Experiment: understanding the difference between granting privileges and granting roles in Oracle


Environment: Oracle 11.2.0.4
Goal: verify the difference between granting privileges and granting roles to an application user

First, create two users, jingyu2 and jingyu3:

SYS@jyzhao1> create user jingyu2 identified by jingyu2 DEFAULT tablespace tbs_jingyu;
SYS@jyzhao1> create user jingyu3 identified by jingyu3 DEFAULT tablespace tbs_jingyu;

SYS@jyzhao1> grant connect, resource to jingyu2, jingyu3;

Simulate a table T_jingyu2 under user jingyu2 and a table T_jingyu3 under user jingyu3:

JINGYU2@jyzhao1> create table t_jingyu2 as select * from user_objects;

Table created.

JINGYU3@jyzhao1> create table t_jingyu3 as select * from user_objects;

Table created.

In each user's session, query the roles and privileges that have been granted:

JINGYU2@jyzhao1>select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE

10 rows selected.

JINGYU2@jyzhao1>select * from session_roles;

ROLE
------------------------------
CONNECT
RESOURCE

The session privileges and session roles of user JINGYU3 are identical; output omitted.
After granting connect and resource, the two roles most commonly used for application development, the user holds the 10 privileges above, which is usually enough for basic development work.

Requirement: user jingyu2 needs to query jingyu3's table t_jingyu3 and create a synonym t_jingyu3 for it.

Clearly the current roles/privileges cannot satisfy this requirement:

JINGYU2@jyzhao1>select count(1) from jingyu3.t_jingyu3;
select count(1) from jingyu3.t_jingyu3
                             *
ERROR at line 1:
ORA-00942: table or view does not exist


JINGYU2@jyzhao1>create synonym t_jingyu3 for jingyu3.t_jingyu3;
create synonym t_jingyu3 for jingyu3.t_jingyu3
*
ERROR at line 1:
ORA-01031: insufficient privileges

There are two problems: user jingyu2 cannot access a table belonging to another user (jingyu3), and jingyu2 has no privilege to create synonyms.

To meet the requirement, consider how to solve each.

Solution 1: grant the missing privileges (recommended).
Principle: grant exactly the privileges the business needs and nothing more, for precise control.

Grant the missing privileges:

JINGYU3@jyzhao1> grant select on t_jingyu3 to jingyu2;

Grant succeeded.

SYS@jyzhao1>grant create synonym to jingyu2;

Grant succeeded.	

Retrying after the grants shows that the requirement is now met:

JINGYU2@jyzhao1>select count(1) from jingyu3.t_jingyu3;

  COUNT(1)
----------
         1

JINGYU2@jyzhao1>create synonym t_jingyu3 for jingyu3.t_jingyu3;

Synonym created.

JINGYU2@jyzhao1>select count(1) from t_jingyu3;   

  COUNT(1)
----------
         1

Check the session privileges/roles at this point:

JINGYU2@jyzhao1>select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE

11 rows selected.

JINGYU2@jyzhao1>select * from session_roles;

ROLE
------------------------------
CONNECT
RESOURCE

The session privileges have grown by exactly one, CREATE SYNONYM; no additional risk has been introduced.

Solution 2: grant the DBA role (not recommended).
Principle: for convenience, grant the DBA role across the board so that any privilege an application might ever need is covered.

In many real-world scenarios, especially development and test environments, DBAs or developers often grant the highly privileged dba role directly to save themselves trouble. This is of course not recommended,
but it is a solution nonetheless, so it is demonstrated below; the experiment also turns up some interesting details along the way.

First revoke the privileges granted in solution 1:

SYS@jyzhao1>revoke create synonym from jingyu2;

Revoke succeeded.

JINGYU3@jyzhao1>revoke select on t_jingyu3 from jingyu2;

Revoke succeeded.

This restores the initial environment.

Now try granting jingyu2 the all-powerful dba role directly; surely everything should work now.

SYS@jyzhao1>grant dba to jingyu2;

Grant succeeded.

The result is surprising: it does not work!

JINGYU2@jyzhao1>select count(1) from jingyu3.t_jingyu3;
select count(1) from jingyu3.t_jingyu3
                             *
ERROR at line 1:
ORA-00942: table or view does not exist


JINGYU2@jyzhao1>create synonym t_jingyu3 for jingyu3.t_jingyu3;
create synonym t_jingyu3 for jingyu3.t_jingyu3
*
ERROR at line 1:
ORA-01031: insufficient privileges

The supreme dba role cannot even solve cross-schema access and synonym creation?
Is that right?
What do you make of this?

If you reconnect in a new session at this point, you will find that the requirement is met.
So it appears that in Oracle a privilege grant takes effect immediately, whereas a role grant only takes effect in sessions connected after the grant.
Still not convinced?
Look at the roles in the old session:

JINGYU2@jyzhao1>select * from session_roles;

ROLE
------------------------------
CONNECT
RESOURCE

Indeed, nothing has changed. So is there a command that makes the new role effective in the old session without reconnecting?
The answer is yes: the command set role all can be executed in the existing session to enable the newly granted role.

JINGYU2@jyzhao1>set role all;

Role set.

JINGYU2@jyzhao1>select * from session_roles;

ROLE
------------------------------
CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
EXECUTE_CATALOG_ROLE
HS_ADMIN_EXECUTE_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
JAVA_ADMIN
JAVA_DEPLOY
XDBADMIN
XDB_SET_INVOKER
OLAP_XS_ADMIN
OLAP_DBA

21 rows selected.

Note also that although only the DBA role was granted, many additional roles came with it. Querying the privileges at this point shows:

JINGYU2@jyzhao1>select * from session_privs;

PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
CREATE TABLESPACE
ALTER TABLESPACE
MANAGE TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
CREATE USER
BECOME USER
ALTER USER
DROP USER
CREATE ROLLBACK SEGMENT
ALTER ROLLBACK SEGMENT
DROP ROLLBACK SEGMENT
CREATE TABLE
CREATE ANY TABLE
ALTER ANY TABLE
BACKUP ANY TABLE
DROP ANY TABLE
LOCK ANY TABLE
COMMENT ANY TABLE
SELECT ANY TABLE
INSERT ANY TABLE
UPDATE ANY TABLE
DELETE ANY TABLE
CREATE CLUSTER
CREATE ANY CLUSTER
ALTER ANY CLUSTER
DROP ANY CLUSTER
CREATE ANY INDEX
ALTER ANY INDEX
DROP ANY INDEX
CREATE SYNONYM
CREATE ANY SYNONYM
DROP ANY SYNONYM
CREATE PUBLIC SYNONYM
DROP PUBLIC SYNONYM
CREATE VIEW
CREATE ANY VIEW
DROP ANY VIEW
CREATE SEQUENCE
CREATE ANY SEQUENCE
ALTER ANY SEQUENCE
DROP ANY SEQUENCE

PRIVILEGE
----------------------------------------
SELECT ANY SEQUENCE
CREATE DATABASE LINK
CREATE PUBLIC DATABASE LINK
DROP PUBLIC DATABASE LINK
CREATE ROLE
DROP ANY ROLE
GRANT ANY ROLE
ALTER ANY ROLE
AUDIT ANY
ALTER DATABASE
FORCE TRANSACTION
FORCE ANY TRANSACTION
CREATE PROCEDURE
CREATE ANY PROCEDURE
ALTER ANY PROCEDURE
DROP ANY PROCEDURE
EXECUTE ANY PROCEDURE
CREATE TRIGGER
CREATE ANY TRIGGER
ALTER ANY TRIGGER
DROP ANY TRIGGER
CREATE PROFILE
ALTER PROFILE
DROP PROFILE
ALTER RESOURCE COST
ANALYZE ANY
GRANT ANY PRIVILEGE
CREATE MATERIALIZED VIEW
CREATE ANY MATERIALIZED VIEW
ALTER ANY MATERIALIZED VIEW
DROP ANY MATERIALIZED VIEW
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
CREATE TYPE
CREATE ANY TYPE
ALTER ANY TYPE
DROP ANY TYPE
EXECUTE ANY TYPE
UNDER ANY TYPE
CREATE LIBRARY
CREATE ANY LIBRARY
ALTER ANY LIBRARY
DROP ANY LIBRARY
EXECUTE ANY LIBRARY
CREATE OPERATOR
CREATE ANY OPERATOR
ALTER ANY OPERATOR

PRIVILEGE
----------------------------------------
DROP ANY OPERATOR
EXECUTE ANY OPERATOR
CREATE INDEXTYPE
CREATE ANY INDEXTYPE
ALTER ANY INDEXTYPE
DROP ANY INDEXTYPE
UNDER ANY VIEW
QUERY REWRITE
GLOBAL QUERY REWRITE
EXECUTE ANY INDEXTYPE
UNDER ANY TABLE
CREATE DIMENSION
CREATE ANY DIMENSION
ALTER ANY DIMENSION
DROP ANY DIMENSION
MANAGE ANY QUEUE
ENQUEUE ANY QUEUE
DEQUEUE ANY QUEUE
CREATE ANY CONTEXT
DROP ANY CONTEXT
CREATE ANY OUTLINE
ALTER ANY OUTLINE
DROP ANY OUTLINE
ADMINISTER RESOURCE MANAGER
ADMINISTER DATABASE TRIGGER
MERGE ANY VIEW
ON COMMIT REFRESH
RESUMABLE
SELECT ANY DICTIONARY
DEBUG CONNECT SESSION
DEBUG ANY PROCEDURE
FLASHBACK ANY TABLE
GRANT ANY OBJECT PRIVILEGE
CREATE EVALUATION CONTEXT
CREATE ANY EVALUATION CONTEXT
ALTER ANY EVALUATION CONTEXT
DROP ANY EVALUATION CONTEXT
EXECUTE ANY EVALUATION CONTEXT
CREATE RULE SET
CREATE ANY RULE SET
ALTER ANY RULE SET
DROP ANY RULE SET
EXECUTE ANY RULE SET
EXPORT FULL DATABASE
IMPORT FULL DATABASE
CREATE RULE
CREATE ANY RULE

PRIVILEGE
----------------------------------------
ALTER ANY RULE
DROP ANY RULE
EXECUTE ANY RULE
ANALYZE ANY DICTIONARY
ADVISOR
CREATE JOB
CREATE ANY JOB
EXECUTE ANY PROGRAM
EXECUTE ANY CLASS
MANAGE SCHEDULER
SELECT ANY TRANSACTION
DROP ANY SQL PROFILE
ALTER ANY SQL PROFILE
ADMINISTER SQL TUNING SET
ADMINISTER ANY SQL TUNING SET
CREATE ANY SQL PROFILE
MANAGE FILE GROUP
MANAGE ANY FILE GROUP
READ ANY FILE GROUP
CHANGE NOTIFICATION
CREATE EXTERNAL JOB
CREATE ANY EDITION
DROP ANY EDITION
ALTER ANY EDITION
CREATE ASSEMBLY
CREATE ANY ASSEMBLY
ALTER ANY ASSEMBLY
DROP ANY ASSEMBLY
EXECUTE ANY ASSEMBLY
EXECUTE ASSEMBLY
CREATE MINING MODEL
CREATE ANY MINING MODEL
DROP ANY MINING MODEL
SELECT ANY MINING MODEL
ALTER ANY MINING MODEL
COMMENT ANY MINING MODEL
CREATE CUBE DIMENSION
ALTER ANY CUBE DIMENSION
CREATE ANY CUBE DIMENSION
DELETE ANY CUBE DIMENSION
DROP ANY CUBE DIMENSION
INSERT ANY CUBE DIMENSION
SELECT ANY CUBE DIMENSION
CREATE CUBE
ALTER ANY CUBE
CREATE ANY CUBE
DROP ANY CUBE

PRIVILEGE
----------------------------------------
SELECT ANY CUBE
UPDATE ANY CUBE
CREATE MEASURE FOLDER
CREATE ANY MEASURE FOLDER
DELETE ANY MEASURE FOLDER
DROP ANY MEASURE FOLDER
INSERT ANY MEASURE FOLDER
CREATE CUBE BUILD PROCESS
CREATE ANY CUBE BUILD PROCESS
DROP ANY CUBE BUILD PROCESS
UPDATE ANY CUBE BUILD PROCESS
UPDATE ANY CUBE DIMENSION
ADMINISTER SQL MANAGEMENT OBJECT
FLASHBACK ARCHIVE ADMINISTER

202 rows selected.

Frightening: after granting the DBA role, the session's privileges jumped from 10 to 202. This is exactly why granting the DBA role is discouraged: for the database, an ordinary application user holding this much privilege is a serious security risk.

Summary:

  • 1. When a privilege is granted, it takes effect immediately, whether or not the session was connected before the grant; when a role is granted, it takes effect in newly connected sessions, and an already connected session that cannot reconnect needs set role all before the role becomes effective.
  • 2. For database application users, control roles/privileges as strictly as possible.
    In general, the connect and resource roles already satisfy most application development needs; any special requirement should be granted individually, and granting the DBA role with its N-many privileges is strongly discouraged.
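As an added example (not part of the original post), the following SQL*Plus script audits the two things the experiment exposes: it expands a user's roles recursively through DBA_ROLE_PRIVS so that privileges inherited through nested roles (the 202 that arrive with DBA) are listed next to direct grants, and it lists roles granted to the current user that this session has not enabled (the state the post hits after GRANT DBA but before SET ROLE ALL or a reconnect). JINGYU2 is the account from the experiment; the first two queries assume a SYS or DBA session, the third runs as the application user itself.

```sql
-- Added example, not from the original post. Oracle 11.2+ (recursive WITH).
-- Queries 1 and 2 read DBA_* views, so run them as SYS or another DBA;
-- query 3 reads USER_*/SESSION_* views, so run it as the application user.
DEFINE app_user = 'JINGYU2'

-- 1. Which accounts hold DBA, directly or through another role?
--    Anything other than SYS/SYSTEM here deserves a second look.
WITH dba_holders (grantee) AS (
  SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'
  UNION ALL
  SELECT r.grantee
    FROM dba_role_privs r JOIN dba_holders h ON r.granted_role = h.grantee
)
SELECT DISTINCT h.grantee
  FROM dba_holders h
  JOIN dba_users u ON u.username = h.grantee   -- keep users, drop roles
 WHERE h.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1;

-- 2. Every system privilege the user can end up with, tagged by where it
--    comes from: granted directly, or inherited through a (possibly nested) role.
WITH role_tree (role, path) AS (
  SELECT granted_role, granted_role
    FROM dba_role_privs WHERE grantee = '&app_user'
  UNION ALL
  SELECT r.granted_role, t.path || ' -> ' || r.granted_role
    FROM dba_role_privs r JOIN role_tree t ON r.grantee = t.role
)
SELECT p.privilege, 'DIRECT' AS via
  FROM dba_sys_privs p WHERE p.grantee = '&app_user'
UNION
SELECT p.privilege, t.path
  FROM dba_sys_privs p JOIN role_tree t ON p.grantee = t.role
 ORDER BY 1, 2;

-- 3. Run as the application user: roles granted to me that this session
--    has not enabled. Non-empty output means a reconnect or SET ROLE ALL
--    is still pending, which is exactly the state seen after GRANT DBA.
SELECT granted_role AS inactive_role FROM user_role_privs
MINUS
SELECT role FROM session_roles;
```

Oracle forbids circular role grants, so the recursive queries always terminate; query 2 is the way to see in advance how many privileges a single role grant really carries before handing it to an application account.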

