session | Neil Chandler's DB Blog

Proxy Accounts Tracking

08/04/2016 Leave a comment

If you are using Proxy accounts to access users, for example as a DBA to do a release to a schema owner, how do you know the login was via proxy instead of directly with the password? This information is handily recorded in the audit, assuming you have audit switched on and use “audit session”.

I would recommend that everyone does this anyway, as it’s a useful tool when troubleshooting connection problems – you can easily see if the connection is making it to the database (not getting beyond the listener) which narrows the problem scope. If it does get to the database, you can see the returncode of why the connection has a problem; ORA-1005 (no password), 1017 (wrong password) or 28000’s (expired password, locked account, etc)

Lets have a look at what we get in the audit record when logging on using proxy authentication. I will create a “schema owner”, give the DBA “neil” permission to proxy to it, and then see what we get in the audit trail. I’ll truncate the audit trail first, so it’s nice and clean.

SQL> connect sys/oracle as sysdba
Connected.

SQL> truncate table sys.aud$;
Table truncated.

SQL> drop user schema_owner;
User dropped.

SQL> create user schema_owner identified by icantrememberthepassword;
User created.

SQL> grant connect,resource,select any dictionary to schema_owner;
Grant succeeded.

SQL> alter user schema_owner grant connect through neil;
User altered.

SQL> show user
USER is "SYS"

SQL> connect neil[schema_owner]/neil
Connected.

SQL> show user
USER is "SCHEMA_OWNER"

SQL> select username,returncode,action_name,sessionid,proxy_sessionid
SQL> from dba_audit_session;

USERNAME        RETURNCODE ACTION_NAME                  SESSIONID  PROXY_SESSIONID
~~~~~~~~~~~~~~- ~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~~~~~
SCHEMA_OWNER             0 LOGON                           9530094         9530093

Only 1 record in there. I can see the login, but where’s the proxy session identified? We need to use dba_audit_trail, not dba_audit_session

SQL> select username,returncode,action_name,comment_text,sessionid,proxy_sessionid from dba_audit_trail order by sessionid;
USERNAME        RETURNCODE ACTION_NAME                  COMMENT_TEXT                                                                                         SESSIONID  PROXY_SESSIONID
~~~~~~~~~~~~~~- ~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~ ~~~~~~~~~~~~~~~
NEIL                     0 PROXY AUTHENTICATION ONLY    Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=48287))        9530093
SCHEMA_OWNER             0 LOGON                        Authenticated by: PROXY; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=48287))           9530094         9530093

And there you go. The session and the proxy used to authenticate into it.

Filed under Administration, audit, oracle, Security Tagged with account, audit, connect, dba_audit_session, dba_audit_trail, oracle, proxy, session

Developers Killing Sessions

29/05/2014 3 Comments

When you end up spending a far great a percentage of your day than seems sensible killing off Java connections that Developers have carelessly left lying around, locking objects all over the place, you need a solution to get them to go away. The solution is to let them do it themselves!

I’m not advocating granting ALTER SYSTEM to Developers! That way madness lies, or certainly some unintended consequences. I’m all for Dev’s having a lot of freedom in the database, just not freedom with the database.

So, creating a stored procedure (in this example as sys, but as any user with an explicit ALTER SYSTEM privilege granted will do) to kill sessions without allowing too much latitude to do anything else seems appropriate. Here’s one I built earlier:

create or replace procedure sys.kill_session 
 ( p_sid IN number, p_serial IN number, p_instance IN number) as
 -- Neil Chandler. Grant the ability to kill session on a restricted basis. 21.07.2010
 l_username varchar2(30) := null;
 l_priv number := 1;
begin
 -- Who owns the session?
 select username into l_username
 from gv$session
 where sid = p_sid and serial#=p_serial and inst_id = p_instance;
 -- Check for DBA role
 select count(*) into l_priv
 from dba_role_privs
 where grantee = l_username and granted_role = 'DBA';
 -- If the user has the DBA priv, deny the kill request
 if l_priv > 0 or l_username is null
 then
 dbms_output.put_line 
  ('User request to kill session '||p_sid||','||p_serial||',@'||p_instance||
   ' denied. Session is for privileged user '||l_username||'.');
 else
 dbms_output.put_line 
   ('Killing user '||l_username||' - '||p_sid||','||p_serial||',@'||p_instance);
 execute immediate 'alter system disconnect session '''||
                    p_sid||','||p_serial||',@'||p_instance||
                   ''' immediate';
 end if;
end;
/

-- and let the proc be seen and used
create or replace public synonym kill_session for sys.kill_session; 
grant execute on kill_session to (whomever);

Then a nifty bit of sql to generate the kill commands for the Developers. 
Please include your favourite columns from gv$session:

select username,status,blocking_session,
 'exec kill_session ('|| sid||','||serial#||','||inst_id||')' Kill_Command 
 from gv$session
where username is not null
  and type <> 'BACKGROUND'
/

USERNAME  STATUS  BLOCKING_SESSION KILL_COMMAND
--------- ------- ---------------- ------------------------------------ 
SYS       ACTIVE                   exec kill_session (31,65,1)
SYSTEM    INACTIVE                 exec kill_session (58,207,1)
USER_1    INACTIVE                 exec kill_session (59,404,1)
USER_2    INACTIVE                 exec kill_session (72,138,1)
USER_2    INACTIVE                 exec kill_session (46,99,2)

May the odds be forever in your favour. Let the killing commence…

Filed under Administration, Programming Tagged with disconnect, gv$session, kill, oracle, session, v$session

Killing a session. Dead!

25/07/2013 2 Comments

… or what ALTER SYSTEM KILL SESSION doesn’t do.

So, you have a runaway session and you want it to stop now, please. You enter “ALTER SYSTEM KILL SESSION (sid,serial#) IMMEDIATE” – supplying the parameters from GV$SESSION (adding @instance_id if it’s running in a different node) and you wait a minute…. and eventually it gets “ORA-00031: session marked for kill” [“KILLED”]. So why didn’t it die immediately? What’s going on? Isn’t KILL a strong enough command?

What actually happened when you submit “ALTER SYSTEM KILL SESSION” is that a flag within the session it set to for the session to kill itself. It’s not so much KILL, as please commit suicide when you notice that I’ve asked. The session needs to wait for a chance to notice the flag, die and clean-up the session.

While you’re waiting for this to happen, it’s not uncommon for DBA’s to hop onto the operating system and do a “kill -9” (or orakill on Windows) to wipe out the process/thread that was running. This then causes SMON to clean up the mess, rather than the user process (which may or may not be desirable – SMON can spawn parallel clean-up slaves which can speed things up).

So, what if you have no access to the O/S, or want neater, tidier (and safer?) results? Use the ALTER SYSTEM DISCONNECT SESSION command instead. Get the same SID and SERIAL# from (g)v$session and give it a go. You have 3 options;

ALTER SYSTEM DISCONNECT SESSION ‘sid,serial#’ POST_TRANSACTION
( waits for in-flight transactions to complete )
ALTER SYSTEM DISCONNECT SESSION ‘sid,serial#’
(I have read it works like ALTER SYSTEM KILL… IMMEDIATE? Yet to confirm by experiment)
ALTER SYSTEM DISCONNECT SESSION ‘sid,serial#’ IMMEDIATE
(just like kill -9; wipes the O/S process out.)

So, the next time you want that session real dead, real quick, you know what to do.

Filed under Administration, Unix Tagged with disconnect, kill, kill -9, ORA-00031, session

Neil Chandler's DB Blog

Proxy Accounts Tracking

Developers Killing Sessions

Killing a session. Dead!

Categories

Archives

Meta