Oracle赋权的回收权限是使用grant和revoke语句,但是赋权和回收权限语句执行完成后就会立即生效么?另外Oracle的权限又分为系统权限、角色权限和对象权限,这三种权限的grant和revoke生效时间又是怎样的呢。我们来看官方文档是如何说的:
Depending on what is granted or revoked,a grant or revoke takes effect at different times:
All grants and revokes of system and object privileges to anything (users,roles,and
PUBLIC) take immediate effect.All grants and revokes of roles to anything (users,other roles,
PUBLIC) take effect only when a current user session issues aSET ROLEstatement to reenable the role after the grant and revoke,or when a new user session is created after the grant or revoke.
You can see which roles are currently enabled by examining theSESSION_ROLESdata dictionary view.
从上面的描述中我们可以知道,grant和revoke系统权限和对象权限时会立即生效,而grant或revoke角色时对当前会话不会立即生效,除非使用set role语句启用角色或重新连接会话后设置才会生效。
下面以11.2.0.4为例做一个测试,是否与官方文档描述的一致。
sys@ORCL>createuserzhaoxuidentifiedbyzhaoxu; Usercreated. sys@ORCL>grantconnecttozhaoxu; Grantsucceeded. sys@ORCL>select*fromdba_role_privswheregrantee='ZHAOXU'; GRANTEE GRANTED_ROLE ADMIN_OPTDEFAULT_R ------------------------------------------------------------------------------ ZHAOXU CONNECT NO YES sys@ORCL>select*fromdba_sys_privswheregrantee='ZHAOXU'; norowsselected sys@ORCL>select*fromdba_tab_privswheregrantee='ZHAOXU'; norowsselected sys@ORCL>connzhaoxu/zhaoxu Connected. zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------ CONNECT zhaoxu@ORCL>select*fromsession_privs; PRIVILEGE ------------------------------------------------------------ CREATESESSION zhaoxu@ORCL>createtablet(idnumber)segmentcreationimmediate; createtablet(idnumber) * ERRORatline1: ORA-01031:insufficientprivileges
现在的zhaoxu用户只有CONNECT角色,只能连接到数据库,其他基本什么都做不了。
二、测试系统权限和对象权限的grant和revoke
现在打开另一个会话赋予system privilege给zhaoxu用户
--session2 sys@ORCL>grantcreatetable,unlimitedtablespacetozhaoxu; Grantsucceeded. --session1 zhaoxu@ORCL>select*fromsession_privs; PRIVILEGE ------------------------------------------------------------------------------------------------------------------------ CREATESESSION UNLIMITEDTABLESPACE CREATETABLE zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT zhaoxu@ORCL>createtablet(idnumber)segmentcreationimmediate; Tablecreated. --使用segmentcreationimmediate是因为要避免11g的新特性段延迟创建造成影响
在赋予zhaoxu用户create table和unlimited tablespace系统权限全会话1没有做任何操作,权限就会立即生效。
再测试revoke权限的情况
--session2 sys@ORCL>revokeunlimitedtablespacefromzhaoxu; Revokesucceeded. --session1 zhaoxu@ORCL>createtablet1(idnumber)segmentcreationimmediate; createtablet1(idnumber)segmentcreationimmediate * ERRORatline1: ORA-01950:noprivilegesontablespace'USERS' zhaoxu@ORCL>select*fromsession_privs; PRIVILEGE ------------------------------------------------------------------------------------------------------------------------ CREATESESSION CREATETABLE
同样可以看到回收操作可以立即生效,现有session无需做任何操作。
测试对象权限的grant和revoke
--grant测试 --session1 zhaoxu@ORCL>selectcount(*)fromzx.t; selectcount(*)fromzx.t * ERRORatline1: ORA-00942:tableorviewdoesnotexist --session2 sys@ORCL>grantselectonzx.ttozhaoxu; Grantsucceeded. sys@ORCL>select*fromdba_tab_privswheregrantee='ZHAOXU'; GRANTEE OWNER TABLE_NAMEGRANTORPRIVILEGEGRANTABLEHIERARCHY ------------------------------------------------------------------------------------------------------------ ZHAOXU ZX T ZX SELECTNO NO --session1 zhaoxu@ORCL>selectcount(*)fromzx.t; COUNT(*) ---------- 99999 zhaoxu@ORCL>select*fromsession_privs; PRIVILEGE ------------------------------------------------------------------------------------------------------------------------ CREATESESSION CREATETABLE --revoke测试 --session2 sys@ORCL>revokeselectonzx.tfromzhaoxu; Revokesucceeded. sys@ORCL>select*fromdba_tab_privswheregrantee='ZHAOXU'; norowsselected --session1 zhaoxu@ORCL>selectcount(*)fromzx.t; selectcount(*)fromzx.t * ERRORatline1: ORA-00942:tableorviewdoesnotexist
对对象权限的grant和revoke操作与系统权限的一致,所有的命令都是立即生效,包括对已经连接的会话。
三、测试角色的grant和revoke
现在的zhaoxu用户仍然只有connect角色,并且已经打开一个会话
--session2 sys@ORCL>select*fromdba_role_privswheregrantee='ZHAOXU'; GRANTEE GRANTED_ROLE ADMIN_OPTDEFAULT_R ------------------------------------------------------------------------------ ZHAOXU CONNECT NO YES --session1 zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------ CONNECT
测试grant DBA权限
--session1查看会话中的角色 zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT --session2赋予zhaoxu用户dba角色 sys@ORCL>grantdbatozhaoxu; Grantsucceeded. sys@ORCL>select*fromdba_role_privswheregrantee='ZHAOXU'; GRANTEE GRANTED_ROLE ADMIN_OPTDEFAULT_R ------------------------------------------------------------------------------ ZHAOXU DBA NO YES ZHAOXU CONNECT NO YES --session1再次查看会话中的角色,没有dba角色,也没有查看v$session的权限 zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT zhaoxu@ORCL>selectcount(*)fromv$session; selectcount(*)fromv$session * ERRORatline1: ORA-00942:tableorviewdoesnotexist --session1执行setrole命令,可以看到DBA及相关的角色已经加载到session1中了,也可以查询v$session zhaoxu@ORCL>setroledba; Roleset. zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ DBA SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE ...... 19rowsselected. zhaoxu@ORCL>selectcount(*)fromv$session; COUNT(*) ---------- 29 --使用zhaoxu用户打开session3,可以看到新会话中默认会加载DBA及相关角色 [oracle@rhel6~]$sqlpluszhaoxu/zhaoxu sql*Plus:Release11.2.0.4.0ProductiononSatJan2116:22:012017 copyright(c)1982,2013,Oracle.Allrightsreserved. Connectedto: OracleDatabase11gEnterpriseEditionRelease11.2.0.4.0-64bitProduction WiththePartitioning,OLAP,DataMiningandRealApplicationTestingoptions zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT DBA SELECT_CATALOG_ROLE ...... 20rowsselected.
测试revoke DBA角色
--session2回收DBA角色 sys@ORCL>revokedbafromzhaoxu; Revokesucceeded. sys@ORCL>select*fromdba_role_privswheregrantee='ZHAOXU'; GRANTEE GRANTED_ROLE ADMIN_OPTDEFAULT_R ------------------------------------------------------------------------------ ZHAOXU CONNECT NO YES --session3查看会话的角色,仍然有DBA及相关角色 zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT DBA SELECT_CATALOG_ROLE ...... 20rowsselected. --使用zhaoxu用户打开session4,查看只有CONNECT角色 [oracle@rhel6~]$sqlpluszhaoxu/zhaoxu sql*Plus:Release11.2.0.4.0ProductiononSatJan2116:30:192017 copyright(c)1982,DataMiningandRealApplicationTestingoptions zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT --session3执行setrole命令 zhaoxu@ORCL>setroledba; setroledba * ERRORatline1: ORA-01924:role'DBA'notgrantedordoesnotexist zhaoxu@ORCL>setroleall; Roleset. zhaoxu@ORCL>select*fromsession_roles; ROLE ------------------------------------------------------------------------------------------ CONNECT
从上面的测试中可以总结出,grant和revoke系统权限和对象权限时会立即生效,而grant或revoke角色时对当前会话不会立即生效,除非使用set role语句启用角色或重新连接会话后设置才会生效。与官方文档的描述一致。
但是有一个问题是如果查看已经连接的其他会话所拥有的role呢?
官方文档:http://docs.oracle.com/cd/E11882_01/network.112/e36292/authorization.htm#DBSEG99974
system privilege:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#BABEFFEE
object privilege:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#BGBCIIEG
set role:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_10004.htm#SQLRF01704
原文地址:https://www.jb51.cc/oracle/210743.html
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
