zoukankan      html  css  js  c++  java

  • Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户

    Oracle 使用sqlnet.ora/trigger限制/允许某IP或IP段访问指定用户 

    学习了:http://blog.itpub.net/28602568/viewspace-2092858/

    注释:
 接触MySQL的朋友想必都知道mysql可针对指定IP/IP段来限制用户的访问,在Oracle数据库中默认有账号密码访问主机的权限的IP都可登陆该DB用户;
  那么,Oracle 如何实现针对DB、单个用户来限制/允许IP访问呢?
  1、整个DB层:可设置$ORACLE_HOME/network/admin/sqlnet.ora文件,限制/允许IP访问;  -->不可针对IP段..
  2、单个用户:可通过trigger触发器限制/允许某IP或IP段访问;                 -->实验不可对整个DB层 (AFTER LOGON ON database)登陆提示告警..


一、sqlnet.ora  
[oracle@10.240.1.7 admin]$ cat sqlnet.ora
tcp.validnode_checking = yes                       #需要设置成yes,方可激活生效                
tcp.invited_nodes=(10.240.1.8,10.240.1.7)      #允许访问的IP
#tcp.excluded_nodes=(10.240.1.8,10.240.1.7) #不允许访问的IP 
注释:
在9i提供了几个参数:-->9i以前版本更改protocol.ora文件...
TCP.EXCLUDED_NODES    :设置禁止访问数据库的IP地址列表。
TCP.INVITED_NODES     :设置允许访问数据库的IP地址列表,当这个参数和TCP.EXCLUDED_NODES设置的地址相同的时候将覆盖TCP.EXCLUDED_NODES设置。
TCP.VALIDNODE_CHECKING:检测上述参数的设置。 

简单演示:
[oracle@10.240.1.8 ~]$ sqlplus lottery/lottery@10.240.1.7/test 
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:15 2016 
Copyright (c) 1982, 2013, Oracle.  All rights reserved. 
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 
[oracle@10.240.1.9 ~]$  sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 18:44:40 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-12547: TNS:lost contact
ORA-01017: invalid username/password; logon denied
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
[oracle@10.240.1.9 ~]$ 

二、触发器
-->TRIGGER限制10.240.1.%网段访问lottery用户
CREATE OR REPLACE TRIGGER DISABLELOGIN  
    AFTER LOGON ON LOTTERY.SCHEMA  -->使用方式为USERNAME.SCHEMA,若直接写database,RAISE_APPLICATION_ERROR部分不起作用..
BEGIN                                                                      
   IF ORA_CLIENT_IP_ADDRESS LIKE ('10.240.1.%') THEN    
   RAISE_APPLICATION_ERROR(-20001,'USER '||ORA_LOGIN_USER||' IS NOT ALLOWED TO CONNECT FROM '||ORA_CLIENT_IP_ADDRESS);
   END IF;
END;
--不能指定sys.schema,会报《ORA-30510: 系统触发器不能在 SYS 用户方案中定义》
--限制某IP  ORA_CLIENT_IP_ADDRESS IN ('10.240.1.7','10.240.1.8')

简单演示:
[oracle@10.240.1.7 ~]$ sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.7
ORA-06512: at line 3
[oracle@10.240.1.7 admin]$

[oracle@10.240.1.8 ~]$ sqlplus lottery/lottery@10.240.1.7/test
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:05:55 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: USER LOTTERY IS NOT ALLOWED TO CONNECT FROM 10.240.1.8
ORA-06512: at line 3
[oracle@10.240.1.8 ~]$

[oracle@10.240.2.8 ~]$  sqlplus lottery/lottery@10.240.1.7/test 
SQL*Plus: Release 11.2.0.4.0 Production on Wed Apr 27 16:23:33 2016 
Copyright (c) 1982, 2013, Oracle.  All rights reserved. 
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 
SQL> SELECT * FROM DBA_TRIGGERS WHERE trigger_name='DISABLELOGIN' ;
  • 相关阅读:
    Java 重写(Override)与重载(Overload)
    【MyBatis】-----【MyBatis】---表级联系【一对一】--增删改查
    【MyBatis】----【MyBatis】--封装---别名---properties
    【MyBatis】-----初识【MyBatis】
    【Html5】表单全选、全不选
    【SSH】---【Struts2、Hibernate5、Spring4】【SSH框架整合笔记 】
    rabbitmq 消息持久化之receive and send
    git
    Tyrion中文文档(含示例源码)
    计算器源码
  • 原文地址:https://www.cnblogs.com/stono/p/6676348.html
Copyright © 2011-2022 走看看