
Oracle Course Notes, Day 10


User Management

AAA:
Authentication: identity verification

Authorization: privilege management

Auditing: audit

grant: grant a privilege

unset: remove (clear) an environment variable

$ echo $ORACLE_SID
ORCL                                 shows that the database name is ORCL

$ unset ORACLE_SID                   clears the variable holding the database name ORCL

$ export ORACLE_SID=ORCL             sets the variable again to the database name ORCL

Administrator authentication:
Local connection:
For a local connection, ORACLE_SID is set in advance and the operating-system user is a member of the dba group.

$ id
uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1031(dba),1032(oper)
$ sqlplus / as sysdba
SQL> show user
USER is "SYS"
$ su -
# usermod -G oper oracle     (or: usermod -G = supplementary groups, -g = primary group; gpasswd -d = remove from group, -a = add to group)
# gpasswd -d oracle dba
# exit
$ sqlplus / as sysdba
Fails: insufficient privileges

Any member of the dba group can log in with sqlplus / as sysdba without knowing the SYS password,
and the session runs as SYS.

Restore:
# gpasswd -a oracle dba


Remote client connection:
$ sqlplus [email protected] as sysdba
$ ls $ORACLE_HOME/dbs/orapworcl
$ orapwd


Create the user in the operating system:
$ su -
Password:
[[email protected] ~]# useradd osuser
[[email protected] ~]# passwd osuser
$ sqlplus / as sysdba
Externally authenticated users use a fixed prefix (the os_authent_prefix parameter, default OPS$):
SQL> show parameter os_auth
SQL> create user ops$osuser identified externally;
SQL> grant create session to ops$osuser;
Do not use su - osuser; a plain su keeps the current environment variables (ORACLE_HOME, ORACLE_SID):
$ su osuser
Password:
[[email protected] admin]$ sqlplus /
SQL> show user
USER is "OPS$OSUSER"


Or create the user with a command:
SQL> create user user01 identified by password;
SQL> grant create session to user01;     grant: grant a privilege

Test:
$ sqlplus user01/password


Authorization (privilege management)

Create a test table in advance (as SYS):
SQL> create table t1(x int);
SQL> create user user01 identified by password;
SQL> grant create session to user01;★
SQL> grant select any table to user01;★

Test as user01:
$ sqlplus user01/password
SQL> select count(*) from hr.employees;     (also try hr.departments and scott.emp)
SQL> delete from scott.emp;                  fails!
SQL> select * from sys.t1;                   fails!


select any table covers n-1 schemas; note: ANY does not include SYS ★★
SYS grants again:
SQL> grant select any dictionary to user01;
Test as user01:
SQL> select * from sys.t1;                   succeeds
select any table (n-1) + select any dictionary (1)
SYS grants:
SQL> grant create table to user01;
Test as user01:
SQL> create table t1(x int);
SYS grants:
SQL> grant unlimited tablespace to user01;
Test as user01:
SQL> insert into t1 values (1);


Object privileges: the keyword is "on"


SYS grants:
SQL> grant select on hr.employees to user01;
Test as user01:
SQL> select count(*) from hr.employees;
SQL> delete from hr.employees;               fails
SQL> select count(*) from hr.departments;    fails
SYS grants:
SQL> grant index on hr.employees to user01;
SQL> grant unlimited tablespace to user01;
Test as user01:
SQL> create index emp_sal_idx on hr.employees(salary);
SQL> select index_name from user_indexes where table_name='EMPLOYEES';

System privilege (ANY)                                                      Corresponding non-ANY form
create any table   system privilege: create a table in any schema           create table   system privilege: create tables in one's own schema
alter any table    system privilege: alter any table (ANY excludes SYS)     alter table    object privilege
drop any table     system privilege: drop any table                         drop table     no such privilege

Cascading revocation of privileges:
System privileges:
SYS preparation:
SQL> drop user user01 cascade;
SQL> drop user user02 cascade;
SQL> create user user01 identified by password;
SQL> create user user02 identified by password;
SQL> grant create session to user01;
SQL> grant create session to user02;
SYS grants:
SQL> grant select any table to user01 with admin option;
user01 tests successfully and grants to user02:
SQL> select count(*) from hr.employees;
SQL> grant select any table to user02 with admin option;
user02 tests successfully:
SQL> select count(*) from hr.employees;
SYS revokes the privilege:
SQL> revoke select any table from user01;
user01's operation fails:
SQL> select count(*) from hr.employees;
user02 still tests successfully:
SQL> select count(*) from hr.employees;
Object privileges:
SQL> grant select on hr.employees to user01 with grant option;
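The two revocation behaviours above, carried through as one SQL*Plus script with the data-dictionary queries a DBA would use to check who still holds what. This is an added example, not part of the original notes; it assumes user01 and user02 already exist with CREATE SESSION and the password "password", as set up in the preparation steps, and that HR.EMPLOYEES is present.

```sql
-- Added example (not from the original notes). SQL*Plus script, started as SYS.
-- Assumes user01/user02 exist with CREATE SESSION and password "password",
-- and that HR.EMPLOYEES exists.

-- 1. System privilege: SYS -> user01 (WITH ADMIN OPTION) -> user02
GRANT SELECT ANY TABLE TO user01 WITH ADMIN OPTION;
CONNECT user01/password
GRANT SELECT ANY TABLE TO user02 WITH ADMIN OPTION;
CONNECT / AS SYSDBA

-- DBA_SYS_PRIVS records no grantor, so the grant chain is not visible.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY TABLE'
   AND grantee IN ('USER01', 'USER02');

REVOKE SELECT ANY TABLE FROM user01;

-- Re-run: USER02 still holds the privilege. System privileges do not cascade.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY TABLE'
   AND grantee IN ('USER01', 'USER02');

-- 2. Object privilege: SYS -> user01 (WITH GRANT OPTION) -> user02
GRANT SELECT ON hr.employees TO user01 WITH GRANT OPTION;
CONNECT user01/password
GRANT SELECT ON hr.employees TO user02;
CONNECT / AS SYSDBA

-- DBA_TAB_PRIVS records the grantor, so the chain is visible.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES'
   AND grantee IN ('USER01', 'USER02');

REVOKE SELECT ON hr.employees FROM user01;

-- Re-run: the USER02 row granted by USER01 is gone as well.
-- Object privileges cascade on revoke.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES'
   AND grantee IN ('USER01', 'USER02');

-- The orphaned system privilege has to be revoked explicitly.
REVOKE SELECT ANY TABLE FROM user02;
```

Because DBA_SYS_PRIVS keeps no grantor, a periodic review of that view is the only way to find privileges that outlived the account that handed them out.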


dba group membership + as sysdba = SYS

revoke: take back (revoke a privilege)


Predefined roles:
SQL> select role from dba_roles;
Create roles:
SQL> create role hr_mgr;
SQL> create role hr_clerk;
SQL> grant select any table to hr_mgr;
SQL> grant select on hr.employees to hr_clerk;
SQL> grant hr_mgr to user01;
SQL> grant hr_clerk to user02;
Test as user01/user02:
A role takes effect only after logging in again.


Audit (auditing)

Check the enabling switch parameter:
SQL> show parameter audit_trail

Set audit options:
Each time a new audit option is set, the test user must reconnect.
SYS preparation:
SQL> drop user user01 cascade;
SQL> create user user01 identified by password;
SQL> grant create session, create table, create any table to user01;
