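The meaning of the Oracle account status EXPIRED(GRACE) - 拾亿

Original  Oracle  Author: Haoword_wang  Date: 2021-02-08 12:02:54

System environment: Red Hat Enterprise Linux Server release 7.5 (Maipo)

Database version: SQL*Plus: Release 19.0.0.0.0 - Production  Version 19.7.0.0.0

Database: PDB

The official explanation of the Oracle account statuses is as follows: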

ACCOUNT_STATUS:
Account status:
OPEN
 The account is open.
EXPIRED
 The password for the account is expired, either because the PASSWORD_LIFE_TIME limit was reached or because the password was expired by the ALTER USER ... PASSWORD EXPIRE command. The user can log in with the expired password, then change the password.
EXPIRED(GRACE)
 The password for the account is expired because the PASSWORD_LIFE_TIME limit was reached, but the password change grace period (PASSWORD_GRACE_TIME) has not yet elapsed. The user can log in with the expired password, but will receive an ORA-28002 warning as a reminder that the password must soon be changed. If the PASSWORD_GRACE_TIME elapses, the user can log in with the expired password, then change the password.
LOCKED
 The account is locked, either by the ALTER USER ... ACCOUNT LOCK command, or because the number of consecutive failed login attempts exceeded the FAILED_LOGIN_ATTEMPTS limit and the value of PASSWORD_LOCK_TIME is UNLIMITED. The account can be unlocked by the ALTER USER ... ACCOUNT UNLOCK command.
LOCKED(TIMED)
 The account is locked because the number of consecutive failed login attempts exceeded the FAILED_LOGIN_ATTEMPTS limit and the PASSWORD_LOCK_TIME has not yet elapsed. The account can be unlocked either by the ALTER USER ... ACCOUNT UNLOCK command or by waiting until the PASSWORD_LOCK_TIME has elapsed.
EXPIRED & LOCKED
 The password for the account is expired, as described for the EXPIRED account status, and the account is locked as described for the LOCKED account status. The account can first be unlocked as described for the LOCKED account status, then the password can be changed as described for the EXPIRED account status.
EXPIRED(GRACE) & LOCKED
 The password for the account is expired, as described for the EXPIRED(GRACE) account status, and the account is locked as described for the LOCKED account status. The account can first be unlocked as described for the LOCKED account status, then the password can be changed as described for the EXPIRED(GRACE) account status.
EXPIRED & LOCKED(TIMED)
 The password for the account is expired, as described for the EXPIRED account status, and the account is locked as described for the LOCKED(TIMED) account status. The account can first be unlocked as described for the LOCKED(TIMED) account status, then the password can be changed as described for the EXPIRED account status.
EXPIRED(GRACE) & LOCKED(TIMED)
 The password for the account is expired, as described for the EXPIRED(GRACE) account status, and the account is locked as described for the LOCKED(TIMED) account status. The account can first be unlocked as described for the LOCKED(TIMED) account status, then the password can be changed as described for the EXPIRED(GRACE) account status.
OPEN & IN ROLLOVER
 The account is in the password rollover period. The user can log in with either the earlier password or the new password. However, at the time the user logs in, the server recalculates whether the account is still in its password rollover period. If the password rollover period has elapsed, then the login will succeed only if the new password was specified, and the account status will change to OPEN.
EXPIRED & IN ROLLOVER
 The account is in the password rollover period and the password is expired as described for the EXPIRED account status. The user can log in with either the earlier password or the new password. However, at the time the user logs in, the server recalculates whether the account is still in its password rollover period. If the password rollover period has elapsed, then the login will succeed only if the new password was specified, and the account status will change to EXPIRED. After logging in, the user will be prompted to change the password.
LOCKED & IN ROLLOVER
 The account is in the password rollover period and is also locked as described for the LOCKED account status. The account can be unlocked as described for the LOCKED account status, after which the user can log in as described for the OPEN & IN ROLLOVER account status.
EXPIRED & LOCKED & IN ROLLOVER
 The account is in the password rollover period, its password is expired as described for the EXPIRED account status, and the account is locked as described for the LOCKED account status. The account can be unlocked as described for the LOCKED account status, after which the user can log in as described for the EXPIRED & IN ROLLOVER account status.
LOCKED(TIMED) & IN ROLLOVER
 The account is in the password rollover period and is also locked as described for the LOCKED(TIMED) account status. The account can be unlocked as described for the LOCKED(TIMED) account status, after which the user can log in with either the earlier password or the new password. However, at the time the user logs in, the server recalculates whether the account is still in its password rollover period. If the password rollover period has elapsed, then the login will succeed only if the new password was specified.
EXPIRED & LOCKED(TIMED) & IN ROL
 The account is in the password rollover period, its password is expired as described for the EXPIRED account status, and the account is locked as described for the LOCKED(TIMED) account status. The account can be unlocked as described for the LOCKED(TIMED) account status, after which the user can log in as described for the EXPIRED & IN ROLLOVER account status.


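Here we test only what expiry_date means for the database user statuses OPEN and EXPIRED(GRACE).

PROFILE of the test users:

Test accounts: TEST, SKY

Observations:

We set PASSWORD_LIFE_TIME of PRO_COMMON_USER to 3 days and PASSWORD_GRACE_TIME to 10 days, but querying dba_users shows:

Account SJY is OPEN and its EXPIRY_DATE is 2021-02-10 18:21:38, while its last password change time (here, the creation time) is 2021-02-07 18:21:38; the difference is exactly 3 days;

Account TEST has status EXPIRED(GRACE) and its EXPIRY_DATE is 2021-02-17 22:10:01, while its last password change time (here, the creation time) is 2021-02-03 5:05:51; the difference is about 13 days (the hour/minute/second discrepancy is not explained at this point).

Explanation:

The meaning of the date column depends on the account status.

When the status is OPEN, it records when the password expires, i.e. the end of PASSWORD_LIFE_TIME;

When the status is EXPIRED(GRACE), it records the password expiry time plus the expiry-warning (grace) period, i.e. PASSWORD_LIFE_TIME + PASSWORD_GRACE_TIME;


The hour/minute/second discrepancy for account TEST arises because, during my test, I changed the profile attribute PASSWORD_LIFE_TIME at 22:10:01, which triggered a new timestamp!

Addendum: the account status is updated only when a change triggers it. That is, an account that should be EXPIRED(GRACE) according to its lifecycle calculation may still show OPEN; logging in to the database with that account updates the account!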
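The query below is an added example, not part of the original post: it lists each OPEN or EXPIRED(GRACE) account with its profile limits, labels how EXPIRY_DATE should be read for that status as described above, and flags OPEN accounts whose EXPIRY_DATE has already passed (the status has not yet been refreshed by a login). It assumes the 19c DBA_USERS view with its PASSWORD_CHANGE_DATE column and read access to DBA_USERS and DBA_PROFILES inside the PDB.

```sql
-- Added example (not from the original post).
WITH lim AS (
  -- One row per profile with the two password limits the post discusses.
  -- A limit of 'DEFAULT' is resolved against the DEFAULT profile.
  SELECT p.profile,
         MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'
                  THEN DECODE(p.limit, 'DEFAULT', d.limit, p.limit) END) AS life_time,
         MAX(CASE WHEN p.resource_name = 'PASSWORD_GRACE_TIME'
                  THEN DECODE(p.limit, 'DEFAULT', d.limit, p.limit) END) AS grace_time
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON d.profile = 'DEFAULT' AND d.resource_name = p.resource_name
  WHERE  p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_GRACE_TIME')
  GROUP  BY p.profile
)
SELECT u.username,
       u.account_status,
       u.profile,
       l.life_time,
       l.grace_time,
       u.password_change_date,
       u.expiry_date,
       -- Days between the last password change and EXPIRY_DATE
       -- (the comparison made by hand in the post).
       ROUND(u.expiry_date - u.password_change_date, 2) AS days_after_change,
       CASE u.account_status
         WHEN 'OPEN'           THEN 'password lifetime ends'
         WHEN 'EXPIRED(GRACE)' THEN 'grace period ends'
       END AS expiry_date_means,
       -- OPEN but already past EXPIRY_DATE: the status is stale and
       -- will only change when the account next logs in.
       CASE
         WHEN u.account_status = 'OPEN' AND u.expiry_date < SYSDATE
         THEN 'lifetime passed; status changes at next login'
       END AS note
FROM   dba_users u
JOIN   lim l ON l.profile = u.profile
WHERE  u.account_status IN ('OPEN', 'EXPIRED(GRACE)')
ORDER  BY u.expiry_date;
```

Rows with a non-null note are the ones an audit filtered on ACCOUNT_STATUS alone would miss, because they still report OPEN.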

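This is only a personal test and has its shortcomings; discussion is welcome!

From "ITPUB Blog", link: http://blog.itpub.net/26342786/viewspace-2756756/. If you repost this article, please credit the source; otherwise legal liability will be pursued.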
