Amazon RDS Oracle in Multitenant

Franck Pachot - May 29 '21 - - Dev Community

AWS has just added the possibility to create your oracle Database as as CDB (Container Database), the "new" architecture of Oracle where an instance can manage multiple databases, adding a new level between the heavy instance and lightweight schema:

At the time I'm writing this, I see it only in the "old" console ("original interface") not in "new database creation flow". It is displayed as a different Edition, however it is exactly the same price even when license is included.

The CDB name is always RDSCDB but you can choose the PDB name as "Database name" - I left the default "ORCL" here:


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 select con_id, cdb, dbid, con_dbid, name, created, log_mode, open_mode, database_role, force_logging, platform_name, flashback_on, db_unique_name from v$database;

   CON_ID    CDB             DBID       CON_DBID      NAME      CREATED        LOG_MODE     OPEN_MODE    DATABASE_ROLE    FORCE_LOGGING       PLATFORM_NAME    FLASHBACK_ON    DB_UNIQUE_NAME
_________ ______ ________________ ______________ _________ ____________ _______________ _____________ ________________ ________________ ___________________ _______________ _________________
        0 YES       3,360,638,310    490,545,968 RDSCDB    07-MAY-21    NOARCHIVELOG    READ WRITE    PRIMARY          NO               Linux x86 64-bit    NO              RDSCDB_A

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

SELECT pdb_id,pdb_name,dbid,con_uid,guid,status,con_id FROM dba_pdbs;

   PDB_ID    PDB_NAME           DBID        CON_UID                                GUID    STATUS    CON_ID
_________ ___________ ______________ ______________ ___________________________________ _________ _________
        3 ORCL           490,545,968    490,545,968 C3395C709E011676E0530100007F3932    NORMAL            3

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL> 

select service_id, name, network_name, creation_date, pdb, sql_translation_profile from dba_services;

   SERVICE_ID    NAME    NETWORK_NAME    CREATION_DATE     PDB    SQL_TRANSLATION_PROFILE
_____________ _______ _______________ ________________ _______ __________________________
            7 ORCL    ORCL            26-MAY-21        ORCL

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

This is not a best practice, but there's no services declared there which mean that I can connect only with the default service registered from the PDB name. The documentation even recommends to connect with (CONNECT_DATA=(SID=pdb_name)) - I filled a feedback about this as this is a bad practice for 20 years.

I use EZCONNECT and create my own service:

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

connect oracle19c/franck@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL
Connected.

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 exec dbms_service.start_service(service_name=>'MY_APP')

PL/SQL procedure successfully completed.

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL> select name,network_name,creation_date,con_id from v$active_services
  2  /

     NAME    NETWORK_NAME    CREATION_DATE    CON_ID
_________ _______________ ________________ _________
orcl      orcl            26-MAY-21                3
MY_APP    MY_APP          26-MAY-21                3

I can now connect as oracle19c/franck@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/MY_APP

Even if it is multitenant and I have only one PDB there, the whole CDB is mine:


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL> 

select listagg(rownum ||': '||con_id_to_con_name(rownum),', ') con_name from xmltable('1 to 5000') where con_id_to_con_name(rownum) is not null;

                            CON_NAME
____________________________________
1: CDB$ROOT, 2: PDB$SEED, 3: ORCL

This lists all containers around me. Of course, I cannot go to CDB$ROOT as I have only a local user here.


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL> 

show parameter max_pdbs

NAME     TYPE    VALUE
-------- ------- -----
max_pdbs integer 5

The MAX_PDBS is set to 5 anyway because of Oracle detection of AWS hypervisor (see Oracle disables your multitenant option when you run on EC2)


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 select listagg(role,',') within group (order by role) from session_roles;

                                                                                                                            LISTAGG(ROLE,',')
______________________________________________________________________________________________________________________________________________________________
AQ_ADMINISTRATOR_ROLE,AQ_USER_ROLE,CAPTURE_ADMIN,CONNECT,CTXAPP,DATAPUMP_EXP_FULL_DATABASE,DATAPUMP_IMP_FULL_DATABASE,DBA,EM_EXPRESS_ALL,EM_EXPRESS_BASIC
,EXECUTE_CATALOG_ROLE,EXP_FULL_DATABASE,GATHER_SYSTEM_STATISTICS,HS_ADMIN_EXECUTE_ROLE,HS_ADMIN_SELECT_ROLE,IMP_FULL_DATABASE,OEM_ADVISOR,OEM_MONITOR
,OPTIMIZER_PROCESSING_RATE,PDB_DBA,RDS_MASTER_ROLE,RECOVERY_CATALOG_OWNER,RESOURCE,SCHEDULER_ADMIN,SELECT_CATALOG_ROLE,SODA_APP,XDBADMIN,XDB_SET_INVOKER

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 select * from dba_sys_privs where grantee='PDB_DBA';

   GRANTEE                    PRIVILEGE    ADMIN_OPTION    COMMON    INHERITED
__________ ____________________________ _______________ _________ ____________
PDB_DBA    CREATE PLUGGABLE DATABASE    NO              NO        NO
PDB_DBA    CREATE SESSION               NO              NO        NO


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 show parameter pdb_lockdown

NAME         TYPE   VALUE
------------ ------ ---------------------
pdb_lockdown string RDSADMIN_PDB_LOCKDOWN

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/ORCL>

 select * from v$lockdown_rules;

   RULE_TYPE                        RULE                        CLAUSE    CLAUSE_OPTION     STATUS    USERS    CON_ID
____________ ___________________________ _____________________________ ________________ __________ ________ _________
STATEMENT    ALTER PLUGGABLE DATABASE                                                   DISABLE    ALL              3
STATEMENT    ALTER PLUGGABLE DATABASE    ADD SUPPLEMENTAL LOG DATA                      ENABLE     ALL              3
STATEMENT    ALTER PLUGGABLE DATABASE    DROP SUPPLEMENTAL LOG DATA                     ENABLE     ALL              3
STATEMENT    ALTER PLUGGABLE DATABASE    ENABLE FORCE LOGGING                           ENABLE     ALL              3
STATEMENT    ALTER PLUGGABLE DATABASE    OPEN RESTRICTED FORCE                          ENABLE     ALL              3
STATEMENT    ALTER PLUGGABLE DATABASE    RENAME GLOBAL_NAME                             ENABLE     ALL              3

I have many roles, including RDS_MASTER_ROLE, DBA and PDB_DBA (CREATE PLUGGABLE DATABASE) and it seems that the only lockdown profile rues are about ALTER PLUGGABLE DATABASE.

The documentation says that the RDSADMIN user is a common user. How is it possible?


ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/MY_APP> select username, account_status, lock_date, expiry_date, created, profile,  password_versions, common, oracle_maintained from dba_users;

                 USERNAME      ACCOUNT_STATUS    LOCK_DATE    EXPIRY_DATE      CREATED     PROFILE    PASSWORD_VERSIONS    COMMON    ORACLE_MAINTAINED
_________________________ ___________________ ____________ ______________ ____________ ___________ ____________________ _________ ____________________
XS$NULL                   EXPIRED & LOCKED    07-MAY-21                   07-MAY-21    DEFAULT     11G                  YES       Y
OUTLN                     LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYS                       OPEN                                            07-MAY-21    RDSADMIN    11G 12C              YES       Y
SYSTEM                    OPEN                                            07-MAY-21    RDSADMIN    11G 12C              YES       Y
APPQOSSYS                 LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
DBSFWUSER                 LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
GGSYS                     LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
ANONYMOUS                 LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
CTXSYS                    OPEN                                            07-MAY-21    DEFAULT                          YES       Y
GSMADMIN_INTERNAL         LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
XDB                       LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
DBSNMP                    LOCKED              07-MAY-21                   07-MAY-21    RDSADMIN                         YES       Y
GSMCATUSER                LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
REMOTE_SCHEDULER_AGENT    LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYSBACKUP                 LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
GSMUSER                   LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYSRAC                    LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
ORACLE19C                 OPEN                             22-NOV-21      26-MAY-21    DEFAULT     11G 12C              NO        N
AUDSYS                    LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
DIP                       LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYSKM                     LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYS$UMF                   LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
SYSDG                     LOCKED              07-MAY-21                   07-MAY-21    DEFAULT                          YES       Y
RDSADMIN                  OPEN                                            26-MAY-21    RDSADMIN    11G 12C              YES       N

24 rows selected.

ORACLE19C@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/MY_APP>

 show parameter common%prefix
NAME                      TYPE   VALUE
------------------------- ------ --------
common_user_prefix        string

Yes, RDSADMIN is a common user, probably created with COMMON_USER_PREFIX='' as we see no C## here. That's not really a problem if it is correctly managed, and anyway, for the moment there's no plug and clone operations on this PDB.

This is a start to support the Oracle Multitenant architecture. I hope we will be able to benefit from multitenant: multiple PDBs (you can have up to 3 without additional license, in any edition), data movement (imagine a cross-region refreshable PDB with ability to switchover...), thin clones...

On Performance Insight, we see the CDB level statistics without a PDB dimension ("pdb" is the name of my RDS instance here)

Note that in order to connect to your Oracle database, the easiest is to download SQLcl:


wget -qc https://download.oracle.com/otn_software/java/sqldeveloper/sqlcl-latest.zip && unzip -qo sqlcl-latest.zip

sqlcl/bin/sql oracle19c/franck@//pdb.cywlwrcont2f.us-east-1.rds.amazonaws.com/MY_APP

This is how I connected to run all this.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .