Today a customer and friend asked me about controlling EXP (export) privileges for an Oracle database user, and whether there was a way to solve it.
The problem is this: they currently have staff from an outside development company working on their core system. Given the sensitivity of the system's data, they created a database user test for them. The test user should be able to run exp exports, but only of a few specified tables, not every table.
The test scenario is as follows:
Assume MEMA is the business user, owning four tables (t1, t2, t3, t4), and TEST is the user given to the outside developers.
Requirement: test can run exp table exports, but test may only export table t1; test has no privilege to export table t3.
The test steps are as follows:
1. Create the test user
SYS@EMREP> create user test identified by oracle;
2. Grant the test user the create session privilege (the most basic privilege)
SYS@EMREP> grant create session to test;
3. Try, as the test user, to export the mema user's t1 table
[oracle@even ~]$ exp test/oracle file=/u01/b.dmp tables=mema.t1,mema.t3
Export: Release 10.2.0.2.0 - Production on Mon Aug 25 07:58:18 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
About to export specified tables via Conventional Path ...
EXP-00009: no privilege to export MEMA's table T1
EXP-00009: no privilege to export MEMA's table T3
Export terminated successfully with warnings.
No privilege to perform the EXP operation. This is because the test user needs to be granted exp_full_database before it can export the mema user's tables:
SYS@EMREP> grant exp_full_database to test;
Now the tables under the mema user export successfully:
[oracle@even ~]$ exp test/oracle file=w.dmp tables=mema.t1,mema.t3
Export: Release 10.2.0.2.0 - Production on Tue Aug 26 00:57:02 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
About to export specified tables via Conventional Path ...
Current user changed to MEMA
. . exporting table T1 5 rows exported
. . exporting table T3 7 rows exported
Export terminated successfully without warnings.
After exp_full_database is granted, the test user can export every table under the mema user, but we want to restrict test to exporting only specific tables; in other words, exp_full_database is a bit too broad.
Check which privileges exp_full_database has:
SYS@EMREP>select * from dba_sys_privs where grantee='EXP_FULL_DATABASE';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
EXP_FULL_DATABASE READ ANY FILE GROUP NO
EXP_FULL_DATABASE RESUMABLE NO
EXP_FULL_DATABASE EXECUTE ANY PROCEDURE NO
EXP_FULL_DATABASE EXECUTE ANY TYPE NO
EXP_FULL_DATABASE SELECT ANY TABLE NO
EXP_FULL_DATABASE ADMINISTER RESOURCE MANAGER NO
EXP_FULL_DATABASE BACKUP ANY TABLE NO
EXP_FULL_DATABASE SELECT ANY SEQUENCE NO
8 rows selected.
The EXP_FULL_DATABASE role contains the 8 privileges above. Note SELECT ANY TABLE: it is precisely because the role includes this privilege that the test user can exp any table of the mema user. So I first tried revoking SELECT ANY TABLE from EXP_FULL_DATABASE:
SYS@EMREP>revoke SELECT ANY TABLE from exp_full_database;
Revoke succeeded.
Next let's look at the test user's exp export again:
[oracle@even ~]$ exp test/oracle file=1.dmp tables=mema.t1,mema.t3
Export: Release 10.2.0.2.0 - Production on Tue Aug 26 01:28:41 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
About to export specified tables via Conventional Path ...
Current user changed to MEMA
. . exporting table T1
EXP-00056: ORACLE error 942 encountered
ORA-00942: table or view does not exist
. . exporting table T3
EXP-00056: ORACLE error 942 encountered
ORA-00942: table or view does not exist
Export terminated successfully with warnings.
After SELECT ANY TABLE is revoked from exp_full_database, the test user can no longer export the tables under mema. This further confirms my guess.
Per the requirement, test must be able to export mema.t1 but not mema.t3, so I then granted the corresponding select privilege on mema.t1.
SYS@EMREP>grant select on mema.t1 to test;
Grant succeeded.
Continue testing the exp operation:
[oracle@even ~]$ exp test/oracle file=1.dmp tables=mema.t1,mema.t3
Export: Release 10.2.0.2.0 - Production on Tue Aug 26 01:29:08 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Export done in US7ASCII character set and AL16UTF16 NCHAR character set
About to export specified tables via Conventional Path ...
Current user changed to MEMA
. . exporting table T1 5 rows exported
. . exporting table T3
EXP-00056: ORACLE error 942 encountered
ORA-00942: table or view does not exist
Export terminated successfully with warnings.
We can see that after mema.t1 is granted select separately, it exports successfully, while mema.t3, which was not granted select, cannot be exported.
Summary: after the series of tests above, the method described meets the customer's final requirement.
One thing must be pointed out: EXP_FULL_DATABASE is a role that ships with the system. Since this was a test, I revoked select any table directly from it; in a real production system we do not recommend running revoke directly on that role. In a real database system we can create a new role and grant it the privileges contained in exp_full_database (excluding select any table).
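The production-safe variant described above, written out as an added example (this is not a script from the original post). It assumes a SYSDBA session, a hypothetical role name EXP_LIMITED, the MEMA schema and TEST user from the tests above, and that TEST still holds EXP_FULL_DATABASE from the earlier grant. Rather than hard-coding the 8 rows shown on the page, it copies the privilege list from the data dictionary so the built-in role is never modified:

```sql
-- Added example, not from the original post. Assumptions: SYSDBA session,
-- hypothetical role EXP_LIMITED, schema MEMA with T1..T4, user TEST exists
-- with CREATE SESSION and currently holds EXP_FULL_DATABASE.

-- 1. A fresh role; the built-in EXP_FULL_DATABASE is left untouched.
CREATE ROLE exp_limited;

-- 2. Copy every system privilege of EXP_FULL_DATABASE except SELECT ANY TABLE,
--    plus any roles it carries, onto the new role. Reading DBA_SYS_PRIVS /
--    DBA_ROLE_PRIVS keeps the list correct on releases with a different set.
BEGIN
  FOR p IN (SELECT privilege
              FROM dba_sys_privs
             WHERE grantee = 'EXP_FULL_DATABASE'
               AND privilege <> 'SELECT ANY TABLE')
  LOOP
    EXECUTE IMMEDIATE 'GRANT ' || p.privilege || ' TO exp_limited';
  END LOOP;

  FOR r IN (SELECT granted_role
              FROM dba_role_privs
             WHERE grantee = 'EXP_FULL_DATABASE')
  LOOP
    EXECUTE IMMEDIATE 'GRANT ' || r.granted_role || ' TO exp_limited';
  END LOOP;
END;
/

-- 3. Object-level SELECT only on the tables the developer may export.
--    Nothing is granted on MEMA.T3, so exp keeps failing on it with ORA-00942.
GRANT SELECT ON mema.t1 TO test;

-- 4. Swap the broad role for the restricted one on the developer account.
GRANT exp_limited TO test;
REVOKE exp_full_database FROM test;   -- only valid if it was granted earlier

-- 5. Verify: the new role must not carry SELECT ANY TABLE ...
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'EXP_LIMITED'
 ORDER BY privilege;

-- ... and TEST must hold object privileges on exactly the allowed tables.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'TEST'
   AND owner   = 'MEMA';
```

After this, repeat the exp run from the tests above as the final check. The documented cause of EXP-00009 refers to the EXP_FULL_DATABASE role by name, so confirm on your own release that the old exp utility accepts a substitute role for exporting another schema's tables before relying on it; the two dictionary queries only prove what the role and user hold, not what exp will do with them.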
Aside: many customers today have outside development companies doing system development for them and frequently need to load production data into test environments for developers to access or test against, yet some data in the system is sensitive and the customer does not want to hand the real data over for testing. Oracle has a product called Data Masking; deploying it and configuring the relevant rules transforms real data into non-real data according to those rules, so real data is not leaked while developers can still test. Those interested can look into it.