关于数据库SCHEMA用户与应用中连接用户分离的两种方法简介及评估

Schema Owners and Application Users

In the context of this article, the schema owner represents the Oracle user that owns all your database objects, while application users are Oracle users that need access to those schema objects.

Allowing applications to make direct connections to the schema owner is a bad idea because it gives those applications far to many privileges, which can easily result in damage to your data and the objects themselves. Instead, it is better to define application users and grant those users the necessary privileges on the schema owners objects.

This article presents two methods for achieving this separation and highlights their pros and cons. For simplicities sake I've only defined two roles, but you can define as many roles as you wish, making the security as granular as you need for each type of application user.

• CURRENT_SCHEMA Approach
• Synonym Approach

CURRENT_SCHEMA Approach

This method uses the CURRENT_SCHEMA session attribute to automatically point application users to the correct schema.

First, we create the schema owner and an application user.

CONN sys/password AS SYSDBA-- Remove existing users and roles with the same names.DROP USER schema_owner CASCADE;DROP USER app_user CASCADE;DROP ROLE schema_rw_role;DROP ROLE schema_ro_role;-- Schema owner.CREATE USER schema_owner IDENTIFIED BY password  DEFAULT TABLESPACE users  TEMPORARY TABLESPACE temp  QUOTA UNLIMITED ON users;  GRANT CONNECT, CREATE TABLE TO schema_owner;-- Application user.CREATE USER app_user IDENTIFIED BY password  DEFAULT TABLESPACE users  TEMPORARY TABLESPACE temp;GRANT CONNECT TO app_user;

Notice that the application user can connect, but does not have any tablespace quotas or privileges to create objects.

Next, we create some roles to allow read-write and read-only access.

CREATE ROLE schema_rw_role;CREATE ROLE schema_ro_role;

We want to give our application user read-write access to the schema objects, so we grant the relevant role.

GRANT schema_rw_role TO app_user;

We need to make sure the application user has its default schema pointing to the schema owner, so we create an AFTER LOGON trigger to do this for us.

CREATE OR REPLACE TRIGGER app_user.after_logon_trgAFTER LOGON ON app_user.SCHEMABEGIN  DBMS_APPLICATION_INFO.set_module(USER, 'Initialized');  EXECUTE IMMEDIATE 'ALTER SESSION SET current_schema=SCHEMA_OWNER';END;/

Now we are ready to create an object in the schema owner.

CONN schema_owner/passwordCREATE TABLE test_tab (  id          NUMBER,  description VARCHAR2(50),  CONSTRAINT test_tab_pk PRIMARY KEY (id));GRANT SELECT ON test_tab TO schema_ro_role;GRANT SELECT, INSERT, UPDATE, DELETE ON test_tab TO schema_rw_role;

Notice how the privileges are granted to the relevant roles. Without this, the objects would not be visible to the application user. We now have a functioning schema owner and application user.

SQL> CONN app_user/passwordConnected.SQL> DESC test_tab Name                                                  Null?    Type ----------------------------------------------------- -------- ------------------------------------ ID                                                    NOT NULL NUMBER DESCRIPTION                                                    VARCHAR2(50)SQL>

This method is ideal where the application user is simply an alternative entry point to the main schema, requiring no objects of its own. It is clean and doesn't require management of thousands of synonyms. I don't find it very useful for developers who need to make copies or modify schema objects during development.

Synonym Approach

This method relies on synonyms owned by the application user to point to the correct location of the schema objects.

First, we create the users in a similar way to the previous example.

CONN sys/password AS SYSDBA-- Remove existing users and roles with the same names.DROP USER schema_owner CASCADE;DROP USER app_user CASCADE;DROP ROLE schema_rw_role;DROP ROLE schema_ro_role;-- Schema owner.CREATE USER schema_owner IDENTIFIED BY password  DEFAULT TABLESPACE users  TEMPORARY TABLESPACE temp  QUOTA UNLIMITED ON users;  GRANT CONNECT, CREATE TABLE TO schema_owner;-- Application user.CREATE USER app_user IDENTIFIED BY password  DEFAULT TABLESPACE users  TEMPORARY TABLESPACE temp;GRANT CONNECT, CREATE SYNONYM TO app_user;

Once again, the application user can connect, but does not have any tablespace quotas. The difference here is that the application user does have the privilege to create synonyms.

Next, we create some roles to allow read-write and read-only access and grant the read-write role to the application user.

CREATE ROLE schema_rw_role;CREATE ROLE schema_ro_role;GRANT schema_rw_role TO app_user;

Now we are ready to create an object in the schema owner in the same way we did in the previous example.

CONN schema_owner/passwordCREATE TABLE test_tab (  id          NUMBER,  description VARCHAR2(50),  CONSTRAINT test_tab_pk PRIMARY KEY (id));GRANT SELECT ON test_tab TO schema_ro_role;GRANT SELECT, INSERT, UPDATE, DELETE ON test_tab TO schema_rw_role;

If we now connect to the application user we are not able to see the object without qualifying it with a schema name. We can either proceed in this fashion, or use a synonym to point to the correct object.

SQL> CONN app_user/passwordConnected.SQL> DESC test_tabERROR:ORA-04043: object test_tab does not existSQL> DESC schema_owner.test_tab Name                                                  Null?    Type ----------------------------------------------------- -------- ------------------------------------ ID                                                    NOT NULL NUMBER DESCRIPTION                                                    VARCHAR2(50)SQL> CREATE SYNONYM test_tab FOR schema_owner.test_tab;Synonym created.SQL> DESC test_tab Name                                                  Null?    Type ----------------------------------------------------- -------- ------------------------------------ ID                                                    NOT NULL NUMBER DESCRIPTION                                                    VARCHAR2(50)SQL>

I find this method rather cumbersome due to the sheer number of synonyms required, especially when there are a large number of application users. Obviously, it is possible to use public synonyms, but this can be problematic when you have multiple application schemas on a single instance. I only use this method when I have developers who need to create their own schema objects for testing.

Hope this helps. Regards Tim...

Back to the Top.

原文链接：http://www.oracle-base.com/articles/misc/schema-owners-and-application-users.php#current_schema_approach

注意：

方法一的优点是操作简便，可以说是会话转移的方式，将当前登录用户的会话临时以对象拥有者的身份运行，只需要一个触发器，在当前用户登录时，做一次会话转移。

方法二相对方法一无优点，缺点是要管理大量的同义词，在新增对象是需要同时建同义词，否则该对象只能以schema_user.objectName的方式访问。