创建用户:
create user +用户 default tablespace + 表空间名 identified + 验证方式

SQL> create user easthome profile default identified by oracle password expire default tablespace users temporary tablespace temp account unlock;

SQL> grant connect to easthome;
SQL> grant create session to easthome;

default tablespace:默认的表空间,用户默认使用的表空间

创建test表空间:

查找数据文件的路径:
SQL> select name from v$datafile

SQL> create tablespace test datafile '/u01/app/oracle/oradata/orcl/test01.dbf' size 100M;

创建一个用户test,默认的表空间为test

SQL> create user test default tablespace test identified by oracle;

如果不指定default tablespace,会使用数据库的默认表空间:

数据库的默认表空间:
select property_name, property_value from database_properties where property_name='DEFAULT_PERMANENT_TABLESPACE';

更改数据库的默认表空间:

select name from v$tablespace;
alter database default tablespace users;

如何更改口令

alter user scott identified by oracle;
alter user sys identified by oracle;

删除用户:

如果用户中没有数据,可以直接删除

SQL> drop user test;

如果有数据,使用cascade
SQL> grant create session,create table to test identified by oracle;

SQL> alter user test quota 10m on users;

SQL> conn test/oracle
SQL> create table t(id number);

SQL> insert into t values(1);
SQL> commit;

提交完成。

SQL> conn /as sysdba
SQL> drop user test;
SQL> drop user test cascade;

用户验证
sqlplus / as sysdba;
conn scott/tiger as sysdba;
show user;
操作系统验证

只有属于dba组的用户才能进行操作系统验证

新建用户easthome,让其属于dba组:
在root下执行:
useradd -g dba easthome
passwd easthome

cp /home/oracle/.bash_profile /home/easthome/.bash_profile

su - easthome
sqlplus / as sysdba

SQL> show user

关闭操作系统验证:

到此目录:/u01/app/oracle/product/11.2.0/db/network/admin

打开sqlnet.ora文件,更改如下内容:

SQLNET.AUTHENTICATION_SERVICES= (none)--把NTS改为none,关闭操作系统验证

sqlplus sys/oracle as sysdba;

口令验证
cd $ORACLE_HOME/dbs
rm -rf orapworcl

orapwd file=$ORACLE_HOME/dbs/orapworcl password=oracle
orapwd file=$ORACLE_HOME/dbs/orapworcl password=b force=y

select * from v$pwfile_users;
grant sysdba to scott;
sqlplus scott/tiger as sysdba;

普通用户的账号密码保存在数据字典中,因此只能当数据库打开时才能使用。
select username, password from dba_users;

alter user scott identified by tiger;
conn scott/tiger;

Linux账号的外部验证
打开操作系统验证
cd $ORACLE_HOME/network/admin/sqlnet.ora
删除SQLNET.AUTHENTICATION_SERVER=(none)

SQL> show parameter os_authent_prefix
SQL> create user ops$oracle default tablespace users identified externally;
ops$开头
存在oracle账号
su - oracle
sqlplus /
show user;

window账号外部验证:

1. 用户名有两部分组成:os_authent_prefix+操作系统用户
2. 验证方式必须是外部验证

SQL> create user ops$oracle identified externally
SQL> grant connect to ops$oracle;
SQL> exit

SQL> drop user ops$oracle cascade;
SQL> create user ops$zhaoming default tablespace users identified externally;
SQL> grant connect to ops$zhaoming;

[oracle@hndx ~]$ sqlplus /--不用用户名和密码
SQL> show user
USER is "OPS$ORACLE"

远程操作系统验证:
SQL> show parameter remote_os
SQL> alter system set remote_os_authent=true scope=spfile;
SQL> startup force

create user ops$admini identified externally;

SQL> alter system set remote_os_authent=false scope=spfile;

在客户端:
sqlplus /@orcl

授予和回收权限

系统权限
grant select any table to scott;
select grantee, privilege from dba_sys_privs where grantee = 'SCOTT' ;

desc user_tab_privs;
select grantee, owner, table_name, grantor, privilege from user_tab_privs where grantee = 'SYS';

对象权限
conn scott/tiger;
grant all on emp to hr;

conn hr/hr;
desc user_tab_privs;
select grantee,owner,table_name, grantor,privilege from user_tab_privs where table_name='EMP';

conn / as sysdba;
权限的级联回收
conn scott/tiger;
revoke all on emp from hr;

conn / as sysdba;
grant select any table to scott with admin option;

conn scott/tiger;
grant select any table to hr;

select count(*) from hr.employees;

conn hr/hr;
select count(*) from scott.emp;

conn / as sysdba;
revoke select any table from scott;

conn scott/tiger;
select count(*) from hr.employees;

conn hr/hr;
select count(*) from scott.emp;
系统权限不能被级联回收

conn / as sysdba;
revoke select any table from hr;

conn scott/tiger;
grant update on emp to hr with grant option;

conn hr/hr;
grant update on scott.emp to sh;

update scott.emp set sal=sal+100;

conn / as sysdba;
alter user sh account unlock identified by sh;

conn sh/sh;
update scott.emp set sal=sal+100;

conn scott/tiger;
revoke update on emp fro hr;

conn hr/hr;
grant update on scott.emp to sh;
conn sh/sh;
update scott.emp set sal=sal+100;
对象权限会被级联回收。

select table_name from dict where table_name like '%PRIVS%'

创建和管理角色

角色:是一组权限的集合,方便对权限的管理,可以实现权限的动态管理

查询数据库中的角色:

select role from dba_roles

创建角色

普通用户必须有create role的权限才能创建角色

conn /as sysdba

create role r1;

select role from dba_roles where role='R1';

查询角色中的系统权限:

SQL> select role,privilege,admin_option from role_sys_privs where role='R1';

查询角色中的对象权限:

SQL> select * from role_tab_privs where role='R1';

把系统权限授予角色r1:

SQL> grant select any dictionary to r1;

SQL> select role,privilege,admin_option from role_sys_privs where role='R1';

把对象权限授予角色r1:

SQL> grant delete on scott.emp to r1;

授权成功。

SQL> select * from role_tab_privs where role='R1';

将角色授予用户:

SQL> grant r1 to hr;--hr拥有r1角色中的所有的权限
SQL> conn hr/hr
SQL> delete scott.emp;

SQL> roll

SQL> select count(*) from dba_objects;

如何查询当前用户下有哪些角色?

SQL> select username,granted_role,admin_option,default_role from user_role_privs;

查看resource中的系统权限:

SQL> select privilege from role_sys_privs where role='RESOURCE';

查看resource中的对象权限:

SQL> select role,owner,table_name,privilege from role_tab_privs where role='RESOURCE';

角色的转授:

SQL> conn /as sysdba
SQL> grant r1 to hr with admin option;

SQL> conn hr/hr
SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> grant r1 to oe;

SQL> conn oe/oe
SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> delete scott.emp;

SQL> roll

SQL> select count(*) from dba_objects;

角色级联回收:

SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> conn oe/oe
SQL> select username,granted_role,admin_option,default_role from user_role_privs

SQL> delete scott.emp;

SQL> roll

SQL> select count(*) from dba_objects ;

从以上的实验可以看出角色不能被级联回收

默认角色:当连接用户时,默认启动的角色

SQL> conn /as sysdba

SQL> create user test default tablespace users identified by a;
SQL> create role r2;
SQL> grant select any dictionary to r2;

SQL> create role r3;
SQL> grant update on scott.emp to r3;

SQL> grant connect,r2,r3 to test;

SQL> conn test/a
SQL> select * from role_sys_privs where role='CONNECT';

SQL> select count(*) from dba_objects;

SQL> update scott.emp set sal=sal+100;

SQL> roll

SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> conn /as sysdba
SQL> alter user test default role connect;

SQL> conn test/a

SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> select count(*) from dba_objects; --error
SQL> update scott.emp set sal=sal+100; --error

SQL> conn /as sysdba

SQL> alter user test default role connect,r2;

SQL> conn test/a
SQL> select username,granted_role,admin_option,default_role from user_role_privs;

SQL> select count(*) from dba_objects;

SQL> update scott.emp set sal=sal+100; --error

SQL> conn /as sysdba
SQL> alter user test default role connect,r2,r3;

SQL> conn test/a
SQL> select count(*) from dba_objects;

SQL> update scott.emp set sal=sal+100;

SQL> roll
回退已完成。

控制角色:

SQL> col role for a30

SQL> select * from session_roles;
SQL> set role connect,r2;

角色集

SQL> select * from session_roles;
SQL> select count(*) from dba_objects;

SQL> update scott.emp set sal=sal+100; --error
SQL> set role connect,r3;

SQL> roll

SQL> set role all;

SQL> select count(*) from dba_objects;

给角色指定密码:

SQL> drop role r2;
SQL> create role r2 identified by a;
SQL> grant select any dictionary to r2;
SQL> grant r2 to test;

SQL> conn test/a
SQL> set role r2; --error
SQL> set role r2 identified by a;

动态管理:

SQL> conn /as sysdba
SQL> grant r3 to oe;

SQL> conn oe/oe
SQL> update scott.emp set sal=sal+100;
SQL> roll

SQL> conn test/a
SQL> update scott.emp set sal=sal+100;
SQL> roll

SQL> conn /as sysdba
SQL> revoke update on scott.emp from r3;

SQL> conn test/a
SQL> update scott.emp set sal=sal+100; --error

SQL> conn oe/oe
SQL> update scott.emp set sal=sal+100; --error

SQL> conn /as sysdba
SQL> grant update on scott.emp to r3;

SQL> conn test/a
SQL> update scott.emp set sal=sal+100;
SQL> roll

SQL> conn oe/oe
SQL> update scott.emp set sal=sal+100;
SQL> roll

角色授予角色:
SQL> create role r1;
SQL> create role r2;
SQL> create role r3;

SQL> grant select any dictionary to r1;
SQL> grant update on scott.emp to r2;

SQL> grant r1 to r2;
SQL> grant r2 to hr;

SQL> conn hr/hr
SQL> select count(*) from dba_objects;
SQL> update scott.emp set sal=sal+100;
SQL> roll

SQL> conn /as sysdba
SQL> select role,granted_role from role_role_privs;
SQL> select role,granted_role from role_role_privs where role='R2';

SQL> grant r2 to r3;
SQL> select role,granted_role from role_role_privs where role='R2';
SQL> select role,granted_role from role_role_privs where role='R3';

SQL> grant r3 to r1; --error

r1->r2->r3->r1:不允许出现循环

一组权限的集合,可以使系统权限,对象权限或者两者混合。
conn / as sysdba;
desc dba_roles;
select role from dba_roles;

查看某角色有哪些权限
desc role_sys_privs
select privilege from role_sys_privs where role='CONNECT';
select privilege from role_tab_privs where role='CONNECT';

创建角色:
create role r1;
grant select any table to r1;
grant update on scott.emp to r1;
select privilege from role_sys_privs where role='R1';
select privilege from role_tab_privs where role='R1';

desc role_tab_privs;
select owner, table_name, privilege from role_tab_privs where role='R1';

将角色赋予用户
grant r1 to hr;
conn hr/hr;
select count(*) from scott.emp;
update scott.emp set sal=sal+100;

desc dict;
select table_name from dict where table like'%ROLE%';

当前用户有哪些角色
desc user_role_privs;
select granted_role,default_role from user_role_privs;

set role resource;
select * from session_roles;

set role all;
select * from session_roles;

预定义角色
CONNECT
CREATE SESSION

RESOURCE
CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE

SCHEDULER_ADMIN
CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER

DBA
Most system privileges; several other roles. Do not grant to nonadministrators.

SELECT_CATALOG_ROLE
No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary

SQL> CREATE ROLE secure_application_role IDENTIFIED USING <security_procedure_name>;

VERIFY_FUNCTION_11G
路径为<oracle_home>/rdbms/admin/utlpwdmg.sql,可以确保密码
1.至少8个字符
2.不能与用户名,用户名+数字和用户名反转相同
3.不能与数据库名,数据库名+数字相同
4.必须包含字母和数字
5.必须有三个字符跟之前的密码不同
可以使用该脚本为模板创建个性化的密码验证

sysdba与sysoper的区别

使用sysdba登录数据库,用户是sys

[oracle@hndx ~]$ sqlplus / as sysdba
SQL> show user

使用sysoper登录数据库,用户是public

[root@hndx ~]# usermod -g oinstall -G dba,oper oracle
[root@hndx ~]# su - oracle
[oracle@hndx ~]$ sqlplus / as sysoper

SQL> show user
USER is "PUBLIC"

权利不同,都可以启动数据库,sysdba的权利比sysoper要大

SQL> show user
USER is "SYS"
SQL> shutdown immediate
SQL> startup

SQL> conn /as sysoper
Connected.
SQL> show user
USER is "PUBLIC"
SQL> shutdown immediate
SQL> startup

权限对比:

SYSDBA:

Perform STARTUP and SHUTDOWN operations
ALTER DATABASE: open, mount, back up, or change character set
CREATE DATABASE
DROP DATABASE
CREATE SPFILE
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER
Includes the RESTRICTED SESSION privilege
Effectively, this system privilege allows a user to connect as user SYS.

SYSOPER
Perform STARTUP and SHUTDOWN operations
CREATE SPFILE
ALTER DATABASE OPEN/MOUNT/BACKUP
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER (Complete recovery only. Any form of incomplete recovery, such as UNTIL TIME|CHANGE|CANCEL|CONTROLFILE requires connecting as SYSDBA.)
Includes the RESTRICTED SESSION privilege
This privilege allows a user to perform basic operational tasks, but without the ability to look at user data.

创建和管理概要文件(profiles)

概要文件:有两个作用:控制资源占用 和管理帐户状态和口令失效

查看数据中有哪些概要文件:

SQL> select distinct profile from dba_profiles;

对资源的限制:

conn / as sysdba;
SQL> desc dba_profiles
SQL> select resource_name, resource_type,limit from dba_profiles where profile='DEFAULT';

SQL> create profile p1 limit sessions_per_user 3;
SQL> alter user scott profile p1;

SQL> show parameter resource_limit;
SQL> alter system set resource_limit=true;

SQL> startup force

打开4个会话,第四个报错:

[oracle@hndx ~]$ sqlplus scott/tiger -- error

SQL> drop profile p1 cascade;

对口令的限制:

SQL> create profile p1 limit FAILED_LOGIN_ATTEMPTS 3;
SQL> alter user scott profile p1;

SQL> conn scott/a
SQL> conn scott/b
SQL> conn scott/c
SQL> conn scott/d

SQL> conn scott/tiger--输入正确的口令也不能进入,必须让dba解锁

SQL> conn /as sysdba
SQL> alter user scott account unlock;

SQL> drop profile p1 cascade;

口令验证函数:

VERIFY_FUNCTION_11G

通过脚本:$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

SQL> @?/rdbms/admin/utlpwdmg.sql

SQL> drop user hndx cascade;

SQL> create user hndx identified by a;
SQL> create user hndx identified by welcome;
SQL> create user hndx identified by database;

删除以上函数的限制:

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION null;

SQL> drop function verify_function;

Function dropped.

SQL> create user hndx identified by a;

User created.

password_verify_function null;
可以去掉验证

应用最少的权限
O7_DICTIONARY_ACCESSIBILITY=FALSE;
alter system set O7_DICTIONARY_ACCESSIBILITY=true;
startup force;

设置为true之后的影响
赋予select any给scott之后,scott可以访问数据字典。
conn sys/oracle; 不用sysdba也可以登录。

PUBLIC角色中不要给予不必要的权限
revoke select any table from scott;
grant update on scott.emp to public;

conn sh/sh;
update scott.emp set sal=sal+100;

create directory dir as '/u01/app/oracle/dir';
数据泵倒入导出时可以使用该目录。可以限制对目录的使用。

限制远程认证
REMOTE_OS_AUTHENT=FALSE

数据库用户账号
每一个数据库用户账号拥有
1.独立的用户名
2.特定的认证方法
3.默认的表空间
4.临时表空间
5.用户参数文件(profile)
6.初始消费者组
7.用户状态

Schema
是数据库用户拥有的一系列数据库对象的集合,与用户账号具有相同的名字

预定义管理账号
SYS账号
被授予DBA角色以及其他一些角色
拥有所有带ADMIN OPTION的权限
对于start,shutdown以及其他一些维护命令是必须的
拥有数据字典以及自动工作存储(AWR)
[oracle@stu1 ~]$ sqlplus / as sysdba
[grid@stu1 ~]$ sqlplus / as sysasm

SYSTEM
被授予DBA,MGMT_USER和AQ_ADMINISTRATOR_ROLE等角色

DBSNMP
被授予OEM_MONITOR角色

SYSMAN
被授予MGMT_USER, RESOURCE和SELECT_CATALOG_ROLE角色

这些账号不用于日常操作,后两者用于EM,均不具备SYSDBA权限。

创建用户
SQL> create user "mydba" profile "default" identified by ********
default tablespaces "users"
temporary tablespace "temp"
account unlock
SQL> grant "connect" to "mydba"

权限:分为系统权限和对象权限
系统权限
RESTRICTED SESSION:即使数据库处于RESTRICTED模式,也允许登录

SYSDBA和SYSOPER
SYSOPER可以执行基本操作,但是不能查看用户数据,两权限均具有如下权利
1.启动和关闭数据库
2.创建spfile
3.更改数据库为OPEN,MOUNT和BACKUP
4.更改数据库为归档模式(ARCHIVELOG)
5.更改数据库为恢复(RECOVER),仅为完全恢复,非完全恢复要求连接为SYSDBA
6.RESTRICTED SESSTION

SYSASM:允许启动,关闭和管理ASM实例

DROP ANY:允许删除其他用户拥有的对象

CREATE,MANAGE,DROP和ALTER TABLESPACE:允许管理管理表空间

CREATE LIBRARY:允许用户创建在PL/SQL中执行的外部代码,这些代码必须被命名为LIBRARY对象

CREATE ANY DIRECTORY:
处于安全考虑,代码所在的操作系统目录必须被链接到虚拟ORACLE目录对象。拥有该权限的用户可以潜在调用非安全的代码对象。

GRANT ANY OBJECT PRIVILEGE: 允许赋予非自己拥有的对象权限给其他用户

ALTER SYSTEM和ALTER DATABASE

SQL> GRANT <object_privilege> ON <object> TO <grantee clause> [WITH GRANT OPTION]
SQL> REVOKE <system_privilege> FROM <grantee clause>

备注:
使用最小权限原则并不足以保证数据库足够安全

OCA读书笔记(8) - 管理用户安全的更多相关文章

  1. OCA读书笔记(7) - 管理数据库存储结构

    7.Managing Database Storage Structures 逻辑结构 数据库的存储结构有物理结构和逻辑结构组成的 物理结构:物理上,oracle是由一些操作系统文件组成的 SQL&g ...

  2. OCA读书笔记(5) - 管理ASM实例

    Objectives:Describe the benefits of using ASMManage the ASM instanceCreate and drop ASM disk groupsE ...

  3. OCA读书笔记(4) - 管理数据库实例

    Objectives: •Start and stop the Oracle database and components •Use Oracle Enterprise Manager •Acces ...

  4. OCA读书笔记(9) - 管理数据同步

    9.Managing Data Concurrency 描述锁机制以及oracle如何管理数据一致性监控和解决锁冲突 管理数据的并发--管理锁数据的不一致:脏读更改丢失幻影读 脏读:数据是指事务T2修 ...

  5. OCA读书笔记(10) - 管理UNDO数据

    Undo自动管理与手动管理 undo段自动管理SQL> show parameter undo_management 将undo段改为手工管理SQL> alter system set u ...

  6. OCA读书笔记(1) - 浏览Oracle数据库架构

    Objectives: List the major architectural components of Oracle DatabaseExplain the memory structuresD ...

  7. OCA读书笔记(12) - 数据库维护

    查询优化器统计信息 搜集统计信息: 不是实时的: SQL> conn /as sysdbaConnected.SQL> grant select on dba_objects to sco ...

  8. OCP读书笔记(13) - 管理内存

    SGA 1. 什么是LRULRU表示Least Recently Used,也就是指最近最少使用的buffer header链表LRU链表串联起来的buffer header都指向可用数据块 2. 什 ...

  9. 《Troubleshooting SQL Server》读书笔记-内存管理

    自调整的数据库引擎(Self-tuning Database Engine) 长期以来,微软都致力于自调整(Self-Tuning)的SQL Server数据库引擎,用以降低产品的总拥有成本.从SQL ...

随机推荐

  1. hdu 2276 Kiki & Little Kiki 2

    点击打开hdu 2276 思路: 矩阵快速幂 分析: 1 题目给定一个01字符串然后进行m次的变换,变换的规则是:如果当前位置i的左边是1(题目说了是个圆,下标为0的左边是n-1),那么i就要改变状态 ...

  2. 【原创】Android 系统稳定性 - ANR(二)

    文章都为原创,转载请注明出处,未经允许而盗用者追究法律责任. 很久之前写的了,留着有点浪费,共享之.编写者:李文栋P.S. OpenOffice粘贴过来后格式有些混乱. 1.2 如何分析ANR问题 引 ...

  3. SDCard助手类

    package com.zyh.sdcardHelper; import java.io.BufferedInputStream; import java.io.BufferedOutputStrea ...

  4. Linux fstab 参数详解

    [root@qs-wg-db1 /]# cat /etc/fstab LABEL=/          /                       ext3    defaults         ...

  5. java--从控制台读入一些数据

    学一些东西应该,学以致用: 现在我开始使用流的办法从控制台读取数据 import java.io.*; public class Demo2{ public static void main(Stri ...

  6. 彻底明白Java的IO系统

    java学习:彻底明白Java的IO系统 文章来源:互联网 一. Input和Output1. stream代表的是任何有能力产出数据的数据源,或是任何有能力接收数据的接收源.在Java的IO中,所有 ...

  7. Android屏幕大小适配问题解决

    转载: 一.一些基本概念 1.长度(真实长度):英寸.inch 2.分辨率:density 每英寸像素数  dpi(密度) 3.像素:px 4.dip的公式:px /dip=dpi/160  所以 d ...

  8. static在C和C++中的用法和区别

    static主要有三个作用: (1)局部静态变量 (2)外部静态变量/函数 (3)静态数据成员/成员函数 前两种C和C++都有,第三种仅在C++中有,下面分别作以下介绍: 一.局部静态变量 在C/C+ ...

  9. 基于visual Studio2013解决面试题之1402选择排序

     题目

  10. Android网络:开发浏览器(二)——功能完善之长按网页图片菜单

    上述的历史和书签的功能已经实现.不过如果我们长时间按住图片,并不会出现如同UC中的一系列选项,我们可以来看看UC中的长按图片出现的菜单. 图10.2.9    UC中的长按图片菜单 我们可以看到UC中 ...