Two ways to see predicates added by VPD or FGAC
http://www.bobbydurrettdba.com/2012/07/17/two-ways-to-see-predicates-added-by-vpd-or-fgac/
Two ways to see predicates added by VPD or FGAC
We use a feature called “Virtual Private Database” or VPD on our 11g database. This looks a lot like what used to be called “Fine Grained Access Control” or FGAC on our 10g database. The idea behind both of these features is that a particular user in a particular situation would see a tailored view of the data rather than have all users see all of the data all the time. VPD or FGAC accomplishes this feat by secretly adding predicates to a user’s query’s where clause predicates so they only see the rows allowed by that predicate.
The problem is that when you need to tune a poorly performing query that accesses tables protected by VPD you can’t see the real query through any of the normal methods. Even a 10046 trace just gives you the unmodified query as the user ran it not the one with the new VPD additions. I found two ways to see what the real where clause conditions are after the query is modified by VPD – dbms_xplan.display_cursor and 10053 trace.
Here is how to use dbms_xplan.display_cursor to show the VPD predicates:
SQL> select count(*) from test.table_list; COUNT(*)
----------
1858 SQL> select * from table(
dbms_xplan.display_cursor(null,null,'ALLSTATS')); PLAN_TABLE_OUTPUT
-------------------------------------------------------
SQL_ID 2fuam6x1dyt5v, child number 0
-------------------------------------
select count(*) from test.table_list Plan hash value: 1374414456 --------------------------------------------------
| Id | Operation | Name | E-Rows |
--------------------------------------------------
| 0 | SELECT STATEMENT | | |
| 1 | SORT AGGREGATE | | 1 |
|* 2 | TABLE ACCESS FULL| TABLE_LIST | 2028 |
-------------------------------------------------- Predicate Information (identified by operation id):
--------------------------------------------------- 2 - filter("OWNER"<>'SYS')
Note that the predicate owner<>’SYS’ isn’t in the query but was added by the VPD. The idea here is that the table TEST.TABLE_LIST contains a list of table names but the user doing the query doesn’t have permission to see the names of the tables owned by SYS.
Here is how to use a 10053 trace to see the VPD predicates:
ALTER SESSION SET EVENTS
'10053 trace name context forever, level 1'; select /* comment to force parse */ count(*) from test.table_list; ALTER SESSION SET EVENTS '10053 trace name context OFF'; trace output: Final query after transformations:******* UNPARSED QUERY IS *******
SELECT COUNT(*) "COUNT(*)" FROM "TEST"."TABLE_LIST" "TABLE_LIST"
WHERE "TABLE_LIST"."OWNER"<>'SYS'
I had to add the comment to make sure the query got reparsed. The 10053 trace only produces a trace when a query is parsed. Note that the trace file has the description: “Final query after transformations”. I’m not sure what all transformations are possible but it stands to reason that using a 10053 trace will give you a clearer picture of the real query being parsed. It shows you the text the parser itself starts with before it starts to break it down into an execution plan that can be run.
alter session set tracefile_identifier='test_lv123';
ALTER SESSION SET EVENTS
'10053 trace name context forever, level 1';
SELECT /* comment to force parse */ * FROM oe_order_headers;
ALTER SESSION SET EVENTS '10053 trace name context OFF';
SELECT U_DUMP.VALUE || '/' || DB_NAME.VALUE || '_ora_' || V$PROCESS.SPID ||
NVL2(V$PROCESS.TRACEID, '_' || V$PROCESS.TRACEID, NULL) || '.trc' "Trace File"
FROM V$PARAMETER U_DUMP
CROSS JOIN V$PARAMETER DB_NAME
CROSS JOIN V$PROCESS
JOIN V$SESSION
ON V$PROCESS.ADDR = V$SESSION.PADDR
WHERE U_DUMP.NAME = 'user_dump_dest'
AND DB_NAME.NAME = 'db_name'
AND V$SESSION.AUDSID = SYS_CONTEXT('userenv', 'sessionid');
Two ways to see predicates added by VPD or FGAC的更多相关文章
- C++ Knowledge series 3
Programming language evolves always along with Compiler's evolvement The Semantics of Data The size ...
- 【leetcode】Decode Ways(medium)
A message containing letters from A-Z is being encoded to numbers using the following mapping: 'A' - ...
- ASP.NET MVC3 Dynamically added form fields model binding
Adding new Item to a list of items, inline is a very nice feature you can provide to your user. Thi ...
- QMP ( qemu monitor protocol ) and Different ways of accessing it
The QEMU Monitor Protocol (QMP) is a JSON-based protocol which allows applications to communicate wi ...
- dapper extensions (predicates)
https://github.com/tmsmith/Dapper-Extensions/wiki/Predicates The predicate system in Dapper Extensio ...
- [AngularJS] 5 simple ways to speed up your AngularJS application
Nowdays, Single page apps are becoming increasingly popular among the fornt-end developers. It is th ...
- ASP.NET MVC:4 Ways To Prevent Duplicate Form Submission(转载)
原文地址:http://technoesis.net/prevent-double-form-submission/. Double form submission in a multi-user w ...
- Four Ways to Create a Thread
Blaise Pascal Magazine Rerun #5: Four Ways to Create a Thread This article was originally written ...
- Recommend ways to overwrite hashCode() in java
Perface In the former chapter, I talk about topics about hashCode, And I will continue to finish the ...
随机推荐
- Eclipse编辑jsp不显示预览效果页面
转载链接:https://blog.csdn.net/fishsr/article/details/22662787 转载 2014年03月31日 13:35:35 1.Eclipse打开jsp后,在 ...
- haproxy 参数说明
说明: 1.haproxy的配置段有"global","defaults","listen","frontend"和&q ...
- SVN服务器的安装和使用
------------------siwuxie095 SVN 服务器的安装 1.SVN 服务器,选择 VisualS ...
- 判断RadioButtonList是否选中
RadioButtonList有很多指示用户选择项的属性,如SelectedIndex 当该属性 = -1时表示用户没选择项SelectedItem 当该属性为null时也表示用户没选择项
- Pull to RefreshListView 添加HeaderView
使用listView.addHeaderView(view) 可以在 listView 上方添加一个view视图 ,使listView和这个view连接在一起 效果上看上去是一个整体 一般用于上拉刷新 ...
- OpenSSL编程
简介 OpenSSL是一个功能丰富且自包含的开源安全工具箱.它提供的主要功能有:SSL协议实现(包括SSLv2.SSLv3和TLSv1).大量软算法(对称/非对称/摘要).大数运算.非对称算法密钥生成 ...
- spring mvc leaning
解读 web.xml文件 <servlet>-----配置前端控制器的servlet <servlet-name>springMVC</servlet-name> ...
- Executor(一)ExecutorService 线程池
Executor(一)ExecutorService 线程池 本篇主要涉及到的是 java.util.concurrent 包中的 ExecutorService.ExecutorService 就是 ...
- IE8以下支持css3 border-radius渲染方法
这两天在做个集团网站,web前端妹子技术水平不咋样,写个web和wap 真够费劲的,对之前流行的H5和css3 响应式看来不太会用,扔给我一个半成品~~·非说各种canvas和border-radiu ...
- easyui-tabs及其内容展示
方案一<div class="easyui-panel"> <div class="easyui-tabs" fit=" ...