第 8 章 安全管理. 内容提要. 本章从数据库用户管理、权限管理及资源限制管理几个方面介绍 Oracle 数据库的安全性策略。. 数据库的 安全性 是 指保护数据库以防止不合法的使用所造成的数据泄露、更改或破坏 。 Oracle 作为一种大型的数据库系统,其安全问题更为突出。为此, Oracle 数据库一面要检查用户的合法性,只有合法的用户才能登录到数据库系统;另一方面数据库系统的各个用户有着不同的管理和操作权限,登录后只能在自己所拥有权限范围内执行相应的操作。. 8.1 用户管理. 用户是定义在数据库中的一个名称,它是 Oracle 数据库的基本访问控制机制。当用户 - PowerPoint PPT Presentation
8
Oracle
OracleOracle
8.1 Oracle OracleCONNECT scotttiger Oracle syssystem scott
[.] userluser2tuserltuserluser2tuser2userlttuserltuser2tuser2t
CREATE USERCREATE USER
jwcuser SQL>CREATE USER jwcuser IDENTIFIED BY welcomel35 DEFAULT TABLESPACE edu TEMPORARY TABLESPACE temp QUOTA 10M ON edu QUOTA 2M ON users PASSWORD EXPIRE jwcuserwelcomel35edutemp QUOTA()edu10MBusers2MBPASSWORD EXPIRE
rscuser SQL>CREATE USER rscuser IDENTIFIED EXTERNALLY DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users rscuseruserstemp
testuser() SQL>CREATE USER testuser IDENTIFIED BY 123456 ACCOUNT LOCK SYSTEM
8.1.2 (SYSDBASYSOPER) Oracle9isysREMOTE_LOGIN_PASSWORDFILE EXCLUSIVESYSDBASYSOPER Oracle9isysAS SYSDBA AS SYSOPERsys81
SYSDBASYSOPERSYSDBASYSOPER
8-1 SYSDBASYSOPER
8.1.3 1 ALTER USERDBAALTER USER SQL>ALTER USER testuser IDENTIFIED BY ertghj DBA
2 INSERTUPDATE(ORA-01536: space quota exceeded for tablespace edu)SELECTDELETE
DBA SQL>ALTER USER jwcuser QUOTA 15M ON edu SQL>ALTER USER jwcuser QUOTA 0 ON users jwcuseruserst
3 SQL>ALTER USER testuser ACCOUNT LOCK testuserSQL>ALTER USER testuser ACCOUNT UNLOCK Oracle
SQL>DROP USER testuser testuserCASCADE ORA-01922: CASCADE must be specified to drop TESTUSER SQL>DROP USER testuser CASCADE dba_users, dba_ts_quotas, user_users, user_ts_quotas
jwcuser SQL>SELECT default_tablespace, temporary_tablespace, account_status FROM dba_users WHERE username='JWCUSER' jwcuser SQL
>SELECT tablespace_name, blocks, max_blocks FROM user_ts_quotas SYSTEM 224 0 USERS 344 O TT 40 1
maxblocks1v$pwfile_users
8.2 SQL
8.2.1 Oracle1 (CREATE TABLESPACE) (CREATE ANY TABLE)
82
2.83Oracle
Oracle
UPDATEINSERTSELECT
8.2.2 GRANTGRANT
1 CREATE SESSION jwcuser
SQL>GRANT CREATE SESSION TO jwcuser CREATE SESSIONCREATE TABLEtestuser SQL>GRANT CREATE SESSION, CREATE TABLE TO testuser CREATE SESSION SQL>GRANT CREATE SESSION TO PUBLIC
PUBLICOraclePUBLICPUBLICPUBLICUSER_ALL
DBA WITH ADMIN OPTION 83DBACREATE SESSIONCREATE VIEWgly_hebei2glysjzgly_bd" 83
2WITH GRANT OPTION jwcuserstudtestuser SQL>GRANT SELECT ON stud TO testuser jwcuserstudtestuser SQL>GRANT INSERT, ALTER ON stud TO testuser
jwcuser course user1 user2 SQL>GRANT ALL ON course TO user1, user2 temp c011 c012 user1 SQL>GRANT UPDATE(c011, c012), INSERT(c011, c012) ON temp TO user1
DBMS_OUTPUT user1 user1 SQL>CONN AS SYSDBA SQL>GRANT EXECUTE ON DBMS_OUTPUT TO user1 WITH GRANT OPTION WITH GRANT OPTION
8.2.3 REVOKEGRANT
1 CREATE TABLEtestuserSQL>REVOKE CREATE TABLE FROM testuser CREATEJEwgly_hebei SQL>REVOKE CREATE VIEW FROM gly_hebei 83systemgly_hebeiCREATE VIEWWITH ADMIN OPTIONgly_hebeiCREATE VIEWglysjzgly_hebeiCREATE VIEWglysjzCREATE VIEW84
2REVOKEjwcusertestuserstud SQL>REVOKE ALTER ON stud FROM testuser DBAtestUPDATEgly_hebeiWITH GRANT OPTIONglyhebeiglysjz85(a)DBAtestUPDATEgly_hebeiglysjztest UPDATE
8.2.4 1. DBA dba_sys_privs WITH ADMIN OPTION SQL>SELECT * FROM dba_sys_privs WHERE grantee='TESTUSER'
testuser GRANTEE PRIVILEGE ADMIN_OPTION YES NO user_sys_privs
2 dba_tab_privs user_tab_privs DBA testuser SQL>SELECT table_name, privilege, owner, grantor, grantable FROM dba_tab_privs WHERE grantee='TESTUSER'
UPDATESELECT8-6dba_col_privstestuserUPDATEstudSIlOsnameuser_col_privs
8.3 (1)
(2) (3)
1 CREATE ROLE fdy SQL>CREATE ROLE fdy fdystud SQL>GRANT CREATE SESSION, CREATE VIEW TO FDY SQL>GRANT SELECT ON stud TO fdy fdy
SQL>REVOKE CREATE VIEW FROM fdy bzr SQL>CREATE ROLE bzr IDENTIFIED BY teachers 2 SQL>GRANT fdy TO testuser SQL>GRANT fdy TO jwcuser REVOKE SQL>REVOKE fdy FROM testuser
3 (1)ALTER USER
fdybzrtestuser SQL>ALTER USER testuser DEFAULT ROLE fdy, bzr fdytestuser SQL>ALTER USER testuser DEFAULT ROLE ALL EXCEPT fdy testuser SQL>ALTER USER testuser DEFAULT ROLE none
(2)SET ROLE fdy SQL>SET ROLE fdy bzr SQL>SET ROLE bzr IDENTIFIED BY teachers j fdy SQL>SET ROLE ALL EXCEPT fdy SQL>SET ROLE NONE
4 DROP ROLE Oracle fdy DROP ROLE SQL>DROP ROLE fdy
8.3.2Oracle (1)CONNECT RESOURCE DBA Oracle (2)EXP_FULL_DATABASE IMP_FULL_DATABASE (3)DELETE_CATALOG_ROLE DELETE (4)EXECUTE_CATALOG_ROLE EXECUTE (5)SELECT_CATALOG_ROLE SELECT
dba_roles password_required SQL>SELECT role, password_required FROM dba_roles
jwcuser SQL>SELECT grantee, granted_role FROM dba_role_privs WHERE grantee='JWCUSER' fdy SQL>SELECT * FROM role_sys_privs WHERE role='FDY' ;SQL>SELECT * FROM role_tab_privs WHERE role='FDY' session_roles SQL>SELECT * FROM session_roles
8.4 PROFILE PROFILEPROFILEPROFILE
(1)SQL (2) (3) (4) DEFAULTUNLIMITEDPROFILEOracleDEFAULT DBAPROFILEPROFILE
8.4.2 PROFILEPROFILE 7DEFAULT CPUPROFILE(SQL)
PROFILE RESOURCE_LIMIT TRUE jwcuser33 7103005jwcuser60min5min
PROFILE SQL>CREATE PROFILE profile_jwcuser LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 7 PASSWORD_LIFE_TIME 10 PASSWORD_REUSE_TIME 300 SESSIONS_PER_USER 5 CONNECT_TIME 60 IDLE_TIME 5
SQL>ALTER SYSTEM SET RESOURCE_LIMIT=true profile_jwcuser jwcuser PROFILE PROFILE ALTER USER SQL>ALTER USER jwcuser PROFILE profile_jwcuser
8.4.3 PROFILE ALTER PROFILEALTER PROFILEPROFILE SQL>ALTER PROFILE profile_jwcuser LIMIT SESSIONS_PER_USER 3 FAILED_LOGIN_ATTEMPTS 5
PROFILEDROP PROFILEPROFILEPROFILECASCADE profile_jwcuserPROFILEjwcuser SQL>DROP PROFILE profile_jwcuser CASCADE ; PROFILEDEFAULT PROFILE
8.4.4 PROFILE1PROFILEdba_usersPROFILESQL>SELECT profile FROM dba_users WHERE username='JWCUSER'
2PROFILE PROFILEOraclePROFILEprofilesPROFILE
SQL>SELECT resource_name, limit FROM dba_profiles WHERE profile='PROFILE_JWCUSER' AND resource_type='KERNEL' dba_profiles4(1)profilePROFILE(2)resource_name PROFILE(3)resource_type PASSWORD KERNEL(4)limitPROFILE
OraclePROFILE
1PROFILE( ) ACPU B C D2PROFILE( ) AOracle B CDEFAULT DOracle3( ) Adba_profiles Bdba_users Cdba_passwords Dv$session
4?( ) ASYSDBA BSYSOPER CDBA DCONNECT5?( ) ASELECT BUPDATE CDELETE DINSERT6QUOTA() A B0 C10MB D100MB