如何控制common user在cdb里对于pdb信息的访问
研究common user要在不同的pdb间切换所需具有的权限;研究common user在cdb上查询container_data_objects时如何限制其只能访问到
本文目的:
研究common user要在不同的pdb间切换所需具有的权限;
研究common user在cdb上查询container_data_objects时如何限制其只能访问到某几个pdb对应的信息或者在某个特定的container_data_object对象上限制其只能访问到某几个pdb对应的信息,common user一般都有比较大的权限,但有的时候我们不想让common user通过cdb里的视图去访问到某些pdb的信息
先解释一下container_data_object的概念:Dba_table、dba_views中container_data=’Y’对应的表或视图,因为这些视图中包含了来自不同pdb的信息,所以被称作container_data_object
1、 只有common user才能使用alter session set container=PDBX在各个pdb间进行切换,前提是这个common user必须在这些pdb里至少具有create session 和 set container权限:
---在cdb里创建一个common user,赋予create session权限
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create user c##guser2 identified by 773946 container=all;
User created.
SQL> grant create session to c##guser2;
Grant succeeded.
---以刚创建的c##guser2用户登陆cdb,,set container到orapdba提示权限不足
oracle@ora12c1:/home/oracle>sqlplus c##guser2/773946
SQL*Plus: Release 12.1.0.1.0 Production on Thu Dec 12 21:22:44 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Advanced Analytics and Real Application Testing options
SQL> alter session set container=orapdba;
ERROR:
ORA-01031: insufficient privileges
--[C1] -在orapdba里,grant set container权限给c##guser2
SQL> show con_name
CON_NAME
------------------------------
ORAPDBA
SQL> grant set container,create session to c##guser2;
Grant succeeded.
--- set container到orapdba成功
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> alter session set container=orapdba;
Session altered.
结论:common user用户要在不同的pdb间实现切换,必须在这些pdb上拥有create session和set container的权限,最简单的方法是在cdb上执行grant create session,set container to c##guser2 container=all进行全局的赋权
2、 通过alter user中的container_data_clause 进行container_data_objects访问权限控制:
---全局授权c##guser2查询系统视图的权限
SQL> grant select_catalog_role to c##guser2 container=all;
Grant succeeded.
---[C2] 以c##guser2登陆cdb$root查询cdb_data_files、v$session两个视图的内容
SQL> show user
USER is "C##GUSER2"
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> select distinct con_id from v$session;
CON_ID
----------
1
0
SQL> select distinct con_id from cdb_data_files;
CON_ID
----------
1
---开放给c##guser2用户查询特定pdb上信息的权限
SQL> show user
USER is "SYS"
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> alter user c##guser2 set container_data=(CDB$root[C3] ,orapdba,orapdbb) container=current;
User altered.
---查询cdb_container_data可以看到c##guser2用户具有在部分pdb上查询container_data_object的权限
select * from CDB_container_data where username='C##GUSER2';
Grant succeeded.
---再次以c##guser2登陆cdb$root查询cdb_data_files、v$session两个视图的内容,能查到除了0、1之外的其它pdb的信息了
SQL> select distinct con_id from v$session;
CON_ID
----------
1
4
3
0
SQL> select distinct con_id from cdb_data_files;
CON_ID
----------
4
3
1
---对于v$session视图限制c##guser2只能访问orapdba相关的信息
SQL> alter user c##guser2 set container_data=(CDB$root,orapdba) for v$session container=current;
---cdb_container_data中又增加了两行基于特定对象的控制信息
select * from CDB_container_data where username='C##GUSER2'
---以c##guser2登陆Root查询cdb_data_files、v$session两个视图的内容,发现还是能查到con_id=4,即orapdbb的记录
SQL> select distinct con_id from v$session;
CON_ID
----------
1
4
3
0
SQL> select distinct con_id from cdb_data_files;
CON_ID
----------
4
3
1
---原因在于红色的部分还是生效的
---去除对于orapdbb的访问权限
SQL> alter user c##guser2 remove container_data=(orapdbb) container=current;
User altered.
---以c##guser2登陆Root查询cdb_data_files、v$session两个视图的内容,就不见了
con_id=4的记录
SQL> select distinct con_id from v$session;
CON_ID
----------
1
3
0
SQL> select distinct con_id from cdb_data_files;
CON_ID
----------
3
1
---对于v$session视图限制放宽让c##guser2也能访问orapdbb相关的信息
SQL> alter user c##guser2 add container_data=(orapdbb) for v$session
container=current;
User altered.
---以c##guser2登陆Root查询v$session视图又能看见con_id=4的记录,但
cdb_data_files里依然没有con_id=4的记录
User altered.
[C1]此处未授权create session也可以set container成功,实际操作时还是同时附上create session比较好
[C2]由于c##guser2未进行任何的container_data设置,也即相当于设置了set container_data=default,所以只能看到con_id=0、con_id=1的记录,0代表整个CDB,1代表CDB$ROOT
[C3]必须包含Root,否则会报ORA-65057错误
在CentOS 6.4下安装Oracle 11gR2(x64)
Oracle 11gR2 在VMWare虚拟机中安装步骤
Debian 下 安装 Oracle 11g XE R2
本文永久更新链接地址:
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Reduce the use of MySQL memory in Docker
Mar 04, 2025 pm 03:52 PM
This article explores optimizing MySQL memory usage in Docker. It discusses monitoring techniques (Docker stats, Performance Schema, external tools) and configuration strategies. These include Docker memory limits, swapping, and cgroups, alongside
How to solve the problem of mysql cannot open shared library
Mar 04, 2025 pm 04:01 PM
This article addresses MySQL's "unable to open shared library" error. The issue stems from MySQL's inability to locate necessary shared libraries (.so/.dll files). Solutions involve verifying library installation via the system's package m
How do you alter a table in MySQL using the ALTER TABLE statement?
Mar 19, 2025 pm 03:51 PM
The article discusses using MySQL's ALTER TABLE statement to modify tables, including adding/dropping columns, renaming tables/columns, and changing column data types.
Run MySQl in Linux (with/without podman container with phpmyadmin)
Mar 04, 2025 pm 03:54 PM
This article compares installing MySQL on Linux directly versus using Podman containers, with/without phpMyAdmin. It details installation steps for each method, emphasizing Podman's advantages in isolation, portability, and reproducibility, but also
What is SQLite? Comprehensive overview
Mar 04, 2025 pm 03:55 PM
This article provides a comprehensive overview of SQLite, a self-contained, serverless relational database. It details SQLite's advantages (simplicity, portability, ease of use) and disadvantages (concurrency limitations, scalability challenges). C
Running multiple MySQL versions on MacOS: A step-by-step guide
Mar 04, 2025 pm 03:49 PM
This guide demonstrates installing and managing multiple MySQL versions on macOS using Homebrew. It emphasizes using Homebrew to isolate installations, preventing conflicts. The article details installation, starting/stopping services, and best pra
How do I configure SSL/TLS encryption for MySQL connections?
Mar 18, 2025 pm 12:01 PM
Article discusses configuring SSL/TLS encryption for MySQL, including certificate generation and verification. Main issue is using self-signed certificates' security implications.[Character count: 159]
What are some popular MySQL GUI tools (e.g., MySQL Workbench, phpMyAdmin)?
Mar 21, 2025 pm 06:28 PM
Article discusses popular MySQL GUI tools like MySQL Workbench and phpMyAdmin, comparing their features and suitability for beginners and advanced users.[159 characters]
