How to restrict data pump logon to localhost

datapumporacleoracle-12c

I have a user in Oracle 12c database that will be used to run full data pump export and import. I would like to restrict logons from that user to localhost.

I have tried to create logon trigger:

create or replace trigger logon_trigger 
  after logon on database
declare
  host varchar2(50);
begin 
  host := trim(lower(sys_context('USERENV', 'HOST')));
  if lower(user) = '<data pump user>' then
    if host <> '<hostname>' then
      raise_application_error(-20000, 'Login not allowed');
    end if;
  end if;
end;
/

I can see from the audit trail that this trigger has fired (ORA-20000: Login not allowed) but the user is still allowed to logon from remote host.

This restriction works for normal users but not for the data pump user. I suspect this has something to do with the roles exp_full_database and imp_full_database.

Is there some way to make this trigger work or should I use local OS authentication?

Best Answer

ADMINISTER DATABASE TRIGGER Privilege Causes Logon Trigger to Skip Errors (Doc ID 265012.1)

ADMINISTER DATABASE TRIGGER Privilege Behavior with Database Logon Trigger
--------------------------------------------------------------------------
Logon triggers can be used to mediate database access: when the restrictive 
conditions are not met, an application error with a message is raised that 
causes the logon to be denied.

...

However, we need to keep at least one user who can still connect when there is 
a problem : a fallback mechanism must exist where an administrative user is 
exempt from such errors of a prohibited connection. 

Any user granted the ADMINISTER DATABASE TRIGGER system privilege can still 
connect : instead of getting the error causing the session to be terminated, 
the error is recorded in the alert.log and a trace file in user_dump_dest.

And:

select * from dba_sys_privs where privilege = 'ADMINISTER DATABASE TRIGGER';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
WMSYS                          ADMINISTER DATABASE TRIGGER              NO 
DBA                            ADMINISTER DATABASE TRIGGER              YES
SYS                            ADMINISTER DATABASE TRIGGER              NO 
IMP_FULL_DATABASE              ADMINISTER DATABASE TRIGGER              NO

So yes, you can try local OS authentication.

Related Solutions

How to find the schema name of a data pump dmp file

Use the sqlfile= parameter of impdp to generate a file containing all of the DDL/DML in the dump.

For example:

[oracle@oel61 ~]$ impdp phil/phil directory=oracledmp dumpfile=phil.dmp logfile=phil.log sqlfile=philddl.txt

Import: Release 11.2.0.2.0 - Production on Wed Mar 13 15:15:03 2013

Copyright (c) 1982, 2009, Oracle and/or its affiliates.  All rights reserved.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options
Master table "PHIL"."SYS_SQL_FILE_FULL_01" successfully loaded/unloaded
Starting "PHIL"."SYS_SQL_FILE_FULL_01":  phil/******** directory=oracledmp dumpfile=phil.dmp logfile=phil.log sqlfile=philddl.txt 
Processing object type SCHEMA_EXPORT/USER
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/TABLESPACE_QUOTA
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/SEQUENCE/SEQUENCE
Processing object type SCHEMA_EXPORT/TABLE/TABLE
Processing object type SCHEMA_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Job "PHIL"."SYS_SQL_FILE_FULL_01" successfully completed at 15:15:05

[oracle@oel61 ~]$

Looking for CREATE USER DDL statements in the file should show you what schemas are needed in order to perform an import.

For example, from my test dump:

-- new object type path: SCHEMA_EXPORT/USER
-- CONNECT SYSTEM
 CREATE USER "PHIL" IDENTIFIED BY VALUES 'S:924B2E756404611021428644B4DF06A4A7BAB886837FCCFA510151E0FC44;181446AE258EE2F6'
      DEFAULT TABLESPACE "PHILDATA"
      TEMPORARY TABLESPACE "TEMP";
-- new object type path: SCHEMA_EXPORT/SYSTEM_GRANT
GRANT UNLIMITED TABLESPACE TO "PHIL";
GRANT CREATE SESSION TO "PHIL";
-- new object type path: SCHEMA_EXPORT/ROLE_GRANT
 GRANT "DBA" TO "PHIL";
-- new object type path: SCHEMA_EXPORT/DEFAULT_ROLE
 ALTER USER "PHIL" DEFAULT ROLE ALL;

The only drawback is that if the .dmp file is large the resulting SQL dump will be huge.

Linux – Using environment variables in data pump query

Of course, you can. Here is an example:

$ cat expdp.sh
#!/bin/bash

DIR_NAME=dummy
DIR_PATH=/oracle/base/export
QUERY='employees:"WHERE employee_id = 100"'
mkdir -p $DIR_PATH
sqlplus / as sysdba<<EOF
create directory $DIR_NAME as '$DIR_PATH';
exit
EOF
expdp \"/ as sysdba\" directory=$DIR_NAME tables=hr.employees query=$QUERY

Output:

$ ./expdp.sh

SQL*Plus: Release 12.1.0.1.0 Production on Sun Mar 30 20:06:26 2014

Copyright (c) 1982, 2013, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>
Directory created.

SQL> Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

Export: Release 12.1.0.1.0 - Production on Sun Mar 30 20:06:26 2014

Copyright (c) 1982, 2013, Oracle and/or its affiliates.  All rights reserved.

Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
Starting "SYS"."SYS_EXPORT_TABLE_01":  "/******** AS SYSDBA" directory=dummy tables=hr.employees query=employees:"WHERE employee_id = 100"
Estimate in progress using BLOCKS method...
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Total estimation using BLOCKS method: 64 KB
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/GRANT/OWNER_GRANT/OBJECT_GRANT
Processing object type TABLE_EXPORT/TABLE/COMMENT
Processing object type TABLE_EXPORT/TABLE/INDEX/INDEX
Processing object type TABLE_EXPORT/TABLE/CONSTRAINT/CONSTRAINT
Processing object type TABLE_EXPORT/TABLE/INDEX/STATISTICS/INDEX_STATISTICS
Processing object type TABLE_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT
Processing object type TABLE_EXPORT/TABLE/TRIGGER
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
. . exported "HR"."EMPLOYEES"                            9.570 KB       1 rows
Master table "SYS"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYS.SYS_EXPORT_TABLE_01 is:
  /oracle/base/export/expdat.dmp
Job "SYS"."SYS_EXPORT_TABLE_01" successfully completed at Sun Mar 30 20:06:47 2014 elapsed 0 00:00:19

Best Answer

Related Solutions

How to find the schema name of a data pump dmp file

Linux – Using environment variables in data pump query

Related Question