2007年12月27日星期四

Oracle学习笔记20071226

管理用户
首先需要了解data schemaSchema的对象:tables,triggers,constraints,indexes,views,sequences,stored program units,synonyms,user-defined data types,database links

Schema是多个对象的集,一个用户建立了那么对应的schema也建立了,用户只能操作一个schema,用户名和schema经常被用于交换

一份creating users的确认表建立新的User通过数据库认证(Database Authentication)




SQL>CREATE USER aaron IDENTIFIED BY soccer(PASSWORD)DEFAULT TABLESPACE data TEMPORARY TABLESPACE temp QUOTA 15m ON dataPASSWORD EXPIRE;

建立新的USER通过操作系统认证(Operating System Authentication)




SQL>CREATE USER aaron IDENTIFIED EXTERNALLY(和数据库严重的不同点) DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE temp QUOTA 15m ON data PASSWORD EXPIRE;

修改User的Quota(限额)




SQL>ALTER USER aaron QUOTA 0 ON USERS;

删除USER




SQL>DROP USER aaron;

使用CASCADE删除所有的




SQL>DROP USER aaron CASCADE;


和USERS有关的表DBA_USERS和DBA_TS_QUOTAS

管理权限用户权限分为两种,一种是SYSTEM一种是OBJECT的SYSTEM对特殊DATABASE做一些特殊的动作。
OBJECT对特殊的OBJECT权利
系统特权(system privileges)有超过100个不同的权限,用any可以让权限签名到任何的schema上,grant是用来赋予权限的,revoke是收回权限的
SYSTEM的权限INDEX,TABLE,SESSION,TABLESPACE

GRANT的权限




SQL>GRANT CREATE SESSION TO emi;
SQL>GRANT CREATE SESSION TO emi WITH ADMIN OPTION;

SYSDBA和SYSOPER之间的权利对比
SYSTEM权利的约束O7_DICTIONARY_ACCESSIBILITY 这个参数管理着,如果选项为TRUE则SYS schema可操作,默认是FALSE确保system的权限可操作任何schema除了sys schema

回收权限




SQL>REVOKE CREATE TABLE FROM emi;
赋予对象权利




SQL>GRANT EXECUTE ON dbms_output TO jeff;
SQL>GRANT UPDATE ON emi.customers TO jeff WITH GRANT OPTION;

赋予别人这个权限的同时也能让这个人赋予别人同样的权限
回收对象权利




SQL>REVOKE SELECT ON emi.orders FROM jeff;

和privilege有关系的表DBA_SYS_PRIVS,SESSION_PRIVS,DBA_TAB_PRIVS,DBA_COL_PRIVS

审查(auditing)P330
开始Auditing是一个监视所选用户的动作Statement auditing




SQL>AUDIT TABLE;Privilege auditing;
SQL>AUDIT create any trigger;

Schema object auditing




SQL>AUDIT SELECT ON emi.orders;

和auditing有关的视图
ALL_DEF_AUDIT_OPTS,DBA_STMT_AUDIT_OPTS,DBA_PRIV_AUDIT_OPTS,DBA_OBJ_AUDIT_OPTS
和auditing有关的表
DBA_AUDIT_TRAIL,DBA_AUDIT_EXISTS,DBA_AUDIT_OBJECT,DBA_AUDIT_SESSIONDBA_AUDIT_STATEMENT

缺点在于系统说花费的时间和成本比较大,可对非常重要的表进行监控。

今天在做一个例子
--练习目标建立一个role然后添加用户,让用户使用这个ROLE权限
SQL>CREATE USER aatu IDENTIFIED BY atu DEFAULT TABLESPACE atu;
SQL>SELECT default_tablespace FROM dba_users WHERE username = 'AATU';
SQL>GRANT create session to aatu;
SQL>GRANT create table to aatu;
SQL>CREATE table employee1 as select * from hyf.employeesSELECT * FROM employee1;
SQL>GRANT select,update,delete on employee1 to aatu;
SQL>grant connect to aatu;
SQL>grant resource to aatu;
--在做这个的时候发现是role权限dba_tab_privs中查不到,但是在dba_role_privs确能找到
SQL>SELECT * FROM DBA_TAB_PRIVS WHERE grantee = 'AATU';
SQL>SELECT * FROM DBA_TAB_PRIVS WHERE grantee in ('ATU','AATU');
SQL>SELECT default_tablespace FROM dba_users WHERE username = 'AATU'
SQL>SELECT * FROM user_tables;

--AATU用户登录后所作的
SQL>SELECT * FROM employee1;--当我使用这个查询语句的时候提示该表不存在,不知道为什么,尝试建立新用户,做查询后提示该用户在system表空间下,放弃。后请教后发现如果把语句改成SQL>SELECT * FROM atu.employee1后,那么就能查询到,虽然在同一表空间下,但是还需要加这个语句才能查询的到,除非建立别名。。(-_______-!!迷茫)
SQL>CREATE SYNONYM employee1 FOR atu.employee1
SQL>SELECT * FROM employee1

--建立role
SQL>CREATE ROLE testrole IDENTIFIED BY test;
SQL>SELECT * FROM dba_roles WHERE role='TESTROLE';
SQL>GRANT testrole to aatu;
SQL>SELECT * FROM dba_role_privs WHERE grantee='AATU';
--做了以后发现defualt role testrole是YES
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
AATU CONNECT NO YES
AATU RESOURCE NO YES
AATU TESTROLE NO YES
SQL>ALTER USER aatu DEFAULT ROLE ALL EXCEPT testrole;
SELECT * FROM dba_role_privs WHERE grantee='AATU'
--做了以后发现defualt role testrole是no
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
AATU CONNECT NO YES
AATU RESOURCE NO YES
AATU TESTROLE NO NO

没有评论: