Oracle 19c 新特性:Schema Only Account详解
点击▲关注 “数据和云” 给公众号标星置顶数据库
更多精彩 第一时间直达安全
老张拉呱:thomas zhang,甲骨文云平台事业部资深技术顾问,2008年加入甲骨文公司数据库咨询部门,10+年甲骨文解决方案咨询支持经验,资深系统工程师、Oracle OCM认证专家,具备丰富的Cloud /IT项目经验。目前主要负责甲骨文中国北方区(医院/卫生、交通、制造、教育、政府、证券、媒体、金融、零售等行业)客户的数据库、中间件、IaaS/PaaS、集成系统等相关技术解决方案咨询工做。session
签名:我为人人,人人为我,三人行,必有我师。ide
新浪微博: http://weibo.com/tomszrp测试
从 Database 18c 开始,能够建立 Schema Only Account(能够拥有对象、权限/角色,但不容许直接链接的 Schema),不过能够经过 single session proxy 的方式链接访问。this
这种类型的 account 设计既是为了知足 Oracle-provided schemas 同时也适用于客户应用设计的须要,建立用户的时候不须要指定密码或受权方式。除非使用 ALTER USER 语句分配身份验证方法,不然没法对 Schema Only Account 进行身份验证。DBA_USERS_WITH_DEFPWD数据字典视图中再也不包含Schema Only Account 信息。spa
从19c开始,大部分Oracle-providedschemas,除了SYS,SYSTEM以及Sample Schema User Accounts(好比HR)都是Schema Only Account。也就是说,这些账户都是在没有密码的状况下建立的,好处是管理员无需周期性的维护这些密码,同时也下降了攻击者使用默认密码侵入这些账户的安全风险。咱们能够经过dba_users数据字典的authentication_type字段来判断,若是是NONE,表示该account是Schema Only的。固然了,当咱们确实有须要的时候,能够为这些账户分配密码,可是为了更好的安全性,Oracle 建议您使用完毕后将它们再设置为Schema Only。设计
•关于Schema Only Account的一些说明:代理
1)能够是 administrator 和 non-administratoraccountsorm
2)这种account只能在data base instance中建立,不支持 ASM instance
3)能够授予 system privileges (好比CREATE ANY TABLE)和管理员角色(好比DBA)
4)能够建立对象好比tables 、procedures等(根据所受权限决定)
5)能够配置经过 single session proxy的方式链接访问
6)不能经过 data base link 使用
tips:18c中Schema Only Account不能拥有SYSDBA,SYSOPER, SYSBACKUP, SYSKM, SYSASM, SYSRAC, SYSDG这些管理权限,19c中取消了这一限制。
下面是在18.3和19.2综合体验的一个笔记,但愿能给你们一点启发,后面大部分都是脚本,介绍性的话语不多,我想你们应该能看明白。
1)建立一个Schema-Only Account
CDB$ROOT@SYS>conn sys/Alpha2019#@pdb1 as sysdba;
Connected.
PDB1@SYS>CREATE USER study NO AUTHENTICATION;
User created.
PDB1@SYS>CREATE USER toms IDENTIFIED BY toms default tablespace users;
User created.
PDB1@SYS>SELECT username, password, password_versions, account_status, authentication_type
FROM dba_users
WHERE username in ('STUDY','TOMS');
CREATE USER "STUDY" NO AUTHENTICATION
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP"
PDB1@SYS>
2)AUTHENTICATION 和 NO AUTHENTICATION之间的转换
经过以下命令能够很容易的在Schema Only Account和Normal Account之间转换:
ALTER USER ... IDENTIFIED BY ...;
ALTER USER ... NO AUTHENTICATION;
说明:18c的时候Schema only accounts能够被授予全部的normal database roles和privileges,但不能是administrative privileges(好比SYSDBA, SYSOPER, SYSRAC等),不然会遇到相似以下的错误:
CDB$ROOT@cdb1>grant sysdba to study;
grant sysdba to study
*
ERROR at line 1:
ORA-40366: Administrative privilege cannot be granted to this user.
但19.2中是能够的,好比
CDB$ROOT@demo>grant sysdba to study;
Grant succeeded.
CDB$ROOT@demo>
PDB1@SYS>ALTER USER study IDENTIFIED BY study quota unlimited on users;
User altered.
PDB1@SYS>grant create session, create table to study;
Grant succeeded.
PDB1@SYS>conn study/study@pdb1
Connected.
PDB1@STUDY>
PDB1@STUDY>create table a (no int);
Table created.
PDB1@STUDY>create table b (str varchar2(32));
Table created.
PDB1@STUDY>conn sys/Alpha2019#@pdb1 as sysdba
Connected.
PDB1@SYS>grant sysdba to study;
Grant succeeded.
注意:在18c测试的时候,会遇到相似以下错误,因此必须先经过V$PWFILE_USERS 视图找到那些administrative privileges并收回。
PDB1@pdb1>ALTER USER study no authentication;
ALTER USER study no authentication
*
ERROR at line 1:
ORA-40367: An Administrative user cannot be altered to have no authentication type.
CDB$ROOT@cdb1>revoke sysdba from study;
Revoke succeeded.
CDB$ROOT@cdb1>ALTER USER study no authentication;
User altered.
CDB$ROOT@cdb1>
说明:19c(19.2)测试中,是支持administrative privileges的,因此能够直接ALTER USER study no authentication;
这个时候,study用户就不能直接链接访问了,由于已经切换为Schema Only Account了 ,示例以下:
PDB1@pdb1>conn study/study@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
PDB1@>
3)经过single session proxy方式访问
我这里用以前建立的toms用户来作proxy user,下面先在toms用户下建立个测试表
PDB1@SYS>conn sys/Alpha2019#@pdb1 as sysdba
Connected.
PDB1@SYS>grant connect, resource to toms;
Grant succeeded.
PDB1@SYS>conn toms/toms@pdb1
Connected.
PDB1@TOMS>create table test (no int );
Table created.
PDB1@TOMS>
设置study(Scheam Only Account)经过toms代理链接(简单示例,详细语法参见相关手册)
PDB1@TOMS>conn sys/Alpha2019#@pdb1 as sysdba
Connected.
PDB1@SYS>ALTER USER study GRANT CONNECT through toms;
User altered.
链接测试
PDB1@SYS>CONNECT toms[study]/toms@pdb1
Connected.
PDB1@STUDY>show user
USER is "STUDY"
PDB1@STUDY>SELECT sys_context('USERENV','SESSION_USER') AS session_user,
sys_context('USERENV','SESSION_SCHEMA') AS session_schema,
sys_context('USERENV','PROXY_USER') AS proxy_id,
USER
FROM dual;
SESSION_USER SESSION_SCHEMA PROXY_ID USER
--------------- ------------------ ----------- ------------
STUDY STUDY TOMS STUDY
PDB1@STUDY>select table_name from tabs; ##看到的是study用户下的对象
TABLE_NAME
-----------------
B
A
PDB1@STUDY>insert into a values(1);
1 row created.
PDB1@STUDY>commit;
Commit complete.
PDB1@STUDY>select * from a;
NO
----------
1
PDB1@STUDY>
4)回收single session proxy访问设置
PDB1@STUDY>conn sys/Alpha2019#@pdb1 as sysdba
Connected.
PDB1@SYS>select * from proxy_users;
PROXY CLIENT AUT FLAGS
------ ---------- ------- -------------------------------------
TOMS STUDY NO PROXY MAY ACTIVATE ALL CLIENT ROLES
PDB1@SYS>ALTER USER study revoke CONNECT through toms;
User altered.
PDB1@SYS>select * from proxy_users;
no rows selected
PDB1@SYS>CONNECT toms[study]/toms@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
PDB1@>
好了,本小节的简单示例就到这里,但愿能给你们起到一点简单的引导示范做用,不当之处,请以实际环境和当前文档说明为准。