1. Creating and managing users
A user definition includes:
a unique user name, an authentication method, a default tablespace, a temporary tablespace, a profile, an initial consumer group, and an account status.
schema: the collection of objects owned by a user
Template (modelled on HR, for user zhnagsan):
create user zhnagsan profile "DEFAULT" identified by zhnagsan default tablespace "USERS" temporary tablespace "TEMP" account unlock;
grant alter session to zhnagsan;
grant create database link to zhnagsan;
grant create sequence to zhnagsan;
grant create session to zhnagsan;
grant create synonym to zhnagsan;
grant create view to zhnagsan;
grant unlimited tablespace to zhnagsan;
grant execute on "SYS"."DBMS_STATS" to zhnagsan;
grant execute on "SYS"."DBMS_METADATA" to zhnagsan;
grant "RESOURCE" to zhnagsan;
sqlplus zhnagsan/zhnagsan
Common commands:
drop user scott;
drop user scott cascade; -- drop the user together with all of its objects
create user oaec identified by oaec default tablespace oaec temporary tablespace oaec account unlock;
alter user scott account unlock;
View the DDL that created a user:
set long 1000;
select SYS.DBMS_METADATA.get_ddl('USER','SCOTT') from dual;
SQL> select SYS.DBMS_METADATA.get_ddl('USER','SCOTT') from dual;
SYS.DBMS_METADATA.GET_DDL('USER','SCOTT')
--------------------------------------------------------------------------------
CREATE USER "SCOTT" IDENTIFIED BY VALUES 'S:07921277EB685F9816BA4776231FA31B0
C0A84DD4DF70E5DEC761A6F6B53;F894844C34402B67'
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP"
PASSWORD EXPIRE
ACCOUNT LOCK
The dba_users view:
col USERNAME for a30;
col ACCOUNT_STATUS for a30;
col LOCK_DATE for a30;
col EXPIRY_DATE for a30;
col DEFAULT_TABLESPACE for a30;
select USERNAME,ACCOUNT_STATUS,LOCK_DATE,EXPIRY_DATE,DEFAULT_TABLESPACE from dba_users where USERNAME='SCOTT';
create user test2 identified by test2;
select USERNAME,ACCOUNT_STATUS,LOCK_DATE,EXPIRY_DATE,DEFAULT_TABLESPACE from dba_users where USERNAME='TEST2';
desc database_properties;
desc v$pwfile_users;
2. Granting and revoking privileges
System privileges: allow a user to perform a specific operation in the database
Object privileges: allow a user to access and manipulate a specific object
System privileges (system privilege):
alter session
create database link
create session
create synonym
create view
unlimited tablespace
Object privileges:
execute on dbms_stats
Revoking a system privilege that was granted WITH ADMIN OPTION does not cascade
Revoking an object privilege that was granted WITH GRANT OPTION cascades
desc system_privilege_map; -- system privileges
select * from system_privilege_map order by NAME;
grant alter tablespace to oaec;
conn oaec/oaec;
alter tablespace oaec add datafile '/u02/oracle/oradata/orcl/oaec02.dbf' size 10m;
conn / as sysdba;
revoke alter tablespace from oaec; -- revoke the privilege
Example:
Cascading grant and cascading revoke of system privileges:
alter user oaec identified by oaec;
grant create session to oaec;
grant select any dictionary to oaec;
select count(*) from dba_objects;
conn oaec/oaec;
SQL> conn oaec/oaec
Connected.
SQL> select count(*) from dba_objects;
COUNT(*)
----------
86274
SQL> grant select any dictionary to test;
grant select any dictionary to test
*
ERROR at line 1:
ORA-01031: insufficient privileges
Granting with ADMIN OPTION:
conn / as sysdba;
revoke select any dictionary from oaec;
grant select any dictionary to oaec with admin option;
SQL> conn oaec/oaec;
Connected.
SQL> grant select any dictionary to test;
Grant succeeded.
####################################################################
GRANT OPTION example:
create user a identified by a account unlock;
create user b identified by b account unlock;
grant create session to a;
grant create session to b;
grant select on scott.emp to a;
conn a/a
select * from scott.emp;
grant select on scott.emp to b; -- fails: insufficient privileges
conn / as sysdba;
revoke select on scott.emp from a;
grant select on scott.emp to a with grant option;
conn a/a
select * from scott.emp;
grant select on scott.emp to b; -- now allowed
conn b/b;
select * from scott.emp; -- can query
Now SYS revokes select on scott.emp from user a. Can user b still query scott.emp? Result: it cannot.
conn / as sysdba;
revoke select on scott.emp from a;
conn b/b;
select * from scott.emp; -- error
SQL> select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-00942: table or view does not exist
#############################################################################
Object privileges
desc table_privilege_map;
create user mike identified by mike account unlock;
grant create session to mike;
grant alter on scott.emp to mike;
grant delete on scott.emp to mike;
grant index on scott.emp to mike;
grant insert on scott.emp to mike;
grant references on scott.emp to mike;
grant select on scott.emp to mike;
grant update on scott.emp to mike;
Check which users hold which privileges on table A1 owned by the current user TEST02:
desc user_sys_privs;
select grantee,owner,table_name,grantor,privilege from user_tab_privs where owner='TEST02' and table_name='A1';
select grantee,owner,table_name,grantor,privilege from user_tab_privs where owner='SCOTT' and table_name='EMP';
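The two revoke behaviours above (object privileges cascade, system privileges do not) can be checked directly in the data dictionary. The following is an added example, not part of the original notes; it reuses users A, B, OAEC, TEST and table SCOTT.EMP from the examples above and assumes it is run in SQL*Plus as SYSDBA.

```sql
-- Added example (not from the original notes): see how GRANT OPTION and
-- ADMIN OPTION are recorded, and therefore what a revoke cascades.
conn / as sysdba

-- Object privileges on SCOTT.EMP. GRANTOR records who gave the privilege,
-- GRANTABLE records whether it was given WITH GRANT OPTION.
col grantee for a10
col grantor for a10
col privilege for a10
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = 'SCOTT' and table_name = 'EMP'
 order by grantor, grantee;
-- After "grant select on scott.emp to a with grant option" (by SYS) and
-- "grant select on scott.emp to b" (by A), expect two rows:
--   A  SCOTT  SELECT  YES      (SYS's grant is recorded with the owner as grantor)
--   B  A      SELECT  NO
-- "revoke select on scott.emp from a" removes both rows, because B's row
-- was granted by A: object privileges cascade.

-- System privileges. ADMIN_OPTION is recorded but there is no GRANTOR
-- column, so after "revoke select any dictionary from oaec" TEST's row
-- stays: system privileges do not cascade.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege = 'SELECT ANY DICTIONARY'
 order by grantee;
```

Running the two queries before and after each revoke in the example above shows the difference without having to log in as b or test and trigger ORA-00942.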
3. Creating and managing roles
Role: a collection of privileges
The connect role includes create session
The resource role includes create cluster, create indextype, create operator, create procedure, create sequence, create table, create trigger, create type
The scheduler_admin role includes create any job, create external job, create job, execute any class, execute any program, manage scheduler
The DBA role includes
select_catalog_role: has no system privileges;
Example:
create role test_role;
grant create session to test_role;
grant select on scott.emp to test_role;
grant create table to test_role;
create user test3 identified by test3;
grant test_role to test3;
How to find out which privileges a role holds?
desc role_sys_privs;
desc role_tab_privs;
Viewed together:
select * from role_sys_privs where role='TEST_ROLE';
select * from role_tab_privs where role='TEST_ROLE';
View all roles:
select * from dba_roles;
select * from role_sys_privs where role='RESOURCE'; -- which privileges the RESOURCE role has
SQL> select * from role_sys_privs where role='RESOURCE';
ROLE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TYPE NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE INDEXTYPE NO
RESOURCE CREATE TABLE NO
View the roles held by the current user
desc user_role_privs;
SQL> conn test3/test3;
Connected.
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
TEST3 TEST_ROLE NO YES NO
Note: a role can be granted onward (WITH ADMIN OPTION), but revoking it does not cascade
create user hr identified by hr account unlock;
grant test_role to hr with admin option;
conn hr/hr;
grant test_role to b;
If role test_role is revoked from user hr, user b is unaffected and still holds the privileges of test_role.
desc role_role_privs;
Password-protected role:
create role r1 identified by r1;
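Because a role can be granted to another role, the views used above (role_sys_privs, role_tab_privs, user_role_privs) only show one level at a time. The following added example, not part of the original notes, walks DBA_ROLE_PRIVS recursively to report everything a user effectively holds. It assumes SQL*Plus as SYSDBA; the user name TEST3 is the one created above and can be changed with the define.

```sql
-- Added example (not from the original notes): effective privileges of one
-- user, including those that arrive through roles granted to other roles.
conn / as sysdba
define usr = TEST3

with all_roles as (
  -- Step 1: every role the user holds, directly or through another role.
  -- DBA_ROLE_PRIVS.GRANTEE is either a user or a role, so CONNECT BY
  -- expands nested roles (Oracle forbids circular role grants, so no cycle).
  select distinct granted_role
    from dba_role_privs
   start with grantee = '&usr'
   connect by prior granted_role = grantee
)
select 'ROLE' as kind, granted_role as name, cast(null as varchar2(200)) as detail
  from all_roles
union all
-- Step 2: system privileges held directly or via any of those roles.
select 'SYS PRIV', privilege, 'via ' || grantee
  from dba_sys_privs
 where grantee = '&usr' or grantee in (select granted_role from all_roles)
union all
-- Step 3: object privileges held directly or via any of those roles.
select 'OBJ PRIV', privilege, owner || '.' || table_name || ' via ' || grantee
  from dba_tab_privs
 where grantee = '&usr' or grantee in (select granted_role from all_roles)
order by 1, 2, 3;
```

For TEST3 as set up in the example above, the report lists TEST_ROLE, CREATE SESSION and CREATE TABLE via TEST_ROLE, and SELECT on SCOTT.EMP via TEST_ROLE. Running it for a user that holds RESOURCE shows why that role is more than it looks.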
4. Creating and managing profiles
Related to account and password expiry
Purpose:
Control resource consumption, manage account status and password expiration
desc dba_profiles;
select RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';
create profile p1 limit
COMPOSITE_LIMIT 3
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL UNLIMITED
LOGICAL_READS_PER_SESSION UNLIMITED
LOGICAL_READS_PER_CALL UNLIMITED
IDLE_TIME UNLIMITED
CONNECT_TIME UNLIMITED
PRIVATE_SGA UNLIMITED
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
PASSWORD_VERIFY_FUNCTION NULL
PASSWORD_LOCK_TIME 1
PASSWORD_GRACE_TIME 7;
View a user's profile
select username,profile from dba_users where username=‘SCOTT‘;
Change a user's profile
alter user scott profile p1;
alter profile p1 limit
COMPOSITE_LIMIT 3;
show parameter resource_limit;
Must be TRUE for SESSIONS_PER_USER (concurrent sessions per user) to take effect
FAILED_LOGIN_ATTEMPTS 10 means the account is locked after 10 wrong passwords
cd $ORACLE_HOME/rdbms/admin -- each script in this directory has a different purpose
ls -l | grep utlpwdmg.sql -- password complexity verification
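The profile p1 above leaves most password controls at their defaults. The following added example, not part of the original notes, creates a profile that uses the lockout, expiry, reuse and complexity settings this section describes, and then verifies it. It assumes SQL*Plus as SYSDBA, an spfile (for scope=both), and that utlpwdmg.sql has already been run; the verify function name depends on the release (11g's script creates VERIFY_FUNCTION_11G, 12c and later create ORA12C_VERIFY_FUNCTION), so adjust it.

```sql
-- Added example (not from the original notes): a profile that enforces the
-- password controls described above. Time limits are in days; 1/24 is one hour.
conn / as sysdba

create profile p_secure limit
  -- lock the account after 5 wrong passwords, and keep it locked one hour
  failed_login_attempts    5
  password_lock_time       1/24
  -- force a change every 90 days, with a 7-day warning period
  password_life_time       90
  password_grace_time      7
  -- a password cannot be reused within a year or until 10 others were used
  password_reuse_time      365
  password_reuse_max       10
  -- complexity check created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
  -- (assumed name for 11g; use ora12c_verify_function on 12c and later)
  password_verify_function verify_function_11g
  -- resource limits: at most 3 concurrent sessions, idle sessions cut after 30 min
  sessions_per_user        3
  idle_time                30;

-- Password limits are always enforced; resource limits such as
-- SESSIONS_PER_USER and IDLE_TIME only apply when RESOURCE_LIMIT is TRUE.
alter system set resource_limit = true scope = both;

alter user scott profile p_secure;

-- Verify: the limits actually stored, and the account state after the change.
select resource_name, limit from dba_profiles where profile = 'P_SECURE';
select username, profile, account_status, expiry_date
  from dba_users where username = 'SCOTT';
```

Assigning the profile does not expire the current password; existing passwords only start to count against PASSWORD_LIFE_TIME from their last change, and ACCOUNT_STATUS in dba_users shows when a user has entered the grace period or been locked.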
5. Principle of least privilege and managing quotas
Managing quotas
Assign a quota to a user so that the user can create objects in a tablespace.
drop user oaec cascade;
create user oaec identified by oaec account unlock;
grant create session to oaec;
grant create table to oaec;
Let user oaec use 1 MB of the users tablespace:
alter user oaec quota 1m on users;
alter user oaec quota unlimited on users; -- use as much space as the tablespace has
select BLOCK_ID,BLOCKS from dba_extents where OWNER='OAEC' and SEGMENT_NAME='T1';
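A quota is only a limit if nothing bypasses it. The following added example, not part of the original notes, sets the 1 MB quota from above, shows where it is recorded, shows the error a user gets on exceeding it, and checks for the UNLIMITED TABLESPACE privilege that makes every quota irrelevant (the zhnagsan template in section 1 grants it). It assumes SQL*Plus, the oaec user recreated above, and that USERS is writable.

```sql
-- Added example (not from the original notes): quota enforcement and the
-- privilege that defeats it.
conn / as sysdba
alter user oaec quota 1m on users;

-- MAX_BYTES is the quota (-1 means unlimited), BYTES is current usage.
select tablespace_name, username, bytes, max_bytes
  from dba_ts_quotas
 where username = 'OAEC';

-- Filling the table past 1 MB fails with
-- ORA-01536: space quota exceeded for tablespace 'USERS'
conn oaec/oaec
create table t1 (c char(2000)) tablespace users;
begin
  for i in 1 .. 2000 loop   -- about 4 MB of rows, well past the quota
    insert into t1 values ('x');
  end loop;
  commit;
end;
/

-- The UNLIMITED TABLESPACE system privilege bypasses all quotas, so a
-- least-privilege setup grants per-tablespace quotas instead of it.
conn / as sysdba
select grantee, privilege
  from dba_sys_privs
 where privilege = 'UNLIMITED TABLESPACE' and grantee = 'OAEC';
-- Run the revoke only if the query above returned a row
-- (otherwise it fails with ORA-01952).
revoke unlimited tablespace from oaec;
```

Re-running the dba_ts_quotas query after the failed insert shows BYTES stopped at the quota, and the dba_extents query above shows which extents T1 was able to allocate before the error.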
Principle of least privilege:
Install only the software that is needed on the machine
Activate only the services that are needed
Allow only the users who need it to access the operating system
Restrict the root or administrator account
Restrict sysdba access
Allow users to access only the database objects they need.