovery as well as for Data Guard related administration tasks. I hope you find it useful for you.

Sunday, April 9, 2017

OracleDBPro - One of the Top 60 Database Blogs on the web!

Last week I've received a very kind notification from Anuj Agarwal, the Founder of Feedspot, that this blog has been selected by their panelist as one of the Top 60 Database Blogs on the web as well as one of the Top 60 Oracle Blogs on the web.
I'd like to thank you all for following this blog and for finding the information here to be interesting and useful for your job as DBAs.

Thank you Anuj Agarwal and Feedspot for this nice recognition.




Wednesday, March 29, 2017

Changes in AWR behavior in versions 12cR1 and 12cR2

Introduction

AWR reports are available as part of the Diagnostics pack (extra cost option to the Enterprise Edition). AWR reports are commonly used by Oracle DBAs and they can be extremely useful when diagnosing performance issues. In this short article I will show the differences between AWR in version 12c Release 1 (12.1) and 12c Release 2 (12.2)


12c Release 1 (12.1) with Multitenant

In Oracle 12c Release 1, Oracle introduced the Multitenant architecture (I've posted a separate article to cover the great benefits of Oracle Multitenant. Read more here). However, the main challenge with Oracle 12cR1 is that AWR data is stored at the CDB$ROOT container level. This has several implications:
  • AWR reports are available only at CDB level - it is not possible to run AWR for a specific pluggable database.
  • AWR management operations (e.g. snapshots schedule, data retention, taking manual snapshots, purging snapshots) could be done only at CDB level.
  • Unplugged PDB does not contain AWR information, so when unplugging a PDB and plugging it into a different CDB all the AWR data will be lost.
Having said that, it's important to mention that even that it is only possible to generate AWR reports at CDB level, Oracle added column "PDB Name" to the tables in the AWR so it allows us to understand to which PDB the information is associated with. Here is an example:



12c Release 2 (12.2) with Multitenant

Good new is that in Oracle 12c Release 2, Oracle added AWR at PDB-Level meaning that AWR information will also be stored in each PDB (under SYSAUX tablespace). This has several implications:
  • AWR reports are available at both CDB and PDB level
  • AWR management operations (e.g. snapshots schedule, data retention, taking manual snapshots, purging snapshots) can be done at both CDB and PDB level
  • Unplugged PDB does contain AWR information, so when unplugging a PDB and plugging it into a different CDB all the AWR data will be available.
Let's see an example of how it looks like when running AWR report in 12c Release 2:


As you can see, Oracle enables us to choose whether we would like to run a CDB-level AWR report by specifying "AWR_ROOT" which is the default, or running a PDB-level AWR report by specifying "AWR_PDB". If you choose PDB-level AWR, Oracle will generate a report that displays performance data only for a particular PDB, as follows:


Pro Tip

In Oracle 12c Release 2, Oracle will automatically create AWR snapshots only at CDB-level by default. If you would like to change this default behavior and enable automatic AWR snapshots for PDBs, you would need to alter the new AWR_PDB_AUTOFLUSH_ENABLED parameter which can be set at either CDB level or PDB level.

Tuesday, February 28, 2017

My Upcoming Speaker Events for H1 2017

I'm very excited to share with you that I've been accepted to speak at 2 Oracle events that will take place in the first half of 2017: The OUGN and IOUG Collaborate.

OUGN 17

This year the Oracle User Group Norway event will take place from 8 - 11 February in Norway.
The title of my presentation is "Winning Performance Challenges in Oracle Multitenant Architecture". In this session we will cover how to effectively monitor and diagnose performance issues in Oracle Multitenant environments and if needed implement resource management plans to ensure high QoS (Quality of Service) for the pluggable databases. 
Here is a link to my session: https://guidebook.com/guide/85471/event/15235506/

IOUG Collaborate 17

This year the IOUG Collaborate event will take place from 2- 6 April in Las Vegas.
The title of my presentation is "Database Consolidation Using the Oracle Multitenant Architecture". In this session we will explore the new Oracle Multitenant architecture as well as some tools and best practices that will help you consolidate your databases and ensure a high SLA for each pluggable database. I've already presented this session at the IOUG COLLABORATE 16 and OOW 16 so I'm very happy to present this interesting topic again at the IOUG Collaborate 17. 
Here is a link to my session: https://app.attendcollaborate.com/event/member/318780

Hope to see you there!