zoukankan      html  css  js  c++  java
  • 用户管理

    AAA:

    Authentication: 身份验证

    Authorization: 权限管理

    Audition: 审计

    authentication

    预定义的系统用户:

    SQL> select USERNAME, ACCOUNT_STATUS from dba_users;

    open状态的用户:

    SQL> select USERNAME, ACCOUNT_STATUS from dba_users ACCOUNT_STATUS='OPEN';

    系统管理账号:

    SYS SYSTEM DBSNMP SYSMAN

    3种身份验证方式:

    password验证:

    浏览器中创建用户user01

    或者用命令创建:

    SQL> create user user01 identified by password;

    SQL> grant create session to user01;

     

    测试:

    $ sqlplus user01/password

     

    external(os)验证:

    操作系统中创建用户:

    $ su -

    Password:

    [root@node1 ~]# useradd osuser

    [root@node1 ~]# passwd osuser

    $ sqlplus / as sysdba

     

    外部用户使用固定的前缀:

    SQL> show parameter os_auth

    SQL> create user ops$osuser identified externally;

    SQL> grant create session to ops$osuser;

    不要su - osuser,环境变量保留:

    $ su osuser

    Password:

    [osuser@node1 admin]$ sqlplus /

    SQL> show user

    USER is "OPS$OSUSER"

     

    管理员的身份验证:

    本地连接:

    本地连接,预先设置ORACLE_SID,操作系统用户是dba群组的成员

     

    $ id

    uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1031(dba),1032(oper)

    $ sqlplus / as sysdba

    SQL> show user

    USER is "SYS"

     

    $ su -

    # usermod -G oper oracle   

     或

    # gpasswd -d oracle dba dba群组删除成员

    # exit

    $ sqlplus / as sysdba

    报错,权限不够

     

    只要是dba群组中的成员,就可以不需要知道sys的口令,直接以sqlplus / as sysdba登录

    并且身份为sys。

     

    恢复:

    # gpasswd -a oracle dba

     

    Unset ORALCE_SID 环境变量删除

    Export ORACLE_SID=orcl 恢复

     

    远程客户端连接:

    $ sqlplus sys/password@orcl as sysdba

    $ ls $ORACLE_HOME/dbs/orapworcl

    $ orapwd 创建口令文件 $orapwd file=/home/oracle/orapworcl password=password  force=y

    authorization

    系统权限:

    sys执行授权:

    预先创建测试表

    SQL> create table t1(x int);

    SQL> create user user01 identified by password;

    SQL> grant create session to user01;

    SQL> grant select any table to user01;

    user01测试:

    $ sqlplus user01/password

    SQL> select count(*) from hr.employees(hr.departments scott.emp);

    SQL> delete from scott.emp; 失败!

    SQL> select * from sys.t1; 失败!

    select any table    n-1模式

    sys再次授权:

    SQL> grant select any dictionary to user01;

    user01测试:

    SQL> select * from sys.t1;    成功

    select any table(n-1)+select any dictionary(1)

    sys授权:

    SQL> grant create table to user01;

    user01测试:

    SQL> create table t1(x int);

    sys授权:

    SQL> grant unlimited tablespace to user01;

    user01测试:

    SQL> insert into t1 values (1);

     

    对象权限:

    表的参照权限:

    dept

    deptno(pk) dname

    10 sales

    20 market

     

    my_emp

    empno deptno(fk)

    100 10

    sys授权:

    SQL> grant select on hr.employees to user01;

    user01测试:

    SQL> select count(*) from hr.employees;

    SQL> delete from hr.employees; 失败

    SQL> select count(*) from hr.departments; 失败

    sys授权:

    SQL> grant index on hr.employees to user01;

    SQL> grant unlimited tablespace to user01;

    user01测试:

    SQL> create index emp_sal_idx on hr.employees(salary);

    SQL> select index_name from user_indexes where table_name='EMPLOYEES';

     

    create any table create table

    alter any table alter table

    drop any table drop table

     

    权限的级联删除:

    系统权限:

    sys准备工作:

    SQL> drop user user01 cascade;

    SQL> drop user user02 cascade;

    SQL> create user user01 identified by password;

    SQL> create user user02 identified by password;

    SQL> grant create session to user01;

    SQL> grant create session to user02;

    sys授权:

    SQL> grant select any table to user01 with admin option;

    user01测试成功并授权给user02:

    SQL> select count(*) from hr.employees;

    SQL> grant select any table to user02 with admin option;

    user02测试成功:

    SQL> select count(*) from hr.employees;

    sys收回权限:

    SQL> revoke select any table from user01;

    user01操作失败:

    SQL> select count(*) from hr.employees;

    user02测试成功:

    SQL> select count(*) from hr.employees;

    对象权限:

    SQL> grant select on hr.employees to user01 with grant option;

     

     

    dba+sysdba=sys

     

    role

    角色就是数据库中的群组!

    角色的作用:简化权限的管理,动态更新用户的权限。

    预定义的角色:

    SQL> select role from dba_roles;

    创建角色:

    SQL> create role hr_mgr;

    SQL> create role hr_clerk;

    SQL> grant select any table to hr_mgr;

    SQL> grant select on hr.employees to hr_clerk;

    SQL> grant hr_mgr to user01;

    SQL> grant hr_clerk to user02;

    user01/user02测试:

    角色生效必须重新登录

     

    audit

    开启开关参数:

    SQL> show parameter audit_trail

    设置审计选项:

    每次设置新的审计选项,测试用户需要重新连接

    sys准备工作:

    SQL> drop user user01 cascade;

    SQL> create user user01 identified by password;

    SQL> grant create session, create table, create any table to user01;

    审计系统权限:

    SQL> AUDIT CREATE ANY TABLE, CREATE TABLE BY USER01 BY ACCESS;

    user01测试:

    SQL> create table t1(x int);

    SQL> create table t1(x int); 失败

    SQL> create table hr.t1(x int);

    SQL> create table hr.t1(x int); 失败

    sys查看审计结果:

    SQL> desc aud$

    SQL> desc dba_audit_trail

    浏览器中查看

    sys添加审计条件:

    SQL> AUDIT SELECT ANY TABLE BY user01 BY ACCESS;

    SQL> grant select any table to user01;

    user01测试:

    SQL> select * from t1;

    SQL> select * from hr.t1;

    sys查看审计结果:

    浏览器中或者查看dba_audit_trail表

    删除审计选项:

    SQL> NOAUDIT CREATE ANY TABLE BY USER01;

    SQL> NOAUDIT CREATE TABLE BY USER01;

    SQL> NOAUDIT SELECT ANY TABLE BY user01;

     

    审计对象:

    sys设置审计选项:

    SQL> AUDIT SELECT ON hr.employees BY ACCESS;

    SQL> drop user user01 cascade;

    SQL> create user user01 identified by password;

    SQL> grant create session to user01;

    sys授权,每执行一个语句,user01就测试一次:

    SQL> grant select any table to user01;

    SQL> revoke select any table from user01;

    SQL> grant select on hr.employees to user01;

    user01测试(执行4次):

    SQL> select count(*) from hr.employees;

    默认不记录sys的行为:

    SQL> select count(*) from hr.employees;

    删除审计选项:

    SQL> NOAUDIT SELECT ON hr.employees;

     

    审计语句:

    sys设置审计选项:

    SQL> AUDIT TABLE BY user01 BY ACCESS;

    user01测试:

    SQL> create table t1(x int); 失败

    SQL> create table t1(x int);

    SQL> create table t1(y int); 失败

    SQL> drop table t1;

    sys查看结果:

    浏览器中,或DBA_AUDIT_OBJECT表中

    删除审计选项:

    SQL> NOAUDIT TABLE BY USER01

     

    审计sys的操作:

    SQL> show parameter audit

    修改两个参数

  • 相关阅读:
    宠物商店项目需求
    使用Ajax新闻系统管理需求分析
    java 面向对象面试题,问答题,构造方法,抽象类,继承,多态,接口,异常总结;
    如何在linux服务器部署Rstudio server,配置ODBC远程访问win 服务器上的SQL server
    R语言网络爬虫学习 基于rvest包
    用蒙特卡洛方法计算派-python和R语言
    R 语言学习日志 1
    kmeans聚类中的坑 基于R shiny 可交互的展示
    分类算法简介 基于R
    R 多线程和多节点并行计算
  • 原文地址:https://www.cnblogs.com/shan2017/p/7367419.html
Copyright © 2011-2022 走看看