PDBADMIN 的作用,命名,重建 以及能否DROP
Creating a pluggable database using below SQL:
create pluggable database psample1 admin user psample_admin identified by "XXXXXXXXXXXXXXX' roles=(connect) create_file_dest='+DGEHDB';
What if user psample_admin gets dropped accidentally? Is it important? How to recreate it?
CHANGES
psample_admin gets dropped accidentally.
CAUSE
Admin User created at the time of creating PDB, it gets dropped, how to overcome the situation.
SOLUTION
As per documentation:
For admin_user_name, specify name of the user to be created. Use the IDENTIFIED BY clause to specify the password for admin_user_name. Oracle Database creates a local user in the PDB and grants the PDB_DBA local role to that user. Use this clause to create an administrative user who can be granted the privileges required to perform administrative tasks on the PDB.
This account is important. If the user gets dropped you can recreate a new local PDB user and grant the PDB_DBA local role to it.
GOAL
How to create desired PDB admin's username during PDB creation with DBCA ?
When create new PDB with DBCA, the username of PDB admin is always PDBADMIN no matter what is choose.
Example:
dbca -silent -createPluggableDatabase -sourceDB cdXXX -pdbName devXXX -createPDBFrom DEFAULT -pdbAdminUserName XXXX_ADMIN -pdbAdminPassword '******' -createUserTableSpace true
then "PDBADMIN" User gets created instead of "XXXX_ADMIN":
select username, created, con_id from cdb_users where (username like 'PDB%' or username like 'TEST%') and con_id in (select pdb_id from DBA_PDBS where PDB_NAME='TEST');
USERNAME CREATED CON_ID
-------------------------------------------------------------------------------
PDBADMIN 24-FEB-20 3
SOLUTION
There is an option for this in DBCA itself as below:
dbca -sourceDB <sourceDB> -pdbName <pdbName> -createPluggableDatabase
-createNewPDBAdminUser -pdbAdminUserName <pdbAdminUserName>
-createUserTableSpace false -responseFile <rspFilePath>
a. Example with Response Rile:
dbca -silent -createPluggableDatabase -sourceDB cdXXXX -pdbName devXXX -createNewPDBAdminUser -pdbAdminUserName XXX_ADMIN -createUserTableSpace false -responseFile /home/oracle/dbca-create-cdb-example-seeded-AFD.erb.rsp
b. Example without Responsible File:
dbca -silent -createPluggableDatabase -sourceDB cdXXXX -pdbName devXXX -createNewPDBAdminUser -pdbAdminUserName XXX_ADMIN -pdbAdminPassword '******' -createUserTableSpace true
GOAL
Can the local administrator user account (usually named as PDBADMIN, but not necessarily) of a pluggable database (PDB) be safely locked without causing issues to the database functionality?
SOLUTION
As described in this and this documents, when creating a pluggable database, a local account is created and granted with the PDB_DBA predefined role. This role allows the granted user account to perform administrative tasks in the pluggable database, hence, the purpose of this local administrator: administer the PDB. However, the administrative tasks that this local administrator is capable of can be also taken care of by the common user accounts SYS and SYSTEM. Due to this, if necessary (and if not in use), this local administrator account can be locked (and expired); the required administrative tasks in the pluggable database can still be performed by SYS as SYSTEM, should it be required.
REFERENCES
Creating a PDB from Scratch
Configuring Privilege and Role Authorization