1 Profiles
create profile <profile_name> limit
    <parameter_1> <value_1>
    <parameter_2> <value_2>
    ...;
The resource limits in a profile are enforced only when the initialization parameter resource_limit is set; the password-management limits do not depend on this parameter.
2 Password management
2.1 failed_login_attempts
failed_login_attempts specifies the maximum number of login attempts allowed before the account is locked.
SQL> select * from dba_profiles where profile='DEFAULT' and resource_name='FAILED_LOGIN_ATTEMPTS';
PROFILE RESOURCE_NAME RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10
// Change the limit to unlimited
SQL> alter profile default limit failed_login_attempts unlimited;
Profile altered.
// Limit it to 3 attempts
SQL> alter profile default limit failed_login_attempts 3;
Profile altered.
SQL> select * from dba_profiles where profile='DEFAULT' and resource_name='FAILED_LOGIN_ATTEMPTS';
PROFILE RESOURCE_NAME RESOURCE LIMIT
---------- -------------------------------- -------- ----------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3
// After 3 wrong passwords, the next login attempt reports that the account is locked.
[oracle@cent4 ~]$ sqlplus hr/hr
SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 6月 6 16:00:26 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28000: the account is locked
SQL> select a.username, a.account_status, a.lock_date from dba_users a where a.username = 'HR';
USERNAME ACCOUNT_STATUS LOCK_DATE
---------- -------------------------------- -------------------
HR LOCKED(TIMED) 2011-06-06 16:00:23
// Unlock the account
SQL> alter user hr account unlock;
User altered.
SQL> select a.username, a.account_status, a.lock_date from dba_users a where a.username = 'HR';
USERNAME ACCOUNT_STATUS LOCK_DATE
---------- -------------------------------- -------------------
HR OPEN
2.2 password_lock_time
password_lock_time specifies the number of days an account stays locked; 1/24/60 corresponds to one minute. Note that after that minute the account is unlocked automatically only when a login with the correct password is made. If the parameter is UNLIMITED, or the account has to be unlocked immediately, the DBA must unlock it manually.
SQL> select a.username, a.account_status, a.lock_date from dba_users a where a.username = 'HR';
USERNAME ACCOUNT_STATUS LOCK_DATE
---------- -------------------------------- -------------------
HR LOCKED(TIMED) 2011-06-06 16:13:07
SQL> alter profile default limit password_lock_time 1/24/60;
Profile altered.
SQL> conn hr/hr
Connected.
SQL> conn sys/sys as sysdba
Connected.
SQL> select a.username, a.account_status, a.lock_date from dba_users a where a.username = 'HR';
USERNAME ACCOUNT_STATUS LOCK_DATE
---------- -------------------------------- -------------------
HR OPEN
2.3 password_life_time and password_grace_time
password_life_time specifies, in days, how long the account's password is valid; an account that has reached this age is called an expiring account. When an expiring account logs in it is warned that the password will expire in N days, but it can still use that password; the maximum number of grace days is given by password_grace_time. If the password is not changed within the grace period, the account becomes an expired account. An expired account cannot log in to the database without changing its password.
{1}                   {2}      {3} expiring              {4} expired
----------------------------------------------------------------------
|<---- life_time ---->|        |<----- grace_time ----->|
{1} time the user was created or the profile was modified
{2} end of life_time
{3} the user's first login after the end of life_time. From then on the account is an expiring account: its status changes from OPEN to EXPIRED(GRACE), but the user can still log in.
{4} end of grace_time. From then on the account is an expired account: its status changes from EXPIRED(GRACE) to EXPIRED, and the user is required to set a new password at login. After the password is changed, the status changes from EXPIRED back to OPEN.
- Initial state
SQL> create user u1 identified by u1;
User created.
SQL> col username format a10;
SQL> col account_status format a15;
SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 OPEN
- After password_life_time is changed in the profile (or after a user is created while password_life_time is not unlimited), the user's EXPIRY_DATE column is populated.
SQL> set time on;
19:38:42 SQL> alter profile default limit password_grace_time 10 password_life_time 3;
Profile altered.
19:38:48 SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 OPEN 2011-06-10 19:38:42
Note: expiry_date = the time the alter profile statement was run (19:38:42) + password_life_time (3 days)
- After the system clock is moved past expiry_date, the user's status does not change; it is still OPEN.
[root@cent4 ~]# date '06111200'
六 6月 11 12:00:00 CST 2011
[oracle@cent4 ~]$ sqlplus / as sysdba
SQL> col username format a10;
SQL> col account_status format a15;
SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 OPEN 2011-06-10 19:38:42
- Once the system time is past expiry_date, the time of the user's first login is the start of password_grace_time.
[root@cent4 ~]# date '06201200'
一 6月 20 12:00:00 CST 2011
[oracle@cent4 ~]$ sqlplus u1/u1
SQL*Plus: Release 10.2.0.1.0 - Production on 星期一 6月 20 12:00:23 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 10 days
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
[oracle@cent4 ~]$ sqlplus / as sysdba
SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 EXPIRED(GRACE) 2011-06-30 12:00:23
Note: expiry_date is now = the time of the first sqlplus u1/u1 login after the previous expiry_date (6月 20 12:00:23 2011) + password_grace_time (10 days)
- Once the system time is past password_grace_time, the user is asked for a new password; at that point the status is EXPIRED, and after the new password is entered the status is OPEN.
[oracle@cent4 ~]$ sqlplus u1/u1
SQL*Plus: Release 10.2.0.1.0 - Production on 星期三 7月 6 12:03:56 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-28001: the password has expired
Changing password for u1
New password: **
Retype new password: **
Password changed
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
// Before the new password is entered
SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 EXPIRED 2011-06-30 12:00:23
12:02:07 SQL> host date
三 7月 6 12:02:16 CST 2011
// After the new password is entered
SQL> select username, account_status, lock_date, expiry_date from dba_users a where a.username = 'U1';
USERNAME ACCOUNT_STATUS LOCK_DATE EXPIRY_DATE
---------- --------------- ------------------- -------------------
U1 OPEN 2011-07-09 12:04:02
2.4 password_reuse_time and password_reuse_max
Once these two parameters are in use, Oracle stores each user's password history in the USER_HISTORY$ table owned by SYS.
SQL> alter profile default limit password_reuse_time 30 password_reuse_max 10;
Profile altered.
- First session
[oracle@cent4 ~]$ sqlplus / as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on 星期二 6月 7 11:40:46 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> alter user hr identified by hr1;
User altered.
SQL> alter user hr identified by hr2;
User altered.
- Second session
[oracle@cent4 ~]$ sqlplus / as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on 星期二 6月 7 12:06:40 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> alter user hr identified by hr1;
ORA-28007: the password cannot be reused
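The following DBA-side queries, added here as an example and not part of the original notes, check the account states produced by the limits in sections 2.1 to 2.4 (locked accounts, passwords close to expiry or in the grace period, and the password history kept for reuse checks). They assume a privileged session; the 7-day warning window is an arbitrary constructed threshold.

```sql
-- Added example (not from the page). Run as a DBA in SQL*Plus.
SET LINESIZE 120
COL username FORMAT a12
COL account_status FORMAT a16

-- 1. Accounts locked by failed_login_attempts (status LOCKED(TIMED)) or by a DBA
--    (status LOCKED), with the lock time recorded in dba_users.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date;

-- 2. Accounts whose password is within 7 days of expiring, or already in the
--    grace period: expiry_date is the end of life_time while the status is OPEN,
--    and the end of grace_time once the status is EXPIRED(GRACE).
SELECT u.username, u.account_status, u.expiry_date,
       ROUND(u.expiry_date - SYSDATE, 1) AS days_left,
       p.limit AS life_time_days
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_LIFE_TIME'
 WHERE u.account_status IN ('OPEN', 'EXPIRED(GRACE)')
   AND u.expiry_date < SYSDATE + 7
 ORDER BY u.expiry_date;

-- 3. Password history kept by password_reuse_time / password_reuse_max:
--    one row per retired password in the internal table SYS.USER_HISTORY$.
SELECT u.name AS username,
       COUNT(*) AS old_passwords,
       MAX(h.password_date) AS last_change
  FROM sys.user_history$ h
  JOIN sys.user$ u ON u.user# = h.user#
 GROUP BY u.name
 ORDER BY last_change DESC;
```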
2.5 password_verify_function
Using the system password verification function verify_function enforces the following password rules:
- the password must be at least 4 characters long
- the password must not be the same as the username
- the password must contain at least one letter, one digit and one special character ($, _, #, !, etc.)
To use verify_function, the script @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql must be run first.
SQL> alter user hr identified by hr40;
ORA-28003: password verification for the specified password failed
ORA-20003: Password should contain at least one digit, one character and one punctuation
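As an added example (not the page's code and not Oracle's utlpwdmg.sql), here is a custom verification function implementing the three rules listed above and the statement that attaches it to the profile. It must be created in the SYS schema; the name pwd_verify_demo and the ORA-2000x messages are assumed.

```sql
-- Added example (not from the page or from utlpwdmg.sql). Create as SYS.
CREATE OR REPLACE FUNCTION pwd_verify_demo (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
    -- Rule 1: at least 4 characters
    IF LENGTH(password) < 4 THEN
        raise_application_error(-20001, 'Password must be at least 4 characters');
    END IF;
    -- Rule 2: must not equal the username (compared case-insensitively)
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not be the same as the username');
    END IF;
    -- Rule 3: at least one letter, one digit and one punctuation character
    --         ([[:punct:]] covers $, _, #, ! and the other ASCII symbols)
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
        raise_application_error(-20003,
            'Password should contain at least one digit, one character and one punctuation');
    END IF;
    RETURN TRUE;
END pwd_verify_demo;
/

-- Attach it to the profile; Oracle calls it on every password change and reports
-- ORA-28003 together with the ORA-2000x message raised above when a rule fails.
ALTER PROFILE default LIMIT password_verify_function pwd_verify_demo;

-- Expected results for the HR user from the session above:
--   ALTER USER hr IDENTIFIED BY hr40;   -> rejected, no punctuation (ORA-28003 / ORA-20003)
--   ALTER USER hr IDENTIFIED BY hr;     -> rejected, too short (ORA-28003 / ORA-20001)
--   ALTER USER hr IDENTIFIED BY hr_40;  -> accepted
```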
3 Resource management
Parameter | Meaning
sessions_per_user | limits the number of concurrent sessions a user may have
cpu_per_session | CPU time limit for a session, in hundredths of a second
cpu_per_call | CPU time limit for one call (parse, execute or fetch), in hundredths of a second
connect_time | total elapsed connection time of a session, in minutes
idle_time | total time, in minutes, that a session may stay continuously inactive; beyond it the session is disconnected. Long-running queries and other operations are not subject to this limit
logical_reads_per_session | number of data blocks a session may read, counting both memory and disk reads
logical_reads_per_call | maximum number of data blocks that one SQL call (parse, execute or fetch) may read
private_sga | maximum space, in bytes, that a session may allocate in the shared pool (SGA). This limit applies only with the shared-server architecture; a session's private space in the SGA includes private SQL and PL/SQL but not shared SQL and PL/SQL
composite_limit | total resource consumption of a session, expressed in service units. Oracle computes the total service units as a weighted combination of cpu_per_session, connect_time, logical_reads_per_session and private_sga
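Putting the syntax from section 1 together with the password limits of section 2 and the resource limits in this table, the following added example (not from the original notes) creates one profile, enables enforcement of its resource part and assigns it to a user. The profile name app_user_prof and all limit values are constructed for illustration.

```sql
-- Added example (not from the page). Run as a DBA in SQL*Plus.
CREATE PROFILE app_user_prof LIMIT
    -- password management: enforced regardless of resource_limit
    failed_login_attempts     5
    password_lock_time        1/24        -- one hour, expressed in days
    password_life_time        90
    password_grace_time       7
    password_reuse_time       365
    password_reuse_max        10
    -- resource limits: enforced only while resource_limit = TRUE
    sessions_per_user         3
    cpu_per_call              3000        -- hundredths of a second, i.e. 30 s per call
    connect_time              480         -- minutes
    idle_time                 30          -- minutes
    logical_reads_per_call    100000      -- data blocks
    private_sga               1M;         -- shared server only

-- Resource limits take effect only after this; the parameter is dynamic,
-- so no instance restart is needed.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Assign the profile to an existing user
ALTER USER hr PROFILE app_user_prof;

-- Confirm what is in force; resource_type distinguishes KERNEL (resource)
-- from PASSWORD limits.
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROF'
 ORDER BY resource_type, resource_name;
```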