
12、管理用戶安全

管理用戶安全



1、創建和管理用戶

用戶包括如下內容:

唯一的用戶名、驗證方法、默認表空間、臨時表空間、用戶概要文件、初始使用組、用戶狀態。

schema:用戶對象的集合


模板(HR zhnagsan)


-- Template account (HR-style user "zhnagsan").
-- NOTE: the password equals the user name here; acceptable in a lab only.
CREATE USER zhnagsan
    PROFILE "DEFAULT"
    IDENTIFIED BY zhnagsan
    DEFAULT TABLESPACE "USERS"
    TEMPORARY TABLESPACE "TEMP"
    ACCOUNT UNLOCK;

-- System privileges for an ordinary schema owner.
GRANT ALTER SESSION        TO zhnagsan;
GRANT CREATE DATABASE LINK TO zhnagsan;
GRANT CREATE SEQUENCE      TO zhnagsan;
GRANT CREATE SESSION       TO zhnagsan;
GRANT CREATE SYNONYM       TO zhnagsan;
GRANT CREATE VIEW          TO zhnagsan;

-- UNLIMITED TABLESPACE bypasses every per-tablespace quota
-- (ALTER USER ... QUOTA); a fixed quota is the least-privilege choice.
GRANT UNLIMITED TABLESPACE TO zhnagsan;

-- Object privileges on two SYS packages.
GRANT EXECUTE ON "SYS"."DBMS_STATS"    TO zhnagsan;
GRANT EXECUTE ON "SYS"."DBMS_METADATA" TO zhnagsan;

-- RESOURCE bundles CREATE TABLE/PROCEDURE/TRIGGER/... (see role_sys_privs);
-- on older releases it also grants UNLIMITED TABLESPACE directly --
-- check dba_sys_privs after granting it.
GRANT "RESOURCE" TO zhnagsan;


# Log in as the new user. A password on the command line is visible to other
# local users (process list) and lands in shell history; prefer `sqlplus zhnagsan`
# and type the password at the prompt.
sqlplus zhnagsan/zhnagsan

常見命令:

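-- Common account commands.
-- DROP USER without CASCADE fails while the schema still owns objects.
drop user scott;
-- CASCADE drops the user together with every object in its schema (irreversible).
drop user scott cascade;
-- NOTE(review): the same tablespace is named as both default and temporary;
-- a permanent tablespace cannot serve as a temporary tablespace, so this
-- statement is likely to be rejected -- confirm on the target database.
create user oaec identified by oaec default tablespace oaec temporary tablespace oaec account unlock;
-- Unlock an account (e.g. one locked by the profile's FAILED_LOGIN_ATTEMPTS limit).
alter user scott account unlock;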


查看創建語句

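-- Regenerate the CREATE USER statement for SCOTT.
-- LONG output is truncated at 80 characters by default; raise it so the DDL is complete.
set long 1000;
-- The generated DDL contains the stored password hash (IDENTIFIED BY VALUES ...);
-- treat the output as a credential and do not paste it into tickets or notes.
select SYS.DBMS_METADATA.get_ddl('USER','SCOTT') from dual;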


SQL> select SYS.DBMS_METADATA.get_ddl('USER','SCOTT') from dual;


SYS.DBMS_METADATA.GET_DDL('USER','SCOTT')

--------------------------------------------------------------------------------


CREATE USER "SCOTT" IDENTIFIED BY VALUES 'S:07921277EB685F9816BA4776231FA31B0

C0A84DD4DF70E5DEC761A6F6B53;F894844C34402B67'

DEFAULT TABLESPACE "USERS"

TEMPORARY TABLESPACE "TEMP"

PASSWORD EXPIRE

ACCOUNT LOCK



dba_users;

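-- SQL*Plus column widths so each dba_users row fits on one line.
col USERNAME for a30;
col ACCOUNT_STATUS for a30;
col LOCK_DATE for a30;
col EXPIRY_DATE for a30;
col DEFAULT_TABLESPACE for a30;
-- Account state for SCOTT. dba_users stores USERNAME in upper case, so the
-- literal must be upper case too.
select USERNAME,ACCOUNT_STATUS,LOCK_DATE,EXPIRY_DATE,DEFAULT_TABLESPACE from dba_users where USERNAME='SCOTT';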


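-- Minimal user: no tablespace clause, so the database defaults
-- (database_properties DEFAULT_PERMANENT_TABLESPACE / DEFAULT_TEMP_TABLESPACE) apply.
-- The account has no privileges yet, not even CREATE SESSION.
create user test2 identified by test2;
select USERNAME,ACCOUNT_STATUS,LOCK_DATE,EXPIRY_DATE,DEFAULT_TABLESPACE from dba_users where USERNAME='TEST2';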


-- Where the defaults used by CREATE USER come from.
describe database_properties;
-- Accounts present in the password file (SYSDBA / SYSOPER holders).
describe v$pwfile_users;



2、授予及撤銷權限

系統:允許用戶在數據庫中執行特定的操作

對象:允許用戶訪問和操作特定對象


系統權限:system privilege

alter session

create database link

create session

create synonym

create view

unlimited tablespace


對象權限

execute dbms_stats

撤銷以 admin option 授予的系統權限時不會級聯(被轉授的用戶仍保留權限);

撤銷以 grant option 授予的對象權限時會級聯撤銷(被轉授的用戶一併失去權限)。


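-- Catalogue of every system privilege the database knows about.
desc system_privilege_map;
select * from system_privilege_map order by NAME;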



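-- ALTER TABLESPACE is a system privilege: it applies to every tablespace,
-- not only to the one named after the user.
grant alter tablespace to oaec;

conn oaec/oaec;
alter tablespace oaec add datafile '/u02/oracle/oradata/orcl/oaec02.dbf' size 10m;

conn / as sysdba;
-- Take the privilege back.
revoke alter tablespace from oaec;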


例子:

系統權限的級聯授權及級聯撤銷:

-- Reset the password, then grant login plus read access to the data dictionary.
-- SELECT ANY DICTIONARY is broad (most SYS-owned views and base tables);
-- grant it only to accounts that really need it.
ALTER USER oaec IDENTIFIED BY oaec;
GRANT CREATE SESSION TO oaec;
GRANT SELECT ANY DICTIONARY TO oaec;
-- Baseline count as SYSDBA, to compare with what oaec sees after connecting.
SELECT COUNT(*) FROM dba_objects;

conn oaec/oaec;

SQL> conn oaec/oaec

Connected.

SQL> select count(*) from dba_objects;


COUNT(*)

----------

86274


SQL> grant select any dictionary to test;

grant select any dictionary to test

*

ERROR at line 1:

ORA-01031: insufficient privileges



級聯授權

conn / as sysdba;
-- Replace the plain grant with one carrying ADMIN OPTION, so oaec may pass
-- SELECT ANY DICTIONARY on to other users. Revoking it from oaec later does
-- NOT revoke it from the users oaec granted it to.
REVOKE SELECT ANY DICTIONARY FROM oaec;
GRANT SELECT ANY DICTIONARY TO oaec WITH ADMIN OPTION;


SQL> conn oaec/oaec;

Connected.

SQL> grant select any dictionary to test;


Grant succeeded.


####################################################################

grant option例子;

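-- GRANT OPTION example with two throw-away users.
create user a identified by a account unlock;
create user b identified by b account unlock;
grant create session to a;
grant create session to b;

-- Plain object privilege: a can read the table but cannot pass the privilege on.
grant select on scott.emp to a;

conn a/a
select * from scott.emp;
-- Fails: insufficient privileges (ORA-01031), because a has no GRANT OPTION.
grant select on scott.emp to b;

conn / as sysdba;
revoke select on scott.emp from a;
-- Re-grant with GRANT OPTION so that a may grant SELECT on the table to others.
grant select on scott.emp to a with grant option;

conn a/a
select * from scott.emp;
-- Succeeds now.
grant select on scott.emp to b;

conn b/b;
-- b can query the table through the privilege granted by a.
select * from scott.emp;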


下面sys用戶對a用戶撤銷select on scott.emp權限,看看b用戶可以查詢scott.emp不?結果不能查詢。

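conn / as sysdba;
-- Object-privilege revokes cascade: b loses SELECT too, because b received it from a.
revoke select on scott.emp from a;

conn b/b ;
-- Fails now with ORA-00942 (table or view does not exist): the table still exists,
-- but the error does not reveal objects the user may not access.
select * from scott.emp;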

SQL> select * from scott.emp;

select * from scott.emp

*

ERROR at line 1:

ORA-00942: table or view does not exist


#############################################################################

對象權限

-- Catalogue of object privileges.
describe table_privilege_map;

CREATE USER mike IDENTIFIED BY mike ACCOUNT UNLOCK;
GRANT CREATE SESSION TO mike;

-- The common table privileges, granted one by one.
-- ALTER, DELETE, INDEX and REFERENCES are strong: they let mike change the
-- table's structure, remove rows, add indexes, and create foreign keys that
-- can block deletes in SCOTT.EMP. Grant only what the account needs.
GRANT ALTER      ON scott.emp TO mike;
GRANT DELETE     ON scott.emp TO mike;
GRANT INDEX      ON scott.emp TO mike;
GRANT INSERT     ON scott.emp TO mike;
GRANT REFERENCES ON scott.emp TO mike;
GRANT SELECT     ON scott.emp TO mike;
GRANT UPDATE     ON scott.emp TO mike;


查看當前用戶TEST02下的表A1被哪些用戶授予了哪些權限。


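-- user_sys_privs lists system privileges; the object-privilege view queried
-- below is user_tab_privs, so describe both.
desc user_sys_privs;
desc user_tab_privs;

-- Who holds which privileges on TEST02.A1 (as visible to the current user).
select grantee,owner,table_name,grantor,privilege from user_tab_privs where owner='TEST02' and table_name='A1';

select grantee,owner,table_name,grantor,privilege from user_tab_privs where owner='SCOTT' and table_name='EMP';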



3、創建和管理角色

角色:權限的集合

connect 角色包括create session

resource 包括create cluster,create indextype,create operator,create procedure,create sequence,create table,create trigger,create type

scheduler_admin包括create any job,create external job,create job,execute any class,execute any program,manage scheduler

DBA角色包括

select_catalog_role :沒有系統權限;


例子:

-- A role bundles system and object privileges; granting the role grants them all.
CREATE ROLE test_role;
GRANT CREATE SESSION      TO test_role;
GRANT SELECT ON scott.emp TO test_role;
GRANT CREATE TABLE        TO test_role;

-- test3 receives its privileges only through the role.
CREATE USER test3 IDENTIFIED BY test3;
GRANT test_role TO test3;


如何查詢一個角色擁有哪些權限呢?

-- System privileges held by roles.
describe role_sys_privs;
-- Object privileges held by roles.
describe role_tab_privs;


結合一起看:

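-- Both views together give the full privilege set of TEST_ROLE.
select * from role_sys_privs where role='TEST_ROLE';
select * from role_tab_privs where role='TEST_ROLE';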


查看所有的角色;

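select * from dba_roles;
-- What the built-in RESOURCE role carries.
select * from role_sys_privs where role='RESOURCE';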


SQL> select * from role_sys_privs where role='RESOURCE';


ROLE PRIVILEGE ADM

------------------------------ ---------------------------------------- ---

RESOURCE CREATE TRIGGER NO

RESOURCE CREATE SEQUENCE NO

RESOURCE CREATE TYPE NO

RESOURCE CREATE PROCEDURE NO

RESOURCE CREATE CLUSTER NO

RESOURCE CREATE OPERATOR NO

RESOURCE CREATE INDEXTYPE NO

RESOURCE CREATE TABLE NO



查看當前用戶有哪些角色role

-- Roles granted to the current user (with ADMIN option, default-role and OS-granted flags).
describe user_role_privs;

SQL> conn test3/test3;

Connected.

SQL> select * from user_role_privs;


USERNAME GRANTED_ROLE ADM DEF OS_

------------------------------ ------------------------------ --- --- ---

TEST3 TEST_ROLE NO YES NO


備註:角色可以級聯授權,不可以級聯撤銷

-- NOTE: fails if the HR sample schema is already installed (user exists).
CREATE USER hr IDENTIFIED BY hr ACCOUNT UNLOCK;

-- ADMIN OPTION on a role lets hr grant that role to other users.
GRANT test_role TO hr WITH ADMIN OPTION;

conn hr/hr;
-- Works because of the ADMIN OPTION; revoking the role from hr afterwards
-- leaves b's grant in place (role revokes do not cascade).
GRANT test_role TO b;


如果對用戶hr撤銷角色 test_role,則對用戶b沒有影響,仍然有這個角色 test_role 的權限。


-- Roles granted to other roles.
describe role_role_privs;


對角色加密碼

-- Password-protected role: normally enabled explicitly with
-- SET ROLE r1 IDENTIFIED BY ... rather than being active at login
-- (behaviour for default roles differs by release -- verify).
CREATE ROLE r1 IDENTIFIED BY r1;



4、創建和管理概要文件

和賬號密碼過期有關

作用:

控制資源消耗,管理用戶狀態和口令失效

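desc dba_profiles;
-- Limits of the DEFAULT profile, inherited by every user without an explicit profile.
select RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';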


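-- Profile p1: resources mostly unlimited; only the password lock and grace
-- periods are set. Any limit not listed here (e.g. FAILED_LOGIN_ATTEMPTS,
-- PASSWORD_LIFE_TIME) falls back to the DEFAULT profile's value.
-- PASSWORD_VERIFY_FUNCTION NULL turns password-complexity checking off;
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql installs a verification function.
-- PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX both UNLIMITED means old
-- passwords may be reused freely.
-- (The original statement had no terminating semicolon, so SQL*Plus never ran it.)
CREATE PROFILE p1 LIMIT
    COMPOSITE_LIMIT           3
    SESSIONS_PER_USER         UNLIMITED
    CPU_PER_SESSION           UNLIMITED
    CPU_PER_CALL              UNLIMITED
    LOGICAL_READS_PER_SESSION UNLIMITED
    LOGICAL_READS_PER_CALL    UNLIMITED
    IDLE_TIME                 UNLIMITED
    CONNECT_TIME              UNLIMITED
    PRIVATE_SGA               UNLIMITED
    PASSWORD_REUSE_TIME       UNLIMITED
    PASSWORD_REUSE_MAX        UNLIMITED
    PASSWORD_VERIFY_FUNCTION  NULL
    PASSWORD_LOCK_TIME        1
    PASSWORD_GRACE_TIME       7;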



查看用戶的默認概要文件

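-- Which profile a user is assigned (PROFILE column of dba_users).
select username,profile from dba_users where username='SCOTT';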


修改用戶的概要文件

-- Attach profile p1 to SCOTT.
ALTER USER scott PROFILE p1;

-- Change a single limit of an existing profile.
ALTER PROFILE p1 LIMIT
    COMPOSITE_LIMIT 3;

-- Resource limits (SESSIONS_PER_USER, CPU_*, ...) are enforced only when
-- RESOURCE_LIMIT is TRUE; the password limits apply regardless.
show parameter resource_limit;

resource_limit 的值為 TRUE 時,SESSIONS_PER_USER 等資源限制(用戶並發數)才會生效


FAILED_LOGIN_ATTEMPTS 10 表示密碼連續輸入錯誤10次後賬號被鎖定


cd $ORACLE_HOME/rdbms/admin 下面的腳本都有不一樣的功能。

ls -l | grep utlpwdmg.sql 密碼複雜度驗證腳本




5、最小權限原則及管理限額

管理限額

將限額分配給用戶,讓用戶可以在表空間中創建對象。

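-- Recreate oaec from scratch. CASCADE also drops everything the schema owns.
drop user oaec cascade;
create user oaec identified by oaec account unlock;
-- "session" is not a privilege name; the login privilege is CREATE SESSION.
grant create session to oaec;
grant create table to oaec;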


說明oaec用戶可以使用users表空間1M的空間

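-- Quota: oaec may use at most 1 MB of the USERS tablespace. Without a quota
-- (and without UNLIMITED TABLESPACE) the user cannot allocate space there.
alter user oaec quota 1m on users;

-- No cap: the user may fill the whole tablespace.
alter user oaec quota unlimited on users;

-- Extents of table T1 (assumes oaec has created a table T1 in USERS by now).
select BLOCK_ID,BLOCKS from dba_extents where OWNER='OAEC' and SEGMENT_NAME='T1';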


最小權限原則:


在計算機上面只安裝需要的軟件

只激活需要的服務

只允許需要訪問的用戶訪問操作系統

限制root或者管理員賬號

限制sysdba的訪問

只允許用戶訪問需要的數據庫對象。






