Oracle软件在安装维护过程中长要和操作用户组(OS user group)打交道,从早前的只有oracle用户和dba组发展到今天中的grid用户和asm组,Oracle管理的日新月异可见一斑。
oinstall用户组
oinstall
组是Oracle推荐创建的OS用户组之一,建议在系统第一次安装oracle软件产品之前创建该oinstall组,理论上该oinstall组应当拥有oracle软件产品目录(例如$CRS_HOME和$ORACLE_HOME)和oracle
Inventory信息目录仓库,oracle Inventory信息目录记录了系统上安装过的oracle产品的记录。
若系统中已有安装过oracle产品软件,则现有的oracle Inventory目录的所有组必须是今后用来安装新oracle软件产品的用户的主组(primary group)。
现有的oracle Inventory拥有者组可以通过/etc/oraInst.loc位置文件了解:
inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall
若/etc/oraInst.loc(少数平台不在该位置)位置文件不存在,那么建议创建oinstall用户组,注意在RAC环境中要保持各节点上用户组的gid一致:
# /usr/sbin/groupadd -g GID oinstall OSDBA用户组(dba) OSDBA是我们必须要创建的一种系统DBA用户组(dba),
若没有该用户组我们将无法安装数据库软件及执行管理数据库的任务。 OSOPER用户组(oper)
OSOPER是一种额外的用户组(oper),我们可以选择要不要创建该用户组,
创建该用户组可以满足让os用户行使某些数据库管理权限(包括SYSOPER角色权限)的目的。
注意SYSOPER的权限包括startup和shutdown,所以要小心为该用户组添加成员。
创建OSOPER用户组的方法:
# /usr/sbin/groupadd oper
综上所述在单机环境(single-instance)中oracle软件拥有者用户(常见的oracle或者orauser),
因该同时是oinstall、dba、oper用户组的成员。同时该用户的主用户组必须是oinstall。
Oracle Database 11g release 2中选择Privileged Operating System Groups
而在11.2的GI/CRS环境中数据库软件拥有者用户(oracle或orauser)还必须是asmdba用户组的成员。
usermod -g oinstall -G dba,oper,asmdba [oracle|orauser]
id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)
注意OSDBA和OSOPER用户组都受到$ORACLE_HOME/rdbms/lib/config.c 源文件的影响,
该文件定义了默认的 SS_DBA_GRP “dba” 和SS_OPER_GRP “oper”,该源文件内容如下:
/* Refer to the Installation and User's Guide for further information. */
/* IMPORTANT: this file needs to be in sync with
rdbms/src/server/osds/config.c, specifically regarding the
number of elements in the ss_dba_grp array.
*/
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};
11g release2中oracle建议独立地管理Grid Infrastructure和ASM实例,因此有必要创建更多的os用户组以满足不同的权限分配。
我们在11.2的GI中常用的ASM用户组有以下三个:
OSASM(asmadmin)用户组
如果使用ASM,那么我们必须创建osasm(asmadmin)用户组,该OSASM用户组的成员将被赋予SYSASM权限,
以满足组成员管理Oracle Clusterware和Oracle ASM的权限需求。
OSDBA for ASM group(asmdba)用户组
OSDBA(asmdba)用户组的成员将被赋予读写访问ASM文件的权限。
GI/CRS拥有者用户和所有oracle数据库软件的拥有者必须是该组的成员。
同时所有OSDBA(dba)用户组的成员也必须是asmdba组的成员。
OSOPER for ASM(asmoper)用户组
asmoper和osoper类似都是额外的可选择创建的用户组,创建该独立的用户组以满足赋予用户一套受限的ASM实例管理权限
(ASM的SYSOPER角色), 该权限包括了启动和停止ASM实例,默认情况下OSASM(asmadmin)组成员将拥有所有SYSOPER的ASM管理权限。
在11.2的GI/CRS环境中一般会创建grid或griduser用户来管理GI软件和ASM实例,以如下方式创建grid用户:
useradd -g oinstall -G asmadmin,asmdba,asmoper gridid grid
uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)software component
os User
primary group
supplementary group
home directory
oracle base / oracle home
grid infrastructure
grid
oinstall
asmadmin,asmdba,asmoper
/home/grid
/u01/app/grid
/u01/app/11.2.0/grid
Oracle RAC
oracle
oinstall
dba,oper,asmdba
/home/oracle
/u01/app/oracle
/u01/app/oracle/product/11.2.0/dbhome_1
更多内容可以参考下文:
The OSDBA group (typically, dba)
You must create this group the first time you install Oracle Database
software on the system. This group identifies operating system user
accounts that have database administrative privileges (the SYSDBA
privilege). If you do not create separate OSDBA, OSOPER and OSASM groups
for the Oracle ASM instance, then operating system user accounts that
have the SYSOPER and SYSASM privileges must be members of this group.
The name used for this group in Oracle code examples is dba. If you do
not designate a separate group as the OSASM group, then the OSDBA group
you define is also by default the OSASM group.
To specify a group name other than the default dba group, then you
must choose the Advanced installation type to install the software or
start Oracle Universal Installer (OUI) as a user that is not a member of
this group. In this case, OUI prompts you to specify the name of this
group.
Members of the OSDBA group formerly were granted SYSASM privileges on
Oracle ASM instances, including mounting and dismounting disk groups.
This privileges grant is removed with Oracle Grid Infrastructure 11g
release 2, if different operating system groups are designated as the
OSDBA and OSASM groups. If the same group is used for both OSDBA and
OSASM, then the privilege is retained.
The OSOPER group for Oracle Database (typically, oper)
This is an optional group. Create this group if you want a separate
group of operating system users to have a limited set of database
administrative privileges (the SYSOPER privilege). By default, members
of the OSDBA group also have all privileges granted by the SYSOPER
privilege.
To use the OSOPER group to create a database administrator group with
fewer privileges than the default dba group, then you must choose the
Advanced installation type to install the software or start OUI as a
user that is not a member of the dba group. In this case, OUI prompts
you to specify the name of this group. The usual name chosen for this
group is oper.
The Oracle Automatic Storage Management Group (typically asmadmin)
This is a required group. Create this group as a separate group if
you want to have separate administration privilege groups for Oracle ASM
and Oracle Database administrators. In Oracle documentation, the
operating system group whose members are granted privileges is called
the OSASM group, and in code examples, where there is a group
specifically created to grant this privilege, it is referred to as
asmadmin.
If you have multiple databases on your system, and use multiple OSDBA
groups so that you can provide separate SYSDBA privileges for each
database, then you should create a separate OSASM group, and use a
separate user from the database users to own the Oracle Grid
Infrastructure installation (Oracle Clusterware and Oracle ASM). Oracle
ASM can support multiple databases.
Members of the OSASM group can use SQL to connect to an Oracle ASM
instance as SYSASM using operating system authentication. The SYSASM
privileges permit mounting and dismounting disk groups, and other
storage administration tasks. SYSASM privileges provide no access
privileges on an RDBMS instance.
The Oracle ASM Database Administrator group (OSDBA for ASM, typically asmdba)
Members of the Oracle ASM Database Administrator group (OSDBA for
ASM) are granted read and write access to files managed by Oracle ASM.
The Oracle Grid Infrastructure installation owner and all Oracle
Database software owners must be a member of this group, and all users
with OSDBA membership on databases that have access to the files managed
by Oracle ASM must be members of the OSDBA group for ASM.
Members of the Oracle ASM Operator Group (OSOPER for ASM, typically asmoper)
This is an optional group. Create this group if you want a separate
group of operating system users to have a limited set of Oracle ASM
instance administrative privileges (the SYSOPER for ASM privilege),
including starting up and stopping the Oracle ASM instance. By default,
members of the OSASM group also have all privileges granted by the
SYSOPER for ASM privilege.
To use the Oracle ASM Operator group to create an ASM administrator
group with fewer privileges than the default asmadmin group, then you
must choose the Advanced installation type to install the software, In
this case, OUI prompts you to specify the name of this group. In code
examples, this group is asmoper.
An Oracle central inventory group, or oraInventory group (oinstall).
Members who have the central inventory group as their primary group, are
granted the OINSTALL permission to write to the oraInventory directory.
A single system privileges group that is used as the OSASM, OSDBA,
OSDBA for ASM, and OSOPER for ASM group (dba), whose members are granted
the SYSASM and SYSDBA privilege to administer Oracle Clusterware,
Oracle ASM, and Oracle Database, and are granted SYSASM and OSOPER for
ASM access to the Oracle ASM storage.
An Oracle grid installation for a cluster owner (grid), with the
oraInventory group as its primary group, and with the OSASM group as the
secondary group, with its Oracle base directory /u01/app/grid.
An Oracle Database owner (oracle) with the oraInventory group as its
primary group, and the OSDBA group as its secondary group, with its
Oracle base directory /u01/app/oracle.
/u01/app owned by grid:oinstall with 775 permissions before
installation, and by root after the root.sh script is run during
installation. This ownership and permissions enables OUI to create the
Oracle Inventory directory, in the path /u01/app/oraInventory.
/u01 owned by grid:oinstall before installation, and by root after the root.sh script is run during installation.
/u01/app/11.2.0/grid owned by grid:oinstall with 775 permissions.
These permissions are required for installation, and are changed during
the installation process.
/u01/app/grid owned by grid:oinstall with 775 permissions before installation, and 755 permissions after installation.
/u01/app/oracle owned by oracle:oinstall with 775 permissions.
An Oracle central inventory group, or oraInventory group (oinstall),
whose members that have this group as their primary group are granted
permissions to write to the oraInventory directory.
A separate OSASM group (asmadmin), whose members are granted the
SYSASM privilege to administer Oracle Clusterware and Oracle ASM.
A separate OSDBA for ASM group (asmdba), whose members include grid,
oracle1 and oracle2, and who are granted access to Oracle ASM.
A separate OSOPER for ASM group (asmoper), whose members are granted
limited Oracle ASM administrator privileges, including the permissions
to start and stop the Oracle ASM instance.
An Oracle grid installation for a cluster owner (grid), with the
oraInventory group as its primary group, and with the OSASM (asmadmin),
OSDBA for ASM (asmdba) group as a secondary group.
Two separate OSDBA groups for two different databases (dba1 and dba2) to establish separate SYSDBA privileges for each database.
Two Oracle Database software owners (oracle1 and oracle2), to divide
ownership of the Oracle database binaries, with the OraInventory group
as their primary group, and the OSDBA group for their database (dba1 or
dba2) and the OSDBA for ASM group (asmdba) as their secondary groups.
An OFA-compliant mount point /u01 owned by grid:oinstall before installation.
An Oracle base for the grid installation owner /u01/app/grid owned by
grid:oinstall with 775 permissions, and changed during the installation
process to 755 permissions.
An Oracle base /u01/app/oracle1 owned by oracle1:oinstall with 775 permissions.
An Oracle base /u01/app/oracle 2 owned by oracle2:oinstall with 775 permissions.
A Grid home /u01/app/11.2.0/grid owned by grid:oinstall with 775
(drwxdrwxr-x) permissions. These permissions are required for
installation, and are changed during the installation process to
root:oinstall with 755 permissions (drwxr-xr-x).
/u01/app/oraInventory. This path remains owned by grid:oinstall, to
enable other Oracle software owners to write to the central inventory.