用户管理

Posted 夜月色下

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了用户管理相关的知识,希望对你有一定的参考价值。

AAA:

Authentication: 身份验证

Authorization: 权限管理

Audition: 审计

authentication

预定义的系统用户:

SQL> select USERNAME, ACCOUNT_STATUS from dba_users;

open状态的用户:

SQL> select USERNAME, ACCOUNT_STATUS from dba_users ACCOUNT_STATUS=‘OPEN‘;

系统管理账号:

SYS SYSTEM DBSNMP SYSMAN

3种身份验证方式:

password验证:

浏览器中创建用户user01

或者用命令创建:

SQL> create user user01 identified by password;

SQL> grant create session to user01;

 

测试:

$ sqlplus user01/password

 

external(os)验证:

操作系统中创建用户:

$ su -

Password:

[[email protected] ~]# useradd osuser

[[email protected] ~]# passwd osuser

$ sqlplus / as sysdba

 

外部用户使用固定的前缀:

SQL> show parameter os_auth

SQL> create user ops$osuser identified externally;

SQL> grant create session to ops$osuser;

不要su - osuser,环境变量保留:

$ su osuser

Password:

[[email protected] admin]$ sqlplus /

SQL> show user

USER is "OPS$OSUSER"

 

管理员的身份验证:

本地连接:

本地连接,预先设置ORACLE_SID,操作系统用户是dba群组的成员

 

$ id

uid=1001(oracle) gid=1000(oinstall) groups=1000(oinstall),1031(dba),1032(oper)

$ sqlplus / as sysdba

SQL> show user

USER is "SYS"

 

$ su -

# usermod -G oper oracle   

 或

# gpasswd -d oracle dba dba群组删除成员

# exit

$ sqlplus / as sysdba

报错,权限不够

 

只要是dba群组中的成员,就可以不需要知道sys的口令,直接以sqlplus / as sysdba登录

并且身份为sys。

 

恢复:

# gpasswd -a oracle dba

 

Unset ORALCE_SID 环境变量删除

Export ORACLE_SID=orcl 恢复

 

远程客户端连接:

$ sqlplus sys/[email protected] as sysdba

$ ls $ORACLE_HOME/dbs/orapworcl

$ orapwd 创建口令文件 $orapwd file=/home/oracle/orapworcl password=password  force=y

authorization

系统权限:

sys执行授权:

预先创建测试表

SQL> create table t1(x int);

SQL> create user user01 identified by password;

SQL> grant create session to user01;

SQL> grant select any table to user01;

user01测试:

$ sqlplus user01/password

SQL> select count(*) from hr.employees(hr.departments scott.emp);

SQL> delete from scott.emp; 失败!

SQL> select * from sys.t1; 失败!

select any table    n-1模式

sys再次授权:

SQL> grant select any dictionary to user01;

user01测试:

SQL> select * from sys.t1;    成功

select any table(n-1)+select any dictionary(1)

sys授权:

SQL> grant create table to user01;

user01测试:

SQL> create table t1(x int);

sys授权:

SQL> grant unlimited tablespace to user01;

user01测试:

SQL> insert into t1 values (1);

 

对象权限:

表的参照权限:

dept

deptno(pk) dname

10 sales

20 market

 

my_emp

empno deptno(fk)

100 10

sys授权:

SQL> grant select on hr.employees to user01;

user01测试:

SQL> select count(*) from hr.employees;

SQL> delete from hr.employees; 失败

SQL> select count(*) from hr.departments; 失败

sys授权:

SQL> grant index on hr.employees to user01;

SQL> grant unlimited tablespace to user01;

user01测试:

SQL> create index emp_sal_idx on hr.employees(salary);

SQL> select index_name from user_indexes where table_name=‘EMPLOYEES‘;

 

create any table create table

alter any table alter table

drop any table drop table

 

权限的级联删除:

系统权限:

sys准备工作:

SQL> drop user user01 cascade;

SQL> drop user user02 cascade;

SQL> create user user01 identified by password;

SQL> create user user02 identified by password;

SQL> grant create session to user01;

SQL> grant create session to user02;

sys授权:

SQL> grant select any table to user01 with admin option;

user01测试成功并授权给user02:

SQL> select count(*) from hr.employees;

SQL> grant select any table to user02 with admin option;

user02测试成功:

SQL> select count(*) from hr.employees;

sys收回权限:

SQL> revoke select any table from user01;

user01操作失败:

SQL> select count(*) from hr.employees;

user02测试成功:

SQL> select count(*) from hr.employees;

对象权限:

SQL> grant select on hr.employees to user01 with grant option;

 

 

dba+sysdba=sys

 

role

角色就是数据库中的群组!

角色的作用:简化权限的管理,动态更新用户的权限。

预定义的角色:

SQL> select role from dba_roles;

创建角色:

SQL> create role hr_mgr;

SQL> create role hr_clerk;

SQL> grant select any table to hr_mgr;

SQL> grant select on hr.employees to hr_clerk;

SQL> grant hr_mgr to user01;

SQL> grant hr_clerk to user02;

user01/user02测试:

角色生效必须重新登录

 

audit

开启开关参数:

SQL> show parameter audit_trail

设置审计选项:

每次设置新的审计选项,测试用户需要重新连接

sys准备工作:

SQL> drop user user01 cascade;

SQL> create user user01 identified by password;

SQL> grant create session, create table, create any table to user01;

审计系统权限:

SQL> AUDIT CREATE ANY TABLE, CREATE TABLE BY USER01 BY ACCESS;

user01测试:

SQL> create table t1(x int);

SQL> create table t1(x int); 失败

SQL> create table hr.t1(x int);

SQL> create table hr.t1(x int); 失败

sys查看审计结果:

SQL> desc aud$

SQL> desc dba_audit_trail

浏览器中查看

sys添加审计条件:

SQL> AUDIT SELECT ANY TABLE BY user01 BY ACCESS;

SQL> grant select any table to user01;

user01测试:

SQL> select * from t1;

SQL> select * from hr.t1;

sys查看审计结果:

浏览器中或者查看dba_audit_trail表

删除审计选项:

SQL> NOAUDIT CREATE ANY TABLE BY USER01;

SQL> NOAUDIT CREATE TABLE BY USER01;

SQL> NOAUDIT SELECT ANY TABLE BY user01;

 

审计对象:

sys设置审计选项:

SQL> AUDIT SELECT ON hr.employees BY ACCESS;

SQL> drop user user01 cascade;

SQL> create user user01 identified by password;

SQL> grant create session to user01;

sys授权,每执行一个语句,user01就测试一次:

SQL> grant select any table to user01;

SQL> revoke select any table from user01;

SQL> grant select on hr.employees to user01;

user01测试(执行4次):

SQL> select count(*) from hr.employees;

默认不记录sys的行为:

SQL> select count(*) from hr.employees;

删除审计选项:

SQL> NOAUDIT SELECT ON hr.employees;

 

审计语句:

sys设置审计选项:

SQL> AUDIT TABLE BY user01 BY ACCESS;

user01测试:

SQL> create table t1(x int); 失败

SQL> create table t1(x int);

SQL> create table t1(y int); 失败

SQL> drop table t1;

sys查看结果:

浏览器中,或DBA_AUDIT_OBJECT表中

删除审计选项:

SQL> NOAUDIT TABLE BY USER01

 

审计sys的操作:

SQL> show parameter audit

修改两个参数

以上是关于用户管理的主要内容,如果未能解决你的问题,请参考以下文章

MySQL的用户管理与权限管理

MySQL的用户管理与权限管理

Linux学习之用户管理命令与用户组管理命令(十五)

怎么在我的电脑里添加管理员用户

18. 用户与权限管理

金蝶KIS软件用户管理及权限授权