ORA-01536: space quota exceeded for tablespace案例

 

最近在做數據治理的過程中，回收了部分賬號的權限，因為角色RESOURCE里擁有CREATE TABLE的權限，所以我想回收RESOURCE角色。例如，對於TEST賬號，收回其創建表的權限，就收回了授予其的RESOURCE的角色，結果不到幾小時，SUPPORT人員就反饋這個賬號遇到了ORA-01536錯誤。開始還有點懵，后面梳理清楚后，才感慨自己踩了一個大坑。下面簡單的重新構造、模擬這樣的一個案例。

 

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.5.0 - 64bit Production
PL/SQL Release 10.2.0.5.0 - Production
CORE    10.2.0.5.0      Production
TNS for Linux: Version 10.2.0.5.0 - Production
NLSRTL Version 10.2.0.5.0 - Production

SQL>CREATE TABLESPACE TBS_TEST_DATA
DATAFILE '/u03/oradata/gps/tbs_test_data.dbf'
SIZE 200M
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO ONLINE;


SQL> CREATE USER TEST IDENTIFIED BY "Test#1232134$#3" DEFAULT TABLESPACE TBS_TEST_DATA TEMPORARY TABLESPACE  TEMP;

User created.

SQL> GRANT CONNECT, RESOURCE TO TEST;

Grant succeeded.

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TEST                           UNLIMITED TABLESPACE                     NO

SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST                           RESOURCE                       NO  YES
TEST                           CONNECT                        NO  YES

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='RESOURCE';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE OPERATOR                          NO
RESOURCE                       CREATE INDEXTYPE                         NO
RESOURCE                       CREATE TABLE                             NO

8 rows selected.

 

 

 

用賬號TEST登錄數據庫，創建了一個test表

 

SQL> show user;
USER is "TEST"
SQL> create table test
  2  as
  3  select * from all_objects;

Table created.

SQL> select count(*) from test;

  COUNT(*)
----------
     34859

SQL>

 

然后收回賬號TEST的RESOURCE角色，如下所示：

 

SQL> show user;
USER is "SYS"
SQL> REVOKE RESOURCE FROM TEST;

Revoke succeeded.

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';

no rows selected

 

然后此時TEST做DML操作就會報ORA-01536錯誤，如下

 

SQL> show user;
USER is "TEST"
SQL> insert into test
  2  select * from test;
insert into test
            *
ERROR at line 1:
ORA-01536: space quota exceeded for tablespace 'TBS_TEST_DATA'

 

 

那么為什么出現這種情況呢？ 其實剛開始我也有點懵，檢查表空間發現表空間正常，檢查RESOURCE角色，發現里面沒有關於表空間的配額限制。怎么回收RESOURCE角色，就整出這么一檔子事呢？那么到底是怎么一回事呢，直到我看到Doc ID 465737.1才豁然開朗。

 

其實細心的人應該也有所發現（上面截圖），如果您授予或撤銷用戶的 RESOURCE 或 DBA 角色，ORACLE會隱式授予或撤銷該用戶的 UNLIMITED TABLESPACE 系統權限。Doc ID 465737.1中介紹，其實當角色在Oracle 7.0 中首次引入時，RESOURCE 和 DBA 的權限從舊的Oracle V6中遷移到新的角色中。 但是由於不允許為 RESOURCE 和 DBA 角色授予 UNLIMITED TABLESPACE權限，為了保持與Oracle V6版本的向后兼容性，解析器會自動將語句轉換為“grant resource to abc”自動變為“grant resource,unlimited tablespace to abc” 並且將“revoke resource from abc”自動變為“revoke resource, unlimited tablespace from abc”。 授予和撤銷 DBA 角色時也是如此。 也就是說UNLIMITED TABLESPACE的系統權限已經被硬編碼到RESOURCE角色。而我們創建用戶時，沒有額外授予用戶關於表空間使用配額。所以一旦系統權限UNLIMITED TABLESPACE被收回，就出現問題了。

 

解決這個問題也比較簡單，設置賬號使用表空間的配額限制或不限制用戶使用表空間，如下所示

 

GRANT UNLIMITED TABLESPACE TO TEST;

或

ALTER USER TEST QUOTA UNLIMITED ON TBS_TEST_DATA;

 

 

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)

To Bottom

In this Document

	Symptoms
	Cause
	Solution
	References

 

APPLIES TO:

Oracle Database - Enterprise Edition - Version 8.1.7.4 to 11.2.0.4 [Release 8.1.7 to 11.2]
Information in this document applies to any platform.

SYMPTOMS

ORA-01536: space quota exceeded for tablespace '<Tablespace_Name>'
After revoking DBA or Resource Role from a user

Example:

SQL> conn /as sysdba
Connected.
SQL> create user testrights identified by testos;
User created.
SQL> grant connect, resource to testrights;
Grant succeeded.
SQL> connect testrights/testos;
Connected.

SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS" STORAGE ( INITIAL 64M) ;
Table created.

SQL> conn /as sysdba
Connected.
SQL> grant dba to testrights;
Grant succeeded.
SQL> revoke dba from testrights;
Revoke succeeded.
SQL> show user
USER is "SYS"
SQL> drop table testrights.testtab;
Table dropped.
SQL> conn testrights/testos;
Connected.
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"  STORAGE ( INITIAL 64M) ;

CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL ,
CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M)
*
ERROR at line 1:
ORA-1536: space quota exceeded for tablespace 'USERS'

SQL> conn /as sysdba
Connected.
SQL> grant connect, resource to testrights;
Grant succeeded.

SQL> conn testrights/testos;
Connected.
SQL>
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL , CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M) ;

Table created.

CAUSE

This issue has been discussed in bug 6494010.
The behavior seen in the above example is expected and not a bug

When roles were first introduced into Oracle in 7.0, the old Oracle V6 privileges of RESOURCE and DBA were migrated to use the new role functionality. But because the RESOURCE and DBA roles are not allowed to be granted UNLIMITED TABLESPACE, in order to preserve the backwards compatibility with V6, the parser automatically transforms statements such that "grant resource to abc" automatically becomes "grant resource, unlimited tablespace to abc" and "revoke resource from abc" automatically becomes "revoke resource, unlimited tablespace from abc". The same is true when granting and revoking the DBA role. This behaviour used to be well documented in the SQL reference guide which read:

Note: If you grant or revoke the RESOURCE or DBA role to or from a user, Oracle implicitly grants or revokes the UNLIMITED TABLESPACE system privilege to or from the user.

SOLUTION

To Resolve this issue you need to :

1] Grant DBA or Resource Role back to the user from whom it was revoked.

REFERENCES

BUG:6494010 - ORA-01536 AFTER GRANTING,REVOKING ROLE DBA

 

 

 

 參考資料：

 

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)