共计 8096 个字符,预计需要花费 21 分钟才能阅读完成。
Oracle 赋权的回收权限是使用 grant 和 revoke 语句,但是赋权和回收权限语句执行完成后就会立即生效么?另外 Oracle 的权限又分为系统权限、角色权限和对象权限,这三种权限的 grant 和 revoke 生效时间又是怎样的呢。我们来看官方文档是如何说的:
Depending on what is granted or revoked, a grant or revoke takes effect at different times:
All grants and revokes of system and object privileges to anything (users, roles, and PUBLIC) take immediate effect.
All grants and revokes of roles to anything (users, other roles, PUBLIC) take effect only when a current user session issues a SET ROLE statement to reenable the role after the grant and revoke, or when a new user session is created after the grant or revoke.
You can see which roles are currently enabled by examining the SESSION_ROLES data dictionary view.
从上面的描述中我们可以知道,grant 和 revoke 系统权限和对象权限时会立即生效,而 grant 或 revoke 角色时对当前会话不会立即生效,除非使用 set role 语句启用角色或重新连接会话后设置才会生效。
下面以 11.2.0.4 为例做一个测试,是否与官方文档描述的一致。
一、首先创建一个测试用户,赋予 connect 角色
sys@ORCL>create user linuxidc identified by linuxidc;
User created.
sys@ORCL>grant connect to linuxidc;
Grant succeeded.
sys@ORCL>select * from dba_role_privs where grantee=’linuxidc’;
GRANTEE GRANTED_ROLE ADMIN_OPT DEFAULT_R
—————————— —————————— ——— ———
linuxidc CONNECT NO YES
sys@ORCL>select * from dba_sys_privs where grantee=’linuxidc’;
no rows selected
sys@ORCL>select * from dba_tab_privs where grantee=’linuxidc’;
no rows selected
sys@ORCL>conn linuxidc/zhaoxu
Connected.
linuxidc@ORCL>select * from session_roles;
ROLE
————————————————————
CONNECT
linuxidc@ORCL>select * from session_privs;
PRIVILEGE
————————————————————
CREATE SESSION
linuxidc@ORCL>create table t (id number) segment creation immediate;
create table t (id number)
*
ERROR at line 1:
ORA-01031: insufficient privileges
现在的 linuxidc 用户只有 CONNECT 角色,只能连接到数据库,其他基本什么都做不了。
二、测试系统权限和对象权限的 grant 和 revoke
现在打开另一个会话赋予 system privilege 给 linuxidc 用户
1234567891011121314151617181920212223 –session 2
sys@ORCL>grant create table,unlimited tablespace to linuxidc;
Grant succeeded.
–session 1
linuxidc@ORCL>select * from session_privs;
PRIVILEGE
————————————————————————————————————————
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
linuxidc@ORCL>create table t (id number) segment creation immediate;
Table created.
– 使用 segment creation immediate 是因为要避免 11g 的新特性段延迟创建造成影响
在赋予 linuxidc 用户 create table 和 unlimited tablespace 系统权限全会话 1 没有做任何操作,权限就会立即生效。
再测试 revoke 权限的情况
1234567891011121314151617 –session 2
sys@ORCL>revoke unlimited tablespace from linuxidc;
Revoke succeeded.
–session 1
linuxidc@ORCL>create table t1 (id number) segment creation immediate;
create table t1 (id number) segment creation immediate
*
ERROR at line 1:
ORA-01950: no privileges on tablespace ‘USERS’
linuxidc@ORCL>select * from session_privs;
PRIVILEGE
————————————————————————————————————————
CREATE SESSION
CREATE TABLE
同样可以看到回收操作可以立即生效,现有 session 无需做任何操作。
测试对象权限的 grant 和 revoke
–grant 测试
–session 1
linuxidc@ORCL>select count(*) from zx.t;
select count(*) from zx.t
*
ERROR at line 1:
ORA-00942: table or view does not exist
–session 2
sys@ORCL>grant select on zx.t to linuxidc;
Grant succeeded.
sys@ORCL>select * from dba_tab_privs where grantee=’linuxidc’;
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRANTABLE HIERARCHY
—————————— —————————— ———- ———- ———- ——— ———
linuxidc ZX T ZX SELECT NO NO
–session 1
linuxidc@ORCL>select count(*) from zx.t;
COUNT(*)
———-
99999
linuxidc@ORCL>select * from session_privs;
PRIVILEGE
————————————————————————————————————————
CREATE SESSION
CREATE TABLE
–revoke 测试
–session 2
sys@ORCL>revoke select on zx.t from linuxidc;
Revoke succeeded.
sys@ORCL>select * from dba_tab_privs where grantee=’linuxidc’;
no rows selected
–session 1
linuxidc@ORCL>select count(*) from zx.t;
select count(*) from zx.t
*
ERROR at line 1:
ORA-00942: table or view does not exist
对对象权限的 grant 和 revoke 操作与系统权限的一致,所有的命令都是立即生效,包括对已经连接的会话。
三、测试角色的 grant 和 revoke
现在的 linuxidc 用户仍然只有 connect 角色,并且已经打开一个会话
123456789101112 –session 2
sys@ORCL>select * from dba_role_privs where grantee=’linuxidc’;
GRANTEE GRANTED_ROLE ADMIN_OPT DEFAULT_R
—————————— —————————— ——— ———
linuxidc CONNECT NO YES
–session 1
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————
CONNECT
测试 grant DBA 权限
–session 1 查看会话中的角色
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
–session 2 赋予 linuxidc 用户 dba 角色
sys@ORCL>grant dba to linuxidc;
Grant succeeded.
sys@ORCL>select * from dba_role_privs where grantee=’linuxidc’;
GRANTEE GRANTED_ROLE ADMIN_OPT DEFAULT_R
—————————— —————————— ——— ———
linuxidc DBA NO YES
linuxidc CONNECT NO YES
–session 1 再次查看会话中的角色,没有 dba 角色,也没有查看 v$session 的权限
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
linuxidc@ORCL>select count(*) from v$session;
select count(*) from v$session
*
ERROR at line 1:
ORA-00942: table or view does not exist
–session 1 执行 set role 命令,可以看到 DBA 及相关的角色已经加载到 session1 中了,也可以查询 v$session
linuxidc@ORCL>set role dba;
Role set.
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
……
19 rows selected.
linuxidc@ORCL>select count(*) from v$session;
COUNT(*)
———-
29
– 使用 linuxidc 用户打开 session 3,可以看到新会话中默认会加载 DBA 及相关角色
[oracle@rhel6 ~]$ sqlplus linuxidc/zhaoxu
SQL*Plus: Release 11.2.0.4.0 Production on Sat Jan 21 16:22:01 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
DBA
SELECT_CATALOG_ROLE
……
20 rows selected.
测试 revoke DBA 角色
–session 2 回收 DBA 角色
sys@ORCL>revoke dba from linuxidc;
Revoke succeeded.
sys@ORCL>select * from dba_role_privs where grantee=’linuxidc’;
GRANTEE GRANTED_ROLE ADMIN_OPT DEFAULT_R
—————————— —————————— ——— ———
linuxidc CONNECT NO YES
–session 3 查看会话的角色,仍然有 DBA 及相关角色
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
DBA
SELECT_CATALOG_ROLE
……
20 rows selected.
– 使用 linuxidc 用户打开 session 4,查看只有 CONNECT 角色
[oracle@rhel6 ~]$ sqlplus linuxidc/zhaoxu
SQL*Plus: Release 11.2.0.4.0 Production on Sat Jan 21 16:30:19 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 – 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
–session 3 执行 set role 命令
linuxidc@ORCL>set role dba;
set role dba
*
ERROR at line 1:
ORA-01924: role ‘DBA’ not granted or does not exist
linuxidc@ORCL>set role all;
Role set.
linuxidc@ORCL>select * from session_roles;
ROLE
——————————————————————————————
CONNECT
从上面的测试中可以总结出,grant 和 revoke 系统权限和对象权限时会立即生效,而 grant 或 revoke 角色时对当前会话不会立即生效,除非使用 set role 语句启用角色或重新连接会话后设置才会生效。与官方文档的描述一致。
但是有一个问题是如果查看已经连接的其他会话所拥有的 role 呢?
官方文档:http://docs.oracle.com/cd/E11882_01/network.112/e36292/authorization.htm#DBSEG99974
system privilege:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#BABEFFEE
object privilege:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#BGBCIIEG
set role:http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_10004.htm#SQLRF01704
更多 Oracle 相关信息见 Oracle 专题页面 http://www.linuxidc.com/topicnews.aspx?tid=12
本文永久更新链接地址 :http://www.linuxidc.com/Linux/2017-01/139852.htm
![[限时免费正版] 雷曼:起源 (Rayman Origins) – 评价上佳的经典卡通横版动作游戏](https://www.xgss.net/wp-content/themes/puock-v2.8.1/timthumb.php?w=120&h=80&a=c&zc=1&q=90&src=https://s.xgss.net/sky/2024-04-08/76805d3b19f692b08aab0c54f22d23d2.jpg)
