A role is a named collection of related privileges; the main reason for using roles is to simplify privilege management.
But once that collection carries more privileges than a user minimally needs, it can become a security risk for the database.
Role password test
In Oracle 10g, whether or not a role has a password, once you grant the role to a user, by default the user holds all of the privileges in those roles.
In Oracle 11g, role passwords were revised slightly: when a role has a password and you grant that password-protected role to a user, by default
the user does not hold any of the privileges in that role. Only after SET ROLE is issued for the password-protected role do its privileges
become usable in the current session; the other roles are temporarily disabled, and the change applies only to the current session.

Syntax (effective only in the current session):
SET ROLE
{ role [ IDENTIFIED BY password ]
[, role [ IDENTIFIED BY password ] ]...
| ALL [ EXCEPT role [, role ]... ]
| NONE
} ;
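The risk described above is a password-protected role that is also a user's default role: on 10g its privileges are enabled at logon with no password at all. The following audit and remediation queries are an added example, not part of the original post; they assume a DBA account (SELECT on the DBA_* views) and reuse the role and user names from the test below (role_02, tyger) purely as illustration.

```sql
-- Added example (not from the original post).
-- 1. Audit: which users hold a password-protected role as a DEFAULT role,
--    and which system privileges that role carries? A hit here means the
--    role's privileges are active at logon without the password (10g).
SELECT rp.grantee,
       rp.granted_role,
       rp.default_role,
       r.password_required,
       sp.privilege
FROM   dba_role_privs  rp
       JOIN dba_roles  r  ON r.role = rp.granted_role
       LEFT JOIN role_sys_privs sp ON sp.role = rp.granted_role
WHERE  r.password_required = 'YES'   -- role was created IDENTIFIED BY ...
AND    rp.default_role     = 'YES'   -- ... yet is enabled automatically
ORDER  BY rp.grantee, rp.granted_role, sp.privilege;

-- 2. Remediation: keep the grant, but stop the role from being a default
--    role, so its privileges are only available after an explicit
--    SET ROLE role_02 IDENTIFIED BY <password> in a session.
--    (tyger / role_02 are the names from the test below; substitute your own.)
ALTER USER tyger DEFAULT ROLE ALL EXCEPT role_02;

-- 3. Verification, run from the user's own session after reconnecting:
--    CREATE VIEW should no longer appear until SET ROLE is issued.
SELECT * FROM session_privs;
```

Re-run the audit query after the ALTER USER; the row for tyger / ROLE_02 should disappear because DEFAULT_ROLE is now NO.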
Testing a password-protected role in Oracle 10g
SYS@ORCL>select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for Linux: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
1. Create two roles: role_01 without a password, role_02 with a password
SYS@ORCL>create role role_01;
Role created.
SYS@ORCL>create role role_02 identified by oracle;
Role created.
2. Grant role_01 the connect and create table privileges
SYS@ORCL>grant connect,create table to role_01;
Grant succeeded.
3. Grant role_02 the connect and create view privileges
SYS@ORCL>grant connect,create view to role_02;
Grant succeeded.
4. Create the test user tyger
SYS@ORCL>create user tyger identified by tyger quota unlimited on users;
User created.
5. Grant both roles to tyger
SYS@ORCL>grant role_01,role_02 to tyger;
Grant succeeded.
6. Connect as the user and test
SYS@ORCL>conn tyger/tyger
Connected.
TYGER@ORCL>create table t(x int);
Table created.
TYGER@ORCL>insert into t values(1);
1 row created.
TYGER@ORCL>commit;
Commit complete.
TYGER@ORCL>select * from t;
X
----------
1
TYGER@ORCL>create view view_t as select * from t;
View created.
TYGER@ORCL>select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
VIEW_T VIEW
T TABLE
7. Check the current user's roles: DEFAULT_ROLE is YES for both roles, which means both roles are in effect
TYGER@ORCL>desc user_role_privs;
Name Null Type
----------------------------------------- -------- ----------------------------
USERNAME VARCHAR2(30)
GRANTED_ROLE VARCHAR2(30)
ADMIN_OPTION VARCHAR2(3)
DEFAULT_ROLE VARCHAR2(3)
OS_GRANTED VARCHAR2(3)
TYGER@ORCL>col username for a10
TYGER@ORCL>col granted_role for a20
TYGER@ORCL>col default_role for a20
TYGER@ORCL>select username,granted_role,default_role from user_role_privs;
USERNAME GRANTED_ROLE DEFAULT_ROLE
---------- -------------------- --------------------
TYGER ROLE_01 YES
TYGER ROLE_02 YES
8. Check the privileges the current session holds
TYGER@ORCL>select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE VIEW
9. Using SET ROLE (sets the role state in the current session only)
TYGER@ORCL>set role ROLE_01;
Role set.
10. Check the current user's roles: no change
TYGER@ORCL>select username,granted_role,default_role from user_role_privs;
USERNAME GRANTED_ROLE DEFAULT_ROLE
---------- -------------------- --------------------
TYGER ROLE_01 YES
TYGER ROLE_02 YES
11. Check the current session's privileges: CREATE VIEW is gone, because after set role role_01 only role_01 is in effect in the current session
TYGER@ORCL>select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
TYGER@ORCL>create view view_2 as select * from t;
create view view_2 as select * from t
*
ERROR at line 1:
ORA-01031: insufficient privileges
12. Likewise, enable role_02 (which in turn disables role_01); this time a password must be supplied, because the role was created with one
TYGER@ORCL>set role role_02;
set role role_02
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'ROLE_02'
TYGER@ORCL>set role role_02 identified by oracle;
Role set.
13. Check the current