linuxboy823 发表于 2011-12-23 01:06

禁止用户的DDL操作

<DIV><BR>Kevin Zou<BR>2011-9-21<BR><BR>给用户赋权过大有时就是一把双刃剑,虽然可以减少DBA的操作,但如果用户操作失误,把就要DBA介入来做恢复 。合理的授权一直我们DBA倡导的,人只要做合适的事情,不要做过分的事情。<BR>一般用户就是拥有INSERT/DELETE/UPDATE 的权限,如果需要做DDL,那就交给DBA来操作好了。如何禁止用户对TABLE/INDEX等对象进行DDL的操作,有多种方法,常见的有两种:<BR>1)SCHEMA的ONWER和读写分离,就是有两个USER,其中一个USER拥有这些对象,另外一个USER只能对这些对象进行DML;<BR>2)在ORACLE 8I开始,ORACLE 允许在DDL做触发器。在对象级别加入触发器,禁止对象的修改。<BR><BR>这里只列出OPETION 2 的例子:<BR>SQL&gt; select * from v$version where rownum &lt; 2;<BR><BR>BANNER<BR>------------------------------------------------------------------------------<BR><BR>Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production<BR>SQL&gt; conn /as sysdba<BR>Connected.<BR>SQL&gt; create user kk identified by kk;<BR><BR>User created.<BR><BR>SQL&gt; grant connect,resource to kk;<BR><BR>Grant succeeded.<BR><BR>SQL&gt; conn kk/kk<BR>Connected.<BR>SQL&gt; create table test (id int);<BR><BR>Table created.<BR><BR>SQL&gt; insert into test values(100);<BR><BR>1 row created.<BR><BR>SQL&gt; commit;<BR><BR>SQL&gt; conn /as sysdba<BR>Connected.<BR><BR>SQL&gt; grant select on v_$session to kk;<BR><BR>Grant succeeded.<BR><BR>SQL&gt; grant execute on dbms_system to kk;<BR><BR>SQL&gt; CREATE or replace TRIGGER db_ddl_trigger<BR>2 before ddl on kk.schema<BR>3 declare<BR>4 n number;<BR>5 l_trace number;<BR>6<BR>7 BEGIN<BR>8 if ora_dict_obj_name() = 'TEST' then<BR>9 raise_application_error(-20001,'You can not execute ddl on '||<BR>ora_dict_obj_name );<BR>10 end if;<BR>11<BR>12 END;<BR>13<BR>14 /<BR><BR>Trigger created.<BR><BR>SQL&gt; conn kk/kk<BR>Connected.<BR>SQL&gt; alter table test add (age char(20));<BR>alter table test add (age char(20))<BR>*<BR>ERROR at line 1:<BR>ORA-00604: error occurred at recursive SQL level 1<BR>ORA-20001: You can not execute ddl on TEST<BR>ORA-06512: at line 7<BR><BR>在触发器里ora_dict_obj_name 是ORACLE 自定义的系统定义事件属性,代表Name of the dictionary object on which the DDL operation occurred.<BR>还有很多函数,详细的列表:<BR>http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adg14evt.htm<BR><BR>如果要运行用户执行DDL,怎么办? 呵呵。凉拌。。<BR>DISABLE 触发器呗。<BR>想要DISABLE这样独立的触发器,必须有ALTER TRIGGER的权限。<BR>SQL&gt; alter trigger db_ddl_trigger disable;<BR><BR>触发器已更改<BR>SQL&gt; conn /as sysdba<BR>Connected.<BR>SQL&gt; alter trigger db_ddl_trigger disable;<BR><BR>Trigger altered.<BR><BR>SQL&gt; conn kk/kk<BR>Connected.<BR>SQL&gt; alter table test add (age char(20));<BR><BR>Table altered.<BR><BR>-THE END-</DIV>
页: [1]
查看完整版本: 禁止用户的DDL操作