{"id":997,"date":"2017-07-02T13:52:20","date_gmt":"2017-07-02T13:52:20","guid":{"rendered":"http:\/\/blog.tiran.info\/?p=997"},"modified":"2017-07-02T13:52:20","modified_gmt":"2017-07-02T13:52:20","slug":"ora-06598-sur-rqsys-rqevalimpl","status":"publish","type":"post","link":"https:\/\/blog.tiran.stream\/?p=997","title":{"rendered":"ORA-06598 sur RQSYS.RQEVALIMPL"},"content":{"rendered":"<p style=\"text-align: justify;\">Lorsqu&rsquo;on utilise ORE avec une instance 12c, certaines commandes \u00e9chouent avec l&rsquo;exception ORA-06598.<\/p>\n<p style=\"text-align: justify;\">Exemple:<\/p>\n<pre class=\"brush: js; ruler: true;\">\u00a0\n&gt; ore.connect(user=&quot;c##rafa&quot;, password=&quot;Password1#&quot;, conn_string=&quot;\/\/clorai2-scan:1521\/pdb_hodba08&quot;)\n&gt; ore.doEval(function() {}, ore.connect = TRUE)\nError in .oci.GetQuery(conn, statement, data = data, prefetch = prefetch,  : \n  ORA-06598: insufficient INHERIT PRIVILEGES privilege\nORA-06512: at line 11\nORA-06512: at &quot;RQSYS.RQEVALIMPL&quot;, line 5\nORA-06512: at line 6\n&gt; \n<\/pre>\n<p style=\"text-align: justify;\">Je suis pourtant connect\u00e9 avec un utilisateur (C##RAFA) disposant des <a href=\"https:\/\/docs.oracle.com\/cd\/E67822_01\/OREAD\/ore_admin.htm#OREAD186\" target=\"_blank\" rel=\"noopener\">droits requis<\/a>:<\/p>\n<pre class=\"brush: sql; ruler: true;\">\u00a0\nSQL&gt; select privilege from dba_sys_privs where grantee=&#039;C##RAFA&#039;;\n\nPRIVILEGE\n----------------------------------------\nCREATE TABLE\nCREATE VIEW\nCREATE MINING MODEL\nCREATE SESSION\nCREATE PROCEDURE\nUNLIMITED TABLESPACE\n\n6 rows selected.\n\nSQL&gt; select granted_role from dba_role_privs where grantee=&#039;C##RAFA&#039;;\n\nGRANTED_ROLE\n--------------------------------------------------------------------------------\nRQADMIN\n\nSQL&gt;\n<\/pre>\n<p style=\"text-align: justify;\">Le probl\u00e8me est en fait li\u00e9 \u00e0 une <a href=\"http:\/\/docs.oracle.com\/database\/121\/DBSEG\/dr_ir.htm#DBSEG660\" target=\"_blank\" rel=\"noopener\">s\u00e9curisation additionnelle de la version 12c<\/a>.<br \/>\nL&rsquo;id\u00e9e \u00e9tant d&rsquo;\u00e9viter que les programmes PLSQL d\u00e9finis comme utilisant les privil\u00e8ges de l&rsquo;appelant (AUTHID CURRENT_USER) ne puissent en profiter pour r\u00e9aliser une \u00e9l\u00e9vation de privil\u00e8ges \u00e0 l&rsquo;insu de l&rsquo;appelant.<\/p>\n<p style=\"text-align: justify;\">On peut effectivement v\u00e9rifier que le type RQEVALIMPL est d\u00e9fini avec AUTHID CURRENT_USER:<\/p>\n<pre class=\"brush: sql; ruler: true;\">\u00a0\nSQL&gt; SELECT DISTINCT authid\n  2  FROM dba_procedures\n  3  WHERE owner = &#039;RQSYS&#039; AND object_name = &#039;RQEVALIMPL&#039;;\n\nAUTHID\n------------\nCURRENT_USER\n\nSQL&gt;\n<\/pre>\n<p style=\"text-align: justify;\">Une solution consiste \u00e0 autoriser RQSYS (via le privil\u00e8ge INHERIT PRIVILEGES) \u00e0 utiliser les privil\u00e8ges de l&rsquo;appelant (C##RAFA dans mon cas):<\/p>\n<pre class=\"brush: sql; ruler: true;\">\u00a0\nSQL&gt; grant inherit privileges on user C##RAFA to RQSYS;\n\nGrant succeeded.\n\nSQL&gt;\n<\/pre>\n<p style=\"text-align: justify;\">L&rsquo;exception dispara\u00eet alors:<\/p>\n<pre class=\"brush: js; ruler: true;\">\u00a0\n&gt; ore.doEval(function() {}, ore.connect = TRUE)\nNULL\n&gt;\n<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lorsqu&rsquo;on utilise ORE avec une instance 12c, certaines commandes \u00e9chouent avec l&rsquo;exception ORA-06598. Exemple: \u00a0 &gt; ore.connect(user=&quot;c##rafa&quot;, password=&quot;Password1#&quot;, conn_string=&quot;\/\/clorai2-scan:1521\/pdb_hodba08&quot;) &gt;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[6,9],"tags":[],"class_list":["post-997","post","type-post","status-publish","format-standard","hentry","category-oracle","category-oracle-r-enterprise"],"_links":{"self":[{"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=\/wp\/v2\/posts\/997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=997"}],"version-history":[{"count":0,"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=\/wp\/v2\/posts\/997\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tiran.stream\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}