Oracle | Autonomous Database

Oracle Autonomous Database Version 21c

General Information

Library Note

Morgan's Library Page Header

ACE Director Alum Daniel Morgan, founder of Morgan's Library, is scheduling complimentary technical Workshops on Database Security for the first 30 Oracle Database customers located anywhere in North America, EMEA, LATAM, or APAC that send an email to asra_us@oracle.com. Request a Workshop for your organization today.

Purpose This page will serve as a landing page for information discovered that can be shared about the Autonomous Database. It has been put together as a collaborative effort with Oracle ACE Ric Van Dyke and we will add to it as new discoveries are made.

Where there is demo code it will be from a 21c autonomous database. Comments on it, unless identified as "confirmed" will contain some amount of speculation and should be read with that in mind. But, equally important to keep in mind ... Oracle Autonomous Database is DBaaS in the purest form of the acronym. It is not your database ... it is Oracle's ... and you are renting it. Will you be able to perform necessary management functionality? Yes. Will you be able to perform it the way you used to when you could just declare yourself SYSDBA, compromise all least privileges aspects of security and do whatever you wanted? No. And, both you and your employer will be far better off because of it though it may not make you happy, at least at first.

Definitions

These are purely speculative and readers should expect them to be incorrect or incomplete but its all we have to go with at the moment.

Keyword	Meaning
APPLICATION	In version 12c Oracle introduced a new data dictionary view "DBA_APPLICATIONS" which didn't seem justified until now. Look below to see how it is being used in the Autonomous Database.
POD	An Application Root Container.
SEED	The seed container used to create an Application Root Container.
TENANT	The owner of an Application Root Container.

Security There is little question that the Autonomous Database is more secure than the standard Oracle Database. Not, it is likely, because Oracle invested a huge amount of extra effort in security but rather because they implemented something they should implement across all future version of the product which is getting rid of the overly permissive SYSDBA as the standard management access point.

Autonomous Database Version (new 21c)

In the auto SELECT * FROM v$version; BANNER BANNER_FULL BANNER_LEGACY CON_ID ----------------------------------------------------------------------- Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production Version 21.2.0.0.0 Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production 0

Admin User (new 21c)

In the autonomous database the user SYS is not available to DBAs. The top level management schema is ADMIN.

A couple of things are interesting here. The first is DEFAULT COLLATION is returned because that does not occur in 21.3. The other is that the profile is not DEFAULT. SELECT dbms_metadata.get_ddl('USER', 'ADMIN') FROM dual; DBMS_METADATA.GET_DDL('USER','ADMIN') --------------------------------------------------------------------------------- CREATE USER "ADMIN" IDENTIFIED BY VALUES 'S:0DC7E52B1A4BE9A913F868711E1329D35 BD6A5ED85DA3B0B3B16442159C9;T:DC98E8800E1A73CFCA5547B057778C4D92BBB6B363BD560BDC 970862FCFDA13E3A52D5F1B320E1EA507E5A3407241DEB0B6E21D8679D0197284926EAE9A65DC25F 40D072AECC68AA7E4BEE71506D42EF' DEFAULT COLLATION "USING_NLS_COMP" DEFAULT TABLESPACE "DATA" TEMPORARY TABLESPACE "TEMP" PROFILE "ORA_ADMIN_PROFILE"

Admin Profile (new 21c)

In the autonomous database the user SYS is not available to DBAs. The top level management schema is ADMIN SELECT resource_name, resource_type, limit FROM dba_profiles WHERE profile = 'ORA_ADMIN_PROFILE' ORDER BY 2,1; RESOURCE_NAME RESOURCE LIMIT ------------------------- --------- ------ COMPOSITE_LIMIT KERNEL DEFAULT CONNECT_TIME KERNEL DEFAULT CPU_PER_CALL KERNEL DEFAULT CPU_PER_SESSION KERNEL DEFAULT IDLE_TIME KERNEL DEFAULT LOGICAL_READS_PER_CALL KERNEL DEFAULT LOGICAL_READS_PER_SESSION KERNEL DEFAULT PRIVATE_SGA KERNEL DEFAULT SESSIONS_PER_USER KERNEL DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED INACTIVE_ACCOUNT_TIME PASSWORD DEFAULT PASSWORD_GRACE_TIME PASSWORD 30 PASSWORD_LIFE_TIME PASSWORD 360 PASSWORD_LOCK_TIME PASSWORD 1 PASSWORD_REUSE_MAX PASSWORD 4 PASSWORD_REUSE_TIME PASSWORD 1 PASSWORD_ROLLOVER_TIME PASSWORD DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD FROM ROOT 18 rows selected.

C##CLOUD$SERVICE User (new 21c)

Objects owned by this user are required to satisfy dependencies in the POD_CDB packages SELECT dbms_metadata.get_ddl('USER', 'C##CLOUD$SERVICE') AS USER_DDL FROM dual; USER_DDL ------------------------------------------------------------ CREATE USER "C##CLOUD$SERVICE" IDENTIFIED BY VALUES 'S:<many space>;T:<many_spaces>' DEFAULT COLLATION "USING_NLS_COMP" DEFAULT TABLESPACE "SYSAUX" TEMPORARY TABLESPACE "TEMP" 1 row selected.

C##CLOUD$SERVICE User's Roles (new 21c)

Roles granted to the CLOUD$SERVICE common user

Key:
ADW = Autonomous Data Warehouse
DBFS = DataBase File System
DV = Database Vault
OML = Oracle Machine Learning SELECT granted_role FROM dba_role_privs WHERE grantee = 'C##CLOUD$SERVICE' ORDER BY 1; GRANTED_ROLE ------------------------------ AUDIT_VIEWER CAPTURE_ADMIN CONNECT C##ADWC_ADMIN C##ADWC_MONITOR C##ADWC_OPERATOR DBA DBFS_ROLE DV_ACCTMGR DV_OWNER DV_PATCH_ADMIN OML_DEVELOPER OML_SYS_ADMIN RECOVERY_CATALOG_OWNER SELECT_CATALOG_ROLE

Tablespaces (new 21c)

Tablespaces created SELECT dbms_metadata.get_ddl('USER', 'ADMIN') FROM dual ORDER BY 1; TABLEPACE_NAME BIG_FILE --------------- --------- DATA YES DBFS_DATA YES SAMPLESCHEMA YES SYSAUX YES SYSTEM YES TEMP YES UNDO_2 YES 7 rows selected.

POD_CDB Objects (new 21c)

$ORACLE_HOME/rdbms/admin in 21.3 has a number of scripts with names in the form POD_CDB.

A review of these scripts led to the belief that POD is a keyword that translates to AUTONOMOUS DB.

Much of the syntax was in the POD_CDB_ADMIN package was written by someone almost completely clueless about Oracle Database administration, or to be charitable, written by someone trying to frustrate anyone interested in understanding how the database works. -- from 21.3 [oracle@test21 admin]$ ls -l pod_cdb* -rw-r----- 1 oracle oinstall 143716 Jul 27 11:56 pod_cdb_admin.plb -rw-r----- 1 oracle oinstall 1858 Jul 27 11:56 pod_cdb_admin_common.plb -rw-r----- 1 oracle oinstall 1888 Jul 20 2020 pod_cdb_admin_common_spec.sql -rw-r----- 1 oracle oinstall 2859 Jul 27 11:56 pod_cdb_admin_http.plb -rw-r----- 1 oracle oinstall 3416 Jul 20 2020 pod_cdb_admin_http_spec.sql -rw-r----- 1 oracle oinstall 9133 Jul 27 11:56 pod_cdb_admin_job.plb -rw-r----- 1 oracle oinstall 3492 Jul 20 2020 pod_cdb_admin_job_spec.sql -rw-r----- 1 oracle oinstall 47510 Jul 20 2020 pod_cdb_admin_spec.sql -rw-r----- 1 oracle oinstall 19192 Jul 20 2020 pod_cdb_admin_tables.sql -rw-r----- 1 oracle oinstall 4213 Jul 27 11:56 pod_cdb_admin_util.plb -rw-r----- 1 oracle oinstall 5011 Jul 20 2020 pod_cdb_admin_util_spec.sql -rw-r----- 1 oracle oinstall 8580 Jul 20 2020 pod_cdb_admin_views.sql

POD_CDB Objects Owned By Admin (new 21c)

Due to a lack of full access, as ADMIN, only a limited view of which of these POD_CDB objects has been installed is possible so it is very probable the listing, at right, is deceiving.

That said, it is obvious that a common user C##CLOUD$SERVICE has been created to host one of the packages. SELECT owner, object_name, object_type FROM dba_objects WHERE object_name LIKE 'POD_CDB%'; OWNER OBJECT_NAME OBJECT_TYPE ----------------- --------------------- ----------------------- C##CLOUD$SERVICE POD_CDB_ADMIN_COMMON PACKAGE C##CLOUD$SERVICE POD_CDB_ADMIN_COMMON PACKAGE BODY 2 rows selected.

Applications (new 21c)

We have insufficient information to decipher this listing but our suspicion that Oracle intended something more for DBA_APPLICATIONS has been confirmed.

Some of the application names appear to fit neatly into a working DBA's framework and our speculations have been appended to each row

IDM may stand for Identity Management

Note: ORDS has an important function in Autonomous Database but we do not currently understand that purpose well enough to speculate upon it. SELECT app_name, app_status, app_capture_service FROM dba_applications ORDER BY 3,1; APP_NAME APP_STATUS APP_CAPTURE_SERVICE speculation --------------------------- ---------- ------------------------------- ------------- APP$CDB$POSTUPGRADE$APX NORMAL dwcsseed APEX Upgrades APP$CDB$POSTUPGRADE$DV NORMAL dwcsseed DB Vault Upgrade APP$CDB$PDBONLY$OMLMOD NORMAL dwcsseed Machine Learning APP$CDB$PDBONLY$POSTUPGRADE NORMAL dwcsseed Upgrades APP$CDB$POSTUPGRADE$SPL NORMAL dwcsseed SPL Plug-ins APP$CDB$POSTUPGRADE$TXT NORMAL dwcsseed Ora Text Upgrade APP$CDB$APEXPATCH NORMAL SYS$USERS Patching APP$CDB$PDBONLY$GRAPH NORMAL SYS$USERS Graph DB APP$CDB$PDBONLY$RMAN NORMAL SYS$USERS Backup/Recovery APP$CDB$POSTUPGRADE$ADP NORMAL SYS$USERS Upgrade APP$CDB$POSTUPGRADE$OML4PY NORMAL SYS$USERS Machine Learning APP$CDB$SYSTEM NORMAL SYS$USERS APP$CDB$ALL$ADWC NORMAL vlrdsjseszc3wkl_db202103231419 Automomous DW APP$CDB$ALL$OMLIDM NORMAL vlrdsjseszc3wkl_db202103231419 Machine Learning APP$CDB$DATAPATCH NORMAL vlrdsjseszc3wkl_db202103231419 Patching APP$CDB$PDBONLY$ADWC NORMAL vlrdsjseszc3wkl_db202103231419 Autonomous DW APP$CDB$PDBONLY$OLTP NORMAL vlrdsjseszc3wkl_db202103231419 APP$CDB$PDBONLY$ORDSPATCH NORMAL vlrdsjseszc3wkl_db202103231419 ORDS Patching 18 rows selected.