(一)共享和专有密码文件
与密码文件有关的参数REMOTE_LOGIN_PASSWORDFILE
- NONE: Setting this parameter to NONE causes Oracle Database to behave as if the password file does not exist. That is, no privileged connections are allowed over nonsecure connections.
- EXCLUSIVE: (The default) An EXCLUSIVE password file can be used with only one instance of one database. Only an EXCLUSIVE file can be modified. Using an EXCLUSIVE password file enables you to add, modify, and delete users. It also enables you to change the SYS password with the ALTER USER command.
例:
SQL> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
SQL> shutdonw immediate
SP2-0734: unknown command beginning "shutdonw i..." - rest of line ignored.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 217157632 bytes
Fixed Size 2211928 bytes
Variable Size 159387560 bytes
Database Buffers 50331648 bytes
Redo Buffers 5226496 bytes
Database mounted.
Database opened.
SQL> show parameter remote_login_passwordfile
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string NONE
- SHARED: A SHARED password file can be used by multiple databases running on the same server, or multiple instances of an Oracle Real Application Clusters (Oracle RAC) database. A SHARED password file cannot be modified. Therefore, you cannot add users to a SHARED password file. Any attempt to do so or to change the password of SYS or other users with the SYSDBA or SYSOPER privileges generates an error. All users needing SYSDBA or SYSOPER system privileges must be added to the password file when REMOTE_LOGIN_PASSWORDFILE is set to EXCLUSIVE. After all users are added, you can change REMOTE_LOGIN_PASSWORDFILE to SHARED, and then share the file.
修改:
SQL> alter system set remote_login_passwordfile=shared scope=spfile;
System altered.
SQL> alter user sys identified by oracle;
alter user sys identified by oracle
*
ERROR at line 1:
ORA-28046: Password change for SYS disallowed -----在此模式下是不允许修改密码的
在管理多个数据库或者RAC环境时,使用shared模式
当remote_login_passwordfile为shared或者exclusive并且密码文件丢失,与remote_login_passwordfile设置成none是等效的
(二)保持管理员的密码和数据字典同步
如果修改了sys用户的密码,使用alter user语句保持密码文件和数据字典密码的一致性
如果同步具有sysdba或者sysoper权限的非sys用户的密码,必须先revoke然后再重新grant权限
- 例:
- Find all users who have been granted the SYSDBA privilege.
SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSDBA='TRUE';
- Revoke and then re-grant the SYSDBA privilege to these users.
REVOKE SYSDBA FROM non-SYS-user;
GRANT SYSDBA TO non-SYS-user;
- Find all users who have been granted the SYSOPER privilege.
SELECT USERNAME FROM V$PWFILE_USERS WHERE USERNAME != 'SYS' AND SYSOPER='TRUE';
- Revoke and regrant the SYSOPER privilege to these users.
REVOKE SYSOPER FROM non-SYS-user;
GRANT SYSOPER TO non-SYS-user;
-
(三)在密码文件中增加用户
当给用户授予sysdba或者sysoper权限时,其用户的名字和权限信息将记录到密码文件中。
并且当remote_login_passwordfile的值为none或者shared,也或者密码文件丢失,在这3种情况下是不能授予用户sysdba和sysoper权限,会报错。
shared模式下:
SQL> grant sysdba to dsg;
grant sysdba to dsg
*
ERROR at line 1:
ORA-01999: password file cannot be updated in SHARED mode
密码文件丢失:
SQL> show parameter remote_lo
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
SQL> grant sysdba to dsg;
grant sysdba to dsg
*
ERROR at line 1:
ORA-01994: GRANT failed: password file missing or disabled
取回密码文件
[oracle@dsg2 dbs]$ mv orapwdsg02.bak orapwdsg02
SQL> grant sysdba to dsg;
Grant succeeded.
用户的sysdba或者sysoper权限被回收后用户的信息就从密码文件中删除
不要在授权的时候加with admin option!!!
(四)与密码文件相关的视图
Use the V$PWFILE_USERS view to see the users who have been granted the SYSDBA, SYSOPER, or SYSASM system privileges. The columns displayed by this view are as follows:
Column
Description
USERNAME
This column contains the name of the user that is recognized by the password file.
SYSDBA
If the value of this column is TRUE, then the user can log on with the SYSDBA system privileges.
SYSOPER
If the value of this column is TRUE, then the user can log on with the SYSOPER system privileges.
SYSASM
If the value of this column is TRUE, then the user can log on with the SYSASM system privileges.
SQL> desc v$pwfile_users
Name Null? Type
----------------------------------------- -------- ----------------------------
USERNAME VARCHAR2(30)
SYSDBA VARCHAR2(5)
SYSOPER VARCHAR2(5)
SYSASM VARCHAR2(5)
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
SQL> grant sysdba to dsg;
Grant succeeded.
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
DSG TRUE FALSE FALSE
(五)维护一个密码文件
1.扩展密码文件
Ora-1996
官方:If you receive the file full error (ORA-1996) when you try to grant SYSDBA or SYSOPER system privileges to a user, you must create a larger password file and regrant the privileges to the users.
通过V$pwfile_uses视图验证,确定后删除原来的密码文件,然后使用orapwd重建密码文件,保证entries足够,最后重新把用户加入。
2.删除密码文件
直接删除密码文件或者修改remote_login_passwordfile值为none