Comments on: VPD / FGAC / RLS

By: Jonathan Lewis

Jonathan Lewis — Thu, 16 Dec 2010 18:38:24 +0000

Kevan,

Thanks for that information.

It’s always interesting to see how features that individually can be very helpful don’t always work when you combine them. It’s one of the commonest types of problem that I find in my consultancy work.

By: Kevan Gelling

Kevan Gelling — Thu, 16 Dec 2010 11:08:14 +0000

ORA_ROWSCN is not available on tables with a VPD policy and I've found out why. From bug 4947170:

The problem stems from the fact that VPD builds a view to replace the table reference. The view text does not select the ORA_ROWSCN pseudo column from the underlying table even if the outer query block references it resulting in ORA-904.

An enhancement request 6609789 has been raised and Oracle is working a solution. Oracle provide the following workaround - since the ora_rowscn is available inside the policy function, add a dummy predicate as follows: ||' AND f_ora_rowscn('||object_name||'.ORA_ROWSCN) = 1'

CREATE OR REPLACE FUNCTION f_ora_rowscn( ROWSCN IN NUMBER )
RETURN NUMBER
AS
BEGIN
  DBMS_SESSION.SET_CONTEXT( 'STORE_ROWSCN', 'ROWSCN', ROWSCN ) ;
  RETURN 1 ;
END ;
/

CREATE CONTEXT store_rowscn USING f_ora_rowscn ; Also, to get the row_scn for each row, make it row dependant:

CREATE OR REPLACE FUNCTION get_rowscn ( ROW IN ROWID ) RETURN VARCHAR2
AS
BEGIN
  RETURN SYS_CONTEXT( 'STORE_ROWSCN', 'ROWSCN' ) ;
END;
/

Now to fetch the row scn in your application, use get_rowscn: SELECT t.*, get_rowscn( t.ROWID ) "ORA_ROWSCN" FROM test_table t ;

By: Yuri

Yuri — Fri, 10 Dec 2010 08:57:47 +0000

I don`t know exactly, but I can suppose that it were long chains of child cursors. At least, I saw lots of child cursors for every query which used RLS protected objects. It seemed that for every user own child cursor was created. However by design, users were divided in groups (the same security predicates were generated), and cursors were to be shared among users in group.
The V$SQL_SHARED_CURSOR showed only two causes: AUTH_CHECK_MISMATCH and LANGUAGE_MISMATCH.
By the way it was APEX application with custom authentication schema. And as I remember, policies were created with static_policy=>FALSE, but during experiments I recreated them with SHARED_CONTEXT_SENSITIVE and it relived the situation a little bit. Policy function were very lightweight, pure pl/sql without sql.

By: Jonathan Lewis

Jonathan Lewis — Fri, 10 Dec 2010 08:28:17 +0000

Yuri,

Thanks for supplying that information.

Do you know if the latching activity was caused by calls to the security functions, or by the fact that you can end up with a long chain of child cursors for the same SQL statement – which would all be covered by the same latch – when you use RLS ?

By: Yuri

Yuri — Thu, 09 Dec 2010 11:21:09 +0000

I had got bad experience with RLS on 10.2.0.1 and 10.2.0.3. It produced very heavy latch contention. But after I had made migration on 10.2.0.4 all problems disappeared. It seemed that new lightweight shared pool serialization mechanism was introduced in that release. I mean mutex. You can read about this on http://blog.tanelpoder.com/2008/08/03/library-cache-latches-gone-in-oracle-11g/

By: Jonathan Lewis

Jonathan Lewis — Sat, 04 Dec 2010 15:00:28 +0000

Rajaram,

Thanks for that – it’s the type of comment that might save someone days of pointless effort.

By: Jonathan Lewis

Jonathan Lewis — Sat, 04 Dec 2010 14:52:12 +0000

Pat,

Thanks for the comments, and especially the bug numbers, it’s the type of information that could be very helpful to anyone who finds this blog entry.
Nice to know that the Oracle developers have tried to take out the selectivity issues in 10g. (Of course there’s no perfect solution with the extra predicates; sometimes you will want a different plan, sometimes you won’t – it depends on the data, number of “private databases”, and different granularities of privilege)

By: Pat O

Pat O — Fri, 03 Dec 2010 13:47:47 +0000

In our experiences/implementation, the actual overhead of OLS is measurable, but typically not an issue (there are of course exceptions to work through, but in general it would be more of a small but noticeable to barely visible depending on the operation in question).

The performance issue(s) for us are usually a side effect of OLS’ impact on the optimizer resulting in poor plans. When we were on 9.2.0.x we discovered through some testing/10053 digging that the optimizer can’t evaluate the predicates added by OLS (bug: 5674756,4200369). The default filter factor for a predicate that can’t be evaluated is 0.05, which was being added to multiple predicates on each protected table. In our implementation the number of rows being filtered by OLS is generally small, or at least much smaller than 0.05 or (0.05*0.05) would filter. This would of course raise havoc on estimated cardinalities and resulting execution plans.

For 9.2.0.x to 10.2.x the bug was fixed by Oracle using a filter factor of 1.0 for OLS predicates instead of the default 0.05, resulting in plans that were typically identical to not having OLS at all. This has been much better over all, but we occasionally still have issues crop up where the plan for a labeled user is changed negatively compared to the same plan for a user with READ privilege that bypasses the policy.

By: Bernard Polarski

Bernard Polarski — Wed, 01 Dec 2010 11:52:35 +0000

Already implemented FGAC and it affected negatively some of the queries very negatively. Fix was easy, taking stored outlines when FGAC is off and activating them before FGAC on. After that did not notice any perf degradation. This was on OLTP, Linux blade 2 core, with avg 70tx/secs.

By: Rajaram Subramanian

Rajaram Subramanian — Wed, 01 Dec 2010 10:56:29 +0000

Most annoying issue what I have faced with OLS/VPD implementation is the following limitation in XMLDB. When OLS/VPD is implemented in a XMLDB oracle cannot use the O-R feature because of the fundamental limitation.

Metalink note : 761921.1

Regards