我在做wallet实验,为解决sys用户明文密码问题的时候,也在思考我们是不是可以压根就不使用sys用户呢?
从官方文档上查到相关资料,我通过做实验,验证了确实可以。新创建一个用户,赋予sysdba权限,就可以通过新用户进行备份操作,新用户虽然有sysdba权限,但是跟sys用户相比,安全级别完全不是一个等级。例如有很多视图就已经不能查询。当然,我觉得还 有必要进行优化,再细化。因为该用户依然有停止实例的权限。
尽可能少地使用SYS这样的超级用户去做常规操作,可以减少误操作的风险,给自己的db一个更加安全的Level。
我们在数据库技术上追求卓越,在数据库安全上面追求更高的水平面。
官方手册地址:
http://docs.oracle.com/cd/B28359_01/backup.111/b28270/rcmcnctg.htm#BRADV89391
测试过程:
SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 22 23:03:31 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> CREATE USER rmantest IDENTIFIED BY rmantestt
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp; 2 3
User created.
SQL>
SQL> GRANT CONNECT,RESOURCE TO rmantest;
Grant succeeded.
SQL> grant SYSDBA to rmantest;
Grant succeeded.
SQL> REVOKE UNLIMITED TABLESPACE FROM rmantest;
Revoke succeeded.
dg-primary:/oracle/product/11gR2/db/network/admin> mkstore -wrl /oracle/product/11gR2/db/network/admin/wallet -createCredential rman_connect3 rmantest "rmantestt"
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: 5
Create credential oracle.security.client.connect_string3
dg-primary:/oracle/product/11gR2/db/network/admin> mkstore -wrl /oracle/product/11gR2/db/network/admin/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: o
List credential (index: connect_string username)
3: rman_connect3 rmantest
2: rman_connect2 sys
1: rman_connect system
dg-primary:/oracle/product/11gR2/db/network/admin> vi tnsnames.ora
dg-primary:/oracle/product/11gR2/db/network/admin> sqlplus /nolog
SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 22 23:07:34 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
SQL> conn rmantest/rmantestt
Connected.
SQL> conn /@rman_connect3
Connected.
SQL> show user;
USER is "RMANTEST"
SQL> select name from v$datafile;
select name from v$datafile
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> select * from tab;
no rows selected
SQL>
SQL> conn / as sysdba
Connected.
SQL> select file_name from dba_data_files;
FILE_NAME
--------------------------------------------------------------------------------
/oracle/oradata/ebai/system01.dbf
/oracle/oradata/ebai/sysaux01.dbf
/oracle/oradata/ebai/undotbs01.dbf
/oracle/oradata/ebai/users01.dbf
/oracle/oradata/ebai/indx01.dbf
/oracle/oradata/ebai/users02.dbf
/oracle/oradata/ebai/users03.dbf
7 rows selected.
SQL> select name from v$datafile;
NAME
--------------------------------------------------------------------------------
/oracle/oradata/ebai/system01.dbf
/oracle/oradata/ebai/sysaux01.dbf
/oracle/oradata/ebai/undotbs01.dbf
/oracle/oradata/ebai/users01.dbf
/oracle/oradata/ebai/indx01.dbf
/oracle/oradata/ebai/users02.dbf
/oracle/oradata/ebai/users03.dbf
7 rows selected.
dg-primary:/oracle/product/11gR2/db/network/admin> rman target /@rman_connect3
Recovery Manager: Release 11.2.0.3.0 - Production on Sun Sep 22 23:17:16 2013
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
connected to target database: EBAI (DBID=2009644852)
RMAN> backup current controlfile tag='bak_ctlfile' format='/oracle/rman/rmantest/ctl_file_%U_%T';
Starting backup at 22-SEP-13
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=1829 device type=DISK
allocated channel: ORA_DISK_2
channel ORA_DISK_2: SID=615 device type=DISK
allocated channel: ORA_DISK_3
channel ORA_DISK_3: SID=1221 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
channel ORA_DISK_1: starting piece 1 at 22-SEP-13
channel ORA_DISK_1: finished piece 1 at 22-SEP-13
piece handle=/oracle/rman/rmantest/ctl_file_0jokhaf3_1_1_20130922 tag=BAK_CTLFILE comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:03
Finished backup at 22-SEP-13
Starting Control File and SPFILE Autobackup at 22-SEP-13
piece handle=/oracle/product/11gR2/db/dbs/c-2009644852-20130922-00 comment=NONE
Finished Control File and SPFILE Autobackup at 22-SEP-13
RMAN> backup spfile tag='spfile' format='/oracle/rman/rmantest/spfile_%U_%T';
Starting backup at 22-SEP-13
using channel ORA_DISK_1
using channel ORA_DISK_2
using channel ORA_DISK_3
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 22-SEP-13
channel ORA_DISK_1: finished piece 1 at 22-SEP-13
piece handle=/oracle/rman/rmantest/spfile_0lokhai1_1_1_20130922 tag=SPFILE comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 22-SEP-13
Starting Control File and SPFILE Autobackup at 22-SEP-13
piece handle=/oracle/product/11gR2/db/dbs/c-2009644852-20130922-01 comment=NONE
Finished Control File and SPFILE Autobackup at 22-SEP-13
___________________________________________________________________________________
版权所有,文章允许转载,但必须以链接方式注明源地址,否则追究法律责任!
Author: laven54 (lurou)
Email: laven54@163.com
Blog: http://blog.csdn.net/laven54
QQ群: 164734649 可以到群里来提问,Oracle相关的问题我都很感兴趣
扫一扫
5573
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
