oracle 11g 角色口令

zhouxianwang發表於2014-10-23
原文網址 : http://blog.itpub.net/27036311/viewspace-1307902/
Oracle
oracle 11g 角色口令

oracle 11g 中測試 擁有口令的角色


SYS@ sms> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production


1. 建立角色 role_01無密碼 role_02 有密碼


     SYS@ sms> create role role_01;
     
     Role created.
     
     
     SYS@ sms> create role role_02 identified by oracle;
     
     Role created.
     
     
     SYS@ sms> grant connect,create table to role_01;
     
     Grant succeeded.
     
     SYS@ sms> grant connect ,create view to role_02;
     
     SYS@ sms>  create user zhou identified by zhou1234   quota unlimited on users;
     
     User created.
     
     SYS@ sms> grant role_01,role_02 to zhou;
     
     Grant succeeded.
     
     
     SYS@ sms> grant role_01,role_02 to zhou;
     
     Grant succeeded.
     
     SYS@ sms> conn zhou/zhou1234
     Connected.
     ZHOU@ sms> create table t(id number);
     
     Table created.
     
     ZHOU@ sms> insert into t values(1);
     
     1 row created.
     
     ZHOU@ sms> commit;
     
     Commit complete.
     

2. 此時就出現問題了,role_02 明明有 create view 而且賦予給了 zhou 這裡就沒有呢?
   
   ZHOU@ sms> create view view_1 as select * from t;
   create view view_1 as select * from t
               *
   ERROR at line 1:
   ORA-01031: insufficient privileges
   

3. 檢視 tyger_ro2 的default_role 為NO 難道 role_02 角色失效???
   ZHOU@ sms> col USERNAME for a20
   ZHOU@ sms> col GRANTED_ROLE for a20
   
   ZHOU@ sms> select USERNAME,GRANTED_ROLE,DEFAULT_ROLE from user_role_privs;
   
   USERNAME             GRANTED_ROLE         DEF
   -------------------- -------------------- ---
   ZHOU                 ROLE_01              YES
   ZHOU                 ROLE_02              NO
   
   
4. 再檢視當前會話的許可權,果然沒有 create view 許可權
    
    ZHOU@ sms> select * from session_privs;
    
    PRIVILEGE
    ----------------------------------------
    CREATE SESSION
    CREATE TABLE

5. 設定 tyger_ro2 許可權生效

    
    ZHOU@ sms> set role role_02 identified by oracle;
    
    Role set.

6. 當前使用者具有的許可權不變

      ZHOU@ sms> select USERNAME,GRANTED_ROLE,DEFAULT_ROLE from user_role_privs;
      
      USERNAME             GRANTED_ROLE         DEF
      -------------------- -------------------- ---
      ZHOU                 ROLE_01              YES
      ZHOU                 ROLE_02              NO
      

7.當前會話用了 create view 許可權 卻沒有了create table 許可權
     
     ZHOU@ sms> select * from session_privs;
     
     PRIVILEGE
     ----------------------------------------
     CREATE SESSION
     CREATE VIEW
     
     ZHOU@ sms> create view view_1 as select * from t;
     
     View created.
     
     
     ZHOU@ sms> select * from tab;
     
     TNAME                          TABTYPE  CLUSTERID
     ------------------------------ ------- ----------
     T                              TABLE
     VIEW_1                         VIEW
     
     
8. 重新登入會話,許可權恢復原樣

       ZHOU@ sms> conn zhou/zhou1234
       Connected.
       ZHOU@ sms>  select * from session_privs;
       
       PRIVILEGE
       ----------------------------------------
       CREATE SESSION
       CREATE TABLE
       

總結:

在oracle 11g 中,帶有口令的角色賦予使用者,預設情況下是失效的,當 set role 生效後,其他角色所具有的許可權失效, 只在當前會話有效


reference :

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/27036311/viewspace-1307902/,如需轉載,請註明出處,否則將追究法律責任。

相關文章