Best practices for DBAs logging in to the database

Jor*_*rge 3 oracle best-practices

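I have read that a DBA should never log in to the database as the SYSTEM user. This made me wonder... how should a DBA log in to the database? Should he/she create a DBA account and use it for login purposes? But I think that is the same as logging in as SYSTEM. Or should he log in to each schema as that schema's owner?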

kev*_*kio 5

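Log in as sys, create an account for yourself, and then grant that account only the privileges it needs. Give yourself a reasonable password. "password" is not a good password.

Here are the top ten most commonly used passwords, which are still not good passwords even if you intend to log in only as a DBA:

  • password
  • 123456
  • 12345678
  • 1234
  • quality
  • 12345
  • baseball
  • football

Here is a script I have used on Oracle 9i and 11g that grants more than I need. Trimming the privileges further on a production system would be a good security exercise.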

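Edit: @miracle173 asked what the difference is between the script below and just granting the DBA privilege. The most important difference is that by granting individual privileges, you can remove what is unnecessary. If you grant the DBA role, you cannot pick and choose unless you edit the role, which is not advisable. Requirements change between developing a database, when you may need everything, and a database that has been deployed to production, where you want the minimum privileges needed. The best practice is exactly what Leigh Riffel answered: do what you need to do with the least privileges.

Edit: @miracle173 correctly pointed out that using the SYSTEM tablespace for users is not recommended. I have changed it to USERS in the script and in my main development database.

Edit: @miracle173 also made some good points about the distinction between the privileges of a DBA doing maintenance and those of a developer. I do both DBA work and application development for the databases I work on, so you can break the script up according to what you are doing. Practices and standards vary by industry, organization, and habit, so what you need to use may differ from instance to instance. In my shop, it is common for development databases to carry more privileges than production databases, for both administrators and developers.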

CREATE USER ADMIN
  IDENTIFIED BY <choose a good password>
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;

A DBA may need these, depending on the Oracle options in use:

  GRANT ADMINISTER DATABASE TRIGGER TO ADMIN;
  ALTER USER ADMIN DEFAULT ROLE ALL;
  GRANT ALTER ANY CLUSTER TO ADMIN;
  GRANT ALTER ANY DIMENSION TO ADMIN;
  GRANT ALTER ANY INDEX TO ADMIN;
  GRANT ALTER ANY INDEXTYPE TO ADMIN;
  GRANT ALTER ANY LIBRARY TO ADMIN;
  GRANT ALTER ANY MATERIALIZED VIEW TO ADMIN;
  GRANT ALTER ANY OUTLINE TO ADMIN;
  GRANT ALTER ANY PROCEDURE TO ADMIN;
  GRANT ALTER ANY ROLE TO ADMIN;
  GRANT ALTER ANY SEQUENCE TO ADMIN;
  GRANT ALTER ANY TABLE TO ADMIN WITH ADMIN OPTION;
  GRANT ALTER ANY TRIGGER TO ADMIN;
  GRANT ALTER ANY TYPE TO ADMIN;
  GRANT ALTER DATABASE TO ADMIN;
  GRANT ALTER PROFILE TO ADMIN;
  GRANT ALTER RESOURCE COST TO ADMIN;
  GRANT ALTER ROLLBACK SEGMENT TO ADMIN;
  GRANT ALTER SESSION TO ADMIN;
  GRANT ALTER SYSTEM TO ADMIN;
  GRANT ALTER TABLESPACE TO ADMIN;
  GRANT ALTER USER TO ADMIN;
  GRANT ANALYZE ANY TO ADMIN;
  GRANT AUDIT ANY TO ADMIN;
  GRANT AUDIT SYSTEM TO ADMIN;
  GRANT AUTHENTICATEDUSER TO ADMIN WITH ADMIN OPTION;
  GRANT BACKUP ANY TABLE TO ADMIN;
  GRANT BECOME USER TO ADMIN;
  GRANT COMMENT ANY TABLE TO ADMIN;
  GRANT CREATE ANY CLUSTER TO ADMIN;
  GRANT CREATE ANY CONTEXT TO ADMIN;
  GRANT CREATE ANY DIMENSION TO ADMIN;
  GRANT CREATE ANY DIRECTORY TO ADMIN;
  GRANT CREATE ANY INDEX TO ADMIN;
  GRANT CREATE ANY INDEXTYPE TO ADMIN;
  GRANT CREATE ANY LIBRARY TO ADMIN;
  GRANT CREATE ANY MATERIALIZED VIEW TO ADMIN;
  GRANT CREATE ANY OPERATOR TO ADMIN;
  GRANT CREATE ANY OUTLINE TO ADMIN;
  GRANT CREATE ANY PROCEDURE TO ADMIN;
  GRANT CREATE ANY SEQUENCE TO ADMIN;
  GRANT CREATE ANY SYNONYM TO ADMIN;
  GRANT CREATE ANY TABLE TO ADMIN;
  GRANT CREATE ANY TRIGGER TO ADMIN;
  GRANT CREATE ANY TYPE TO ADMIN;
  GRANT CREATE ANY VIEW TO ADMIN;
  GRANT CREATE CLUSTER TO ADMIN;
  GRANT CREATE DATABASE LINK TO ADMIN;
  GRANT CREATE DIMENSION TO ADMIN;
  GRANT CREATE INDEXTYPE TO ADMIN;
  GRANT CREATE LIBRARY TO ADMIN;
  GRANT CREATE MATERIALIZED VIEW TO ADMIN;
  GRANT CREATE OPERATOR TO ADMIN;
  GRANT CREATE PROCEDURE TO ADMIN;
  GRANT CREATE PROFILE TO ADMIN;
  GRANT CREATE PUBLIC DATABASE LINK TO ADMIN;
  GRANT CREATE PUBLIC SYNONYM TO ADMIN;
  GRANT CREATE ROLE TO ADMIN;
  GRANT CREATE ROLLBACK SEGMENT TO ADMIN;
  GRANT CREATE SEQUENCE TO ADMIN;
  GRANT CREATE SESSION TO ADMIN;
  GRANT CREATE SYNONYM TO ADMIN;
  GRANT CREATE TABLE TO ADMIN;
  GRANT CREATE TABLESPACE TO ADMIN;
  GRANT CREATE TRIGGER TO ADMIN;
  GRANT CREATE TYPE TO ADMIN;
  GRANT CREATE USER TO ADMIN;
  GRANT CREATE VIEW TO ADMIN;
  GRANT DBA TO ADMIN WITH ADMIN OPTION;
  GRANT DEBUG ANY PROCEDURE TO ADMIN;
  GRANT DEBUG CONNECT SESSION TO ADMIN;
  GRANT DELETE ANY TABLE TO ADMIN;
  GRANT DELETE, SELECT ON SYSTEM.MVIEW_FILTERINSTANCE TO ADMIN WITH GRANT OPTION;
  GRANT DELETE_CATALOG_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT DROP ANY CLUSTER TO ADMIN;
  GRANT DROP ANY CONTEXT TO ADMIN;
  GRANT DROP ANY DIMENSION TO ADMIN;
  GRANT DROP ANY DIRECTORY TO ADMIN;
  GRANT DROP ANY INDEX TO ADMIN;
  GRANT DROP ANY INDEXTYPE TO ADMIN;
  GRANT DROP ANY LIBRARY TO ADMIN;
  GRANT DROP ANY MATERIALIZED VIEW TO ADMIN;
  GRANT DROP ANY OPERATOR TO ADMIN;
  GRANT DROP ANY OUTLINE TO ADMIN;
  GRANT DROP ANY PROCEDURE TO ADMIN;
  GRANT DROP ANY ROLE TO ADMIN;
  GRANT DROP ANY SEQUENCE TO ADMIN;
  GRANT DROP ANY SYNONYM TO ADMIN;
  GRANT DROP ANY TABLE TO ADMIN;
  GRANT DROP ANY TRIGGER TO ADMIN;
  GRANT DROP ANY TYPE TO ADMIN;
  GRANT DROP ANY VIEW TO ADMIN;
  GRANT DROP PROFILE TO ADMIN;
  GRANT DROP PUBLIC DATABASE LINK TO ADMIN;
  GRANT DROP PUBLIC SYNONYM TO ADMIN;
  GRANT DROP ROLLBACK SEGMENT TO ADMIN;
  GRANT DROP TABLESPACE TO ADMIN;
  GRANT DROP USER TO ADMIN;
  GRANT EXECUTE ANY INDEXTYPE TO ADMIN;
  GRANT EXECUTE ANY LIBRARY TO ADMIN;
  GRANT EXECUTE ANY OPERATOR TO ADMIN;
  GRANT EXECUTE ANY PROCEDURE TO ADMIN;
  GRANT EXECUTE ANY TYPE TO ADMIN;
  GRANT EXECUTE_CATALOG_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT EXP_FULL_DATABASE TO ADMIN WITH ADMIN OPTION;
  GRANT FLASHBACK ANY TABLE TO ADMIN;
  GRANT FORCE ANY TRANSACTION TO ADMIN;
  GRANT FORCE TRANSACTION TO ADMIN;
  GRANT GATHER_SYSTEM_STATISTICS TO ADMIN WITH ADMIN OPTION;
  GRANT GLOBAL QUERY REWRITE TO ADMIN;
  GRANT GRANT ANY OBJECT PRIVILEGE TO ADMIN;
  GRANT GRANT ANY PRIVILEGE TO ADMIN;
  GRANT GRANT ANY ROLE TO ADMIN;
  GRANT HS_ADMIN_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT IMP_FULL_DATABASE TO ADMIN WITH ADMIN OPTION;
  GRANT INSERT ANY TABLE TO ADMIN;
  GRANT LOCK ANY TABLE TO ADMIN;
  GRANT LOGSTDBY_ADMINISTRATOR TO ADMIN WITH ADMIN OPTION;
  GRANT MANAGE TABLESPACE TO ADMIN;
  GRANT OEM_MONITOR TO ADMIN WITH ADMIN OPTION;
  GRANT OLAP_USER TO ADMIN WITH ADMIN OPTION;
  GRANT ON COMMIT REFRESH TO ADMIN;
  GRANT QUERY REWRITE TO ADMIN;
  GRANT QUEUE_USER_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT RECOVERY_CATALOG_OWNER TO ADMIN WITH ADMIN OPTION;
  GRANT RESOURCE TO ADMIN WITH ADMIN OPTION;
  GRANT RESTRICTED SESSION TO ADMIN;
  GRANT RESUMABLE TO ADMIN;
  GRANT SELECT ANY DICTIONARY TO ADMIN;
  GRANT SELECT ANY SEQUENCE TO ADMIN;
  GRANT SELECT ANY TABLE TO ADMIN WITH ADMIN OPTION;
  GRANT SELECT ON SYSTEM.DEF$_AQCALL TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.DEF$_CALLDEST TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.DEF$_DESTINATION TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.DEF$_ERROR TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.DEF$_LOB TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.REPCAT$_REPPROP TO ADMIN WITH GRANT OPTION;
  GRANT SELECT ON SYSTEM.REPCAT$_REPSCHEMA TO ADMIN WITH GRANT OPTION;
  GRANT SELECT_CATALOG_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT UNDER ANY TABLE TO ADMIN;
  GRANT UNDER ANY TYPE TO ADMIN;
  GRANT UNDER ANY VIEW TO ADMIN;
  GRANT UNLIMITED TABLESPACE TO ADMIN WITH ADMIN OPTION;
  GRANT UPDATE ANY TABLE TO ADMIN;
 BEGIN
 SYS.DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SYSTEM_PRIVILEGE
  (GRANTEE_NAME   => 'ADMIN', 
   PRIVILEGE_NAME => 'ADMINISTER_RESOURCE_MANAGER',
   ADMIN_OPTION   => FALSE);
END;
/

Developers may need these privileges, depending on what you use:

 GRANT OLAP_DBA TO ADMIN WITH ADMIN OPTION;
  GRANT AUTHENTICATEDUSER TO ADMIN WITH ADMIN OPTION;
  GRANT RESOURCE TO ADMIN WITH ADMIN OPTION;
  -- java privileges
  GRANT EJBCLIENT TO ADMIN WITH ADMIN OPTION;
  GRANT JAVAUSERPRIV TO ADMIN WITH ADMIN OPTION;
  GRANT JAVA_DEPLOY TO ADMIN WITH ADMIN OPTION;
  GRANT JAVADEBUGPRIV TO ADMIN WITH ADMIN OPTION;
  GRANT JAVAIDPRIV TO ADMIN WITH ADMIN OPTION;

      -- 4 Java Privileges for ADMIN 
    DECLARE
     KEYNUM NUMBER;
    BEGIN
      SYS.DBMS_JAVA.GRANT_PERMISSION(
         grantee           => 'ADMIN'
        ,permission_type   => 'SYS:java.lang.RuntimePermission'
        ,permission_name   => 'createClassLoader'
        ,permission_action => ''
        ,key               => KEYNUM
        );
    END;
    /
    DECLARE
     KEYNUM NUMBER;
    BEGIN
      SYS.DBMS_JAVA.GRANT_PERMISSION(
         grantee           => 'ADMIN'
        ,permission_type   => 'SYS:java.io.FilePermission'
        ,permission_name   => '<<ALL FILES>>'
        ,permission_action => 'execute'
        ,key               => KEYNUM
        );
    END;
    /
    DECLARE
     KEYNUM NUMBER;
    BEGIN
      SYS.DBMS_JAVA.GRANT_PERMISSION(
         grantee           => 'ADMIN'
        ,permission_type   => 'SYS:java.lang.RuntimePermission'
        ,permission_name   => 'writeFileDescriptor'
        ,permission_action => '*'
        ,key               => KEYNUM
        );
    END;
    /
    DECLARE
     KEYNUM NUMBER;
    BEGIN
      SYS.DBMS_JAVA.GRANT_PERMISSION(
         grantee           => 'ADMIN'
        ,permission_type   => 'SYS:java.lang.RuntimePermission'
        ,permission_name   => 'readFileDescriptor'
        ,permission_action => '*'
        ,key               => KEYNUM
        );
    END;
    /
  --advanced queue
  GRANT AQ_ADMINISTRATOR_ROLE TO ADMIN WITH ADMIN OPTION;
  GRANT AQ_USER_ROLE TO ADMIN WITH ADMIN OPTION;
      BEGIN
    SYS.DBMS_AQADM.GRANT_SYSTEM_PRIVILEGE (
      PRIVILEGE    => 'MANAGE_ANY',
      GRANTEE      => 'ADMIN',
      ADMIN_OPTION => TRUE);
    END;
    /
      BEGIN
    SYS.DBMS_AQADM.GRANT_SYSTEM_PRIVILEGE (
      PRIVILEGE    => 'ENQUEUE_ANY',
      GRANTEE      => 'ADMIN',
      ADMIN_OPTION => TRUE);
    END;
    /
      BEGIN
    SYS.DBMS_AQADM.GRANT_SYSTEM_PRIVILEGE (
      PRIVILEGE    => 'DEQUEUE_ANY',
      GRANTEE      => 'ADMIN',
      ADMIN_OPTION => TRUE);
    END;
    /
  -- moving data in and out
  GRANT EXP_FULL_DATABASE TO ADMIN WITH ADMIN OPTION;
  GRANT IMP_FULL_DATABASE TO ADMIN WITH ADMIN OPTION;

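  • I think "SYSTEM" is not a good choice for the default tablespace. "SYSTEM" is hard to reorganize. Using a database user for each natural person simplifies auditing and other security-related tasks (ADMIN does not appear to be such a "named" user). It is better to grant privileges to roles rather than directly to users. (2 upvotes)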
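
An added example, not part of the answer or the comment above: data dictionary queries that show what the ADMIN account from the script actually holds, followed by the role-plus-named-user layout the comment recommends. `DBA_OPS` and `JSMITH` are hypothetical names, and the privileges placed in the role are an illustrative subset taken from the script.

```sql
-- Added example, not the answer author's script. Run as a privileged account.
-- ADMIN is the account from the script above; DBA_OPS and JSMITH are hypothetical.

-- 1. Direct system privileges of ADMIN. "ANY" privileges and ADMIN OPTION
--    sort first: they are the first candidates to revoke in production.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ADMIN'
ORDER  BY CASE WHEN privilege LIKE '% ANY%' THEN 0 ELSE 1 END,
          admin_option DESC, privilege;

-- 2. Roles granted to ADMIN, and whether ADMIN can hand them on.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'ADMIN';

-- 3. Direct grants that the DBA role duplicates: revoking these has no
--    effect while ADMIN still holds DBA.
SELECT u.privilege
FROM   dba_sys_privs u
WHERE  u.grantee = 'ADMIN'
AND    EXISTS (SELECT 1 FROM dba_sys_privs r
               WHERE  r.grantee = 'DBA' AND r.privilege = u.privilege);

-- 4. Object privileges that ADMIN can pass on (WITH GRANT OPTION).
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'ADMIN' AND grantable = 'YES';

-- 5. Role plus named user, as the comment suggests. The privilege list is an
--    illustrative subset; build yours from the results of queries 1 to 4.
CREATE ROLE dba_ops;
GRANT CREATE SESSION, ALTER SESSION, SELECT ANY DICTIONARY,
      ALTER USER, MANAGE TABLESPACE TO dba_ops;

CREATE USER jsmith
  IDENTIFIED BY "&jsmith_password"   -- SQL*Plus prompts for the value
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP;
GRANT dba_ops TO jsmith;             -- no ADMIN OPTION: jsmith cannot re-grant it

-- 6. Production trim of the shared account: drop the blanket grants first.
REVOKE DBA FROM ADMIN;
REVOKE GRANT ANY PRIVILEGE FROM ADMIN;
REVOKE GRANT ANY ROLE FROM ADMIN;
```

Rerun queries 1 to 4 after step 6 to confirm what remains before revoking further.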

Lei*_*fel 5

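In theory, you should log in as a user with the fewest privileges that still allow you to get the task done. In practice, if you log in as yourself, you can maintain a better password, save time, and have more useful audit/log information. Here are the guidelines I follow: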

Only log in with an account other than your own when...

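  1. Your own account does not have sufficient privileges.
  2. You are trying to track down a problem that cannot be reproduced with your own account.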