Oracle Administration 5

User management

AAA:

Authentication: identity verification

Authorization: privilege management

Auditing: audit trail

authentication

Predefined system users:

SQL> select USERNAME, ACCOUNT_STATUS from dba_users;

Users in OPEN status:

SQL> select USERNAME, ACCOUNT_STATUS from dba_users where ACCOUNT_STATUS='OPEN';

System administration accounts:

SYS SYSTEM DBSNMP SYSMAN

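Three authentication methods:

Password authentication (the authentication A): password (inside the database) / external / global

Create user user01 in the browser

Or create it with commands:

SQL> create user user01 identified by password;

SQL> grant create session to user01;    -- grant the privilege

Test: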

$ sqlplus user01/password

External authentication:

External (OS) authentication:

Create the user in the operating system:

$ su -

Password:

# useradd osuser

# passwd osuser

$ sqlplus / as sysdba

External users use a fixed prefix, controlled by the os_authent_prefix parameter (OPS$ in this example):

SQL> show parameter os_auth

SQL> create user ops$osuser identified externally;

SQL> grant create session to ops$osuser;    -- grant the privilege

Do not use su - osuser; plain su keeps the environment variables:

$ su osuser

Password:

$ sqlplus /

SQL> show user

USER is "OPS$OSUSER"

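Administrator authentication (key point):

Local connection:

For a local connection, ORACLE_SID is set in advance and the operating system user is a member of the dba group

Environment variables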

$ id

uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1031(dba),1032(oper)

$ sqlplus / as sysdba

SQL> show user

USER is "SYS"

$ su -

# usermod -G oper oracle    # or use the gpasswd command below

# unset ORACLE_SID

# echo $ORACLE_SID    # check that the operation succeeded

# gpasswd -d oracle dba

# exit

$ sqlplus / as sysdba

Error: insufficient privileges

Any member of the dba group can log in directly with sqlplus / as sysdba without knowing the sys password, and the session identity is sys.

Restore:

# export ORACLE_SID=orcl

# echo $ORACLE_SID    # check that the restore succeeded

# gpasswd -a oracle dba

Remote client connection:

$ sqlplus [email protected] as sysdba

$ ls $ORACLE_HOME/dbs/orapworcl

$ orapwd

Authorization

Grant: give privileges

Revoke: take privileges back

System privileges:

sys grants the privileges:

Create a test table first

SQL> create table t1(x int);

SQL> create user user01 identified by password;

SQL> grant create session to user01;

SQL> grant select any table to user01;

user01 tests:

$ sqlplus user01/password

SQL> select count(*) from hr.employees;    -- likewise hr.departments, scott.emp

SQL> delete from scott.emp;    -- fails

SQL> select * from sys.t1;    -- fails

select any table covers n-1 schemas

sys grants again:

SQL> grant select any dictionary to user01;

user01 tests:

SQL> select * from sys.t1;    -- succeeds

select any table (n-1) + select any dictionary (1)    (n-1: every schema except sys)

sys grants:

SQL> grant create table to user01;

user01 tests:

SQL> create table t1(x int);

sys grants:

SQL> grant unlimited tablespace to user01;

user01 tests:

SQL> insert into t1 values (1);

Object privileges:

References privilege on a table:

dept

deptno(pk)  dname
10          sales
20          market

my_emp

empno  deptno(fk)
100    10

sys grants:

SQL> grant select on hr.employees to user01;

user01 tests:

SQL> select count(*) from hr.employees;

SQL> delete from hr.employees;    -- fails

SQL> select count(*) from hr.departments;    -- fails

sys grants:

SQL> grant index on hr.employees to user01;

SQL> grant unlimited tablespace to user01;

user01 tests:

SQL> create index emp_sal_idx on hr.employees(salary);

SQL> select index_name from user_indexes where table_name='EMPLOYEES';

create any table    create table
alter any table     alter table
drop any table      drop table

Cascading revocation of privileges:

System privileges:

sys preparation:

SQL> drop user user01 cascade;

SQL> drop user user02 cascade;

SQL> create user user01 identified by password;

SQL> create user user02 identified by password;

SQL> grant create session to user01;

SQL> grant create session to user02;

sys grants:

SQL> grant select any table to user01 with admin option;

user01 tests successfully and grants to user02:

SQL> select count(*) from hr.employees;

SQL> grant select any table to user02 with admin option;

user02 tests successfully:

SQL> select count(*) from hr.employees;

sys revokes the privilege:

SQL> revoke select any table from user01;

user01's operation fails:

SQL> select count(*) from hr.employees;

user02 tests successfully:

SQL> select count(*) from hr.employees;

Object privileges:

SQL> grant select on hr.employees to user01 with grant option;
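
The system-privilege test above leaves user02 holding SELECT ANY TABLE after it was revoked from user01, while Oracle revokes object privileges down the grant chain. The following SQL*Plus script is an added example, not part of the original notes; it repeats the chain for the object privilege and lists what remains, assuming user01 and user02 exist with create session and the password used above.

```sql
-- Added example, not from the original notes. Run in SQL*Plus as sys.
-- Assumes user01/user02 exist with create session, as set up above.

-- 1. System privilege: the revoke from user01 did not reach user02.
--    List every remaining holder and whether it can pass the privilege on.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege = 'SELECT ANY TABLE'
 order by grantee;

-- Each downstream grantee has to be revoked explicitly.
revoke select any table from user02;

-- 2. Object privilege: build the same chain with grant option.
grant select on hr.employees to user01 with grant option;

connect user01/password
grant select on hr.employees to user02;

connect / as sysdba
-- GRANTOR records who handed the privilege on.
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = 'HR' and table_name = 'EMPLOYEES'
   and grantee in ('USER01', 'USER02');

-- Revoking from user01 also removes the grant user01 made to user02.
revoke select on hr.employees from user01;

-- Rerun the same check to confirm nothing was left behind.
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = 'HR' and table_name = 'EMPLOYEES'
   and grantee in ('USER01', 'USER02');

-- 3. Periodic review: who can re-grant privileges to others?
select grantee, privilege
  from dba_sys_privs
 where admin_option = 'YES'
 order by grantee, privilege;

select grantee, owner, table_name, privilege
  from dba_tab_privs
 where grantable = 'YES' and owner = 'HR'
 order by grantee, table_name;
```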

dba+sysdba=sys

role

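A role is a group inside the database!

Purpose of roles: simplify privilege management and update users' privileges dynamically.

Predefined roles:

SQL> select role from dba_roles;

Create roles: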

SQL> create role hr_mgr;

SQL> create role hr_clerk;

SQL> grant select any table to hr_mgr;

SQL> grant select on hr.employees to hr_clerk;

SQL> grant hr_mgr to user01;

SQL> grant hr_clerk to user02;

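user01/user02 test:

A role takes effect only after logging in again

Profile

A profile mainly controls two things:

1 The user's resource consumption

2 The user's password security

SQL> select * from dba_profiles where profile='DEFAULT';

SQL> select username, profile from dba_users;

SQL> show parameter resource_limit    -- switch parameter for resource management

Look at the script that contains the password complexity function: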

$ cd $ORACLE_HOME/rdbms/admin

$ vi utlpwdmg.sql

$ cp utlpwdmg.sql /home/oracle/utlpwdmg.sql

$ vi /home/oracle/utlpwdmg.sql    # keep only the verification function part

$ sqlplus / as sysdba

SQL> @/home/oracle/utlpwdmg.sql

sys creates the profile:

SQL> CREATE PROFILE HR_PROFILE LIMIT

PASSWORD_LIFE_TIME 30

PASSWORD_GRACE_TIME 7

PASSWORD_REUSE_MAX 3

PASSWORD_REUSE_TIME unlimited

PASSWORD_LOCK_TIME 5/1440

FAILED_LOGIN_ATTEMPTS 3

PASSWORD_VERIFY_FUNCTION verify_function_11G;

Associate it with the user:

SQL> ALTER USER HR PROFILE HR_PROFILE;

Test:

$ sqlplus hr/hr

SQL> alter user hr identified by password123 replace hr;
