ORA-01536: space quota exceeded for tablespace案例

 

最近在做数据治理的过程中，回收了部分账号的权限，因为角色RESOURCE里拥有CREATE TABLE的权限，所以我想回收RESOURCE角色。例如，对于TEST账号，收回其创建表的权限，就收回了授予其的RESOURCE的角色，结果不到几小时，SUPPORT人员就反馈这个账号遇到了ORA-01536错误。开始还有点懵，后面梳理清楚后，才感慨自己踩了一个大坑。下面简单的重新构造、模拟这样的一个案例。

 

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.5.0 - 64bit Production
PL/SQL Release 10.2.0.5.0 - Production
CORE    10.2.0.5.0      Production
TNS for Linux: Version 10.2.0.5.0 - Production
NLSRTL Version 10.2.0.5.0 - Production

SQL>CREATE TABLESPACE TBS_TEST_DATA
DATAFILE '/u03/oradata/gps/tbs_test_data.dbf'
SIZE 200M
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO ONLINE;


SQL> CREATE USER TEST IDENTIFIED BY "Test#1232134$#3" DEFAULT TABLESPACE TBS_TEST_DATA TEMPORARY TABLESPACE  TEMP;

User created.

SQL> GRANT CONNECT, RESOURCE TO TEST;

Grant succeeded.

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TEST                           UNLIMITED TABLESPACE                     NO

SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST                           RESOURCE                       NO  YES
TEST                           CONNECT                        NO  YES

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='RESOURCE';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE OPERATOR                          NO
RESOURCE                       CREATE INDEXTYPE                         NO
RESOURCE                       CREATE TABLE                             NO

8 rows selected.

 

 

 

用账号TEST登录数据库，创建了一个test表

 

SQL> show user;
USER is "TEST"
SQL> create table test
  2  as
  3  select * from all_objects;

Table created.

SQL> select count(*) from test;

  COUNT(*)
----------
     34859

SQL>

 

然后收回账号TEST的RESOURCE角色，如下所示：

 

SQL> show user;
USER is "SYS"
SQL> REVOKE RESOURCE FROM TEST;

Revoke succeeded.

SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';

no rows selected

 

然后此时TEST做DML操作就会报ORA-01536错误，如下

 

SQL> show user;
USER is "TEST"
SQL> insert into test
  2  select * from test;
insert into test
            *
ERROR at line 1:
ORA-01536: space quota exceeded for tablespace 'TBS_TEST_DATA'

 

 

那么为什么出现这种情况呢？ 其实刚开始我也有点懵，检查表空间发现表空间正常，检查RESOURCE角色，发现里面没有关于表空间的配额限制。怎么回收RESOURCE角色，就整出这么一档子事呢？那么到底是怎么一回事呢，直到我看到Doc ID 465737.1才豁然开朗。

 

其实细心的人应该也有所发现（上面截图），如果您授予或撤销用户的 RESOURCE 或 DBA 角色，ORACLE会隐式授予或撤销该用户的 UNLIMITED TABLESPACE 系统权限。Doc ID 465737.1中介绍，其实当角色在Oracle 7.0 中首次引入时，RESOURCE 和 DBA 的权限从旧的Oracle V6中迁移到新的角色中。 但是由于不允许为 RESOURCE 和 DBA 角色授予 UNLIMITED TABLESPACE权限，为了保持与Oracle V6版本的向后兼容性，解析器会自动将语句转换为“grant resource to abc”自动变为“grant resource,unlimited tablespace to abc” 并且将“revoke resource from abc”自动变为“revoke resource, unlimited tablespace from abc”。 授予和撤销 DBA 角色时也是如此。 也就是说UNLIMITED TABLESPACE的系统权限已经被硬编码到RESOURCE角色。而我们创建用户时，没有额外授予用户关于表空间使用配额。所以一旦系统权限UNLIMITED TABLESPACE被收回，就出现问题了。

 

解决这个问题也比较简单，设置账号使用表空间的配额限制或不限制用户使用表空间，如下所示

 

GRANT UNLIMITED TABLESPACE TO TEST;

或

ALTER USER TEST QUOTA UNLIMITED ON TBS_TEST_DATA;

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)

To Bottom

In this Document

	Symptoms
	Cause
	Solution
	References

 

APPLIES TO:

Oracle Database - Enterprise Edition - Version 8.1.7.4 to 11.2.0.4 [Release 8.1.7 to 11.2]
Information in this document applies to any platform.

SYMPTOMS

ORA-01536: space quota exceeded for tablespace '<Tablespace_Name>'
After revoking DBA or Resource Role from a user

Example:

SQL> conn /as sysdba
Connected.
SQL> create user testrights identified by testos;
User created.
SQL> grant connect, resource to testrights;
Grant succeeded.
SQL> connect testrights/testos;
Connected.

SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS" STORAGE ( INITIAL 64M) ;
Table created.

SQL> conn /as sysdba
Connected.
SQL> grant dba to testrights;
Grant succeeded.
SQL> revoke dba from testrights;
Revoke succeeded.
SQL> show user
USER is "SYS"
SQL> drop table testrights.testtab;
Table dropped.
SQL> conn testrights/testos;
Connected.
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL
, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"  STORAGE ( INITIAL 64M) ;

CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL ,
CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M)
*
ERROR at line 1:
ORA-1536: space quota exceeded for tablespace 'USERS'

SQL> conn /as sysdba
Connected.
SQL> grant connect, resource to testrights;
Grant succeeded.

SQL> conn testrights/testos;
Connected.
SQL>
SQL> CREATE TABLE "TESTRIGHTS"."TESTTAB" ( "TESTFIELD" VARCHAR2(200) NOT NULL , CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE ) TABLESPACE "USERS"
STORAGE ( INITIAL 64M) ;

Table created.

CAUSE

This issue has been discussed in bug 6494010.
The behavior seen in the above example is expected and not a bug

When roles were first introduced into Oracle in 7.0, the old Oracle V6 privileges of RESOURCE and DBA were migrated to use the new role functionality. But because the RESOURCE and DBA roles are not allowed to be granted UNLIMITED TABLESPACE, in order to preserve the backwards compatibility with V6, the parser automatically transforms statements such that "grant resource to abc" automatically becomes "grant resource, unlimited tablespace to abc" and "revoke resource from abc" automatically becomes "revoke resource, unlimited tablespace from abc". The same is true when granting and revoking the DBA role. This behaviour used to be well documented in the SQL reference guide which read:

Note: If you grant or revoke the RESOURCE or DBA role to or from a user, Oracle implicitly grants or revokes the UNLIMITED TABLESPACE system privilege to or from the user.

SOLUTION

To Resolve this issue you need to :

1] Grant DBA or Resource Role back to the user from whom it was revoked.

REFERENCES

BUG:6494010 - ORA-01536 AFTER GRANTING,REVOKING ROLE DBA

 

 

 

 参考资料：

 

ORA-01536 After Revoking DBA Role (Doc ID 465737.1)