#########1.ACL详细解释:
11g 对于XDB UTL_HTTP or others package 的权限管控进一步加强,如果需要使用到XDB 以下包 UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, UTL_INADDR,,必须显性使用到 授予用户ACL 权限,
(
Security in Oracle 11 and greater has been enhanced by limiting access to packages and procedures that allow external access to the database.
Access to these packages, UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, UTL_INADDR, must explicitly be granted to users through Access Controls Lists (ACL)
)
如果不授予ACL 权限,那么可能在调用UTL_ 包,碰到如下报错 ORA-24247: network access denied by access control list (ACL)
#########2.详细解释如下:
How To Set Network ACLs in Oracle To Access Packages UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, UTL_INADDR (文档 ID 958129.1)
Security in Oracle 11 and greater has been enhanced by limiting access to packages and procedures that allow external access to the database.
Access to these packages, UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, UTL_INADDR, must explicitly be granted to users through Access Controls Lists (ACL)
SOLUTION
1) You can find out what users currently need access to these packages with this query
column REFERENCED_NAME format a20
SELECT OWNER, REFERENCED_NAME FROM DBA_DEPENDENCIES
WHERE referenced_name IN ('UTL_TCP','UTL_SMTP','UTL_MAIL','UTL_HTTP','UTL_INADDR')
AND owner NOT IN ('SYS','PUBLIC','ORDPLUGINS');
for example,
SQL> SELECT OWNER, REFERENCED_NAME FROM DBA_DEPENDENCIES
WHERE referenced_name IN ('UTL_TCP','UTL_SMTP','UTL_MAIL','UTL_HTTP','UTL_INADDR')
AND owner NOT IN ('SYS','PUBLIC','ORDPLUGINS');
OWNER REFERENCED_NAME
------------------------------ --------------------
TOOLS UTL_HTTP
FOO UTL_HTTP
This shows us that two schemas, TOOLS and FOO, needs access to the UTL_HTTP package
2) We can grant access to the UTL_HTTP package with this statement
BEGIN
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl => 'UTL_HTTP.xml', description=>'UTL_HTTP access ', principal=> 'TOOLS', is_grant=>TRUE, privilege=>'connect');
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'UTL_HTTP.xml',principal => 'FOO',is_grant => true, privilege => 'connect');
DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl=>'UTL_HTTP.xml',host=>'YOUR_HOST_NAME_HERE');
END;
/
COMMIT;
Note the following:
(以上代码将给TOOLS,FOO 使用UTL_HTTP 权限)
The above code will grant access to UTL_HTTP to both TOOLS and FOO. If you need to add additional user, use the ADD_PRIVILEGE() procedure and add the user to the existing ACL.
There can only be one ACL assigned to a host that grants a specific privilege. As an example, if host =>'199.199.199.199', then the UTL_HTTP ACL will cover all principals associated with that host. This is true for wildcard hosts as well '*';
The "connect" privilege will grant access to all of these packages, UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP.
(如果想使用UTL_INADDR权限,需要resolve 权限,UTL_INADDR权限解释如下:)
(select utl_inaddr.get_host_name('127.0.0.1') from dual;)
If the user needs access to UTL_INADDR, they will need to be granted the 'resolve' privilege instead of the 'connect' privilege in CREATE_ACL()
More information on this can be found in the following manual
Oracle® Database PL/SQL Packages and Types Reference
11g Release 1 (11.1)
Part Number B28419-03
80 DBMS_NETWORK_ACL_ADMIN
######3.如果想规避ORA-24247这个方法,可以使用如下方法 但是有一个隐患,权限过大。
You can grant XDBADMIN to your user who are using UTL_HTTP or others package which needs ACL
it will bypass the error ORA-24247: network access denied by access control list (ACL)
如下方法:
grant XDBADMIN to marc;
(WARNING: It will give Extra Privilege to the Oracle User, So it is better to use ACL for a Security point of view.)
How To Recover From An "ORA-24247: network access denied by access control list (ACL)" Error (文档 ID 1644641.1)
########zabbix 案例
zabbix 需要XML 权限,是因为调用这个包SYS.UTL_INADDR时候,没有权限
(类似命令如下:select utl_inaddr.get_host_name('127.0.0.1') from dual;)
[root@zabbix orabbix]# tailf /opt/orabbix/logs/orabbix.log
[main] INFO Orabbix - --------- on Database -> orcl
[pool-1-thread-1] WARN Orabbix - Error while executing ->dbversion- on database ->172.20.10.183-oracle- Exception received ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1
出现这些日志,不影响后面的操作,这个不确定,
https://www.cnblogs.com/Dev0ps/p/8886181.html (zabbix 详细解释如下,重要):
zabbix利用orabbix监控oracle
Orabbix 是一个用来监控 Oracle 数据库实例的 Zabbix 插件。(插件安装在zabbix-server端)
下载地址:http://www.smartmarmot.com/product/orabbix/download/
zabbix-server上操作
Orabbix是通过JDBC去连接oracle数据库,然后过滤想要的数据,所以需要jdk环境
我测试过jdk1.7和1.8都可以,直接yum安装,或者下载rpm包,rpm -ivh安装,都可以
这里,我是直接rpm安装的,
1
2
3
4
5
|
[root@zabbix ~]# rpm -ivh jdk-8u102-linux-x64.rpm Preparing... ########################################### [100%] 1:jdk1.8.0_102 ########################################### [100%] |
在/opt目录下新建一个orabbix目录:
1
|
[root@oracle orabbix]#midir -p /opt/orabbix |
(建议在此目录下,如果放置其他目录稍后需要更改orabbix的启动文件orabbix,启动文件默认写在opt/orabbix目录下 )
[root@zabbix opt]# cd orabbix/
上传orabbix-1.2.3.zip
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
[root@zabbix orabbix]# ls orabbix-1.2.3.zip 解压 [root@zabbix orabbix]# unzip -q orabbix-1.2.3.zip [root@zabbix orabbix]# ls conf init.d lib orabbix-1.2.3.zip orabbixw.exe run.sh uninstall.cmd doc install.cmd orabbix-1.2.3.jar orabbix.exe run.bat template 授权 [root@zabbix orabbix]# cd .. [root@zabbix opt]# chmod -R a+x orabbix/ [root@zabbix ~]# cd /opt/orabbix/conf/ [root@zabbix conf]# ls config.props log4j.properties query_a_1.props query_b.props query.props config.props.sample log4j.properties.sample query_a.props query - Copy.props query.props.sample [root@zabbix conf]# cp config.props.sample config.props |
编辑配置文件:
[root@zabbix conf]# vim config.props
源配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
[root@zabbix conf]# egrep "^[a-Z,1-9]" config.props.sample ZabbixServerList=ZabbixServer1,ZabbixServer2 ZabbixServer1.Address=IP_ADDRESS_OF_ZABBIX_SERVER ZabbixServer1.Port=PORT_OF_ZABBIX_SERVER ZabbixServer2.Address=IP_ADDRESS_OF_ZABBIX_SERVER ZabbixServer2.Port=PORT_OF_ZABBIX_SERVER OrabbixDaemon.PidFile=./logs/orabbix.pid OrabbixDaemon.Sleep=300 OrabbixDaemon.MaxThreadNumber=100 DatabaseList=DB1,DB2,DB3 DatabaseList.MaxActive=10 DatabaseList.MaxWait=100 DatabaseList.MaxIdle=1 DB1.Url=jdbc:oracle:thin:@server.domain.example.com:<LISTENER_PORT>:DB1 DB1.User=zabbix DB1.Password=zabbix_password DB1.MaxActive=10 DB1.MaxWait=100 DB1.MaxIdle=1 DB1.QueryListFile=./conf/query.props DB2.Url=jdbc:oracle:thin:@server2.domain.example.com:<LISTENER_PORT>:DB2 DB2.User=zabbix DB2.Password=zabbix_password DB2.QueryListFile=./conf/query.props DB3.Url=jdbc:oracle:thin:@server3.domain.example.com:<LISTENER_PORT>:DB3 DB3.User=zabbix DB3.Password=zabbix_password DB3.QueryListFile=./conf/query.props |
修改之后
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
[root@zabbix conf]# egrep "^[a-Z,1-9]" config.props ZabbixServerList=ZabbixServer1 #(zabbixserver的名字,下行中address和port都引用到了这个名字,所以下面两行的前缀名字要与这里的名字保持一致) ZabbixServer1.Address=127.0.0.1 #我这里就是在zabbix server上面操作的,所以这里是127.0.0.1 ZabbixServer1.Port=10051 #zabbix server的服务端口 OrabbixDaemon.PidFile=./logs/orabbix.pid OrabbixDaemon.Sleep=300 OrabbixDaemon.MaxThreadNumber=100 DatabaseList=172.20.10.183-oracle,192.168.56.99-oracle #这里很重要,跟下面的对应上 DatabaseList.MaxActive=10 DatabaseList.MaxWait=100 DatabaseList.MaxIdle=1 172.20.10.183-oracle.Url=jdbc:oracle:thin:@172.20.10.183:1521:orcl #172.20.10.183 oracle数据库的地址,1521端口,orcl数据库实例名 172.20.10.183-oracle.User=zabbix #授权的账号 172.20.10.183-oracle.Password=zabbix #授权的密码 172.20.10.183-oracle.MaxActive=10 172.20.10.183-oracle.MaxWait=100 172.20.10.183-oracle.MaxIdle=1 172.20.10.183-oracle.QueryListFile=./conf/query.props #要查询的语句都在这定义的,不满意自己改 |
oracle主机上操作(这步可以省略,只要知道数据库实例,账号,密码)
下面是oracle 11g的(12c 语法不一样)授权语句如下,创用户,授权,这些操作,我都是在oracle数据库的sqlplus下执行的
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
[oracle@oracle ~]$ sqlplus / as sysdba SQL*Plus: Release 11.2.0.3.0 Production on Wed Sep 7 18:01:54 2016 Copyright (c) 1982, 2011, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> CREATE USER ZABBIX IDENTIFIED BY zabbix DEFAULT TABLESPACE SYSTEM TEMPORARY TABLESPACE TEMP PROFILE DEFAULT ACCOUNT UNLOCK; GRANT CONNECT TO ZABBIX; GRANT RESOURCE TO ZABBIX; ALTER USER ZABBIX DEFAULT ROLE ALL; GRANT SELECT ANY TABLE TO ZABBIX; GRANT CREATE SESSION TO ZABBIX; GRANT SELECT ANY DICTIONARY TO ZABBIX; GRANT UNLIMITED TABLESPACE TO ZABBIX; GRANT SELECT ANY DICTIONARY TO ZABBIX; GRANT SELECT ON V_$SESSION TO ZABBIX; GRANT SELECT ON V_$SYSTEM_EVENT TO ZABBIX; GRANT SELECT ON V_$EVENT_NAME TO ZABBIX; GRANT SELECT ON V_$RECOVERY_FILE_DEST TO ZABBIX; |
启动orabbix
[root@zabbix orabbix]# cp init.d/orabbix /etc/init.d/
[root@zabbix orabbix]# ll /etc/init.d/orabbix
-rwxr-xr-x 1 root root 1693 Sep 14 21:40 /etc/init.d/orabbix
[root@zabbix orabbix]# /etc/init.d/orabbix start
Starting Orabbix service:
报错的话,检查配置文件,数据库地址,端口,实例名,账号,密码是否正确,需要验证对于不懂oracle的怎么办,搜命令呗,我也是一路过来,各种坑~~~~~
然后里面看日志
[root@zabbix orabbix]# tailf /opt/orabbix/logs/orabbix.log
[main] INFO Orabbix - --------- on Database -> orcl
[pool-1-thread-1] WARN Orabbix - Error while executing ->dbversion- on database ->172.20.10.183-oracle- Exception received ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1
出现这些日志,不影响后面的操作,如果你是完美主义者,满足你
在oracle数据库的sqlplus下执行下面三条命令
exec dbms_network_acl_admin.create_acl(acl => 'resolve.xml',description =>'resolve acl', principal =>'ZABBIX', is_grant => true, privilege =>'resolve');
exec dbms_network_acl_admin.assign_acl(acl=> 'resolve.xml', host =>'*');
commit;
到此,安装配置完成,则通过web页面访问监控界面直接导入模板即可
模版放置在/opt/orabbix/template下
Orabbix_export_full.xml #只需要导入这个一个模板就好
添加主机
然后链接oracle的模板
添加完成之后的效果
查看最新数据
这时候图也有了
常见错误
[root@zabbix orabbix]# tailf /opt/orabbix/logs/orabbix.log
[main] ERROR Orabbix - Error on Configurator for database 172.20.10.183 oracle -->ORA-01017: invalid username/password; logon denied
config.props配置文件中,数据库账号密码不对,或者在oracle数据库没授权这个用户
########################
3.
使用utl_http获取某个http页面内容
首先确认浏览器可以访问IE ,如果不能访问,
vmware 查看 虚拟机 网络适配器 网络连接模式 为NAT
vmware 查看 编辑 虚拟网络编辑器 VMNET0 桥接模式 自动
SQL> select utl_http.request('http://www.SINA.com') from dual;
select utl_http.request('http://www.SINA.com') from dual
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1720
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 1
sys:
BEGIN
dbms_network_acl_admin.create_acl(acl => 'db2.xml',
DESCRIPTION => 'Normal Access',
principal => 'CONNECT',
is_grant => TRUE,
PRIVILEGE => 'connect',
start_date => NULL,
end_date => NULL);
END;
/
commit;
SELECT any_path
FROM resource_view
WHERE any_path like '/sys/acls/%.xml';
begin
dbms_network_acl_admin.add_privilege(acl => 'db2.xml',
principal => 'PENG',
is_grant => TRUE,
privilege => 'connect',
start_date => null,
end_date => null);
END;
/
commit;
begin
dbms_network_acl_admin.assign_acl(acl => 'db2.xml',
host => 'www.sina.com',
lower_port => 80,
upper_port => NULL);
end;
/
begin
dbms_network_acl_admin.assign_acl(acl => 'db2.xml',
host => 'www.sina.com',
lower_port => NULL,
upper_port => NULL);
end;
/
begin
dbms_network_acl_admin.assign_acl(acl => 'db2.xml',
host => 'www.sina.com'
);
end;
/
commit;
select utl_http.request('http://www.sina.com') from dual;
select utl_http.request('http://www.SINA.com') from dual;
#######sample
sys:
BEGIN
dbms_network_acl_admin.create_acl(acl => 'SMTP.xml',
DESCRIPTION => 'Normal Access',
principal => 'CONNECT',
is_grant => TRUE,
PRIVILEGE => 'connect',
start_date => NULL,
end_date => NULL);
END;
/
commit;
BEGIN
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'SMTP.xml',
principal => 'PENG',
is_grant => true,
privilege => 'resolve');
END;
/
commit;
BEGIN
dbms_network_acl_admin.assign_acl (acl => 'SMTP.xml',
host => '*',
lower_port => 1,
upper_port => 9999);
END;
/
commit;
commit;
#################### sample 2
http://www.smartmarmot.com/wiki/index.php?title=Orabbix
NOTE : If you are using Oracle 11g, you will need to add the following:
exec dbms_network_acl_admin.create_acl(acl => 'resolve.xml',description => 'resolve acl', principal =>'ZABBIX', is_grant => true, privilege => 'resolve');
exec dbms_network_acl_admin.assign_acl(acl => 'resolve.xml', host =>'*');
commit;
You can verify the above is correct by running:
select utl_inaddr.get_host_name('127.0.0.1') from dual;
- For this example on RedHat, run:
chkconfig -add orabbix
- Verify with:
chkconfig -list
- Create a Host entry in Zabbix for the DB Instance/s you are planning to monitor, and import the templates found at: /opt/orabbix/template
Please note, instructions for this step can be found in the Zabbix Manual at
http://www.zabbix.com/documentation.php
With this step, ensure the name of your host in Zabbix is the same name of the SID or Oracle instance name.
############################
select utl_http.request('http://www.SINA.com') from dual;
SELECT acl,
principal,
privilege,
is_grant,
TO_CHAR(start_date, 'DD-MON-YYYY') AS start_date,
TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date
FROM dba_network_acl_privileges;
select host, lower_port, upper_port, acl, aclid from dba_network_acls;
select utl_http.request('http://www.5ienet.com') from dual;
select utl_http.request('http://www.sina.com') from dual;
select utl_http.request('http://bsy.sz.bendibao.com') from dual;
###########new error
SQL> select utl_http.request('http://www.sina.com') from dual;
select utl_http.request('http://www.sina.com') from dual
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1720
ORA-29024: Certificate validation failure
ORA-06512: at line 1
############sample 3:
3、创建数据库账号
首先我们需要在被监控的Oracle上面创建一个账号,用于zabbix的数据获取,在oracle的sqlplus里面执行。
CREATE USER ZABBIX
IDENTIFIED BY "zabbix"
DEFAULT TABLESPACE SYSTEM
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
#2 Roles for ZABBIX
GRANT CONNECT TO ZABBIX;
GRANT RESOURCE TO ZABBIX;
ALTER USER ZABBIX DEFAULT ROLE ALL;
#5 System Privileges for ZABBIX
GRANT SELECT ANY TABLE TO ZABBIX;
GRANT CREATE SESSION TO ZABBIX;
GRANT SELECT ANY DICTIONARY TO ZABBIX;
GRANT UNLIMITED TABLESPACE TO ZABBIX;
GRANT SELECT ANY DICTIONARY TO ZABBIX;
如果我们的数据库是Oracle 11g,我们还需要执行下面的语句。
exec dbms_network_acl_admin.create_acl(acl => 'resolve.xml',description => 'resolve acl', principal =>'ZABBIX', is_grant => true, privilege => 'resolve');
exec dbms_network_acl_admin.assign_acl(acl => 'resolve.xml', host =>'*');
commit;
###############
https://blog.csdn.net/indexman/article/details/17048573
https://blog.csdn.net/indexman/article/details/17048677
https://blog.csdn.net/x6_9x/article/details/79240581