oracle密码文件详解

来源:互联网 发布:真三国无双7捏脸数据 编辑:程序博客网 时间:2024/06/16 01:11

一、密码文件

   作用:主要进行DBA权限的身份认证

   DBA用户:具有sysdbasysoper权限的用户被称为dba用户。默认情况下sysdba角色中存在sys用户,sysoper角色中存在system用户

   

二、Oracle的两种认证方式;

   1.使用与操作系统集成的身份验证

   2.使用Oracle数据库的密码文件进行身份认证

 

三、密码文件的位置

   Linux下的存放位置:$ORACLE_HOME/dbs/orapw$ORACLE_SID

                 即:ORACLE_HOME/dbs/orapw<sid>

   Windows下的存放位置:$ORACLE_HOME/database/PWD%ORACLE_SID%.ora

 

   密码文件查找的顺序

   --->orapw<sid>--->orapw--->Failure

 

   两种认证方式:类似于SQL server中的windows认证和SQL server认证

   决定在两个参数中

   1.remote_login_passwordfile = none | exclusive |shared 位于$ORACLE_HOME/dbs/spfile$ORACLE_SID.ora参数文件中

      none : 不使用密码文件认证

      exclusive :要密码文件认证,自己独占使用(默认值),10G已经将其等同于shared了

      shared :要密码文件认证,不同实例dba用户可以共享密码文件

     

   2. $ORACLE_HOME/network/admin/sqlnet.ora 

      SQLNET.AUTHENTICATION_SERVICES = none | all | ntf(windows)

      none : 表示关闭操作系统认证,只能密码认证

      all : 用于linuxunix平台,关闭本机密码文件认证,采用操作系统认证,但远程<异机>可以使用密码文件认证

      nts : 用于windows平台

     

   不同的组合

     1           2

   none          none      sys用户无论是本机还是远程均不可用

  

  

四、演示:

   1.sqlnet.ora中追加SQLNET.AUTHENTICATION_SERVICES = none 

   [oracle@robinson ~]$ sqlplus /as sysdba/*登陆失败*/

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 10:41:28 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

   ERROR:

   ORA-01031: insufficient privileges

   Enter user-name:

   --------------------------------------------------------------------------------

   [oracle@robinson ~]$ sqlplus sys/redhatas sysdba/*使用密码文件认证,登陆成功*/

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 10:42:35 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

 

   Connected to:

   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- Production

   With the Partitioning, OLAPand Data Mining options

 

   SQL>

   --=================================================================================

   

   2.将SQLNET.AUTHENTICATION_SERVICES的值改为all

 

   [oracle@robinson admin]$ sqlplus /as sysdba/*采用本机认证可以登陆*/

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 10:46:55 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

 

   Connected to:

   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- Production

   With the Partitioning, OLAPand Data Mining options

 

   SQL>

   --------------------------------------------------------------------------------------

   [oracle@robinson admin]$ sqlplus sys/redhat@orclas sysdba/*使用密码文件登陆认证失败*/

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 10:48:35 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

   ERROR:

   ORA-12641: Authenticationservice failedto initialize

 

   Enter user-name:

 

   --注:此时可以使用远程登陆。 

 

   --使用#符号将新增的SQLNET.AUTHENTICATION_SERVICES行注释掉恢复到缺省值

 

   /*

五、密码文件的建立:orapwd */

   [oracle@robinson ~]$ orapwd

   Usage: orapwd file=<fname> password=<password> entries=<users> force=<y/n>

 

     where

      file - name of passwordfile(mand), /*密码文件的名字orapw<sid>*/

      password - password for SYS (mand),  /*sys用户的密码*/

      entries - maximum number of distinct DBA and /*可以有多少个sysdba,sysoper权限用户放到密码文件中去,去掉重复记录*/

                                                                                           /*注意entries中存放的个数但不是实际个数,这个是二进制数据*/  

      force - whether to overwrite existingfile (opt),/*10g新增的参数,默认值为n ,y表示允许覆盖*/

   OPERs (opt),

     There are no spaces around the equal-to(=)character.

    

   --修改密码:

   [oracle@robinson ~]$ cd $ORACLE_HOME/dbs

   [oracle@robinson dbs]$ ll orapworcl

   -rw-r----- 1 oracle oinstall 1536 Apr 7 15:50 orapworcl

   [oracle@robinson dbs]$ orapwd file=orapworcl password=oracle force=y

   [oracle@robinson dbs]$ sqlplus sys/oracle@orclas sysdba

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 11:34:09 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

 

   Connected to:

   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- Production

   With the Partitioning, OLAPand Data Mining options

 

   SQL>  

   --将密码改回原来的密码

   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat

 

   OPW-00005:Filewith samename exists - pleasedeleteor rename

   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat force=y

   [oracle@robinson dbs]$ rm orapworcl  /*删除密码文件*/

   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat/*重建密码文件*/

 

   --演示将entries改为,然后将多个用户设置为sysdbasysoper

   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat entries=1

   [oracle@robinson dbs]$ strings orapworcl

   ]/[Z

   ORACLE Remote Password file

   INTERNAL

   F7AC0C5E9C3C37AB

   E100B964899CDDDF

 

   --创建PL/SQL增加个新用户

   SQL> begin

     2  for iin 1..20 loop

     3  execute immediate'create user u'||i||' identified by u'||i||'';

     4  end loop;

     5  end;

     6  /

   --将新用户赋予sysdba角色

   PL/SQL procedure successfully completed.

 

   SQL> begin

     2  for iin 1..20 loop

     3  execute immediate'grant sysdba to u'||i||'';

     4  end loop;

     5  end;

     6  /

   begin  /*得到和密码文件相关的错误提示*/

   *

   ERROR at line 1:

   ORA-01996:GRANT failed: passwordfile''is full

   ORA-06512: at line 3

 

   --再次查看orapworcl发现多出了行,即当设置为的时候多出了个用户。原因是该密码文件是二进制文件,按矩阵计算可存放多少

   [oracle@robinson dbs]$ strings orapworcl

   ]/[Z

   ORACLE Remote Password file

   INTERNAL

   F7AC0C5E9C3C37AB

   E100B964899CDDDF

   3E81B724A296E296

   668509DF9DD36B43

   9CE6AF1E3F609FFC

   7E19965085C9ED47

 

 

   --注意不要轻易删掉密码文件,这样会将其他账户的信息也删除

 

   /*

六、导致密码文件内容修改的几种方式:

   1.使用orapwd建立,修改密码文件,不建议使用

   2.使用alter user sys identified by <>

   3.使用grant sysdba to <>grant sysoper to <>revoke sysdba |sysoper from <>

 

七、查看密码文件内容 */

 

   [oracle@robinson dbs]$ strings orapworcl

   ]/[Z

   ORACLE Remote Password file

   INTERNAL

   F7AC0C5E9C3C37AB

   E100B964899CDDDF

 

   --sys密码不记得可以使用OS系统身份认证登陆到sqlplus,再使用alter user修改密码

   SQL> alter  user sys identified by oracle;

 

   User altered

   --再次查看密码文件与上一次对比,已经发生变化

   SQL> ho strings orapworcl

   ]/[Z

   ORACLE Remote Password file

   INTERNAL

   AB27B53EDC5FEF41

   8A8F025737A9097A

 

 

   --通过授予权限来修改密码,密码文件中多出了scott的信息

   SQL> grant sysdba  to scott;

 

   Grant succeeded.

 

   SQL> ho strings orapworcl

   ]/[Z

   ORACLE Remote Password file

   INTERNAL

   AB27B53EDC5FEF41

   8A8F025737A9097A

   SCOTT

   F894844C34402B67

 

 

   --注意此处中登陆后,显示的账户信息还是sys,而不是scott,但此时的scott已经具备了sys权限

   [oracle@robinson dbs]$ sqlplus scott/tiger@orcl  as sysdba

 

   SQL*Plus: Release 10.2.0.1.0- Productionon Fri Apr 9 11:56:09 2010

 

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

 

 

   Connected to:

   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0- Production

   With the Partitioning, OLAPand Data Mining options

 

   SQL> show user

   USER is "SYS"

 

   /*

八、sysdbasysoper的区别*/

   SQL> select  * from system_privilege_map  where  namelike '%SYS%';

 

    PRIVILEGE NAME                                      PROPERTY

   ---------- ---------------------------------------- ----------

          -3 ALTER SYSTEM                                     0

          -4 AUDIT SYSTEM                                      0

         -83 SYSDBA                                                 0

         -84 SYSOPER                                             0

        

   --下面的链接是两者不同的权限说明   

   http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref137

   The manner in which you are authorizedtouse these privileges depends upon the methodof authentication that youuse.

 

   When you connect with SYSDBA or SYSOPER privileges, you connec twith adefault schema,

   not with the schema thatis generally associated with your username.

   For SYSDBA this schemai s SYS; for SYSOPER the schema isPUBLIC.

   --两者的schema不同

   SQL> show user

   USER is "SYS"

   SQL> conn /as sysoper

   Connected.

   SQL> show user

   USER is "PUBLIC"

 

   --查看密码文件视图,可以得到哪些用户为sysdba,哪些用户为sysoper

   SQL> select* from v$pwfile_users;

 

   USERNAME                       SYSDB SYSOP

   ------------------------------ ----- -----

   SYS                            TRUE  TRUE

   SCOTT                          TRUE  FALSE

   USER1                          FALSE TRUE

   --下面演示了使用不同的角色来登陆

   SQL> conn scott/tiger@orclas sysdba

   Connected.

   SQL> conn scott/tiger@orclas sysoper /*scottsysop列为false*/

   ERROR:

   ORA-01031: insufficient privileges

 

 

   Warning: You are no longer connected to ORACLE.

   SQL> conn user1/user1@orclas sysdba

   ERROR:

   ORA-01031: insufficient privileges

 

 

   SQL> conn user1/user1as sysoper

   Connected.


文章转自:http://blog.csdn.net/leshami/article/details/5611672