DB2最小化权限问题

最新推荐文章于 2024-04-23 22:52:08 发布
最新推荐文章于 2024-04-23 22:52:08 发布
阅读量2.4k 收藏 3
点赞数
文章标签: java 数据库 mysql python linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hbhe0316/article/details/122701218
版权

—创建角色 test_write_role:具有DML操作权限 test_read_role:只读权限
db2 create role test_write_role
db2 create role test_read_role

———————————————————————-#
—给角色 test_write_role 授权
db2 grant usage on workload sysdefaultuserworkload to role test_write_role
db2 grant connect on database to role test_write_role
db2 grant bindadd on database to role test_write_role
db2 grant load on database to role test_write_role
db2 grant create_external_routine on database to role test_write_role
db2 grant createtab on database to role test_write_role
db2 grant use of tablespace userspace1 to role test_write_role
db2 grant implicit_schema on database to role test_write_role
db2 grant dataaccess on database to role test_write_role

问题:如何确定应用用户需要哪些package的执行权限?
db2 grant execute on package nullid.sqlc2j25 to role test_write_role
db2 grant execute on package nullid.syssh200 to role test_write_role
db2 grant execute on package nullid.sqlubj05 to role test_write_role
db2 grant execute on package nullid.sqlukj0b to role test_write_role
db2 grant execute on package nullid.sqlupj00 to role test_write_role
db2 grant execute on package nullid.sqlucj05 to role test_write_role
db2 grant execute on package nullid.sqluaj20 to role test_write_role
db2 grant execute on package nullid.sqlufj14 to role test_write_role
db2 grant execute on package nullid.sqluoj01 to role test_write_role
db2 grant execute on function sysproc.base_table to role test_write_role

db2 grant select on table syscat.colidentattributes to role test_write_role
db2 grant select on table sysibmadm.dbcfg to role test_write_role
db2 grant select on table sysibm.systables to role test_write_role
db2 grant select on table sysibm.sysindexes to role test_write_role
db2 grant select on table sysibm.syscolumns to role test_write_role
db2 grant select on table sysibm.dual to role test_write_role
db2 grant select on table syscat.packages to role test_write_role
db2 grant select on table syscat.columns to role test_write_role
db2 grant select on table syscat.indexcoluse to role test_write_role
db2 grant select on table syscat.sequences to role test_write_role
db2 grant select on table syscat.functions to role test_write_role
db2 grant select on table syscat.tables to role test_write_role
db2 grant select on table syscat.tabauth to role test_write_role
db2 grant select on table syscat.tbspaceauth to role test_write_role
db2 grant select on table syscat.views to role test_write_role
db2 grant select on table syscat.schemaauth to role test_write_role
db2 grant select on table syscat.sequences to role test_write_role
db2 grant select on table syscat.sequenceauth to role test_write_role
db2 grant select on table syscat.roles to role test_write_role
db2 grant select on table syscat.roleauth to role test_write_role
db2 grant select on table syscat.procedures to role test_write_role
db2 grant select on table syscat.references to role test_write_role
db2 grant select on table syscat.packages to role test_write_role
db2 grant select on table syscat.packageauth to role test_write_role

———————————————————————-#
—给角色 test_read_role 授权
db2 grant connect on database to role test_read_role
db2 grant select on table syscat.tables to role test_read_role
db2 grant select on table syscat.tabauth to role test_read_role
db2 grant select on table syscat.tbspaceauth to role test_read_role
db2 grant select on table syscat.views to role test_read_role
db2 grant select on table syscat.schemaauth to role test_read_role
db2 grant select on table syscat.sequences to role test_read_role
db2 grant select on table syscat.sequenceauth to role test_read_role
db2 grant select on table syscat.roles to role test_read_role
db2 grant select on table syscat.roleauth to role test_read_role
db2 grant select on table syscat.procedures to role test_read_role
db2 grant select on table syscat.references to role test_read_role
db2 grant select on table syscat.packages to role test_read_role
db2 grant select on table syscat.packageauth to role test_read_role
db2 grant select on table sysibm.dual to role test_read_role

———————————————————————-#
—创建模式
1)没有隐式模式权限(IMPLICIT_SCHEMA)的用户必须显示创建模式
2)没有DBADM权限的应用用户testview可以创建与用户名同名的模式testview
testview@sles11:~> db2 “create schema testview”
DB20000I The SQL command completed successfully.

—授权模式testview的权限给角色test_write_role
db2 grant createin,alterin,dropin on schema testview to role test_write_role

—理解以下两个概念很重要!
1)对象的创建者自动拥有了该对象的所有权限。
2)用户拥有模式的DML权限后,在该模式上就拥有了创建对象的权限。
3)对象包含:表,视图,索引,序列,触发器,存储过程,函数

https://www.cndba.cn/hbhe0316/article/103903

—给应用用户授权角色test_write_role
db2 grant role test_write_role to user testview

———————————————————————-#
回收创建表的权限后,使用表空间的权限也将默认回收:
db2 revoke CREATETAB on DATABASE from testview

———————————————————————#
设置应用要连接的实例的环境变量
———————————————————————#
1)DB2实例查看方法
cd /opt/IBM/db2/V10.1/instance
./db2ilist
db2inst1 #DB2的实例名其实是操作系统的一个用户名
2)查看实例 db2inst1 家目录
cat /etc/passwd|grep db2inst1
db2inst1:x:1001:1000::/home/db2inst1:/bin/bash
3)修改应用用户的 .profile
testview@sles11:~> cat >> ~/.profile < if [ -f /home/db2inst2/sqllib/db2profile ]; then
. /home/db2inst2/sqllib/db2profile
fi
EOF
———————————————————————#
END 设置应用要连接的实例的环境变量
———————————————————————#https://www.cndba.cn/hbhe0316/article/103903

—————————————————————————————————————————#
最小化权限管理实验
—————————————————————————————————————————#
—建库语句,必须用 RESTRICTIVE 参数
db2 “create database test2 on /db2data1,/db2data2,/db2data3 using codeset UTF-8 territory cn RESTRICTIVE”

—DB2数据库rest为restrict模式
db2inst2@sles11:~> db2 get db cfg |grep -i restrict
Restrict access = YES

对于没有任何权限的OS用户testview,执行如下操作报错的解决方法:

1)没有connect权限
testview@sles11:~> db2 connect to rest
SQL1060N User “testVIEW “ does not have the CONNECT privilege. SQLSTATE=08004

解决方法:db2 grant connect on database to testview

testview@sles11:~> db2 connect to rest

Database Connection Information

Database server = DB2/LINUXX8664 10.1.3
SQL authorization ID = testVIEW
Local database alias = REST

2)列出模式testview的表,没有workload权限
testview@sles11:~> db2 list tables
SQL5193N The current session user does not have usage privilege on any
enabled workloads. SQLSTATE=42524

解决方法:db2 grant usage on workload sysdefaultuserworkload to user testview

3)没有执行包NULLID.SQLC2J25权限
testview@sles11:~> db2 list tables
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLC2J25”. SQLSTATE=42501https://www.cndba.cn/hbhe0316/article/103903

解决方法:db2 GRANT EXECUTE ON PACKAGE NULLID.SQLC2J25 TO testview

4)没有视图syscat.tables的查询权限
testview@sles11:~> db2 list tables
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “SELECT” on object “SYSCAT.TABLES”. SQLSTATE=42501

解决方法:db2 grant select on table syscat.tables to user testview

通过以上4种权限:用户testview可以正常连接上rest,并可以列出模式testview下表:
testview@sles11:~> db2 list tables for schema testview

Table/View Schema Type Creation time

0 record(s) selected.

5)没有create table权限
testview@sles11:~> db2 “create table t1(id int)”
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0552N “testVIEW” does not have the privilege to perform operation “CREATE
TABLE”. SQLSTATE=42502

解决方法:db2 grant CREATETAB ON DATABASE to testview

6)没有隐式的创建模式权限:IMPLICIT CREATE SCHEMA
testview@sles11:~> db2 “create table t1(id int)”
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0552N “testVIEW” does not have the privilege to perform operation “IMPLICIT
CREATE SCHEMA”. SQLSTATE=42502

解决方法:
对于没有IMPLICIT_SCHEMA权限的用户,有两种解决办法:
1)直接授予IMPLICIT_SCHEMA权限:
db2 grant IMPLICIT_SCHEMA ON DATABASE to user testview
2)使用DBADM的用户创建testview所需要的模式,然后授权
db2 create schema s1
db2 grant createin,alterin,dropin on schema s1 to user testview

https://www.cndba.cn/hbhe0316/article/103903

7)没有表空间权限,若不指定表空间名字,默认使用表空间USERSPACE1
testview@sles11:~> db2 “create table s1.t1(id int) in userspace1”
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “CREATE TABLE” on object “USERSPACE1”. SQLSTATE=42501

解决方法: db2 grant use of TABLESPACE USERSPACE1 to testview

testview@sles11:~> db2 “create table s1.t1(id int) in userspace1”
DB20000I The SQL command completed successfully.

8)没有存储过程执行的权限
testview@sles11:~> db2 “call s1.sleep(10)”
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SYSSH200”. SQLSTATE=42501

解决方法: db2 grant execute on package NULLID.SYSSH200 to user testview

testview@sles11:~> db2 “call s1.sleep(2)”

Return Status = 0https://www.cndba.cn/hbhe0316/article/103903

9)没有export权限
testview@sles11:~> db2 “export to s1.t1.ixf of ixf messages s1.t1.msg select * from s1.t1”
SQL3020N The user does not have the authority to run the specified EXPORT
command.
testview@sles11:~> ll
total 8
drwxr-xr-x 2 testview users 4096 Feb 1 17:04 bin
-rw-r—r— 1 testview users 719 Feb 4 12:24 s1.t1.msg
testview@sles11:~> cat s1.t1.msg
SQL3015N An SQL error “-551” occurred during processing.

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLUBJ05”. SQLSTATE=42501

SQL3015N An SQL error “-551” occurred during processing.

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLUKJ0B”. SQLSTATE=42501

SQL3015N An SQL error “-551” occurred during processing.

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLUPJ00”. SQLSTATE=42501

SQL3020N The user does not have the authority to run the specified EXPORT
command.

解决方法:
db2 grant execute on package nullid.sqlubj05 to user testVIEW
db2 grant execute on package nullid.sqlukj0b to user testVIEW
db2 grant execute on package nullid.sqlupj00 to user testVIEW
db2 grant execute on package nullid.sqlucj05 to user testVIEW
db2 grant execute on package nullid.sqluaj20 to user testVIEW
db2 grant execute on function sysproc.base_table to user testVIEW
db2 grant select on table SYSCAT.COLIDENTATTRIBUTES to user testVIEW
db2 grant select on table SYSCAT.INDEXCOLUSE to user testVIEW
db2 grant select on table SYSCAT.SEQUENCES to user testVIEW
db2 grant select on table SYSIBM.SYSTABLES to user testVIEW
db2 grant select on table SYSIBM.SYSINDEXES to user testVIEW
db2 grant select on table syscat.functions to user testVIEW
db2 grant select on table sysibm.syscolumns to user testVIEW

—授予上面的权限后,最终报错:
testview@sles11:~> cat s1.t1.msg
SQL3104N The Export utility is beginning to export data to file “s1.t1.ixf”.

SQL27981W The utility could not verify presence of attached or detached data
partitions in the target table or the source table.

SQL0551N “” does not have the required authorization or privilege to perform
operation “” on object “”.

SQL3105N The Export utility has finished exporting “1” rows.https://www.cndba.cn/hbhe0316/article/103903

10)没有import权限
testview@sles11:~> db2 “import from s1.t1.ixf of ixf insert into s1.t1”
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLUFJ14”. SQLSTATE=42501

testview@sles11:~> db2 “import from s1.t1.ixf of ixf insert into s1.t1”
SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “SELECT” on object “SYSIBMADM.DBCFG”. SQLSTATE=42501

testview@sles11:~> db2 “import from s1.t1.ixf of ixf insert into s1.t1”
SQL3015N An SQL error “-551” occurred during processing.https://www.cndba.cn/hbhe0316/article/103903https://www.cndba.cn/hbhe0316/article/103903

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “EXECUTE” on object “NULLID.SQLUOJ01”. SQLSTATE=42501

testview@sles11:~> db2 “import from s1.t1.ixf of ixf insert into s1.t1”
SQL3015N An SQL error “-551” occurred during processing.

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “SELECT” on object “SYSCAT.PACKAGES”. SQLSTATE=42501

SQL3015N An SQL error “” occurred during processing.

解决方法:
db2 grant execute on package nullid.SQLUFJ14 to user testVIEW
db2 grant select on table SYSIBMADM.DBCFG to user testVIEW
db2 grant execute on package NULLID.SQLUOJ01 to user testVIEW
db2 grant select on table SYSCAT.PACKAGES to user testVIEW
db2 grant select on table SYSCAT.COLUMNS to user testVIEWhttps://www.cndba.cn/hbhe0316/article/103903

testview@sles11:~> db2 “import from s1.t1.ixf of ixf insert into s1.t1”
SQL27981W The utility could not verify presence of attached or detached data
partitions in the target table or the source table.https://www.cndba.cn/hbhe0316/article/103903

SQL3150N The H record in the PC/IXF file has product “DB2 02.00”, date
“20150204”, and time “124100”.

SQL3153N The T record in the PC/IXF file has name “s1.t1.ixf”, qualifier “”,
and source “ “.

SQL3015N An SQL error “-551” occurred during processing.

SQL0551N “testVIEW” does not have the required authorization or privilege to
perform operation “SELECT” on object “SYSCAT.COLUMNS”. SQLSTATE=42501

SQL3110N The utility has completed processing. “0” rows were read from the
input file.

版权声明:本文为博主原创文章,未经博主允许不得转载。

DB2

hbhe0316
关注
  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
db2 用户权限
weixin_30569153的博客
07-31 312
DB2数据库权限分为实例级权限(SYSADM、SYSCTRL、SYSMAINT、SYSMON)和DB2数据库权限(DBAMD、LOAD)。DB2中用户所拥有的权限主要考虑三个方面:实例级、数据库级、数据库操作级别,查看命令是db2 get authorizations。 DB2授权可分为实例级权限授权和数据库级别授权,实例级别权限必须由拥有SYS...
DB2 给指定用户授权查询功能
weixin_41326227的博客
03-23 3172
这个功能在生产环境比较常用,一般指定某个特定用户查询,在此记录一下。 grant select on table 表名 to 用户名,posrpt; 示例:db2 "grant select on table t_merch to test_user,posrpt"; 用有权限的用户直接拿到服务器执行一下即可。 ...
Linux系统安全:从面临的攻击和风险到安全加固、安全维护策略(文末有福利)
最新发布
所有成功的背后,都是痛苦的坚持,所有的痛苦,都是傻瓜般的不放弃!
04-23 2245
Nessus不同于传统的漏洞扫描软件,Nessus可同时在本机或远端上遥控,进行系统的漏洞分析扫描。PAM是Linux上的可插拨认证模块机制,通过提供一些动态链接库和一套统一的api,将系统提供的服务和该服务的认证方式分开,使得系统管理呐可以根据需要给不同的服务配置不同的认证方式而无需更改服务程序,同时也便于向系统中添加新的认证手段。umask(默认文件权限666,文件夹777) 为用户创建权限掩码,是创建文件或文件夹时默认权限的基础,用户在创建时,文件的默认权限-掩码的权限就是文件的实际权限
db2用户权限赋予
网络安全领域优质创作者
06-08 4778
id xxxsudo su - xxxxdatedb2 list db directorydb2 connect to xxxxxdb2 "select * from syscat.dbauth where grantee = 'xxx'" |tr -s " "db2 "select * from syscat.tabauth where grantee = 'xxx'" |tr -s " "db...
DB2 Client端export报错:SQL0552N "DB2CLNT" does not have the privilege to perform operation "BIND".
匿_名_用_户的专栏
08-15 5314
问题描述 新安装的db2 client端执行export操作时报错:SQL0552N  "DB2CLNT" does not have the privilege to perform operation "BIND". 其中client端版本为10.5.10, db2 server版本为10.5.8   解决过程 尝试重现问题db2 10.5.8 server上创建数据库sample...
DB2 export详解
cuigaijiao2361的博客
12-05 891
EXPORT实用程序使用SQL select语句或XQUERY语句抽取数据,并将信息放到文件中。可使用输出文件移动数据以便执行IMPORT或LOAD操作,或者将数据用于分析。 EXPORT TO filename OF ...
db2安装文档图形化
11-28
本文将详细讲解如何在图形化环境下安装 DB2,包括操作系统准备、安装环境配置、系统环境调整等关键步骤。 1. **操作系统安装** 在安装 DB2 之前,首先确保操作系统已经正确安装。根据描述中的信息,如果选择图形...
db2(DBA手册)
07-11
- 学习如何进行在线备份和热备份,以最小化数据库服务的影响。 7. **高可用性和灾难恢复**: - 掌握复制技术,如纯复制、Q Replication、Global Transaction Protocol (GTP)等,实现数据同步和故障切换。 - ...
DB2_Install_ for_linux
09-19
3. 初始化实例:`db2start` 四、创建数据库 1. 登录DB2控制中心:`db2cmd -c` 2. 创建新数据库:`db2 create database mydb` 3. 启动数据库:`db2 start db mydb` 4. 配置数据库参数,例如内存分配、日志文件位置等...
关于DB2的实用技巧
02-16
- 设置用户权限,限制对敏感数据的访问,遵循最小权限原则。 - 使用角色来组织和管理权限,方便权限的批量分配和调整。 5. **性能监控** - 使用`MONITOR`命令监控数据库性能,如CPU使用率、内存消耗、I/O等待等...
linuxDB2数据库安装教程.pdf
11-05
DB2是一款由IBM开发的关系型数据库管理系统,广泛应用于企业级数据存储和管理。在Linux环境下安装DB2...在实际操作中,可能还需要解决兼容性问题、性能优化以及错误排查等问题,这些都是DB2数据库管理的重要组成部分。
DB2_UDB_9.1_For_AIX_安装指南.doc
05-25
硬件需求方面,DB2 UDB v9.1支持IBM System p全系列硬件,最小内存要求为256MB,磁盘空间至少500MB,用于存放安装文件。对于同时运行DB2和GUI工具的系统,推荐至少1GB内存以提高性能。内存需求会根据并发客户端连接...
Linux版DataStage服务器端安装手册(支持DB2
05-26
考虑到企业级环境的安全性,应配置用户权限和访问控制,限制对DataStage资源的访问,遵循最小权限原则。 这个安装手册会详细指导每个步骤,包括可能遇到的问题及解决方法,确保在Linux环境下成功部署和运行...
DB2_400数据库设计与编程
02-02
- **第三范式(3NF)**:遵循3NF以确保数据冗余最小化,提高数据一致性和查询效率。 - **索引设计**:合理地创建索引可以显著提升查询性能,但需权衡存储空间和写入速度。 2. **SQL编程**: - **DDL(Data ...
智慧社区信息化建设设计方案报价.doc
09-27
网络管理软件提供图形化界面,便于监控和故障诊断,同时具有权限管理功能,防止误操作导致系统异常。交换机内置ACD功能,即使CTI故障也能保证语音接续和呼叫排队。 2. CTI系统: CTI中间件平台与交换机同厂,用于...
IBMDataMovementTool
01-05
4. 计划好停机时间,以最小化对业务的影响。 5. 定期备份源和目标数据库,以防意外情况。 总之,IBM Data Movement Tool是数据库管理员和IT专业人员在进行跨平台数据迁移时的重要工具,它通过自动化和优化流程,...
在C中嵌入SQL语句访问DB2数据库
超级无敌小地主
03-15 4539
SQL/C学习笔记 在C中嵌入SQL公司最近有个项目,需要在Linux下访问DB2数据库Linux在我机器上装了好几年了也没碰过,郁闷。DB2就只是听说过,没有见过。C倒是用过一段时间。于是打开百度,狗狗开搜。于是找到一部分文章,从中找了一些代码:短小,感觉适合入门。被我改了改,程序如下:#include #include #include #include "util.h"#inclu
DB2 SQL Error: SQLCODE=-805, SQLSTATE=51002
日出东方
11-01 2888
com.icitic.artery.exceptions.KeyedException: IC卡平台生成业务数据文件或请求签名文件错误!com.ibm.db2.jcc.b.SqlException: DB2 SQL Error: SQLCODE=-805, SQLSTATE=51002, SQLERRMC=NULLID.SYSLH203 0X5359534C564C3031, DRIVER=3.5...
DB2 GRANT 授权问题
热门推荐
baidu_34051990的博客
11-02 1万+
DB2 中有三种主要的安全机制,可以帮助 DBA 实现数据库安全计划:身份验证(authentication)、授权(authorization) 和特权(privilege)。 身份验证是用户在尝试访问 DB2 实例或数据库时遇到的第一种安全特性。DB2 身份验证与底层操作系统的安全特性紧密协作来检验用户 ID 和密码。DB2 还可以利用 Kerberos 这样的安全协议对用户进行身份验证。
The DB2Night Show #216 Db2 LUW Problem Determination Class
11-18
"Db2LUWProblemDeterminationandTroubleshootingWorkshop是由PavelSustr在IBM多伦多实验室主持的Db2NightShow第10季的最后一集,日期为2019年6月21日,专注于Db2 for LUW(Linux, Unix, Windows)的问题确定和故障...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值