Oracle DBMS_SFW_ACL_ADMIN
Version 12.2.0.1

General Information
Purpose This package provides the APIs to administer the service Access Control Lists (ACLs) that control access to DB services by external Virtual Machines (VMs) or host networks.

There are two types of ACL: Exadirect and IP. An Exadirect ACL is used to grant access to VMs, whereas an IP ACL is used to grant access to host networks.
  • Exadirect APIs are prefixed by 'ed_'.
  • IP APIs are prefixed by 'ip_'.
  • APIs without a prefix are generic.
AUTHID DEFINER
Constants
Name Data Type Value
DOMAIN_MASK    VARCHAR2(80)  '\*(\.[^\.\:\/\*]+)*'              -- Hostname mask: *.???.???...???
HOSTNAME_MASK  VARCHAR2(80)  '[^\.\:\/\*]+(\.[^\.\:\/\*]+)*'    -- Hostname mask: ???.???.???...???
IP_ADDR_MASK   VARCHAR2(80)  '([[:digit:]]+\.){3}[[:digit:]]+'  -- IP address mask: xxx.xxx.xxx.xxx
IP_SUBNET_MASK VARCHAR2(80)  '([[:digit:]]+\.){0,3}\*'          -- IP subnet mask: xxx.xxx...*
Data Types -- Used in batch operations.
TYPE table_type IS TABLE OF VARCHAR(300) INDEX BY BINARY_INTEGER;
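The four mask constants above are regular expressions that describe the shape of the host strings the IP APIs work with. The following block is an added example, not code from the page or from Oracle: it applies the package's own constants, in a fixed order, to decide which mask a candidate host string matches before it is handed to ip_add_ace. The function name classify_acl_host and the sample host strings are constructed for the demonstration; the caller is assumed to hold EXECUTE on dbsfwuser.dbms_sfw_acl_admin so the constants can be referenced. The masks are anchored with ^ and $ because REGEXP_LIKE otherwise matches any substring.

```plsql
-- Added example (not from the original page): classify a host string against the
-- package's mask constants. Assumes EXECUTE on dbsfwuser.dbms_sfw_acl_admin.
CREATE OR REPLACE FUNCTION classify_acl_host(p_host IN VARCHAR2) RETURN VARCHAR2 IS
  -- local shorthand for the package constants documented on this page
  c_ip     CONSTANT VARCHAR2(80) := dbsfwuser.dbms_sfw_acl_admin.ip_addr_mask;
  c_subnet CONSTANT VARCHAR2(80) := dbsfwuser.dbms_sfw_acl_admin.ip_subnet_mask;
  c_domain CONSTANT VARCHAR2(80) := dbsfwuser.dbms_sfw_acl_admin.domain_mask;
  c_host   CONSTANT VARCHAR2(80) := dbsfwuser.dbms_sfw_acl_admin.hostname_mask;
BEGIN
  -- order matters: HOSTNAME_MASK also matches a dotted IPv4 address and
  -- DOMAIN_MASK also matches a bare '*', so the more specific masks go first
  IF p_host IS NULL THEN
    RETURN 'UNMATCHED';
  ELSIF REGEXP_LIKE(p_host, '^' || c_ip || '$') THEN
    RETURN 'IP_ADDRESS';     -- e.g. 192.168.42.15
  ELSIF REGEXP_LIKE(p_host, '^' || c_subnet || '$') THEN
    RETURN 'IP_SUBNET';      -- e.g. 10.1.*
  ELSIF REGEXP_LIKE(p_host, '^' || c_domain || '$') THEN
    RETURN 'DOMAIN';         -- e.g. *.example.com
  ELSIF REGEXP_LIKE(p_host, '^' || c_host || '$') THEN
    RETURN 'HOSTNAME';       -- e.g. app01.example.com
  ELSE
    -- IPv6 and CIDR forms, which the page says ip_add_ace accepts, are not
    -- described by any of the four masks and land here
    RETURN 'UNMATCHED';
  END IF;
END classify_acl_host;
/

-- Constructed sample inputs for the demonstration
DECLARE
  TYPE t_hosts IS TABLE OF VARCHAR2(100);
  l_hosts t_hosts := t_hosts('192.168.42.15', '10.1.*', '*.example.com',
                             'app01.example.com', '2001:db8::1', 'bad host/name');
BEGIN
  FOR i IN 1 .. l_hosts.COUNT LOOP
    dbms_output.put_line(RPAD(l_hosts(i), 22) || ' -> ' || classify_acl_host(l_hosts(i)));
  END LOOP;
END;
/
```

Two points worth noticing when running this: the masks check shape only, so IP_ADDR_MASK accepts '999.999.999.999' and HOSTNAME_MASK accepts a label containing a space (the character class only excludes '.', ':', '/' and '*'); and an IPv6 address or CIDR block matches none of them even though the IP_ADD_ACE description says both are accepted. A pre-check built on these constants is therefore a convenience for choosing the right form, not a substitute for the package's own validation, which signals a rejected value with ORA-20010 ip_invalid_host.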
Dependencies
ACL$_OBJ DUAL XS$ACE_LIST
CDB_SERVICE$ EXADIRECT_ACL XS$ACE_TYPE
DBA_XS_ACES IP_ACL XS$NAME_LIST
DBA_XS_ACLS PLITBLM XS_ACL
DBA_XS_OBJECTS V_$DATABASE XS_ADMIN_UTIL
DBMS_ASSERT V_$PARAMETER XS_SECURITY_CLASS
DBMS_STANDARD V_$PDBS  
Documented Yes
Exceptions
Error Code Reason
ORA-20001 exadirect_sgid_in_used
ORA-20002 exadirect_dup_svc_and_uuid
ORA-20003 exadirect_null_service
ORA-20004 exadirect_null_uuid
ORA-20005 exadirect_unknown
ORA-20006 exadirect_bad_sgid
ORA-20007 exadirect_ids_mismatch
ORA-20008 exadirect_insufficient_priv
ORA-20009 ip_host_exists
ORA-20010 ip_invalid_host
ORA-20011 ip_no_host
ORA-20012 container_not_root
ORA-20013 not_exadata
First Available 12.2.0.1
Security Model Owned by DBSFWUSER with no privileges granted
Source {ORACLE_HOME}/rdbms/admin/dbmsaclsrv.sql
Subprograms
 
COMMIT_ACL (new 12.2)
Commit changes to the DB ACL table and propagate them to all access control points in the DB cluster. Exadirect ACL updates are only propagated if DB ACL control is enabled.
dbms_sfw_acl_admin.commit_acl;
exec dbsfwuser.dbms_sfw_acl_admin.commit_acl;
 
ED_ADD_ACE (new 12.2)
Add a new Exadirect ACL entry
dbms_sfw_acl_admin.ed_add_ace(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_ADD_PDB_ACE (new 12.2)
Add a new Exadirect ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ed_add_pdb_ace(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
ED_BREMOVE_COMMIT_BY_UUIDS (new 12.2)
Batch remove and commit. This is normally called when stopping a VM.
dbms_sfw_acl_admin.ed_bremove_commit_by_uuids(p_vm_uuids IN table_type);
TBD
 
ED_BUPDATE_COMMIT (new 12.2)
Batch update and commit. This is normally called when starting a VM.
dbms_sfw_acl_admin.ed_bupdate_commit(
p_vm_uuids    IN table_type,
p_vm_sgids    IN table_type,
p_vm_services IN table_type);
TBD
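The two batch calls take the package's table_type collections, and the ED_BUPDATE_COMMIT signature pairs UUIDs, SGIDs and service names by index. The block below is an added example, not code from the page or from Oracle, showing the start-up call followed by the matching shutdown call. It assumes that element i of the three collections describes one ACL entry (the page shows the signature but not the pairing rule), that the caller holds EXECUTE on dbsfwuser.dbms_sfw_acl_admin, and that the database is an Exadata system; the UUIDs, SGIDs and service names are constructed placeholders.

```plsql
-- Added example (not from the original page): batch update at VM start,
-- batch remove at VM stop. Assumes EXECUTE on dbsfwuser.dbms_sfw_acl_admin.
DECLARE
  -- table_type is the package's INDEX BY BINARY_INTEGER collection
  l_uuids dbsfwuser.dbms_sfw_acl_admin.table_type;
  l_sgids dbsfwuser.dbms_sfw_acl_admin.table_type;
  l_svcs  dbsfwuser.dbms_sfw_acl_admin.table_type;

  -- keep the three parallel arrays in step (assumption: entry i is built
  -- from element i of each collection)
  PROCEDURE add_entry(p_uuid IN VARCHAR2, p_sgid IN VARCHAR2, p_svc IN VARCHAR2) IS
    n PLS_INTEGER := l_uuids.COUNT + 1;
  BEGIN
    l_uuids(n) := p_uuid;
    l_sgids(n) := p_sgid;
    l_svcs(n)  := p_svc;
  END add_entry;
BEGIN
  -- constructed placeholder identifiers
  add_entry('00000000-0000-4000-8000-000000000001', 'SGID_PLACEHOLDER_1', 'pdbprod');
  add_entry('00000000-0000-4000-8000-000000000002', 'SGID_PLACEHOLDER_2', 'pdbdev');

  -- VM start: update the entries and commit/propagate in one call
  dbsfwuser.dbms_sfw_acl_admin.ed_bupdate_commit(l_uuids, l_sgids, l_svcs);
  dbms_output.put_line(l_uuids.COUNT || ' Exadirect entries updated and committed');

  -- VM stop: remove every entry for these UUIDs and commit in one call
  dbsfwuser.dbms_sfw_acl_admin.ed_bremove_commit_by_uuids(l_uuids);
  dbms_output.put_line('entries removed for ' || l_uuids.COUNT || ' UUIDs');
EXCEPTION
  WHEN OTHERS THEN
    -- the package reports its own conditions as ORA-20001..ORA-20013, for
    -- example ORA-20013 not_exadata or ORA-20007 exadirect_ids_mismatch
    dbms_output.put_line('ACL batch call failed: ' || SQLERRM);
    RAISE;
END;
/
```

Because both calls commit internally, a failure part-way through leaves whatever the package committed before it raised; re-raising after logging SQLERRM keeps that visible to the calling management stack rather than hiding it.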
 
ED_ENABLE_ACL (new 12.2)
Enable DB ACL control, load and propagate the initial ACLs to all access control points in the DB cluster. By default, DB ACL control is disabled and all access to secure network interfaces is denied.
dbms_sfw_acl_admin.ed_enable_acl;
exec dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl;
BEGIN dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl; END;
*
ERROR at line 1:
ORA-20013: Must be running on EXADATA
ORA-06512: at "DBSFWUSER.DBMS_SFW_ACL_ADMIN", line 342
ORA-06512: at line 1
 
ED_GET_ACES_BY_SGID (new 12.2)
Get all service Exadirect ACL entries for the specified VM SGID
dbms_sfw_acl_admin.ed_get_aces_by_sgid(
p_vm_sgid  IN VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_SVC (new 12.2)
Get all VM UUIDs for the specified service. This call is used by the management stack to clean up stale service entries after the service has been removed by the DBA, in conjunction with remove_acl_svc_by_uuid.
dbms_sfw_acl_admin.ed_get_aces_by_svc(
p_service_name IN  VARCHAR2,
p_vm_uuids     OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_UUID (new 12.2)
Get all service Exadirect ACL entries for the specified VM UUID
dbms_sfw_acl_admin.ed_get_aces_by_uuid(
p_vm_uuid  IN  VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_GET_ACES_BY_UUID_SGID (new 12.2)
Get all service Exadirect ACL entries for the specified VM SGID and UUID
dbms_sfw_acl_admin.ed_get_aces_by_uuid_sgid(
p_vm_uuid  IN  VARCHAR2,
p_vm_sgid  IN  VARCHAR2,
p_services OUT SYS_REFCURSOR);
TBD
 
ED_IS_ACL_ENABLED (new 12.2)
Return whether DB ACL control is enabled on the database
dbms_sfw_acl_admin.ed_is_acl_enabled RETURN BOOLEAN;
BEGIN
  IF dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN
    dbms_output.put_line('ACL is enabled');
  ELSE
    dbms_output.put_line('ACL is not enabled');
  END IF;
END;
/
 
ED_REMOVE_ACES_BY_SGID (new 12.2)
Remove all service Exadirect ACL entries for the specified VM SGID
dbms_sfw_acl_admin.ed_remove_aces_by_sgid(p_vm_sgid IN VARCHAR2);
TBD
 
ED_REMOVE_ACES_BY_UUID (new 12.2)
Remove all service Exadirect ACL entries for the specified VM UUID
dbms_sfw_acl_admin.ed_remove_aces_by_uuid(p_vm_uuid IN VARCHAR2);
TBD
 
ED_REMOVE_ACE_BY_SGID (new 12.2)
Remove an Exadirect ACL entry for the specified service name and VM SGID
dbms_sfw_acl_admin.ed_remove_ace_by_sgid(
p_service_name IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_REMOVE_ACE_BY_UUID (new 12.2)
Remove an Exadirect ACL entry for the specified service name and VM UUID
dbms_sfw_acl_admin.ed_remove_ace_by_uuid(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2);
TBD
 
ED_REMOVE_ACL (new 12.2)
Remove the Exadirect ACL for the specified service name
dbms_sfw_acl_admin.ed_remove_acl(p_service_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_acl('pdbprod');
 
ED_REMOVE_PDB_ACE_BY_SGID (new 12.2)
Remove an Exadirect ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ed_remove_pdb_ace_by_sgid(
p_pdb_name IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
ED_REMOVE_PDB_ACE_BY_UUID (new 12.2)
Remove an Exadirect ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ed_remove_pdb_ace_by_uuid(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2);
TBD
 
ED_REMOVE_PDB_ACL (new 12.2)
Remove the Exadirect ACL for each service in the specified PDB
dbms_sfw_acl_admin.ed_remove_pdb_acl(p_pdb_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_pdb_acl('pdbprod');
 
ED_UPDATE_ACE (new 12.2)
Update an Exadirect ACL entry
dbms_sfw_acl_admin.ed_update_ace(
p_service_name IN VARCHAR2,
p_vm_uuid      IN VARCHAR2,
p_vm_sgid      IN VARCHAR2);
TBD
 
ED_UPDATE_PDB_ACE (new 12.2)
Update an Exadirect ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ed_update_pdb_ace(
p_pdb_name IN VARCHAR2,
p_vm_uuid  IN VARCHAR2,
p_vm_sgid  IN VARCHAR2);
TBD
 
GET_CDB_SVCS (new 12.2)
Return all services for the CDB, excluding GLOBAL and INTERNAL services
dbms_sfw_acl_admin.get_cdb_svcs(p_services OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.get_cdb_svcs(rc);
END;
/
 
IP_ADD_ACE (new 12.2)
Add a new IP ACL entry
dbms_sfw_acl_admin.ip_add_ace(
p_service_name IN VARCHAR2,
p_host         IN VARCHAR2); -- can be a hostname, dotted-decimal IPv4 or hexadecimal IPv6 address.
                             -- wildcard "*" for IPv4 and CIDR format allowed.
exec dbsfwuser.dbms_sfw_acl_admin.ip_add_ace('pdbprod', '192.168.42.15');
 
IP_ADD_PDB_ACE (new 12.2)
Add a new IP ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ip_add_pdb_ace(
p_pdb_name IN VARCHAR2,
p_host     IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_add_pdb_ace('ORCL', '127.0.0.1');
 
IP_GET_ACL (new 12.2)
Get all IP ACL entries for the specified service name
dbms_sfw_acl_admin.ip_get_acl(
p_service_name IN  VARCHAR2,
p_hosts        OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.ip_get_acl('PDBDEV', rc);
END;
/
 
IP_GET_ACL_SVCS_BY_HOST (new 12.2)
Get all service names for a specified host
dbms_sfw_acl_admin.ip_get_acl_svcs_by_host(
p_host      IN  VARCHAR2,
p_services  OUT SYS_REFCURSOR);
DECLARE
 rc SYS_REFCURSOR;
BEGIN
  dbsfwuser.dbms_sfw_acl_admin.ip_get_acl_svcs_by_host('127.0.0.1', rc);
END;
/
 
IP_REMOVE_ACE (new 12.2)
Remove an IP ACL entry for the specified service name and host
dbms_sfw_acl_admin.ip_remove_ace(
p_service_name IN VARCHAR2,
p_host         IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_ace('PDBDEV', '127.0.0.1');
 
IP_REMOVE_ACL (new 12.2)
Remove all IP ACL entries for the specified service name
dbms_sfw_acl_admin.ip_remove_acl(p_service_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_acl('PDBDEV');
 
IP_REMOVE_PDB_ACE (new 12.2)
Remove an IP ACL entry for each service in the specified PDB
dbms_sfw_acl_admin.ip_remove_pdb_ace(
p_pdb_name IN VARCHAR2,
p_host     IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_ace('PDBDEV', '127.0.0.1');
 
IP_REMOVE_PDB_ACL (new 12.2)
Remove the IP ACL for each service in the specified PDB
dbms_sfw_acl_admin.ip_remove_pdb_acl(p_pdb_name IN VARCHAR2);
exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_acl('PDBDEV');
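The IP subprograms above edit the DB ACL table; as the COMMIT_ACL entry explains, nothing reaches the access control points in the cluster until commit_acl is called. The block below is an added example, not code from the page or from Oracle, that ties the calls together the way an administrator would grant one application host access to one service: stage the entry with ip_add_ace, read the service's ACL back with ip_get_acl to confirm it contains exactly the intended host, and only then commit. It assumes EXECUTE on dbsfwuser.dbms_sfw_acl_admin, that the p_hosts cursor returns a single VARCHAR2 column (the page does not document the cursor's shape), and that ip_add_ace leaves its change uncommitted until commit_acl, so ROLLBACK discards it; the service name and host address are constructed.

```plsql
-- Added example (not from the original page): grant, verify, then commit an
-- IP ACL entry. Assumes EXECUTE on dbsfwuser.dbms_sfw_acl_admin and that
-- the p_hosts cursor returns one VARCHAR2 column per ACL entry.
DECLARE
  c_service CONSTANT VARCHAR2(30) := 'PDBDEV';          -- constructed
  c_host    CONSTANT VARCHAR2(30) := '192.168.42.15';   -- constructed
  l_cur     SYS_REFCURSOR;
  l_host    VARCHAR2(300);
  l_found   BOOLEAN := FALSE;
BEGIN
  -- 1. stage the entry; not yet visible to the enforcement points
  dbsfwuser.dbms_sfw_acl_admin.ip_add_ace(c_service, c_host);

  -- 2. read the whole ACL for the service back and confirm the entry is there
  dbsfwuser.dbms_sfw_acl_admin.ip_get_acl(c_service, l_cur);
  LOOP
    FETCH l_cur INTO l_host;
    EXIT WHEN l_cur%NOTFOUND;
    dbms_output.put_line(c_service || ' <- ' || l_host);
    IF l_host = c_host THEN
      l_found := TRUE;
    END IF;
  END LOOP;
  CLOSE l_cur;

  -- 3. propagate only when the staged ACL contains what was intended
  IF l_found THEN
    dbsfwuser.dbms_sfw_acl_admin.commit_acl;
    dbms_output.put_line('ACL committed and propagated to the cluster');
  ELSE
    ROLLBACK;  -- assumption: discards the uncommitted ip_add_ace change
    dbms_output.put_line('entry not found after ip_add_ace; change rolled back');
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    IF l_cur%ISOPEN THEN
      CLOSE l_cur;
    END IF;
    -- the page lists ORA-20009 ip_host_exists and ORA-20010 ip_invalid_host
    -- among the conditions the package raises for the ip_* calls
    dbms_output.put_line('IP ACL change failed: ' || SQLERRM);
    ROLLBACK;
    RAISE;
END;
/
```

Printing every host returned by ip_get_acl before committing doubles as a quick review of the service's existing grants, which is the moment to notice an entry that should no longer be there.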

Related Topics
Built-in Functions
Built-in Packages
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTIL
Ref Cursors
Security
What's New In 12cR1
What's New In 12cR2

This site is maintained by Dan Morgan. © 1998-2017 Daniel A. Morgan All Rights Reserved