ORA-01031: insufficient privileges
Table of Contents
1 错误信息
例1
SQL*Plus: Release 11.2.0.3.0 Production on Thu Oct 29 15:46:33 2015 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied
例2
SQL> create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno; create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno * 第 1 行出现错误: ORA-01031: 权限不足例3
存储过程中提示无权限
SQL> exec boss.proc_test; begin boss.proc_test; end; ORA-01031: 权限不足 ORA-06512: 在 "BOSS.PROC_TEST", line 4 ORA-06512: 在 line 1
2 官方解析
$ oerr ora 1031 01031, 00000, "insufficient privileges" // *Cause: An attempt was made to change the current username or password // without the appropriate privilege. This error also occurs if // attempting to install a database without the necessary operating // system privileges. // When Trusted Oracle is configure in DBMS MAC, this error may occur // if the user was granted the necessary privilege at a higher label // than the current login. // *Action: Ask the database administrator to perform the operation or grant // the required privileges. // For Trusted Oracle users getting this error although granted the // the appropriate privilege at a higher label, ask the database // administrator to regrant the privilege at the appropriate label.
从官方提供的解析来看,有两种可能:
- 在没有权限的情况下对用户或者用户密码进行修改
- 安装数据库的时候,没有足够的权限。
- 没有足够权限去授权
3 情景分析
3.1 登录
3.1.1 用户属组缺失或不正确
用户以操作系统认证方式登录数据库时,会把当前用户的组信息与$ORACLE_HOME/rdbms/lib/config.c 文件中的配置进行比对。如果不匹配,有可能出现ORA-01017 或者ORA-01031错误。
下面是config.c 文件内容
/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
/* IMPORTANT: this file needs to be in sync with
rdbms/src/server/osds/config.c, specifically regarding the
number of elements in the ss_dba_grp array.
*/
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oinstall"
#define SS_ASM_GRP ""
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};
从注释中,可以看出,ss_dba_grp 是以sqldba 身份登录数据库的必要条件之一。也就是说,只要以dba 身份 登录,该操作系统用户就需要隶属于该用户组。
错误示例:
# id oracle ## ==> 查看oracle 用户当前属组 uid=501(oracle) gid=501(oinstall) 01(oinstall),502(dba) # usermod -G oinstall oracle ## ==> 修改Oracle 用户附属组信息 # id oracle ## ==> 查看oracle 用户当前属组,与第一次查看,发现少了dba 组 uid=501(oracle) gid=501(oinstall) 01(oinstall) # su - oracle # sqlplus / as sysdba ## ==> 尝试以sysdba身份登录数据库 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:10 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges ## ==> 重现错误信息 Enter user-name: ^C # usermod -G oinstall,dba oracle ## ==> 还原Oracle 用户组信息 # su - oracle # sqlplus / as sysdba ## ==> 尝试以sysdba 身份登录oracle 数据库 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:51 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit ## ==> 登录成功,退出SQL环境。
3.1.2 用户认证方式不对
oracle 用户登录通过sqlnet.ora 中的SQLNET.AUTHENTICATION_SERVICES
3.1.3 ORACLE_SID
变量ORACLE_SID 未设置或者设置错误,也会引起此错误。
3.2 对象权限不足
较容易出现在视图,存储过程中。 错误信息:
ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at "schema.procedure_name", line 3 ORA-06512: at line 1
- 说明
- 很多时候,我们明明有授与很高的权限,比如select any table,select any view 等,应该不会在查询表或者视图时出现权限问题,但是,事实上我们就是会遇到。有些时候, 我们会遇到这样的情况:DML/DDL 不在存储过程中执行是没有问题的,可是放到存储过程中以 后执行会报错,提示无权限。原因是这种授权方式,针对某个单独对象来说,是隐式授权。 如果我们在存储过程或者物化视图中想要访问、修改某个对象的时候,需要对该对象进行 显示授权:grant select on object_name to schema;
比如ddl 操作:
create or replace procedure proc_test as begin execute immediate 'create table test(id number)'; end; /
这个操作是是建表,需要create table 权限, 我们需要授予系统权限:create any table.
grant create any table to xxx;
如果是DML和查询操作无权限,则针对相关对象单独授权:
grant select on <user>.<object> to <the_other_user>; grant update on <user>.<object> to <the_other_user>; grant delete on <user>.<object> to <the_other_user>; grant insert on <user>.<object> to <the_other_user>;
Created: 2020-08-14 Fri 14:13