Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,390 --> 00:00:03,640 In this lesson, we'll be talking about the password 2 00:00:03,640 --> 00:00:07,270 file and administrative privileges in Oracle. 3 00:00:07,270 --> 00:00:11,050 So in order to do the operations that a DBA must do, 4 00:00:11,050 --> 00:00:12,880 it's often necessary that you connect 5 00:00:12,880 --> 00:00:16,150 with the highest administrative privileges possible. 6 00:00:16,150 --> 00:00:18,100 So there's two types of ways that we 7 00:00:18,100 --> 00:00:21,040 could make an administrative connection to an Oracle 8 00:00:21,040 --> 00:00:21,820 database. 9 00:00:21,820 --> 00:00:26,200 One is locally-- that is to say, actually on the server itself-- 10 00:00:26,200 --> 00:00:27,160 or remote. 11 00:00:27,160 --> 00:00:30,700 So you would be connecting in with a remote tool of some sort 12 00:00:30,700 --> 00:00:33,340 in order to administer the database. 13 00:00:33,340 --> 00:00:36,250 Now, not every action that a DBA takes 14 00:00:36,250 --> 00:00:38,320 requires administrative privileges. 15 00:00:38,320 --> 00:00:41,560 Normally, we think of things like shutdown and startup, 16 00:00:41,560 --> 00:00:44,890 the creation of a new database, backup and recovery, 17 00:00:44,890 --> 00:00:47,500 those types of operations, as requiring 18 00:00:47,500 --> 00:00:49,360 administrative privileges. 19 00:00:49,360 --> 00:00:52,390 The thing that either a local or a remote connection 20 00:00:52,390 --> 00:00:57,130 will require is that the user have the SYSDBA privilege. 21 00:00:57,130 --> 00:00:59,080 And that's the highest role that we 22 00:00:59,080 --> 00:01:03,890 can give to an administrator in the database. 23 00:01:03,890 --> 00:01:07,490 So local connections are made using the SYSDBA role. 24 00:01:07,490 --> 00:01:09,530 And that might be something like, 25 00:01:09,530 --> 00:01:11,150 if we're using a Linux database, we 26 00:01:11,150 --> 00:01:14,720 might use Secure Shell to connect to the server itself. 27 00:01:14,720 --> 00:01:17,210 And then we're actually on the server. 28 00:01:17,210 --> 00:01:20,120 And we connect using the SYSDBA role. 29 00:01:20,120 --> 00:01:23,510 And even though that is a connection from a remote place, 30 00:01:23,510 --> 00:01:25,430 or can be, that we don't actually 31 00:01:25,430 --> 00:01:28,890 have to be using the keyboard at the server itself, 32 00:01:28,890 --> 00:01:31,370 we call that a local connection because you're 33 00:01:31,370 --> 00:01:33,830 using SSA, Telnet, or, in Windows, 34 00:01:33,830 --> 00:01:37,370 you might use Remote Desktop connection to being virtually 35 00:01:37,370 --> 00:01:38,880 on the machine. 36 00:01:38,880 --> 00:01:40,950 And so we call those a local connection. 37 00:01:40,950 --> 00:01:43,970 And those are made using the SYSDBA role. 38 00:01:43,970 --> 00:01:48,010 Remote connections, however, require a password file. 39 00:01:48,010 --> 00:01:49,990 A password file is going to be an encrypted 40 00:01:49,990 --> 00:01:53,080 file out on the operating system actually in the Oracle home 41 00:01:53,080 --> 00:01:56,890 directory that will store information about users that 42 00:01:56,890 --> 00:02:00,010 can connect with remote administrative privileges 43 00:02:00,010 --> 00:02:02,000 and the password that they have. 44 00:02:02,000 --> 00:02:04,330 And so we use a tool, a command line tool, 45 00:02:04,330 --> 00:02:08,560 called orapwd to create a password file. 46 00:02:08,560 --> 00:02:11,530 The password file will be located in the Oracle 47 00:02:11,530 --> 00:02:14,710 $ORACLE_HOME/dbs on Linux. 48 00:02:14,710 --> 00:02:19,270 And the name of the file will be orapwd and then the SID. 49 00:02:19,270 --> 00:02:22,930 On Windows, it will be in the Oracle home directory 50 00:02:22,930 --> 00:02:26,630 under the database directory with a slightly different name. 51 00:02:26,630 --> 00:02:29,950 So even though we can't open the password file and look at it, 52 00:02:29,950 --> 00:02:37,000 we can see information about the users from the v$pwfile_users 53 00:02:37,000 --> 00:02:39,850 dynamic data dictionary view. 54 00:02:39,850 --> 00:02:42,190 So let's take a look here at making 55 00:02:42,190 --> 00:02:44,750 a local administrative connection. 56 00:02:44,750 --> 00:02:46,750 So when we do this, we're going to use something 57 00:02:46,750 --> 00:02:48,260 like the sqlplus user. 58 00:02:48,260 --> 00:02:51,690 And we'll do sqlplus slash as sysdba. 59 00:02:51,690 --> 00:02:54,610 We're connected to the database with the system, highest system 60 00:02:54,610 --> 00:02:55,490 privileges. 61 00:02:55,490 --> 00:02:57,610 And we're able to work on the database from there-- 62 00:02:57,610 --> 00:03:00,800 startups, shutdowns, those types of things. 63 00:03:00,800 --> 00:03:02,220 But let's look at this again. 64 00:03:02,220 --> 00:03:05,060 So what are we actually logging in as whenever 65 00:03:05,060 --> 00:03:08,510 we use sqlplus slash as sysdba? 66 00:03:08,510 --> 00:03:11,360 Well, another way that we can make a connection with SQL Plus 67 00:03:11,360 --> 00:03:14,570 would be username/password. 68 00:03:14,570 --> 00:03:18,020 So it's username slash password. 69 00:03:18,020 --> 00:03:20,860 And if we put in the incorrect password, 70 00:03:20,860 --> 00:03:24,480 we get an invalid username/password. 71 00:03:24,480 --> 00:03:27,510 So what are we doing when we do this, 72 00:03:27,510 --> 00:03:31,710 because we haven't logged in with any given particular user? 73 00:03:31,710 --> 00:03:34,050 What we're actually doing is something called operating 74 00:03:34,050 --> 00:03:35,940 system authentication. 75 00:03:35,940 --> 00:03:38,130 So operating system authentication 76 00:03:38,130 --> 00:03:42,400 is not authenticating our user with a username and password. 77 00:03:42,400 --> 00:03:45,510 So it's basically like a blank username and a blank password 78 00:03:45,510 --> 00:03:47,860 separated by a slash. 79 00:03:47,860 --> 00:03:49,960 What we're actually doing is authenticating 80 00:03:49,960 --> 00:03:53,560 to the user or group on the operating system. 81 00:03:53,560 --> 00:03:56,260 So on-- the best example, probably, is in Linux, 82 00:03:56,260 --> 00:03:59,830 where the user that you're logged into on the system, not 83 00:03:59,830 --> 00:04:02,920 the database, but the system, server itself, 84 00:04:02,920 --> 00:04:05,500 belongs to a group called DBA. 85 00:04:05,500 --> 00:04:08,080 And if you belong to that group, than you 86 00:04:08,080 --> 00:04:11,200 are able to connect as SYSDBA. 87 00:04:11,200 --> 00:04:14,020 So if we connect sqlplus slash as sysdba, 88 00:04:14,020 --> 00:04:16,830 let's do a select user from dual. 89 00:04:16,830 --> 00:04:21,660 And that tells us that we're logged in using the SYS user. 90 00:04:21,660 --> 00:04:25,690 So what if we were to log in as SYS? 91 00:04:25,690 --> 00:04:27,040 Well, that's legitimate as well. 92 00:04:27,040 --> 00:04:29,910 We could do it that way. 93 00:04:29,910 --> 00:04:33,350 However, just to give an example of how this works, 94 00:04:33,350 --> 00:04:36,360 let's put a wrong password in there. 95 00:04:36,360 --> 00:04:37,670 And it connects. 96 00:04:37,670 --> 00:04:39,210 So SYS does have a password. 97 00:04:39,210 --> 00:04:41,550 And that would be necessary for a remote connection. 98 00:04:41,550 --> 00:04:44,580 But since we're using operating system authentication, 99 00:04:44,580 --> 00:04:48,700 then the username and password are essentially ignored. 100 00:04:48,700 --> 00:04:52,070 So let's talk about remote authentication. 101 00:04:52,070 --> 00:04:55,920 So here we are in the Oracle home directory. 102 00:04:55,920 --> 00:04:57,200 So what we said on Windows-- 103 00:04:57,200 --> 00:05:01,130 that the password file necessary for a remote connection 104 00:05:01,130 --> 00:05:05,210 would be in the Oracle home directory in the database 105 00:05:05,210 --> 00:05:06,480 directory-- 106 00:05:06,480 --> 00:05:09,220 we can see PWDorcl.ora. 107 00:05:09,220 --> 00:05:12,360 And that's the password file. 108 00:05:12,360 --> 00:05:16,860 If we want to look at the users that are granted the ability 109 00:05:16,860 --> 00:05:24,520 to be a SYSDBA, we would look from v$pwfile_users. 110 00:05:24,520 --> 00:05:28,360 And so at this point, we see the user SYS, as we might expect, 111 00:05:28,360 --> 00:05:30,820 and then a couple of other SYS-related ones 112 00:05:30,820 --> 00:05:33,730 that are fairly new in 12c. 113 00:05:33,730 --> 00:05:36,360 But we don't see any other users. 114 00:05:36,360 --> 00:05:41,950 So what if I was to do grant sysdba to scott 115 00:05:41,950 --> 00:05:45,270 and now select from it again? 116 00:05:45,270 --> 00:05:47,720 And now we can see that the SCOTT user can connect 117 00:05:47,720 --> 00:05:50,000 in remotely as a SYSDBA. 118 00:05:50,000 --> 00:05:53,660 And that validation would occur when his information 119 00:05:53,660 --> 00:05:56,780 is in the password file and is read from that 120 00:05:56,780 --> 00:05:59,210 and validates him as a SYSDBA that 121 00:05:59,210 --> 00:06:01,780 can connect to the database. 9868