Oracle Installation and Operating System User Groups

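Introduction:
Installing and maintaining Oracle software regularly involves operating system user groups (OS user groups). The setup has grown from just the oracle user and the dba group in earlier releases to the grid user and the ASM groups in today's 11gR2, which shows how quickly Oracle administration has changed. In a single-instance environment, three OS user groups are commonly used:

The oinstall group

oinstall is one of the OS user groups that Oracle recommends creating. Create it before Oracle software is installed on the system for the first time. In principle, the oinstall group should own the Oracle software product directories (for example $CRS_HOME and $ORACLE_HOME) and the Oracle Inventory directory, which records the Oracle products that have been installed on the system. For more on the Oracle Inventory, see the article "Understanding Oracle Universal Installer (OUI) in Depth".

If Oracle software has already been installed on the system, the group that owns the existing Oracle Inventory directory must be the primary group of any user who will install new Oracle software products. The group that owns the existing Oracle Inventory can be read from the /etc/oraInst.loc location file: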
inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall
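If the /etc/oraInst.loc location file does not exist (on a few platforms it is kept elsewhere), create the oinstall group. In a RAC environment, keep the group's gid identical on every node: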
# /usr/sbin/groupadd -g GID oinstall
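The OSDBA group (dba)

OSDBA is the system DBA group (dba) that must be created. Without it, the database software cannot be installed and database administration tasks cannot be performed.

The OSOPER group (oper)

OSOPER is an additional group (oper) whose creation is optional. Creating it lets OS users exercise certain database administration privileges (including the SYSOPER role privileges). Note that SYSOPER includes startup and shutdown, so add members to this group with care.

To create the OSOPER group: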
# /usr/sbin/groupadd oper
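To summarize, in a single-instance environment the Oracle software owner (commonly oracle or orauser) should be a member of the oinstall, dba and oper groups at the same time, and its primary group must be oinstall.

Selecting Privileged Operating System Groups in Oracle Database 11g release 2: [screenshot: rdbms_os_groups_dba_oper]

In an 11.2 GI/CRS environment, the database software owner (oracle or orauser) must also be a member of the asmdba group.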
usermod -g oinstall -G dba,oper,asmdba [oracle|orauser]

id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)
Note that the OSDBA and OSOPER groups are both governed by the source file $ORACLE_HOME/rdbms/lib/config.c, which defines the defaults SS_DBA_GRP "dba" and SS_OPER_GRP "oper". The contents of that file are:
/*  Refer to the Installation and User's Guide for further information.  */

/* IMPORTANT: this file needs to be in sync with
              rdbms/src/server/osds/config.c, specifically regarding the
              number of elements in the ss_dba_grp array.
 */

#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""

char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};
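In 11g release 2, Oracle recommends managing Grid Infrastructure and the ASM instance separately, so more OS user groups are needed to support different privilege assignments. Three ASM groups are commonly used in 11.2 GI:

The OSASM group (asmadmin)

If ASM is used, the OSASM (asmadmin) group must be created. Members of OSASM are granted the SYSASM privilege, which covers the privileges needed to administer Oracle Clusterware and Oracle ASM.

The OSDBA for ASM group (asmdba)

Members of the OSDBA for ASM (asmdba) group are granted read and write access to ASM files. The GI/CRS owner and the owners of all Oracle Database software must be members of this group, and all members of the OSDBA (dba) group must also be members of asmdba.

The OSOPER for ASM group (asmoper)

Like OSOPER, asmoper is an additional, optional group. Creating it as a separate group gives users a restricted set of ASM instance administration privileges (the SYSOPER role for ASM), which includes starting and stopping the ASM instance. By default, members of the OSASM (asmadmin) group hold all of the SYSOPER ASM administration privileges.

In an 11.2 GI/CRS environment, a grid or griduser user is usually created to manage the GI software and the ASM instance. Create the grid user as follows: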
 useradd -g oinstall -G asmadmin,asmdba,asmoper grid

 id grid
 uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)
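
The membership rules above (primary group equal to the inventory group in oraInst.loc, plus the role-specific secondary groups) can be checked mechanically. The script below is an added example, not part of the original article or of any Oracle tooling; the function names are hypothetical, and the privileged group names are the defaults used on this page, so sites that renamed them need to adjust the list.

```shell
#!/bin/sh
# Added example: audit an Oracle software owner's groups (function names are hypothetical).
PRIV_GROUPS="dba oper asmadmin asmdba asmoper"   # default group names used on this page

# Print inst_group from oraInst.loc-format text on stdin.
inventory_group() {
    sed -n 's/^[[:space:]]*inst_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Print the primary group name from one line of `id USER` output.
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.* gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Print every group name from `id USER` output, one per line.
member_groups() {
    printf '%s\n' "$1" | sed -n 's/.* groups=\(.*\)$/\1/p' | tr ',' '\n' |
        sed -n 's/^[0-9]*(\([^)]*\)).*$/\1/p'
}

# check_owner ID_LINE INVENTORY_GROUP EXPECTED_GROUP...
# Fails on a wrong primary group, a missing expected group, or an unexpected privileged group.
check_owner() {
    id_line=$1; inst=$2; shift 2
    rc=0
    pg=$(primary_group "$id_line")
    [ "$pg" = "$inst" ] || { echo "FAIL primary group '$pg' is not inventory group '$inst'"; rc=1; }
    have=$(member_groups "$id_line")
    for g in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$g" || { echo "FAIL missing group '$g'"; rc=1; }
    done
    for g in $PRIV_GROUPS; do
        case " $* " in *" $g "*) continue ;; esac
        if printf '%s\n' "$have" | grep -qxF "$g"; then
            echo "FAIL unexpected privileged group '$g'"; rc=1
        fi
    done
    return $rc
}

# Sample input copied from the listings on this page (oraInst.loc, id oracle, id grid).
SAMPLE_LOC='inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall'
SAMPLE_ORACLE='uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)'
SAMPLE_GRID='uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)'

INST=$(printf '%s\n' "$SAMPLE_LOC" | inventory_group)
check_owner "$SAMPLE_ORACLE" "$INST" dba oper asmdba && echo "oracle: OK"
check_owner "$SAMPLE_GRID" "$INST" asmadmin asmdba asmoper && echo "grid: OK"
```

On a live host, pass "$(id oracle)" as the first argument and the result of inventory_group < /etc/oraInst.loc as the second.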

Selecting Privileged Operating System Groups in Oracle 11g release 2 Grid Infrastructure: [screenshot: rdbms_os_groups_dba_oper]

The relationships between the OS users and groups described above: [figure: os_user_group_gi_rac]

For more detail, see the following:

The OSDBA group (typically, dba)
You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). If you do not create separate OSDBA, OSOPER and OSASM groups for the Oracle ASM instance, then operating system user accounts that have the SYSOPER and SYSASM privileges must be members of this group. The name used for this group in Oracle code examples is dba. If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also by default the OSASM group. To specify a group name other than the default dba group, then you must choose the Advanced installation type to install the software or start Oracle Universal Installer (OUI) as a user that is not a member of this group. In this case, OUI prompts you to specify the name of this group. Members of the OSDBA group formerly were granted SYSASM privileges on Oracle ASM instances, including mounting and dismounting disk groups. This privileges grant is removed with Oracle Grid Infrastructure 11g release 2, if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privilege is retained.

The OSOPER group for Oracle Database (typically, oper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have all privileges granted by the SYSOPER privilege. To use the OSOPER group to create a database administrator group with fewer privileges than the default dba group, then you must choose the Advanced installation type to install the software or start OUI as a user that is not a member of the dba group. In this case, OUI prompts you to specify the name of this group. The usual name chosen for this group is oper.

The Oracle Automatic Storage Management Group (typically asmadmin)
This is a required group. Create this group as a separate group if you want to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group, and in code examples, where there is a group specifically created to grant this privilege, it is referred to as asmadmin. If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a separate OSASM group, and use a separate user from the database users to own the Oracle Grid Infrastructure installation (Oracle Clusterware and Oracle ASM). Oracle ASM can support multiple databases. Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.

The Oracle ASM Database Administrator group (OSDBA for ASM, typically asmdba)
Members of the Oracle ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.

Members of the Oracle ASM Operator Group (OSOPER for ASM, typically asmoper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege. To use the Oracle ASM Operator group to create an ASM administrator group with fewer privileges than the default asmadmin group, then you must choose the Advanced installation type to install the software. In this case, OUI prompts you to specify the name of this group. In code examples, this group is asmoper.

An Oracle central inventory group, or oraInventory group (oinstall). Members who have the central inventory group as their primary group, are granted the OINSTALL permission to write to the oraInventory directory.
A single system privileges group that is used as the OSASM, OSDBA, OSDBA for ASM, and OSOPER for ASM group (dba), whose members are granted the SYSASM and SYSDBA privilege to administer Oracle Clusterware, Oracle ASM, and Oracle Database, and are granted SYSASM and OSOPER for ASM access to the Oracle ASM storage.
An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM group as the secondary group, with its Oracle base directory /u01/app/grid.
An Oracle Database owner (oracle) with the oraInventory group as its primary group, and the OSDBA group as its secondary group, with its Oracle base directory /u01/app/oracle.
/u01/app owned by grid:oinstall with 775 permissions before installation, and by root after the root.sh script is run during installation. This ownership and permissions enables OUI to create the Oracle Inventory directory, in the path /u01/app/oraInventory.
/u01 owned by grid:oinstall before installation, and by root after the root.sh script is run during installation.
/u01/app/11.2.0/grid owned by grid:oinstall with 775 permissions. These permissions are required for installation, and are changed during the installation process.
/u01/app/grid owned by grid:oinstall with 775 permissions before installation, and 755 permissions after installation.
/u01/app/oracle owned by oracle:oinstall with 775 permissions.

An Oracle central inventory group, or oraInventory group (oinstall), whose members that have this group as their primary group are granted permissions to write to the oraInventory directory.
A separate OSASM group (asmadmin), whose members are granted the SYSASM privilege to administer Oracle Clusterware and Oracle ASM.
A separate OSDBA for ASM group (asmdba), whose members include grid, oracle1 and oracle2, and who are granted access to Oracle ASM.
A separate OSOPER for ASM group (asmoper), whose members are granted limited Oracle ASM administrator privileges, including the permissions to start and stop the Oracle ASM instance.
An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM (asmadmin), OSDBA for ASM (asmdba) group as a secondary group.
Two separate OSDBA groups for two different databases (dba1 and dba2) to establish separate SYSDBA privileges for each database.
Two Oracle Database software owners (oracle1 and oracle2), to divide ownership of the Oracle database binaries, with the OraInventory group as their primary group, and the OSDBA group for their database (dba1 or dba2) and the OSDBA for ASM group (asmdba) as their secondary groups.
An OFA-compliant mount point /u01 owned by grid:oinstall before installation.
An Oracle base for the grid installation owner /u01/app/grid owned by grid:oinstall with 775 permissions, and changed during the installation process to 755 permissions.
An Oracle base /u01/app/oracle1 owned by oracle1:oinstall with 775 permissions.
An Oracle base /u01/app/oracle2 owned by oracle2:oinstall with 775 permissions.
A Grid home /u01/app/11.2.0/grid owned by grid:oinstall with 775 (drwxrwxr-x) permissions. These permissions are required for installation, and are changed during the installation process to root:oinstall with 755 permissions (drwxr-xr-x).
/u01/app/oraInventory. This path remains owned by grid:oinstall, to enable other Oracle software owners to write to the central inventory.


This article is reposted from maclean_007's 51CTO blog. Original link: http://blog.51cto.com/maclean/1277995
