Oracle Operating System User Groups

Posted by mengbing1990 on 2017-02-09

While installing and maintaining Oracle software you constantly deal with operating system user groups (OS user groups). From the early days, when there were only the oracle user and the dba group, to today's grid user and ASM groups, the rapid evolution of Oracle administration is plain to see.

The oinstall user group

The oinstall group is one of the OS user groups Oracle recommends creating, and it should exist before the first Oracle software product is installed on the system. In principle the oinstall group should own the Oracle software product directories (for example $CRS_HOME and $ORACLE_HOME) and the Oracle Inventory directory; the Oracle Inventory records every Oracle product that has been installed on the system.

If Oracle products are already installed on the system, the group that owns the existing Oracle Inventory directory must be the primary group of any user that will later be used to install new Oracle software products.

The owning group of the existing Oracle Inventory can be read from the /etc/oraInst.loc location file:

inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall

If the /etc/oraInst.loc location file does not exist (on a few platforms it lives elsewhere), create the oinstall group. In a RAC environment make sure the gid of each group is identical on every node:

# /usr/sbin/groupadd -g GID oinstall

The OSDBA user group (dba)

OSDBA is the system DBA group (dba) that we must create; without it we cannot install the database software or carry out database administration tasks.

The OSOPER user group (oper)

OSOPER is an additional, optional user group (oper). We can choose whether to create it; creating it lets OS users exercise a limited set of database administration privileges (those of the SYSOPER role). Note that SYSOPER privileges include startup and shutdown, so add members to this group with care.

To create the OSOPER user group:

# /usr/sbin/groupadd oper

In summary, in a single-instance environment the Oracle software owner (commonly oracle or orauser) should be a member of the oinstall, dba and oper groups at the same time, and its primary group must be oinstall.

Selecting the Privileged Operating System Groups in Oracle Database 11g release 2

In an 11.2 GI/CRS environment the database software owner (oracle or orauser) must additionally be a member of the asmdba group:

usermod -g oinstall -G dba,oper,asmdba [oracle|orauser]

id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)

Note that both the OSDBA and OSOPER groups are governed by the source file $ORACLE_HOME/rdbms/lib/config.c, which defines the defaults SS_DBA_GRP "dba" and SS_OPER_GRP "oper". Its contents are:

/*  Refer to the Installation and User's Guide for further information.  */
/* IMPORTANT: this file needs to be in sync with
              rdbms/src/server/osds/config.c, specifically regarding the
              number of elements in the ss_dba_grp array.
 */
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};

In 11g release 2 Oracle recommends managing the Grid Infrastructure and the ASM instance separately, so additional OS groups need to be created to support the different privilege assignments.

The three ASM groups commonly used in 11.2 GI are:

The OSASM (asmadmin) user group

If ASM is used, the OSASM (asmadmin) group must be created. Members of the OSASM group are granted the SYSASM privilege, which lets them administer Oracle Clusterware and Oracle ASM.

The OSDBA for ASM (asmdba) user group

Members of the OSDBA for ASM (asmdba) group are granted read and write access to ASM files. The GI/CRS owner and every Oracle database software owner must be members of this group, and all members of the OSDBA (dba) group must be members of asmdba as well.

The OSOPER for ASM (asmoper) user group

Like osoper, asmoper is an additional, optional group. It is created as a separate group to grant users a limited set of ASM instance administration privileges (the SYSOPER role for ASM), which include starting and stopping the ASM instance. By default, members of the OSASM (asmadmin) group already hold all of the SYSOPER for ASM privileges.

In an 11.2 GI/CRS environment a grid (or griduser) user is normally created to manage the GI software and the ASM instance. Create the grid user as follows:

useradd -g oinstall -G asmadmin,asmdba,asmoper grid

 id grid
 uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)
software component   os user  primary group  supplementary group      home directory  oracle base      oracle home
grid infrastructure  grid     oinstall       asmadmin,asmdba,asmoper  /home/grid      /u01/app/grid    /u01/app/11.2.0/grid
Oracle RAC           oracle   oinstall       dba,oper,asmdba          /home/oracle    /u01/app/oracle  /u01/app/oracle/product/11.2.0/dbhome_1

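The group layout described above (oinstall as primary group matching inst_group in /etc/oraInst.loc, dba/oper/asmdba for the database owner, asmadmin/asmdba/asmoper for grid, and identical gids across RAC nodes) can be verified mechanically. The script below is an added example, not code from the original post; it parses `id`-style output and an oraInst.loc copy, both constructed here so it runs offline, and the function names (primary_group, gid_of, has_groups, same_gid, inst_group, check_db_owner) are mine.

```shell
#!/bin/sh
# Added example: check the 11.2 OS group layout from `id` output and
# /etc/oraInst.loc. Sample lines are constructed, not captured from a host;
# on a real node use `id oracle`, `id grid` and the real file instead.
# Constructed `id` output: oracle and grid on RAC node 1, and oracle on
# node 2, where asmdba was (wrongly) created with a different gid.
NODE1_ORACLE='uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),701(asmdba),54324(oper)'
NODE1_GRID='uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),700(asmadmin),701(asmdba),55000(asmoper)'
NODE2_ORACLE='uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),702(asmdba),54324(oper)'
# Constructed copy of /etc/oraInst.loc.
ORAINST='inventory_loc=/u01/app/oracle/oraInventory
inst_group=oinstall'

# primary_group "<id line>" -> the group name inside gid=NNN(name)
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}
# gid_of "<id line>" group -> numeric gid of that group from groups=, empty if absent
gid_of() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed -n "s/^\([0-9]*\)($2)\$/\1/p"
}
# has_groups "<id line>" "g1,g2,..." -> 0 only if every listed group is present
has_groups() {
    for g in $(printf '%s' "$2" | tr ',' ' '); do
        [ -n "$(gid_of "$1" "$g")" ] || return 1
    done
}
# same_gid "<id line A>" "<id line B>" group -> 0 if both show the same numeric gid
same_gid() {
    a=$(gid_of "$1" "$3"); b=$(gid_of "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
# inst_group "<oraInst.loc text>" -> value of the inst_group= line
inst_group() {
    printf '%s\n' "$1" | sed -n 's/^inst_group=//p'
}
# check_db_owner "<id line>" "<oraInst.loc text>" -> 0 if the database owner's
# primary group equals the inventory group and it is in dba, oper and asmdba.
check_db_owner() {
    [ "$(primary_group "$1")" = "$(inst_group "$2")" ] && has_groups "$1" dba,oper,asmdba
}

check_db_owner "$NODE1_ORACLE" "$ORAINST" && echo "node1 oracle: group layout OK"
same_gid "$NODE1_ORACLE" "$NODE2_ORACLE" asmdba || echo "asmdba gid differs between nodes"
```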
More details can be found in the following excerpts from the Oracle installation documentation:

The OSDBA group (typically, dba)

You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). If you do not create separate OSDBA, OSOPER and OSASM groups for the Oracle ASM instance, then operating system user accounts that have the SYSOPER and SYSASM privileges must be members of this group. The name used for this group in Oracle code examples is dba. If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also by default the OSASM group.

To specify a group name other than the default dba group, then you must choose the Advanced installation type to install the software or start Oracle Universal Installer (OUI) as a user that is not a member of this group. In this case, OUI prompts you to specify the name of this group.

Members of the OSDBA group formerly were granted SYSASM privileges on Oracle ASM instances, including mounting and dismounting disk groups. This privilege grant is removed with Oracle Grid Infrastructure 11g release 2, if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privilege is retained.

The OSOPER group for Oracle Database (typically, oper)

This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have all privileges granted by the SYSOPER privilege.

To use the OSOPER group to create a database administrator group with fewer privileges than the default dba group, then you must choose the Advanced installation type to install the software or start OUI as a user that is not a member of the dba group. In this case, OUI prompts you to specify the name of this group. The usual name chosen for this group is oper.

The Oracle Automatic Storage Management Group (typically asmadmin)

This is a required group. Create this group as a separate group if you want to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group, and in code examples, where there is a group specifically created to grant this privilege, it is referred to as asmadmin.

If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a separate OSASM group, and use a separate user from the database users to own the Oracle Grid Infrastructure installation (Oracle Clusterware and Oracle ASM). Oracle ASM can support multiple databases.

Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.

The Oracle ASM Database Administrator group (OSDBA for ASM, typically asmdba)

Members of the Oracle ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.

Members of the Oracle ASM Operator Group (OSOPER for ASM, typically asmoper)

This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.

To use the Oracle ASM Operator group to create an ASM administrator group with fewer privileges than the default asmadmin group, then you must choose the Advanced installation type to install the software. In this case, OUI prompts you to specify the name of this group. In code examples, this group is asmoper.

An Oracle central inventory group, or oraInventory group (oinstall). Members who have the central inventory group as their primary group, are granted the OINSTALL permission to write to the oraInventory directory.

A single system privileges group that is used as the OSASM, OSDBA, OSDBA for ASM, and OSOPER for ASM group (dba), whose members are granted the SYSASM and SYSDBA privilege to administer Oracle Clusterware, Oracle ASM, and Oracle Database, and are granted SYSASM and OSOPER for ASM access to the Oracle ASM storage.

An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM group as the secondary group, with its Oracle base directory /u01/app/grid.

An Oracle Database owner (oracle) with the oraInventory group as its primary group, and the OSDBA group as its secondary group, with its Oracle base directory /u01/app/oracle.

/u01/app owned by grid:oinstall with 775 permissions before installation, and by root after the root.sh script is run during installation. This ownership and permissions enables OUI to create the Oracle Inventory directory, in the path /u01/app/oraInventory.

/u01 owned by grid:oinstall before installation, and by root after the root.sh script is run during installation.

/u01/app/11.2.0/grid owned by grid:oinstall with 775 permissions. These permissions are required for installation, and are changed during the installation process.

/u01/app/grid owned by grid:oinstall with 775 permissions before installation, and 755 permissions after installation.

/u01/app/oracle owned by oracle:oinstall with 775 permissions.

An Oracle central inventory group, or oraInventory group (oinstall), whose members that have this group as their primary group are granted permissions to write to the oraInventory directory.

A separate OSASM group (asmadmin), whose members are granted the SYSASM privilege to administer Oracle Clusterware and Oracle ASM.

A separate OSDBA for ASM group (asmdba), whose members include grid, oracle1 and oracle2, and who are granted access to Oracle ASM.

A separate OSOPER for ASM group (asmoper), whose members are granted limited Oracle ASM administrator privileges, including the permissions to start and stop the Oracle ASM instance.

An Oracle grid installation for a cluster owner (grid), with the oraInventory group as its primary group, and with the OSASM (asmadmin), OSDBA for ASM (asmdba) group as a secondary group.

Two separate OSDBA groups for two different databases (dba1 and dba2) to establish separate SYSDBA privileges for each database.

Two Oracle Database software owners (oracle1 and oracle2), to divide ownership of the Oracle database binaries, with the OraInventory group as their primary group, and the OSDBA group for their database (dba1 or dba2) and the OSDBA for ASM group (asmdba) as their secondary groups.

An OFA-compliant mount point /u01 owned by grid:oinstall before installation.

An Oracle base for the grid installation owner /u01/app/grid owned by grid:oinstall with 775 permissions, and changed during the installation process to 755 permissions.

An Oracle base /u01/app/oracle1 owned by oracle1:oinstall with 775 permissions.

An Oracle base /u01/app/oracle2 owned by oracle2:oinstall with 775 permissions.

A Grid home /u01/app/11.2.0/grid owned by grid:oinstall with 775 (drwxrwxr-x) permissions. These permissions are required for installation, and are changed during the installation process to root:oinstall with 755 permissions (drwxr-xr-x).

/u01/app/oraInventory. This path remains owned by grid:oinstall, to enable other Oracle software owners to write to the central inventory.
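The ownership and mode expectations listed above (Grid home and grid Oracle base at 755 after installation, the database Oracle base at 775) can be audited with a script like the following. It is an added example, not part of the Oracle documentation quoted here: make_sample_tree builds a constructed scratch tree with those modes (no root is needed, so owners are not set), check_dir compares a directory's `ls -ld` mode and optional owner:group against the expected values, and audit_tree walks the page's path list; the helper names are mine.

```shell
#!/bin/sh
# Added example: audit directory modes against the 11.2 layout described
# above. make_sample_tree builds a constructed scratch tree for the demo;
# on a real host call check_dir/audit_tree on the actual /u01 tree instead.
mode_of()  { ls -ld "$1" | cut -c1-10; }              # e.g. drwxrwxr-x
owner_of() { ls -ld "$1" | awk '{print $3 ":" $4}'; }  # e.g. grid:oinstall

# octal_to_sym 775 -> drwxrwxr-x (directory permission bits only)
octal_to_sym() {
    out=d
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $digit in
            7) out="${out}rwx" ;; 6) out="${out}rw-" ;; 5) out="${out}r-x" ;;
            4) out="${out}r--" ;; 3) out="${out}-wx" ;; 2) out="${out}-w-" ;;
            1) out="${out}--x" ;; 0) out="${out}---" ;; *) return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}
# check_dir path expected_octal [expected_owner:group] -> 0 only on a match
check_dir() {
    [ -d "$1" ] || return 1
    [ "$(mode_of "$1")" = "$(octal_to_sym "$2")" ] || return 1
    [ -z "$3" ] || [ "$(owner_of "$1")" = "$3" ]
}
# Expected post-installation modes, taken from the text above.
EXPECTED="u01/app/11.2.0/grid 755
u01/app/grid 755
u01/app/oracle 775"

# make_sample_tree prefix: constructed tree in the post-installation state
make_sample_tree() {
    mkdir -p "$1/u01/app/11.2.0"
    while read -r rel mode; do
        mkdir -m "$mode" "$1/$rel"
    done <<EOF
$EXPECTED
EOF
}
# audit_tree prefix -> exit status = number of directories that do not match
audit_tree() {
    bad=0
    while read -r rel mode; do
        check_dir "$1/$rel" "$mode" || { echo "mode mismatch: $1/$rel"; bad=$((bad + 1)); }
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}
```

Because the Oracle base and Grid home are 775 only during installation, a non-zero audit_tree result on a running cluster is worth a look: a group-writable Grid home lets any oinstall member modify the Clusterware binaries.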


Source: the ITPUB blog, link: http://blog.itpub.net/29551564/viewspace-2133266/. Please cite the source if you repost this article; otherwise legal action may be taken.