
ORDS, SODA & JSON in the Database


ORDS 24.4 configuration failed: the supplied user does not have the ORDS_RUNTIME_ROLE role

Hi everyone,

I’m trying to configure my own ORDS 24.4 (installed from the repos) on a new OCI instance. The target database is an Autonomous Database (ADB) 23ai running APEX 24.1.7 and ORDS 24.3.2.

When I execute the ORDS configuration script as the oracle user, I encounter the following error (see below).

What I’ve done so far:

  • Installed ORDS 24.4 from repositories
  • Attempted configuration using multiple user accounts
  • Verified database connection details (host, port, service name)

Has anyone faced a similar issue?

Thanks in advance!

Angelo

[opc@proxy-02 ~]$ sudo su - oracle
[oracle@proxy-02 ~]$ ords install adb --interactive --prompt-password
2025-02-03T08:55:34Z INFO   ORDS has not detected the option '--config' and this will be set up to the default directory.

ORDS: Release 24.4 Production on Mon Feb 03 08:55:37 2025

Copyright (c) 2010, 2025, Oracle.

Configuration:
  /etc/ords/config

The configuration folder /etc/ords/config does not contain any configuration files.

Oracle REST Data Services - Interactive Customer Managed ORDS for Autonomous Database

  Enter the Autonomous Database Wallet path: /opt/oracle/APEXDB.zip
  Enter a number to select the TNS Network alias to use
    [1] APEXDB_LOW
    [2] APEXDB_MEDIUM 
    [3] APEXDB_HIGH
    [4] APEXDB_TP
    [5] APEXDB_TPURGENT
  Choose [1]: 3
  Provide database user name with administrator privileges.
    Enter the administrator username [ADMIN]: admin
  Enter the database password for admin: 
Connecting to Autonomous database user: admin TNS Service: APEXDB_HIGH
  Enter the ORDS runtime database username [ORDS_PUBLIC_USER2]: ords_public_user2
  Enter the database password for ords_public_user2: 
Confirm password: 
  Enter the PL/SQL Gateway database username: ords_plsql_gateway2
  Enter the database password for ords_plsql_gateway2: 
Confirm password: 
Retrieving information
  Enter a number to select additional feature(s) to enable:
    [1] Database Actions  (Enables all features)
    [2] REST Enabled SQL and Database API
    [3] REST Enabled SQL
    [4] Database API
    [5] None
  Choose [1]: 1
  Enter a number to configure and start ORDS in standalone mode
    [1] Configure and start ORDS in standalone mode
    [2] Skip
  Choose [1]: 1
  Enter a number to select the protocol
    [1] HTTP
    [2] HTTPS
  Choose [1]: 1
  Enter the HTTP port [8080]: 
The setting named: db.wallet.zip.path was set to: /opt/oracle/APEXDB.zip in configuration: default
The setting named: db.wallet.zip.service was set to: APEXDB_HIGH in configuration: default
The setting named: db.username was set to: ords_public_user2 in configuration: default
The setting named: db.password was set to: ****** in configuration: default
The setting named: plsql.gateway.mode was set to: proxied in configuration: default
The setting named: feature.sdw was set to: true in configuration: default
The global setting named: database.api.enabled was set to: true
The setting named: restEnabledSql.active was set to: true in configuration: default
The setting named: security.requestValidationFunction was set to: ords_util.authorize_plsql_gateway in configuration: default
The global setting named: standalone.http.port was set to: 8080
The global setting named: standalone.context.path was set to: /ords
The global setting named: standalone.doc.root was set to: /etc/ords/config/global/doc_root
2025-02-03T08:58:40.092Z INFO        Created folder /home/oracle/logs
2025-02-03T08:58:40.101Z INFO        The log file is defaulted to the current working directory located at /home/oracle/logs
2025-02-03T08:58:40.339Z INFO        Connecting to Autonomous database user: admin TNS Service: APEXDB_HIGH
2025-02-03T08:58:43.321Z INFO        ... Verifying Autonomous Database runtime user
2025-02-03T08:58:44.323Z SEVERE      Error occurred configuring database users for Autonomous Database.
Error executing script: ords_gateway_user.sql Error: ORA-20032: The supplied user does not have the ORDS_RUNTIME_ROLE role.
ORA-06512: at "ORDS_METADATA.ORDS_ADMIN", line 1216
ORA-06512: at "ORDS_METADATA.ORDS_INTERNAL", line 723
ORA-06512: at "ORDS_METADATA.ORDS_ADMIN", line 1205
ORA-06512: at line 48
ORA-06512: at line 78

https://docs.oracle.com/error-help/db/ora-20032/
 Refer to log file /home/oracle/logs/ords_adb_2025-02-03_085840_10176.log for details

And this is the output file.

[oracle@proxy-02 ~]$ cat /home/oracle/logs/ords_adb_2025-02-03_085840_10176.log
------------------------------------------------------------
Date       : 03 Feb 2025 08:58:40
Release    : Oracle REST Data Services 24.4.0.r3451601

Database   : Oracle Database 23ai Enterprise Edition  
DB Version : 23.7.0.25.02
------------------------------------------------------------
Container Name: GB6B1483A83D755_APEXDB
------------------------------------------------------------

[*** script: ords_runtime_user.sql] 

PL/SQL procedure successfully completed.

[*** script: ords_gateway_user.sql] 
declare
*
ERROR at line 1:
ORA-20032: The supplied user does not have the ORDS_RUNTIME_ROLE role.
ORA-06512: at "ORDS_METADATA.ORDS_ADMIN", line 1216
ORA-06512: at "ORDS_METADATA.ORDS_INTERNAL", line 723
ORA-06512: at "ORDS_METADATA.ORDS_ADMIN", line 1205
ORA-06512: at line 48
ORA-06512: at line 78

https://docs.oracle.com/error-help/db/ora-20032/


More Details :
https://docs.oracle.com/error-help/db/ora-20032/
https://docs.oracle.com/error-help/db/ora-06512/
This post has been answered by thatJeffSmith-Oracle on Feb 4 2025

Comments

thatJeffSmith-Oracle Feb 13 2025

Your ENTRA users will get authenticated via JSON Web Tokens, and their Entra roles will determine which ORDS REST APIs they can hit.

When they hit an endpoint, it'll execute code in the database as the database user that owns the schema where the REST API is defined, not as the Entra-defined end user. In fact, the Entra users won't have accounts in the database (they could, but won't need to).

The :current_user field as far as ORDS is concerned would be the corresponding OAuth2 client or JWT issued for the authorized session.

Your prehook should be able to alter the session to set the context that would put your RLS/VPD security policy in play.
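
A sketch of the pre-hook plus VPD arrangement described in the comment above, added here as an illustration and not taken from the thread or from Oracle's own code. The schema, context, package, table and column names (APP_OWNER, APP_CTX, APP_SEC_PKG, ORDERS, OWNER_NAME) are hypothetical, and reading the authenticated identity from the REMOTE_USER CGI variable is an assumption to verify against your ORDS release.

```sql
-- Added example with hypothetical names. Run as a user holding
-- CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

-- Only APP_SEC_PKG may write to this context, so REST handler code
-- running as the schema owner cannot overwrite the end-user value.
CREATE OR REPLACE CONTEXT app_ctx USING app_owner.app_sec_pkg;

CREATE OR REPLACE PACKAGE app_owner.app_sec_pkg AS
  FUNCTION pre_hook RETURN BOOLEAN;
  FUNCTION orders_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END app_sec_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_owner.app_sec_pkg AS
  FUNCTION pre_hook RETURN BOOLEAN IS
    -- Assumption: ORDS exposes the authenticated identity as REMOTE_USER.
    l_user VARCHAR2(255) := owa_util.get_cgi_env('REMOTE_USER');
  BEGIN
    -- Pooled sessions are reused across requests: always reset first so
    -- a previous caller's identity never leaks into this request.
    DBMS_SESSION.CLEAR_ALL_CONTEXT('APP_CTX');
    IF l_user IS NOT NULL THEN
      DBMS_SESSION.SET_CONTEXT('APP_CTX', 'END_USER', l_user);
    END IF;
    RETURN TRUE;  -- let the request proceed; the policy does the filtering
  END pre_hook;

  FUNCTION orders_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- With no END_USER set the comparison is unknown, so no rows match.
    RETURN q'[owner_name = SYS_CONTEXT('APP_CTX', 'END_USER')]';
  END orders_policy;
END app_sec_pkg;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_END_USER',
    function_schema => 'APP_OWNER',
    policy_function => 'APP_SEC_PKG.ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

ORDS is pointed at the function through the `procedure.rest.preHook` setting; because the policy also applies to the schema owner, the handler's own queries are filtered even though they run as APP_OWNER.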


Post Details

Added on Feb 3 2025
3 comments
166 views