如何控制common user在cdb里对于pdb信息的访问-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

如何控制common user在cdb里对于pdb信息的访问

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 07, 2016 pm 04:33 PM

研究common user要在不同的pdb间切换所需具有的权限；研究common user在cdb上查询container_data_objects时如何限制其只能访问到

本文目的：
研究common user要在不同的pdb间切换所需具有的权限；
研究common user在cdb上查询container_data_objects时如何限制其只能访问到某几个pdb对应的信息或者在某个特定的container_data_object对象上限制其只能访问到某几个pdb对应的信息，common user一般都有比较大的权限，但有的时候我们不想让common user通过cdb里的视图去访问到某些pdb的信息

先解释一下container_data_object的概念：Dba_table、dba_views中container_data=’Y’对应的表或视图，因为这些视图中包含了来自不同pdb的信息，所以被称作container_data_object

1、只有common user才能使用alter session set container=PDBX在各个pdb间进行切换，前提是这个common user必须在这些pdb里至少具有create session 和 set container权限：

---在cdb里创建一个common user，赋予create session权限

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> create user c##guser2 identified by 773946 container=all;

User created.

SQL> grant create session to c##guser2;

Grant succeeded.

---以刚创建的c##guser2用户登陆cdb，，set container到orapdba提示权限不足

oracle@ora12c1:/home/oracle>sqlplus c##guser2/773946

SQL*Plus: Release 12.1.0.1.0 Production on Thu Dec 12 21:22:44 2013

Connected to:

Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production

With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,

Advanced Analytics and Real Application Testing options

SQL> alter session set container=orapdba;

ERROR:

ORA-01031: insufficient privileges

--[C1] -在orapdba里，grant set container权限给c##guser2

SQL> show con_name

CON_NAME

------------------------------

ORAPDBA

SQL> grant set container,create session to c##guser2;

Grant succeeded.

--- set container到orapdba成功

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> alter session set container=orapdba;

Session altered.

结论：common user用户要在不同的pdb间实现切换，必须在这些pdb上拥有create session和set container的权限，最简单的方法是在cdb上执行grant create session,set container to c##guser2 container=all进行全局的赋权

2、通过alter user中的container_data_clause 进行container_data_objects访问权限控制：

---全局授权c##guser2查询系统视图的权限

SQL> grant select_catalog_role to c##guser2 container=all;

Grant succeeded.

---[C2] 以c##guser2登陆cdb$root查询cdb_data_files、v$session两个视图的内容

SQL> show user

USER is "C##GUSER2"

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> select distinct con_id from v$session;

CON_ID

----------

SQL> select distinct con_id from cdb_data_files;

CON_ID

----------

---开放给c##guser2用户查询特定pdb上信息的权限

SQL> show user

USER is "SYS"

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> alter user c##guser2 set container_data=(CDB$root[C3] ,orapdba,orapdbb) container=current;

User altered.

---查询cdb_container_data可以看到c##guser2用户具有在部分pdb上查询container_data_object的权限

select * from CDB_container_data where username='C##GUSER2';

Grant succeeded.

---再次以c##guser2登陆cdb$root查询cdb_data_files、v$session两个视图的内容，能查到除了0、1之外的其它pdb的信息了

SQL> select distinct con_id from v$session;

CON_ID

----------

SQL> select distinct con_id from cdb_data_files;

CON_ID

----------

---对于v$session视图限制c##guser2只能访问orapdba相关的信息

SQL> alter user c##guser2 set container_data=(CDB$root,orapdba) for v$session container=current;

---cdb_container_data中又增加了两行基于特定对象的控制信息

select * from CDB_container_data where username='C##GUSER2'

---以c##guser2登陆Root查询cdb_data_files、v$session两个视图的内容，发现还是能查到con_id=4，即orapdbb的记录

SQL> select distinct con_id from v$session;

CON_ID

----------

SQL> select distinct con_id from cdb_data_files;

CON_ID

----------

---原因在于红色的部分还是生效的

---去除对于orapdbb的访问权限

SQL> alter user c##guser2 remove container_data=(orapdbb) container=current;

User altered.

---以c##guser2登陆Root查询cdb_data_files、v$session两个视图的内容，就不见了

con_id=4的记录

SQL> select distinct con_id from v$session;

CON_ID

----------

SQL> select distinct con_id from cdb_data_files;

CON_ID

----------

---对于v$session视图限制放宽让c##guser2也能访问orapdbb相关的信息

SQL> alter user c##guser2 add container_data=(orapdbb) for v$session

container=current;

User altered.

---以c##guser2登陆Root查询v$session视图又能看见con_id=4的记录，但

cdb_data_files里依然没有con_id=4的记录

User altered.

[C1]此处未授权create session也可以set container成功，实际操作时还是同时附上create session比较好

[C2]由于c##guser2未进行任何的container_data设置，也即相当于设置了set container_data=default，所以只能看到con_id=0、con_id=1的记录，0代表整个CDB，1代表CDB$ROOT

[C3]必须包含Root，否则会报ORA-65057错误

在CentOS 6.4下安装Oracle 11gR2(x64)

Oracle 11gR2 在VMWare虚拟机中安装步骤

Debian 下安装 Oracle 11g XE R2

本文永久更新链接地址：

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

MySQL: BLOB and other no-sql storage, what are the differences?May 13, 2025 am 12:14 AM

MySQL'sBLOBissuitableforstoringbinarydatawithinarelationaldatabase,whileNoSQLoptionslikeMongoDB,Redis,andCassandraofferflexible,scalablesolutionsforunstructureddata.BLOBissimplerbutcanslowdownperformancewithlargedata;NoSQLprovidesbetterscalabilityand

MySQL Add User: Syntax, Options, and Security Best PracticesMay 13, 2025 am 12:12 AM

ToaddauserinMySQL,use:CREATEUSER'username'@'host'IDENTIFIEDBY'password';Here'showtodoitsecurely:1)Choosethehostcarefullytocontrolaccess.2)SetresourcelimitswithoptionslikeMAX_QUERIES_PER_HOUR.3)Usestrong,uniquepasswords.4)EnforceSSL/TLSconnectionswith

MySQL: How to avoid String Data Types common mistakes?May 13, 2025 am 12:09 AM

ToavoidcommonmistakeswithstringdatatypesinMySQL,understandstringtypenuances,choosetherighttype,andmanageencodingandcollationsettingseffectively.1)UseCHARforfixed-lengthstrings,VARCHARforvariable-length,andTEXT/BLOBforlargerdata.2)Setcorrectcharacters

MySQL: String Data Types and ENUMs?May 13, 2025 am 12:05 AM

MySQloffersechar, Varchar, text, Anddenumforstringdata.usecharforfixed-Lengthstrings, VarcharerForvariable-Length, text forlarger text, AndenumforenforcingdataAntegritywithaetofvalues.

MySQL BLOB: how to optimize BLOBs requestsMay 13, 2025 am 12:03 AM

Optimizing MySQLBLOB requests can be done through the following strategies: 1. Reduce the frequency of BLOB query, use independent requests or delay loading; 2. Select the appropriate BLOB type (such as TINYBLOB); 3. Separate the BLOB data into separate tables; 4. Compress the BLOB data at the application layer; 5. Index the BLOB metadata. These methods can effectively improve performance by combining monitoring, caching and data sharding in actual applications.

Adding Users to MySQL: The Complete TutorialMay 12, 2025 am 12:14 AM

Mastering the method of adding MySQL users is crucial for database administrators and developers because it ensures the security and access control of the database. 1) Create a new user using the CREATEUSER command, 2) Assign permissions through the GRANT command, 3) Use FLUSHPRIVILEGES to ensure permissions take effect, 4) Regularly audit and clean user accounts to maintain performance and security.

Mastering MySQL String Data Types: VARCHAR vs. TEXT vs. CHARMay 12, 2025 am 12:12 AM

ChooseCHARforfixed-lengthdata,VARCHARforvariable-lengthdata,andTEXTforlargetextfields.1)CHARisefficientforconsistent-lengthdatalikecodes.2)VARCHARsuitsvariable-lengthdatalikenames,balancingflexibilityandperformance.3)TEXTisidealforlargetextslikeartic

MySQL: String Data Types and Indexing: Best PracticesMay 12, 2025 am 12:11 AM

Best practices for handling string data types and indexes in MySQL include: 1) Selecting the appropriate string type, such as CHAR for fixed length, VARCHAR for variable length, and TEXT for large text; 2) Be cautious in indexing, avoid over-indexing, and create indexes for common queries; 3) Use prefix indexes and full-text indexes to optimize long string searches; 4) Regularly monitor and optimize indexes to keep indexes small and efficient. Through these methods, we can balance read and write performance and improve database efficiency.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055612 fails to install in Windows 10?

3 weeks agoByDDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Nordhold: Fusion System, Explained

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Zend Studio 13.0.1

Powerful PHP integrated development environment

SublimeText3 Linux new version

SublimeText3 Linux latest version

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software