oracle 密码文件passwordfile-liuxiaoyin666-ChinaUnix博客

liuxiaoyin666的ChinaUnix博客

首页　| 　博文目录　| 　关于我

liuxiaoyin666

博客访问： 35607
博文数量： 16
博客积分： 0
博客等级：民兵
技术积分： 5
用户组：普通用户
注册时间： 2017-09-11 08:57

文章分类

全部博文（16）

未分配的博文（16）

文章存档

2013年（16）

我的朋友

相关博文

oracle 密码文件passwordfile

分类： Oracle

2013-05-09 14:43:32

密码文件的作用：作为DBA用户身份认证的文件
DBA用户指拥有sysdba或者sysoper权限的用户（sys，system）
身份认证有两种情况
1、操作系统认证
2、密码文件认证

密码文件的位置
$ORACLE_HOME/dbs/orapw

oracle如何判断何时使用密码文件认证和OS认证
1）、查看参数remote_login_passwordfile，此参数有3个值，分别为EXCLUSIVE,NONE,SHARED
SQL> show parameter login
NAME TYPE VALUE
------------------------------------ -------------------------------- ------------------------------
remote_login_passwordfile string EXCLUSIVE

NONE---不使用密码文件认证
EXCLUSIVE---使用密码文件认证，当前实例独有（默认）
SHARED----不同的实例可以共享密码文件（把多个实例的密码放入一个密码文件中）
2）、查看sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES = (ALL,NONE,NTS)

Values

Authentication Methods Available with Oracle Net Services:
- none for no authentication methods, including Microsoft Windows native operating system authentication. WhenSQLNET.AUTHENTICATION_SERVICES is set to none, a valid user name and password can be used to access the database.
- all for all authentication methods.
- nts for Microsoft Windows native operating system authentication.

NONE----不能使用OS认证
ALL-----都可以使用
nts---windows使用
文档里说是默认的是none，但测试感觉是ALL。不知道有没有童鞋是一样的。

建立密码文件，命令：orapwd
$orapwd
Usage: orapwd file= password= entries= force= nosysdba=
where
file - name of password file (mand),密码文件的文件名：orapw
password - password for SYS (mand),sys用户密码
entries - maximum number of distinct DBA,可以有多少DBA权限的用户
(密码文件不仅仅保存sys的密码，还有其他拥有sysdba和sysoper权限的用户)
force - whether to overwrite existing file (opt),force=y 存在也可以建立
nosysdba - whether to shut out the SYSDBA logon (opt for Database Vault only).
There are no spaces around the equal-to (=) character.
示例
orapwd file=orapwtest password=oracle force=y

哪些情况会修改密码文件
orapwd命令，重建密码文件
对sysdba，和sysoper权限进行操作

sysdba和sysoper权限的区别
查询相关视图system_privilege_map,这两个东西就是2个系统权限
SQL> select * from system_privilege_map where name like '%SYS%';
PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-3 ALTER SYSTEM 0
-4 AUDIT SYSTEM 0
-83 SYSDBA 0
-84 SYSOPER 0

SYSDBA and SYSOPER

The following operations are authorized by the SYSDBA and SYSOPER system privileges:

System Privilege	Operations Authorized
SYSDBA	Perform STARTUP and SHUTDOWN operations ALTER DATABASE: open, mount, back up, or change character set CREATE DATABASE DROP DATABASE CREATE SPFILE ALTER DATABASE ARCHIVELOG ALTER DATABASE RECOVER Includes the RESTRICTED SESSION privilege Effectively, this system privilege allows a user to connect as user SYS.
SYSOPER	Perform STARTUP and SHUTDOWN operations CREATE SPFILE ALTER DATABASE OPEN/MOUNT/BACKUP ALTER DATABASE ARCHIVELOG ALTER DATABASE RECOVER (Complete recovery only. Any form of incomplete recovery, such as UNTIL TIME\|CHANGE\|CANCEL\|CONTROLFILE requires connecting as SYSDBA.) Includes the RESTRICTED SESSION privilege This privilege allows a user to perform basic operational tasks, but without the ability to look at user data.

System Privilege

Operations Authorized

SYSDBA

Perform STARTUP and SHUTDOWN operations
ALTER DATABASE: open, mount, back up, or change character set
CREATE DATABASE
DROP DATABASE
CREATE SPFILE
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER
Includes the RESTRICTED SESSION privilege

Effectively, this system privilege allows a user to connect as user SYS.

SYSOPER

Perform STARTUP and SHUTDOWN operations
CREATE SPFILE
ALTER DATABASE OPEN/MOUNT/BACKUP
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER (Complete recovery only. Any form of incomplete recovery, such as UNTIL TIME|CHANGE|CANCEL|CONTROLFILE requires connecting as SYSDBA.)
Includes the RESTRICTED SESSION privilege

This privilege allows a user to perform basic operational tasks, but without the ability to look at user data.

The manner in which you are authorized to use these privileges depends upon the method of authentication that you use.

When you connect with SYSDBA or SYSOPER privileges, you connect with a default schema, not with the schema that is generally associated with your username. For SYSDBA this schema is SYS; for SYSOPER the schema is PUBLIC.

看官方的文档发现，sysoper权限不包括：修改字符集和不完全恢复的操作，其实还有很多系统视图是不能查看的
另外登陆的默认用户不一致，sysdba默认登陆用户为sys，sysoper默认登陆用户为public。

怎用查看密码文件有哪些用户对应拥有哪些权限
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE

阅读(3271) | 评论(0) | 转发(0) |

上一篇：oracle_误删参数文件后的惨痛经历

下一篇：oracle_启动过程分析

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6