AAA:
Authentication: 身份验证
Authorization: 权限管理
Audition: 审计
authentication
预定义的系统用户:
SQL> select USERNAME, ACCOUNT_STATUS from dba_users;
open状态的用户:
SQL> select USERNAME, ACCOUNT_STATUS from dba_users ACCOUNT_STATUS='OPEN';
系统管理账号:
SYS SYSTEM DBSNMP SYSMAN
3种身份验证方式:
password验证:
浏览器中创建用户user01
或者用命令创建:
SQL> create user user01 identified by password;
SQL> grant create session to user01;
测试:
$ sqlplus user01/password
external(os)验证:
操作系统中创建用户:
$ su -
Password:
[root@node1 ~]# useradd osuser
[root@node1 ~]# passwd osuser
$ sqlplus / as sysdba
外部用户使用固定的前缀:
SQL> show parameter os_auth
SQL> create user ops$osuser identified externally;
SQL> grant create session to ops$osuser;
不要su - osuser,环境变量保留:
$ su osuser
Password:
[osuser@node1 admin]$ sqlplus /
SQL> show user
USER is "OPS$OSUSER"
管理员的身份验证:
本地连接:
本地连接,预先设置ORACLE_SID,操作系统用户是dba群组的成员
$ id
uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1031(dba),1032(oper)
$ sqlplus / as sysdba
SQL> show user
USER is "SYS"
$ su -
# usermod -G oper oracle
或
# gpasswd -d oracle dba 从dba群组删除成员
# exit
$ sqlplus / as sysdba
报错,权限不够
只要是dba群组中的成员,就可以不需要知道sys的口令,直接以sqlplus / as sysdba登录
并且身份为sys。
恢复:
# gpasswd -a oracle dba
Unset ORALCE_SID 环境变量删除
Export ORACLE_SID=orcl 恢复
远程客户端连接:
$ sqlplus sys/password@orcl as sysdba
$ ls $ORACLE_HOME/dbs/orapworcl
$ orapwd 创建口令文件 $orapwd file=/home/oracle/orapworcl password=password force=y
authorization
系统权限:
sys执行授权:
预先创建测试表
SQL> create table t1(x int);
SQL> create user user01 identified by password;
SQL> grant create session to user01;
SQL> grant select any table to user01;
user01测试:
$ sqlplus user01/password
SQL> select count(*) from hr.employees(hr.departments scott.emp);
SQL> delete from scott.emp; 失败!
SQL> select * from sys.t1; 失败!
select any table n-1模式
sys再次授权:
SQL> grant select any dictionary to user01;
user01测试:
SQL> select * from sys.t1; 成功
select any table(n-1)+select any dictionary(1)
sys授权:
SQL> grant create table to user01;
user01测试:
SQL> create table t1(x int);
sys授权:
SQL> grant unlimited tablespace to user01;
user01测试:
SQL> insert into t1 values (1);
对象权限:
表的参照权限:
dept
deptno(pk) dname
10 sales
20 market
my_emp
empno deptno(fk)
100 10
sys授权:
SQL> grant select on hr.employees to user01;
user01测试:
SQL> select count(*) from hr.employees;
SQL> delete from hr.employees; 失败
SQL> select count(*) from hr.departments; 失败
sys授权:
SQL> grant index on hr.employees to user01;
SQL> grant unlimited tablespace to user01;
user01测试:
SQL> create index emp_sal_idx on hr.employees(salary);
SQL> select index_name from user_indexes where table_name='EMPLOYEES';
create any table create table
alter any table alter table
drop any table drop table
权限的级联删除:
系统权限:
sys准备工作:
SQL> drop user user01 cascade;
SQL> drop user user02 cascade;
SQL> create user user01 identified by password;
SQL> create user user02 identified by password;
SQL> grant create session to user01;
SQL> grant create session to user02;
sys授权:
SQL> grant select any table to user01 with admin option;
user01测试成功并授权给user02:
SQL> select count(*) from hr.employees;
SQL> grant select any table to user02 with admin option;
user02测试成功:
SQL> select count(*) from hr.employees;
sys收回权限:
SQL> revoke select any table from user01;
user01操作失败:
SQL> select count(*) from hr.employees;
user02测试成功:
SQL> select count(*) from hr.employees;
对象权限:
SQL> grant select on hr.employees to user01 with grant option;
dba+sysdba=sys
role
角色就是数据库中的群组!
角色的作用:简化权限的管理,动态更新用户的权限。
预定义的角色:
SQL> select role from dba_roles;
创建角色:
SQL> create role hr_mgr;
SQL> create role hr_clerk;
SQL> grant select any table to hr_mgr;
SQL> grant select on hr.employees to hr_clerk;
SQL> grant hr_mgr to user01;
SQL> grant hr_clerk to user02;
user01/user02测试:
角色生效必须重新登录
audit
开启开关参数:
SQL> show parameter audit_trail
设置审计选项:
每次设置新的审计选项,测试用户需要重新连接
sys准备工作:
SQL> drop user user01 cascade;
SQL> create user user01 identified by password;
SQL> grant create session, create table, create any table to user01;
审计系统权限:
SQL> AUDIT CREATE ANY TABLE, CREATE TABLE BY USER01 BY ACCESS;
user01测试:
SQL> create table t1(x int);
SQL> create table t1(x int); 失败
SQL> create table hr.t1(x int);
SQL> create table hr.t1(x int); 失败
sys查看审计结果:
SQL> desc aud$
SQL> desc dba_audit_trail
浏览器中查看
sys添加审计条件:
SQL> AUDIT SELECT ANY TABLE BY user01 BY ACCESS;
SQL> grant select any table to user01;
user01测试:
SQL> select * from t1;
SQL> select * from hr.t1;
sys查看审计结果:
浏览器中或者查看dba_audit_trail表
删除审计选项:
SQL> NOAUDIT CREATE ANY TABLE BY USER01;
SQL> NOAUDIT CREATE TABLE BY USER01;
SQL> NOAUDIT SELECT ANY TABLE BY user01;
审计对象:
sys设置审计选项:
SQL> AUDIT SELECT ON hr.employees BY ACCESS;
SQL> drop user user01 cascade;
SQL> create user user01 identified by password;
SQL> grant create session to user01;
sys授权,每执行一个语句,user01就测试一次:
SQL> grant select any table to user01;
SQL> revoke select any table from user01;
SQL> grant select on hr.employees to user01;
user01测试(执行4次):
SQL> select count(*) from hr.employees;
默认不记录sys的行为:
SQL> select count(*) from hr.employees;
删除审计选项:
SQL> NOAUDIT SELECT ON hr.employees;
审计语句:
sys设置审计选项:
SQL> AUDIT TABLE BY user01 BY ACCESS;
user01测试:
SQL> create table t1(x int); 失败
SQL> create table t1(x int);
SQL> create table t1(y int); 失败
SQL> drop table t1;
sys查看结果:
浏览器中,或DBA_AUDIT_OBJECT表中
删除审计选项:
SQL> NOAUDIT TABLE BY USER01
审计sys的操作:
SQL> show parameter audit
修改两个参数