在工作中难免碰到需要提取用户权限或是不同数据库用户权限的同步问题。我们知道,Oracle数据库的任意一个用户,必须有相应的权限才可以登录以及操纵数据库对象。同时这些用户存在对象权限、系统权限以及所属用户组的情形,或这三种情况同时存在。本文首先通过脚本获取任意指定用户的所有权限,然后产生特定用户所有权限相关的DDL,最后演示了一个权限同步的例子。
有关用户角色的相关概念可参考:
Oracle 用户、对象权限、系统权限
Oracle 角色、配置文件
1、获取指定用户所有权限
--首先获取源数据库BOTST上GX_ADMIN的所有权限,我们需要将其同步到数据BO2SZ,GX_ADMIN用户下 --注,BOTST与BO2SZ具有相同的数据库结构及其对象,是两个不同的DB,就好比一个是Prod,一个是Dev环境 --环境 sys@BOTST> select * from v$version where rownum<2; BANNER ---------------------------------------------------------------- Oracle Database 10g Release 10.2.0.3.0 - 64bit Production sys@BOTST> @all_perm_specified_user Enter value for input_username: GX_ADMIN USERNAME TYPE WHAT_GRANTED --------------------------- -------------------- -------------------------------------------------------------- GX_ADMIN ObjPrivs SYS.COL$ - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_DATA_FILES - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_EXTENTS - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_FREE_SPACE - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_HIST_ACTIVE_SESS_HISTORY - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_INDEXES - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_IND_COLUMNS - SELECT (With Grant Option) GX_ADMIN ROLE DBA GX_ADMIN ROLE EXP_FULL_DATABASE GX_ADMIN ROLE IMP_FULL_DATABASE GX_ADMIN ROLE JAVAUSERPRIV GX_ADMIN SysPrivs ALTER ANY OUTLINE GX_ADMIN SysPrivs ALTER SESSION (With Admin Option) GX_ADMIN SysPrivs CREATE ANY DIRECTORY GX_ADMIN SysPrivs CREATE ANY OUTLINE GX_ADMIN SysPrivs CREATE ANY TABLE GX_ADMIN SysPrivs CREATE DATABASE LINK ....................... 480 rows selected. --获取BO2SZ数据库GX_ADMIN用户所拥有的权限 --如下所示,仅仅返回了18行记录 sys@BO2SZ> @all_perm_specified_user Enter value for input_username: GX_ADMIN USERNAME TYPE WHAT_GRANTED ---------------------------- -------------------- --------------------------------------------------------- GX_ADMIN ObjPrivs SYS.DBA_OBJECTS - SELECT GX_ADMIN ObjPrivs SYS.DBMS_DATAPUMP - EXECUTE GX_ADMIN ObjPrivs SYS.DBMS_LOCK - EXECUTE GX_ADMIN ObjPrivs SYS.DBMS_LOCK_ALLOCATED - SELECT GX_ADMIN ObjPrivs SYS.DB_DUMP_DIR - READ (With Grant Option) GX_ADMIN ObjPrivs SYS.DB_DUMP_DIR - WRITE (With Grant Option) GX_ADMIN ObjPrivs SYS.V_$LOCK - SELECT GX_ADMIN ObjPrivs SYS.V_$LOCKED_OBJECT - SELECT GX_ADMIN ObjPrivs SYS.V_$PARAMETER - SELECT GX_ADMIN ObjPrivs SYS.V_$PROCESS - SELECT GX_ADMIN ObjPrivs SYS.V_$SESSION - SELECT 11 rows selected.
2、提取用户系统权限DDL示例
--下面直接通过脚本generate_user_ddl来提取指定用户GX_ADMIN下的所有权限 sys@BO2SZ> @generate_user_ddl Enter User Name : GX_ADMIN Output filename : $LOG/sync_GX_ADMIN_BO2SZ CREATE USER "GX_ADMIN" IDENTIFIED BY VALUES '69BAB63C70A4AA28' DEFAULT TABLESPACE "GOEX_USERS_TBL" TEMPORARY TABLESPACE "GOEX_TEMP" GRANT SELECT ANY DICTIONARY TO "GX_ADMIN" WITH ADMIN OPTION GRANT DROP ANY OUTLINE TO "GX_ADMIN" GRANT ALTER ANY OUTLINE TO "GX_ADMIN" GRANT CREATE ANY OUTLINE TO "GX_ADMIN" ............... --下面是脚本输出的ddl文件 sys@BOTST> ho ls -hltr $LOG/sync_GX_ADMIN_BO2SZ* -rw-r--r-- 1 robin oinstall 37K 2013-11-04 11:49 /users/robin/dba_scripts/custom/log/sync_GX_ADMIN_BO2SZ.gen sys@BOTST> exit --下面我们将其同步到数据库BO2SZ下gx_admin robin@SZDB:~/dba_scripts/custom/sql> sqlplus sys/xxx@BO2SZ as sysdba sys@BO2SZ> @/users/robin/dba_scripts/custom/log/sync_GX_ADMIN_BO2SZ.gen CREATE USER "GX_ADMIN" IDENTIFIED BY VALUES '69BAB63C70A4AA28' -->注,生成的脚本文件执行前需要添加分号,不能直接执行 * ERROR at line 1: -->执行时由于用户存在,所有收到了冲突提示 ORA-01920: user name 'GX_ADMIN' conflicts with another user or role name Grant succeeded. Grant succeeded. Grant succeeded. --校验同步后的结果,返回480行记录 --注,如果你的DB结构或数据库对象不一致,可以存在两边结果不一样的情形 --如,原库有表tb1,gx_admin对其有DML权限,而目标库没有,则目标库执行ddl语句时会报错,提示对象不存在 --也可能目标库权限总是比原库多的情形,可以先移出目标库上指定用户的所有权限后,再同步 --Author : Leshami --Blog : http://blog.csdn.net/leshami sys@BO2SZ> @all_perm_specified_user Enter value for input_username: GX_ADMIN GX_ADMIN ObjPrivs SYS.COL$ - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_DATA_FILES - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_EXTENTS - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.DBA_FREE_SPACE - SELECT (With Grant Option) GX_ADMIN ObjPrivs SYS.V_$_LOCK - SELECT (With Grant Option) GX_ADMIN ROLE DBA GX_ADMIN ROLE EXP_FULL_DATABASE GX_ADMIN ROLE IMP_FULL_DATABASE GX_ADMIN ROLE JAVAUSERPRIV GX_ADMIN SysPrivs ALTER ANY OUTLINE GX_ADMIN SysPrivs ALTER SESSION (With Admin Option) GX_ADMIN SysPrivs CREATE ANY DIRECTORY .............. 480 rows selected.
3、查看、提取用户系统权限DDL脚本
--查看指定用户所有权限的脚本 robin@SZDB:~/dba_scripts/custom/sql> more all_perm_specified_user.sql # get all permission of specified user # file_name: all_perm_specified_user.sql # Author : Leshami set echo off set verify off set pagesize 999 set linesize 200 col type format a20 SELECT * FROM (SELECT a.username, 'ROLE' AS TYPE, b.granted_role || DECODE (admin_option, 'YES', ' (With Admin Option)', NULL) what_granted FROM sys.dba_users a, sys.dba_role_privs b WHERE a.username = b.grantee UNION SELECT a.username, 'SysPrivs' AS TYPE, b.privilege || DECODE (admin_option, 'YES', ' (With Admin Option)', NULL) what_granted FROM sys.dba_users a, sys.dba_sys_privs b WHERE a.username = b.grantee UNION SELECT a.username, 'ObjPrivs' AS TYPE, b.owner || '.' || b.table_name || ' - ' || b.privilege || DECODE (grantable, 'YES', ' (With Grant Option)', NULL) what_granted FROM sys.dba_users a, sys.dba_tab_privs b WHERE a.username = b.grantee ORDER BY 1) WHERE username = upper('&input_username'); --提取指定用户权限DDL脚本,通过Oracle自带的包dbms_metadata.get_ddl来实现 robin@SZDB:~/dba_scripts/custom/sql> more generate_user_ddl.sql -- Oracle 10g above clear screen accept uname prompt 'Enter User Name : ' accept outfile prompt ' Output filename : ' spool &&outfile..gen SET LONG 2000000 PAGESIZE 0 head off verify off feedback off linesize 180 SELECT dbms_metadata.get_ddl('USER','&&uname') FROM dual; SELECT dbms_metadata.get_granted_ddl('SYSTEM_GRANT','&&uname') from dual; SELECT dbms_metadata.get_granted_ddl('ROLE_GRANT','&&uname') from dual; SELECT dbms_metadata.get_granted_ddl('OBJECT_GRANT','&&uname') from dual; spool off --下面的脚本是通过手动方式读取数据字典来实现 robin@SZDB:~/dba_scripts/custom/sql> more generate_user_ddl_manual.sql clear screen accept uname prompt 'Enter User Name : ' accept outfile prompt ' Output filename : ' col username noprint col lne newline set heading off pagesize 0 verify off feedback off linesize 180 spool &&outfile..gen prompt -- genarate user ddl SELECT username, 'CREATE USER '||username||' '|| DECODE(password, 'EXTERNAL', 'IDENTIFIED EXTERNALLY', 'IDENTIFIED BY VALUES '''||password||''' ') lne, 'DEFAULT TABLESPACE '||default_tablespace lne, 'TEMPORARY TABLESPACE '||temporary_tablespace||';' lne FROM DBA_USERS WHERE USERNAME LIKE UPPER('%&&uname%') OR UPPER('&&uname') IS NULL ORDER BY USERNAME; SELECT username, 'ALTER USER '||username||' QUOTA '|| DECODE(MAX_BYTES, -1, 'UNLIMITED', TO_CHAR(ROUND(MAX_BYTES/1024))||'K') ||' ON '||tablespace_name||';' lne FROM DBA_TS_QUOTAS WHERE USERNAME LIKE UPPER('%&&uname%') OR UPPER('&&uname') IS NULL ORDER BY USERNAME; col grantee noprint select grantee, granted_role granted_priv, 'GRANT '||granted_role||' to '||grantee|| DECODE(ADMIN_OPTION, 'Y', ' WITH ADMIN OPTION;', ';') from dba_role_privs where grantee like upper('%&&uname%') UNION select grantee, privilege granted_priv, 'GRANT '||privilege||' to '||grantee|| DECODE(ADMIN_OPTION, 'Y', ' WITH ADMIN OPTION;', ';') from dba_sys_privs where grantee like upper('%&&uname%') order by 1, 2; spool off
更多参考
有关Oracle RAC请参考
使用crs_setperm修改RAC资源的所有者及权限
使用crs_profile管理RAC资源配置文件
RAC 数据库的启动与关闭
再说 Oracle RAC services
Services in Oracle Database 10g
Migrate datbase from single instance to Oracle RAC
Oracle RAC 连接到指定实例
Oracle RAC 负载均衡测试(结合服务器端与客户端)
Oracle RAC 服务器端连接负载均衡(Load Balance)
Oracle RAC 客户端连接负载均衡(Load Balance)
ORACLE RAC 下非缺省端口监听配置(listener.ora tnsnames.ora)
ORACLE RAC 监听配置 (listener.ora tnsnames.ora)
配置 RAC 负载均衡与故障转移
CRS-1006 , CRS-0215 故障一例
基于Linux (RHEL 5.5) 安装Oracle 10g RAC
使用 runcluvfy 校验Oracle RAC安装环境
有关Oracle 网络配置相关基础以及概念性的问题请参考:
配置非默认端口的动态服务注册
配置sqlnet.ora限制IP访问Oracle
Oracle 监听器日志配置与管理
设置 Oracle 监听器密码(LISTENER)
配置ORACLE 客户端连接到数据库
有关基于用户管理的备份和备份恢复的概念请参考
Oracle 冷备份
Oracle 热备份
Oracle 备份恢复概念
Oracle 实例恢复
Oracle 基于用户管理恢复的处理
SYSTEM 表空间管理及备份恢复
SYSAUX表空间管理及恢复
Oracle 基于备份控制文件的恢复(unsing backup controlfile)
有关RMAN的备份恢复与管理请参考
RMAN 概述及其体系结构
RMAN 配置、监控与管理
RMAN 备份详解
RMAN 还原与恢复
RMAN catalog 的创建和使用
基于catalog 创建RMAN存储脚本
基于catalog 的RMAN 备份与恢复
RMAN 备份路径困惑
使用RMAN实现异机备份恢复(WIN平台)
使用RMAN迁移文件系统数据库到ASM
linux 下RMAN备份shell脚本
使用RMAN迁移数据库到异机
有关ORACLE体系结构请参考
Oracle 表空间与数据文件
Oracle 密码文件
Oracle 参数文件
Oracle 联机重做日志文件(ONLINE LOG FILE)
Oracle 控制文件(CONTROLFILE)
Oracle 归档日志
Oracle 回滚(ROLLBACK)和撤销(UNDO)
Oracle 数据库实例启动关闭过程
Oracle 10g SGA 的自动化管理
Oracle 实例和Oracle数据库(Oracle体系结构)