转 Oracle 12C 之 CDB/PDB用户的创建与对象管理

在Oracle 12C中，账号分为两种，一种是公用账号，一种是本地账号（亦可理解为私有账号）。共有账号是指在CDB下创建，并在全部PDB中生效的账号，另一种是在PDB中创建的账号。

针对这两种账号的测试如下：

1.1 在PDB中创建测试账号

SQL> alter session set container=pdb01;

 

Session altered.

 

SQL> select username from dba_users where username like 'GUI%';

 

no rows selected

 

SQL> CREATE USER TEST IDENTIFIED BY test;

 

User created.

 

SQL> grant dba to test;

 

Grant succeeded.

 

SQL> show con_name

 

CON_NAME

------------------------------

PDB01

SQL> conn /as sysdba

Connected.

SQL> create user test identified by test;

create user test identified by test

            *

ERROR at line 1:

ORA-65096: invalid common user or role name

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

结论：

如果在PDB中已经存在一个用户或者角色，则在CDB中不能创建相同的账号或者角色名。

1.2 在CDB中创建测试账号

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create user C##GUIJIAN IDENTIFIED BY guijian;   ------注意CDB中创建用户一定要带上c##

User created.

SQL> create user c#gui identified by gui;

create user c#gui identified by gui

            *

ERROR at line 1:

ORA-65096: invalid common user or role name

 

SQL> select username from dba_users where username like '%GUI%';

 

USERNAME

--------------------------------------------------------------------------------

C##GUIJIAN

 

SQL> ALTER SESSION SET CONTAINER=PDB01;

 

Session altered.

 

SQL> select username from dba_users where username like '%GUI%';

 

USERNAME

--------------------------------------------------------------------------------

C##GUIJIAN

 

SQL> create user guijian identified by guijian;

 

User created.

同样在CDB中创建账号后不能在PDB中出现同名的账号，因CDB中的账号对所有的PDB都是有效的。

SQL> create user c##guijian identified by guijian;

create user c##guijian identified by guijian

            *

ERROR at line 1:

ORA-65094: invalid local user or role name

SQL> alter session set container=pdba;

 

Session altered.

 

SQL> show user

USER is "SYS"

SQL> alter user sys identified by sys;

alter user sys identified by sys

*

ERROR at line 1:

ORA-65066: The specified changes must apply to all containers

 

SQL> show con_name

 

CON_NAME

------------------------------

PDBA

 

SQL> conn /as sysdba

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> alter user sys identified by sys;

 

User altered.

 

SQL>

 

1.3 CDB下创建账号的权限问题

SQL> conn / as sysdba

Connected.

SQL> grant connect,create session to c##cdb;

 

Grant succeeded.

 

SQL> conn c##cdb/cdb@pdba

ERROR:

ORA-01045: user C##CDB lacks CREATE SESSION privilege; logon denied

 

 

Warning: You are no longer connected to ORACLE.

SQL> a

SP2-0004: Nothing to append.

SQL> conn / as sysdba

Connected.

SQL> alter session set container=pdba;

 

Session altered.

 

SQL> grant resource,connect to c##cdb;

 

Grant succeeded.

 

SQL> conn  /as sysdba

Connected.

SQL> conn c##cdb/cdb@pdba

Connected.

SQL>

SQL> conn / as sysdba

Connected.

SQL> create user guijian identified by guijian container=current;

create user guijian identified by guijian container=current

                                  *

ERROR at line 1:

ORA-65049: creation of local user or role is not allowed in CDB$ROOT

 

 

SQL> create user c##guijian identified by guijian container=current;

create user c##guijian identified by guijian container=current

            *

ERROR at line 1:

ORA-65094: invalid local user or role name

 

 

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create user c##guijian identified by guijian container=all;

 

User created.

 

SQL> create user c##guijian01 identified by guijian;

 

User created.

 

SQL> conn  /as sysdba

Connected.

SQL> show con_name            

 

CON_NAME

------------------------------

CDB$ROOT

SQL> grant dba to c##guijian01;

 

Grant succeeded.

 

SQL> conn c##guijian01/guijian@pdba

ERROR:

ORA-01045: user C##GUIJIAN01 lacks CREATE SESSION privilege; logon denied

 

 

Warning: You are no longer connected to ORACLE.

SQL> conn  /as sysdba

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> grant dba to c##guijian01 container=all;

 

Grant succeeded.

 

SQL> conn c##guijian01/guijian@pdba

Connected.

1.4 对象管理测试

对象管理测试中，我们简单测试在共有账号的数据对象的CDB和PDB下的不同。

1、在CDB下创建对象，在PDB下查看：

SQL> conn c##cdb/cdb

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create table cdb as select * from dba_users;

 

Table created.

 

SQL> commit;

 

Commit complete.

 

SQL>

可以看到，在CDB下的共有账号创建的对象在PDB下是看不到的。

2、在PDB下的共有账号创建对象,在CDB下查看：

SQL> show con_name

 

CON_NAME

------------------------------

PDBA

SQL> show user

USER is "C##CDB"

SQL> select object_name from user_objects;

 

no rows selected

 

SQL> create table cdb as select * from dba_users;

 

Table created.

可以看出，针对同一个共有账号在PDB下创建的账号在CDB是看不到的，此外我们还注意到一个细节，针对同一个共有账号，在PDB和CDB下创建的共有账号因在CDB和PDB下被赋予了不同的含义，故在CDB下创建的对象和在PDB下创建的对象是可以同名的，反之也成立。

结论：

1、 如果在PDB中已经存在一个用户或者角色，则在CDB中不能创建相同的账号或者角色名。

2、 同样在CDB中创建账号后不能在PDB中出现同名的账号，因CDB中的账号对所有的PDB都是有效的。

3、 在CDB中创建的账号将会在全部的PDB中出现，但是在CDB中的授权，如非特别指定的话，并不能传递到PDB中。

4、 针对同一个共有账号在PDB下创建的账号在CDB是看不到的。针对同一个共有账号，在PDB和CDB下创建的共有账号因在CDB和PDB下被赋予了不同的含义，故在CDB下创建的对象和在PDB下创建的对象是可以同名的，反之也成立。