Minimum Requirements to Use Export DataPump and IMP(System Privileges)_351598.1
Export/Import DataPump: The Minimum Requirements to Use Export DataPump and Import DataPump (System Privileges) (Doc ID 351598.1)
In this Document
| Goal |
| Solution |
| 1. Minimum Requirements. |
| 2. How to grant privileges. |
| 3. Privileged User. |
| 4. Useful queries. |
| 5. Possible errors. |
| Additional Resources |
| References |
Applies to:
Oracle Database - Enterprise Edition - Version 10.1.0.2 to 11.2.0.3 [Release 10.1 to 11.2]
Information in this document applies to any platform.
***Checked for relevance on 7-Feb-2011***
Goal
In Oracle10g, the new database export and import utilities Export DataPump (expdp) and Import DataPump (impdp) were introduced. This document describes the minimum requirements to run an Export DataPump or Import DataPump job.
Solution
1. Minimum Requirements.
The minimum requirements to run an Export DataPump or Import DataPump job on an Oracle10g or any higher release database are:
- system privilege CREATE TABLE
- object privileges READ and WRITE on an valid directory object (or the CREATE DIRECTORY privilege with which a valid directory object was created)
- sufficient tablespace quota on the user's default tablespace (needed to create the so-called Master Table that is used by the DataPump job).
In addition, the role EXP_FULL_DATABASE is needed:
- to run a full database Export DataPump job or
- to run a transport_tablespace Export DataPump job or
- to run an Export DataPump job with the TRACE parameter or
- to run an Export DataPump job that exports a different schema.
In addition, the role IMP_FULL_DATABASE is needed:
- to run a full database Import DataPump job or
- to run a transport_datafiles Import DataPump job or
- to run an Import DataPump job with the TRACE parameter or
- to run an Import DataPump job that imports a different schema.
Note that these requirements apply to the user that connects to the database when running the Export DataPump or Import DataPump job, not to the user that is exported/imported.
2. How to grant privileges.
The privileges can be granted explicitly or via a role. E.g.:
CREATE DIRECTORY my_dir AS 'full_pre_existing_directory_path_here';
GRANT create session, create table TO scott IDENTIFIED BY tiger;
GRANT read, write ON DIRECTORY my_dir TO scott;
ALTER USER scott DEFAULT TABLESPACE USERS;
ALTER USER scott QUOTA unlimited ON users;
-- or:
CONNECT system/manager
CREATE DIRECTORY my_dir AS 'full_pre_existing_directory_path_here>>';
CREATE ROLE expdp_role;
GRANT create session, create table TO expdp_role;
GRANT read, write ON DIRECTORY my_dir TO expdp_role;
GRANT expdp_role TO scott;
ALTER USER scott DEFAULT ROLE all;
ALTER USER scott DEFAULT TABLESPACE USERS;
ALTER USER scott QUOTA unlimited ON users;
3. Privileged User.
A privileged user is a user that has the EXP_FULL_DATABASE role for an Export DataPump and the IMP_FULL_DATABASE role for an Import DataPump job, or the DBA role that contains both these roles:
COL privilege FOR a40
SELECT grantee, granted_role, default_role
FROM dba_role_privs
WHERE granted_role IN ('DBA', 'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
ORDER BY 1,2;
GRANTEE GRANTED_ROLE DEF
-------------------- ------------------------------ ---
DBA EXP_FULL_DATABASE YES
DBA IMP_FULL_DATABASE YES
SCOTT EXP_FULL_DATABASE YES
SCOTT IMP_FULL_DATABASE YES
SYS DBA YES
SYS EXP_FULL_DATABASE YES
SYS IMP_FULL_DATABASE YES
SYSMAN DBA YES
SYSTEM DBA YES
4. Useful queries.
-- (replace SCOTT with the username that connects to the database when
-- running the DataPump job):
SET lines 80 pages 50
COL privilege FOR a40
SELECT grantee, privilege
FROM dba_sys_privs
WHERE (grantee IN ('SCOTT', 'PUBLIC')
OR grantee IN (SELECT granted_role FROM dba_role_privs
WHERE grantee IN ('SCOTT', 'PUBLIC')))
AND privilege IN ('CREATE SESSION', 'CREATE TABLE')
ORDER BY 1,2;
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
SCOTT CREATE SESSION
SCOTT CREATE TABLE
-- check for granted roles and the default role (replace SCOTT with the
-- username that connects to the database when running the DataPump job):
SET lines 80
SELECT grantee, granted_role, default_role
FROM dba_role_privs
WHERE grantee IN ('SCOTT', 'PUBLIC') ORDER BY 1,2;
GRANTEE GRANTED_ROLE DEF
------------------------------ ------------------------------ ---
SCOTT EXP_FULL_DATABASE YES
SCOTT IMP_FULL_DATABASE YES
-- check for granted privileges on directory objects (replace SCOTT with
-- the username that connects to the database when running the DataPump job):
SET lines 100
COL privilege FOR a10
COL grantee FOR a20
COL owner FOR a20
SELECT p.grantee, p.privilege, p.owner, d.directory_name
FROM dba_tab_privs p, dba_directories d
WHERE p.table_name=d.directory_name
AND (grantee IN ('SCOTT', 'PUBLIC')
OR grantee IN (SELECT granted_role FROM dba_role_privs
WHERE grantee IN ('SCOTT', 'PUBLIC')))
ORDER BY 4,3,2;
GRANTEE PRIVILEGE OWNER DIRECTORY_NAME
-------------------- ---------- -------------------- ----------------------
IMP_FULL_DATABASE READ SYS DATA_PUMP_DIR
EXP_FULL_DATABASE READ SYS DATA_PUMP_DIR
EXP_FULL_DATABASE WRITE SYS DATA_PUMP_DIR
IMP_FULL_DATABASE WRITE SYS DATA_PUMP_DIR
SCOTT READ SYS MY_DIR
SCOTT WRITE SYS MY_DIR
-- check for the default tablespace (replace SCOTT with the username that
-- connects to the database when running the DataPump job):
SET lines 80
SELECT username, default_tablespace
FROM dba_users WHERE username IN ('SCOTT');
USERNAME DEFAULT_TABLESPACE
------------------------------ ------------------------------
SCOTT USERS
-- check for the tablespace quota (replace SCOTT with the username that
-- connects to the database when running the DataPump job):
SET lines 100 numwidth 12
SELECT q.username, q.tablespace_name, q.bytes, q.max_bytes
FROM dba_ts_quotas q, dba_users u
WHERE q.username=u.username AND q.username in ('SCOTT');
USERNAME TABLESPACE_NAME BYTES MAX_BYTES
-------------------- -------------------- ------------ ------------
SCOTT USERS 393216 -1
5. Possible errors.
Possible errors if user SCOTT tries to run an Export DataPump job with:
LOGFILE=exp_s.log SCHEMAS=scott
5.1. Session related.
ORA-01045: user SCOTT lacks CREATE SESSION privilege; logon denied
Solution: grant the CREATE SESSION privilege to the user that runs the export (scott) or grant it to the role (expdp_role) that is granted to the user that runs the export, e.g.:
-- or:
GRANT create session TO expdp_role;
Alternatively, run the export with a different privileged user that has the 'CREATE SESSION' privilege, or the old 'CONNECT' role (which has the CREATE SESSION privilege), e.g.: run the export while connecting with the SYSTEM schema.
5.2. Master table related.
ORA-31633: unable to create master table "SCOTT.SYS_EXPORT_SCHEMA_01"
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPV$FT", line 863
ORA-01031: insufficient privileges
Solution: grant the CREATE TABLE privilege to the user that runs the export (scott) or grant it to the role (expdp_role) that is granted to the user that runs the export, e.g.:
-- or:
GRANT create table TO expdp_role;
Alternatively, run the export with a different privileged user that has the 'CREATE TABLE' privilege, e.g.: run the export while connecting with the SYSTEM schema.
5.3. Directory related.
ORA-39070: Unable to open the log file.
ORA-39087: directory name MY_DIR is invalid
ORA-39000: bad dump file specification
ORA-39087: directory name MY_DIR is invalid
ORA-39070: Unable to open the log file.
ORA-31631: privileges are required
ORA-39000: bad dump file specification
ORA-31631: privileges are required
Solution: grant the READ and WRITE privilege on the DIRECTORY object to the user that runs the export (scott) or grant it to the role (expdp_role) that is granted to the user that runs the export, e.g.:
-- or:
GRANT read, write ON DIRECTORY my_dir TO expdp_role;
Alternatively, run the export with a different privileged user that has the 'READ' and 'WRITE' privilege on the directory object, e.g.: run the export while connecting with the user that created the directory object.
Note: If the errors reproduce after (re-)granting the privileges, then the directory on disk may have been created after the directory object was created. In that case:
- drop the directory object in the database;
- ensure that the directory exists on the filesystem on the server where the Oracle database is installed, and that the Oracle user has access to it;
- re-create the directory object in the database;
- grant the read and write privileges on the directory object to the user(s) who connect to the database when starting the expdp / impdp job.
5.4. Tablespace quota related.
ORA-31633: unable to create master table "SCOTT.SYS_EXPORT_SCHEMA_01"
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPV$FT", line 863
ORA-01536: space quota exceeded for tablespace 'USERS'
ORA-31633: unable to create master table "SCOTT.SYS_EXPORT_SCHEMA_01"
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPV$FT", line 863
ORA-01950: no privileges on tablespace 'USERS'
Solution: grant tablespace quota on the default tablespace of the user that runs the export (scott), or change the default tablespace of the user that runs the export to a tablespace on which this user has sufficient quota, e.g.:
-- or:
ALTER USER scott DEFAULT TABLESPACE scott_tbsp;
Alternatively, run the export with a different privileged user that has sufficient quota on their default tablespace.
5.5. Privileged User related.
LOGFILE=expdp_s.log TRANSPORT_TABLESPACES=users
Export: Release 10.2.0.3.0 - Production on Monday, 30 July, 2007 10:03:59
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORA-31631: privileges are required
ORA-39162: Transportable tablespace job require privileges
LOGFILE=expdp_s.log TABLES=hugo.emp
Export: Release 10.2.0.3.0 - Production on Monday, 30 July, 2007 11:51:25
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORA-31631: privileges are required
ORA-39109: Unprivileged users may not operate upon other users' schemas
Solution: grant the DBA role or the EXP_FULL_DATABASE role to the user that runs the export (scott) or grant it to the role (expdp_role) that is granted to the user that runs the export, e.g.:
-- or:
GRANT dba TO expdp_role;
Alternatively, run the export with a privileged user (i.e. a user who has the DBA or the EXP_FULL_DATABASE role).
5.6. Database link related.
If a privileged user (e.g. SYSTEM) is exporting or importing data with the NETWORK_LINK parameter and is using a (public) database link that connects to a remote database as a non-privileged user (e.g. SCOTT), then the Import DataPump or Export DataPump job will fail with:
SCHEMAS=scott REMAP_SCHEMA=scott:hugo
Import: Release 10.2.0.3.0 - Production on Thursday, 23 August, 2007 11:49:30
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORA-31631: privileges are required
ORA-39149: cannot link privileged user to non-privileged user
Solution: ensure that the user in the remote database with which the database link connects to, has the DBA role or the EXP_FULL_DATABASE role, or grant it to the role (expdp_role) that is granted to the user that the database link connects to, e.g.:
GRANT exp_full_database TO scott;
-- or in remote database:
GRANT dba TO expdp_role;
Alternatively, have the privileged user that runs the job create a private database link of its own, that connects as another privileged user to the remote database.
CONNECT system/manager
CREATE DATABASE LINK system_to_remote
CONNECT TO system IDENTIFIED BY manager
USING 'remote_db.oracle.com';
> impdp system/manager NOLOGFILE=y NETWORK_LINK=system_to_remote \
SCHEMAS=scott REMAP_SCHEMA=scott:hugo
5.7. Trace file related.
If a non-privileged user is exporting or importing data with the TRACE parameter, then the Export DataPump or Import DataPump job will fail with:
LOGFILE=expdp_s.log TABLES=emp TRACE=480300
Export: Release 10.2.0.3.0 - Production on Monday, 30 July, 2007 12:44:30
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORA-31631: privileges are required
Solution: when the Data Pump TRACE parameter is used in Oracle10g Release 2 or higher, then the user who connects to the database and runs the export DataPump job needs to have the DBA role or the EXP_FULL_DATABASE role (the same applies to Import DataPump with TRACE parameter: DBA or IMP_FULL_DATABASE role required), e.g.:
-- or:
GRANT dba TO expdp_role;
Alternatively, run the export with TRACE parameter with a privileged user (i.e. a user who has the DBA or the EXP_FULL_DATABASE role).
Reference:
Bug:5152186 "EXPDP/IMPDP JOB WITH TRACE AND STARTED WITH NON-DBA USER FAILS: ORA-31631"
5.8. Flashback query related.
If a user with the EXP_FULL_DATABASE role is exporting a table that is owned by a different schema and that table has as SYS.XMLTYPE column, then the Export DataPump job will fail with:
-----------------
DIRECTORY = my_dir
DUMPFILE = expdp_s.dmp
LOGFILE = expdp_s.log
FLASHBACK_TIME = "to_timestamp(to_char(sysdate, 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS')"
> expdp scott/tiger SCHEMAS=hugo parfile=expdp_s.par
Processing object type SCHEMA_EXPORT/TABLE/TABLE
ORA-31693: Table data object "HUGO"."MYXMLTAB" failed to load/unload and is being skipped due to error:
ORA-01031: insufficient privileges
...
Solution: explicitly grant the FLASHBACK privilege to the schema that runs the Export DataPump job. The privilege can be granted on specific objects (privilege: FLASHBACK), or on all tables (privilege: FLASHBACK ANY TABLE), e.g.:
-- or:
GRANT flashback any table TO expdp_role;
Alternatively, grant the DBA role to the schema that runs the export DataPump job or run the export with a schema that has the DBA role.
5.9. Change Data Capture (CDC) related.
If a user with the EXP_FULL_DATABASE role performs a full database export, and the database has a change table (SELECT * FROM change_tables), then the Export DataPump job may fail with:
Estimate in progress using BLOCKS method...
Processing object type DATABASE_EXPORT/SCHEMA/TABLE/TABLE_DATA
ORA-39125: Worker unexpected fatal error in KUPW$WORKER.GET_TABLE_DATA_OBJECTS while calling DBMS_METADATA.FETCH_XML_CLOB []
ORA-31642: the following SQL statement fails:
BEGIN "SYS"."DBMS_CDC_EXPDP".SCHEMA_CALLOUT(:1,0,1,'10.02.00.03.00'); END;
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_METADATA", line 907
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPW$WORKER", line 6249
...
Estimate in progress using BLOCKS method...
Processing object type DATABASE_EXPORT/SCHEMA/TABLE/TABLE_DATA
ORA-39125: Worker unexpected fatal error in KUPW$WORKER.GET_TABLE_DATA_OBJECTS while calling DBMS_METADATA.FETCH_XML_CLOB []
ORA-31642: the following SQL statement fails:
BEGIN "SYS"."DBMS_CDC_EXPDP".SCHEMA_CALLOUT(:1,0,1,'10.02.00.03.00'); END;
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_METADATA", line 907
ORA-00942: table or view does not exist
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPW$WORKER", line 6249
...
Reference: Bug:6078613 "EXPORT DATAPUMP AFTER INSTALLING CDC FAILS WITH ORA-942"
Workaround: explicitly grant the following privileges to the schema that runs the full database Export DataPump job, e.g.:
GRANT insert any table TO scott;
GRANT drop any table TO scott;
GRANT select on cdc_change_sources$ TO scott;
GRANT select on cdc_change_sets$ TO scott;
GRANT select on cdc_change_tables$ TO scott;
GRANT select on cdc_subscribers$ TO scott;
Alternatively, grant the DBA role to the schema that runs the export DataPump job or run the export with a schema that has the DBA role.
5.10. Exported schema privileges related.
If the schema that is being exported (i.e. not the user that started the Export DataPump job) has scheduler jobs that need to be exported, and that user does not have (enough) tablespace quota, then the Export DataPump job will fail with:
ORA-31642: the following SQL statement fails:
BEGIN "SYS"."DBMS_SCHED_EXPORT_CALLOUTS".SCHEMA_CALLOUT(:1,0,1,'10.02.00.03.00'); END;
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_METADATA", line 907
ORA-01950: no privileges on tablespace 'USERS'
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPW$WORKER", line 6249
----- PL/SQL Call Stack -----
object line object
handle number name
2DFB4638 14938 package body SYS.KUPW$WORKER
2DFB4638 6314 package body SYS.KUPW$WORKER
2DFB4638 9129 package body SYS.KUPW$WORKER
2DFB4638 1882 package body SYS.KUPW$WORKER
2DFB4638 6875 package body SYS.KUPW$WORKER
2DFB4638 1260 package body SYS.KUPW$WORKER
2DC76BE4 2 anonymous block
Job "SYSTEM"."SYS_EXPORT_SCHEMA_02" stopped due to fatal error at 14:38:18
Solution: grant tablespace quota to the default tablespace of the schema that needs to be exported, or change the default tablespace of the schema that needs to be exported to a tablespace on which this schema has sufficient quota, e.g.:
-- or:
ALTER USER scott DEFAULT TABLESPACE scott_tbsp;
Additional Resources
Community: Database Utilities
Still have questions? Use the above community to search for similar discussions or start a new discussion on this subject.
References
BUG:4540755 - ABOUT A MINIMUM PRIVILEGE NECESSARY TO EXECUTE DATA PUMP
BUG:5152186 - EXPDP/IMPDP JOB WITH TRACE AND STARTED WITH NON-DBA USER FAILS: ORA-31631
BUG:5169420 - IMPORT FROM DATABASE VIA NETWORK_LINK FAILED WITH ERROR ORA-39149
BUG:6078613 - EXPORT DATAPUMP AFTER INSTALLING CDC FAILS WITH ORA-942
NOTE:266875.1 - Export/Import DataPump Parameter DIRECTORY - How to Specify a Directory
BUG:4540755 - ABOUT A MINIMUM PRIVILEGE NECESSARY TO EXECUTE DATA PUMP
NOTE:286496.1 - Export/Import DataPump Parameter TRACE - How to Diagnose Oracle Data Pump
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/17252115/viewspace-1160592/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- Difference of Revoke System Privileges and Object PrivilegesObject
- DataPump Export/Import Of LOBs Are Not Executed in ParallelExportImportParallel
- System Requirements for WebSphere Application ServerUIREMWebAPPServer
- 使用datapump 匯出匯入同義詞(export and import synonym using datapump)ExportImport
- Run Out Of Space On UNDO Tablespace Using DataPump Import/ExportImportExport
- 【metalink】Export/Import DataPump Parameter TRACE (文件 ID 286496.1)ExportImport
- IMP-00009: abnormal end of export fileORMExport
- How to perform FULL System Export/ImportsORMExportImport
- DataPump Export (EXPDP) Fails With Error LPX-216 Invalid CharacterExportAIError
- Your host does not meet minimum requirements to run VMware workstation with hyper-v or device/credenUIREMdev
- Oracle Fusion Middleware Supported System check,jdk,java .etc requirementsOracleJDKJavaUIREM
- IMP-00010: not a valid export file tipsExport
- Oracle10g Export/Import DataPump Does Not Work with Tapes or UNIX Named Pipes [ID 276521.1]OracleExportImport
- IMP-00008: unrecognized statement in the export file: string的問題分析ZedExport
- Listings of System and Object Privileges--系統和物件許可權列表Object物件
- /dev/sdb1 is apparently in use by the system; will not make a filesystem here!devAPP
- HDD Drilling Mud Cleaning System export to South KoreaExport
- RMAN system 遠端連線 ORA-01031: insufficient privileges
- Index of system requirements for Notes, Domino, Domino Administrator, Domino Designer & Notes TravelIndexUIREM
- Export and import right application or execute import imp-00010 error solveExportImportAPPError
- ORA-01552: cannot use system rollback segment for non-system tablespace 'USERS'錯誤解決
- ORA-31626 ORA-31650 While Using DataPump Export in RAC Environment [ID 454639.1]WhileExport
- 【DATAPUMP】使用DataPump遷移Oracle資料庫Oracle資料庫
- ORA-01552: cannot use system rollback錯誤解決方法
- @EXPORT and @EXPORT_OKExport
- about datapump parallelParallel
- Speedup Datapump ImportImport
- ORA-31633: unable to create master table "SYSTEM.SYS_EXPORT_FULL_XX"ASTExport
- Flashback Data Archive RequirementsHiveUIREM
- export 和 export default 區別Export
- datapump簡介(一)
- Oracle DataPump之二Oracle
- Oracle DataPump之一Oracle
- Oracle Datapump 學習Oracle
- db2_privilegesDB2
- exportExport
- JavaScript中的export、export default、exports和module.exports(export、export default、exports使用詳細)JavaScriptExport
- export和export default的區別Export