
About with admin option and with grant option

2022-06-24 16:45:00 start. zhou

Hello, friends of Tencent cloud community .

I have been studying SQL recently, and this post looks at the difference between WITH ADMIN OPTION and WITH GRANT OPTION.

Follow me!

1. Database privilege concepts

A privilege is the permission to execute a particular SQL statement.

Database security covers system security and data security.

System privileges: gain access to the database and perform specific DDL operations (system security).

Object privileges: manipulate the contents of database objects, for example SELECT, UPDATE, INSERT (data security).

Schema (SCHEMA): a collection of objects such as tables, views, sequences and synonyms. In Oracle the schema has the same name as the user that owns it.

Privileges are given to users with the DCL statement GRANT and taken away with REVOKE.

Common user system privileges:

CREATE SESSION: create a session (log in)

CREATE TABLE: create a table

CREATE SEQUENCE: create a sequence

CREATE VIEW: create a view

CREATE PROCEDURE: create a stored procedure

WITH ADMIN OPTION is used when granting system privileges; WITH GRANT OPTION is used when granting object privileges.

Next, a small experiment shows exactly how the two kinds of delegated grant behave when the privilege is revoked.

2. The experiment

a. Environment preparation

-- Create two users with passwords, make sure the accounts are unlocked, then check their system privileges
CREATE USER a IDENTIFIED BY oracle ACCOUNT UNLOCK;
CREATE USER b IDENTIFIED BY oracle ACCOUNT UNLOCK;
-- View user permissions 
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE='A';
no rows selected
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE='B';
no rows selected
-- Newly created users hold no privileges at all

b. WITH ADMIN OPTION experiment

-- Grant CREATE SESSION to user A, with ADMIN OPTION
[email protected]:1521/ORCLPDB>GRANT CREATE SESSION TO a WITH ADMIN OPTION;
Grant succeeded.
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE='A';
G PRIVILEGE
- ----------------------------------------
A CREATE SESSION

-- Connect as A and grant CREATE SESSION on to user B
[email protected]:1521/ORCLPDB>conn a/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>GRANT CREATE SESSION TO b;
Grant succeeded.

-- Now check the privileges of A and B (query as a user with DBA privileges; here I use SYS)
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE in ('A','B');
GRANT PRIVILEGE
----- ----------------------------------------
A     CREATE SESSION
B     CREATE SESSION

-- Both A and B now hold CREATE SESSION; test that each of them can log in
[email protected]:1521/ORCLPDB>conn a/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>show user
USER is "A"
[email protected]:1521/ORCLPDB>conn b/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>show user
USER is "B"

-- A and B can both log in; now revoke the privilege from A
[email protected]:1521/ORCLPDB>REVOKE CREATE SESSION FROM A;
Revoke succeeded.
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE in ('A','B');
GRANT PRIVILEGE
----- ----------------------------------------
B     CREATE SESSION

-- A's privilege has been revoked while B's remains; test whether A and B can still log in
[email protected]:1521/ORCLPDB>conn a/[email protected]:1521/ORCLPDB
ERROR:
ORA-01045: user A lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
@>conn b/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>

We see that A's CREATE SESSION system privilege has been revoked, but B's CREATE SESSION system privilege, which A granted, has not.

c. WITH GRANT OPTION experiment

-- Grant CREATE SESSION back to A so that A can log in again
[email protected]:1521/ORCLPDB>GRANT CREATE SESSION TO a;
Grant succeeded.
[email protected]:1521/ORCLPDB>select GRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE in ('A','B');
GRANT PRIVILEGE
----- ----------------------------------------
A     CREATE SESSION
B     CREATE SESSION

-- Connect as HR and grant SELECT on EMPLOYEES to user A, this time WITH GRANT OPTION
[email protected]:1521/ORCLPDB>conn hr/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>GRANT SELECT ON  EMPLOYEES TO a WITH GRANT OPTION;
Grant succeeded.
[email protected]:1521/ORCLPDB>select GRANTOR,OWNER,TABLE_NAME,PRIVILEGE from user_tab_privs where GRANTOR ='A';

GRANTOR    OWNER      TABLE_NAME           PRIVILEGE
---------- ---------- -------------------- ----------------------------------------
A          HR         EMPLOYEES            SELECT

-- Connect as A, grant SELECT on HR.EMPLOYEES on to user B, then query the privileges of A and B
[email protected]:1521/ORCLPDB>GRANT SELECT ON HR.EMPLOYEES TO b;
Grant succeeded.

-- Connect as B and query the entries whose grantor is A
[email protected]:1521/ORCLPDB>conn b/[email protected]:1521/ORCLPDB
Connected.
[email protected]:1521/ORCLPDB>select GRANTOR,OWNER,TABLE_NAME,PRIVILEGE from user_tab_privs where GRANTOR ='A';

GRANTOR    OWNER      TABLE_NAME           PRIVILEGE
---------- ---------- -------------------- ----------------------------------------
A          HR         EMPLOYEES            SELECT

-- B now sees a SELECT privilege on HR.EMPLOYEES whose grantor is A; test that the privilege actually works
[email protected]:1521/ORCLPDB>select * from hr.employees;

-- Connect as HR and revoke SELECT on HR.EMPLOYEES from A
[email protected]:1521/ORCLPDB>REVOKE SELECT ON EMPLOYEES FROM a;
Revoke succeeded.

-- Check the privileges of A and B again
[email protected]:1521/ORCLPDB>select GRANTOR,OWNER,TABLE_NAME,PRIVILEGE from user_tab_privs where GRANTOR ='A';
no rows selected
[email protected]:1521/ORCLPDB>select GRANTOR,OWNER,TABLE_NAME,PRIVILEGE from user_tab_privs where GRANTOR ='B';
no rows selected

We see that the SELECT ON HR.EMPLOYEES privileges of both A and B have been revoked, even though HR only revoked A's.

d. Conclusion

For system privileges granted WITH ADMIN OPTION: when the system privilege is revoked from the account that received it, the system privileges that account granted onward using its ADMIN OPTION are not revoked.

For object privileges granted WITH GRANT OPTION: when the object privilege is revoked from the user that received it, the object privileges that user granted onward using its GRANT OPTION are revoked as well (a cascading revoke).
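The practical consequence of the two behaviours is that an account holding a privilege WITH ADMIN OPTION or WITH GRANT OPTION can extend access to others, and for system privileges that access outlives the original grant. The following audit queries are an added example, not part of the original post; they assume an Oracle database and a session that can read the DBA_* dictionary views (for example SYS, as used in the experiment above). They list the accounts that can pass privileges on, and the object grants that a cascading revoke would silently remove.

```sql
-- Added example (not from the original post). Assumes Oracle and a session with
-- SELECT access to the DBA_* views, e.g. SYS.

-- 1. Accounts and roles that can re-grant system privileges (WITH ADMIN OPTION).
--    Revoking the privilege from these grantees does NOT cascade to their grantees.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, privilege;

-- 2. Accounts and roles that can re-grant object privileges (WITH GRANT OPTION).
--    Revoking the privilege from these grantees DOES cascade to their grantees.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, owner, table_name, privilege;

-- 3. Object grants made by someone other than the object owner. These are the
--    delegated grants: Oracle records the grantor, so a REVOKE against the grantor
--    removes every row here that names it. In the post's experiment this query
--    would show grantor A, grantee B, HR.EMPLOYEES, SELECT until HR revoked A.
SELECT grantor, grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantor <> owner
 ORDER BY grantor, grantee, owner, table_name;
```

DBA_SYS_PRIVS has no GRANTOR column: Oracle does not record who granted a system privilege, which is why revoking CREATE SESSION from A in the experiment could not cascade to B. When retiring an account that held system privileges WITH ADMIN OPTION, the grants it made have to be found and revoked explicitly; the first query above gives the list of accounts to review.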


Copyright notice
This article was written by [start. zhou]; please include the original link when reposting. Thank you.
Original site: https://yzsam.com/2021/04/20210408175912341p.html