ORA-01031: insufficient privileges
Table of Contents
1 错误信息
例1 css
SQL*Plus: Release 11.2.0.3.0 Production on Thu Oct 29 15:46:33 2015 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied
例2 html
SQL> create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno; create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno * 第 1 行出现错误: ORA-01031: 权限不足例3 java
存储过程当中提示无权限 python
SQL> exec boss.proc_test; begin boss.proc_test; end; ORA-01031: 权限不足 ORA-06512: 在 "BOSS.PROC_TEST", line 4 ORA-06512: 在 line 1
2 官方解析
$ oerr ora 1031 01031, 00000, "insufficient privileges" // *Cause: An attempt was made to change the current username or password // without the appropriate privilege. This error also occurs if // attempting to install a database without the necessary operating // system privileges. // When Trusted Oracle is configure in DBMS MAC, this error may occur // if the user was granted the necessary privilege at a higher label // than the current login. // *Action: Ask the database administrator to perform the operation or grant // the required privileges. // For Trusted Oracle users getting this error although granted the // the appropriate privilege at a higher label, ask the database // administrator to regrant the privilege at the appropriate label.
从官方提供的解析来看,有两种可能: sql
- 在没有权限的状况下对用户或者用户密码进行修改
- 安装数据库的时候,没有足够的权限。
- 没有足够权限去受权
3 情景分析
3.1 登陆
3.1.1 用户属组缺失或不正确
用户以操做系统认证方式登陆数据库时,会把当前用户的组信息与$ORACLE_HOME/rdbms/lib/config.c 文件中的配置进行比对。若是不匹配,有可能出现ORA-01017 或者ORA-01031错误。 shell
下面是config.c 文件内容 数据库
/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
/* IMPORTANT: this file needs to be in sync with
rdbms/src/server/osds/config.c, specifically regarding the
number of elements in the ss_dba_grp array.
*/
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oinstall"
#define SS_ASM_GRP ""
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};
从注释中,能够看出,ss_dba_grp 是以sqldba 身份登陆数据库的必要条件之一。也就是说,只要以dba 身份 登陆,该操做系统用户就须要隶属于该用户组。 sass
错误示例: ruby
# id oracle ## ==> 查看oracle 用户当前属组 uid=501(oracle) gid=501(oinstall) 01(oinstall),502(dba) # usermod -G oinstall oracle ## ==> 修改Oracle 用户附属组信息 # id oracle ## ==> 查看oracle 用户当前属组,与第一次查看,发现少了dba 组 uid=501(oracle) gid=501(oinstall) 01(oinstall) # su - oracle # sqlplus / as sysdba ## ==> 尝试以sysdba身份登陆数据库 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:10 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges ## ==> 重现错误信息 Enter user-name: ^C # usermod -G oinstall,dba oracle ## ==> 还原Oracle 用户组信息 # su - oracle # sqlplus / as sysdba ## ==> 尝试以sysdba 身份登陆oracle 数据库 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:51 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit ## ==> 登陆成功,退出SQL环境。
3.1.2 用户认证方式不对
oracle 用户登陆经过sqlnet.ora 中的SQLNET.AUTHENTICATION_SERVICES bash
3.1.3 ORACLE_SID
变量ORACLE_SID 未设置或者设置错误,也会引发此错误。
3.2 对象权限不足
错误信息:
ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at "schema.procedure_name", line 3 ORA-06512: at line 1
- 说明
- 不少时候,咱们明明有授与很高的权限,好比select any table,select any view 等,应该不会在查询表或者视图时出现权限问题,可是,事实上咱们就是会遇到。 缘由是这种受权方式,针对某个单独对象来讲,是隐式受权。 若是咱们在存储过程或者物化视图中想要访问、修改某个对象的时候,须要对该对象进行 显示受权:grant select on object_name to schema;
3.3 存储过程当中报错
有些时候,咱们会遇到这样的状况:DML/DDL 不在存储过程当中执行是没有问题的,但是放到 存储过程当中之后执行会报错,提示无权限。这个时候,咱们须要对相应的操做进行单独受权。 好比ddl 操做:
create or replace procedure proc_test as begin execute immediate 'create table test(id number)'; end; /
这个操做是是建表,须要create table 权限, 咱们须要授予系统权限:create any table.
grant create any table to xxx;
若是是DML和查询操做无权限,则针对相关对象单独受权:
grant select on <user>.<object> to <the_other_user>; grant update on <user>.<object> to <the_other_user>; grant delete on <user>.<object> to <the_other_user>; grant insert on <user>.<object> to <the_other_user>;