【发布时间】:2020-06-26 00:30:03
【问题描述】:
我有两个 Schema Schema-1 和 Schema-2。我想创建一个可以同时访问 Schema(Schema-1 和 Schema-2)的超级用户。
我想在 oracle 11g 中使用命令创建一个用户。有可能吗?
【问题讨论】:
标签: oracle privileges
【发布时间】:2020-06-26 00:30:03
【问题描述】:
这样的用户已经存在;它被称为SYS,拥有数据库。不过,将它用于日常工作并不是一个好主意——您宁愿(如您所愿)创建自己的“超级用户”来做这些事情。例如:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> create user superuser identified by superman;
User created.
SQL> grant dba to superuser;
Grant succeeded.
好的,我们试试吧:
SQL> connect superuser/superman
Connected.
SQL> select count(*) From scott.emp;
COUNT(*)
----------
14
SQL> select table_name from dba_tables where owner = 'MIKE';
TABLE_NAME
------------------------------
EMP
DEPT
BONUS
SALGRADE
DUMMY
ABC
6 rows selected.
SQL> select * from mike.abc;
KEY ID SEQ THINGS DESCR
---------- ---------- ---------- ---------- ----------
1 1 0 Food Chicken
2 1 1 Cars BMW
3 1 2 Sport Soccer
4 2 0 Food Mutton
5 2 1 Cars Ford
6 2 2 Sport Tennis
6 rows selected.
SQL>
现在,DBA 是该用户的正确角色,我不知道。也许不是,所以也许您宁愿只授予所需的一组权限。是哪一套,我也分不清。
也许授予例如对于schema1 和schema2 用户的表,select 对superuser 的特权。但是,您不能在单个命令中执行此操作 - 您必须为每个用户和他们的每个表分别执行此操作(这意味着 很多 grant select 语句)。让我们试试吧:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> revoke dba from superuser;
Revoke succeeded.
SQL>
逐句编写是一项无聊的工作,所以我会编写代码来为我编写代码:
SQL> select 'grant select on ' || owner ||'.' ||table_name || ' to superuser;' str
2 from dba_tables
3 where owner in ('SCOTT', 'MIKE')
4 order by owner, table_name;
STR
--------------------------------------------------------------------------------
grant select on MIKE.ABC to superuser;
grant select on MIKE.BONUS to superuser;
grant select on MIKE.DEPT to superuser;
<snip>
grant select on SCOTT.TEST_B to superuser;
grant select on SCOTT.TEST_D to superuser;
26 rows selected.
SQL>
好的;现在复制/粘贴上面的grant 语句并运行它们。
SQL> grant select on MIKE.ABC to superuser;
Grant succeeded.
SQL> grant select on MIKE.BONUS to superuser;
Grant succeeded.
SQL> grant select on MIKE.DEPT to superuser;
Grant succeeded.
<snip>
SQL> grant select on SCOTT.TEST_B to superuser;
Grant succeeded.
SQL> grant select on SCOTT.TEST_D to superuser;
Grant succeeded.
SQL>
有效吗?
SQL> connect superuser/superman
ERROR:
ORA-01045: user SUPERUSER lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL>
啊哈!还不只是!撤销DBA 撤销了大量权限,所以superuser 现在作为用户存在,但不能做任何事情。所以,让我们让它连接到数据库:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> grant create session to superuser;
Grant succeeded.
SQL> connect superuser/superman
Connected.
SQL> select * From scott.dept;
DEPTNO DNAME LOC
---------- -------------- -------------
10 ACCOUNTING NEW YORK
20 RESEARCH DALLAS
30 SALES CHICAGO
40 OPERATIONS BOSTON
SQL> select * From mike.abc;
KEY ID SEQ THINGS DESCR
---------- ---------- ---------- ---------- ----------
1 1 0 Food Chicken
2 1 1 Cars BMW
3 1 2 Sport Soccer
4 2 0 Food Mutton
5 2 1 Cars Ford
6 2 2 Sport Tennis
6 rows selected.
SQL>
对;好多了。这就是我所说的“仅授予所需的一组权限”的意思;不要授予超出某人真正需要的权限。
【讨论】: