Oracle password file explained in detail

I. The password file

   Purpose: mainly used to authenticate identities that hold DBA privileges.

   DBA users: users holding the sysdba or sysoper privilege are called DBA users. By default the sys user is in the sysdba role and the system user is in the sysoper role.

II. Oracle's two authentication methods

   1. Authentication integrated with the operating system
   2. Authentication using the Oracle database password file

III. Location of the password file

   Location on Linux:   $ORACLE_HOME/dbs/orapw$ORACLE_SID
                        i.e. $ORACLE_HOME/dbs/orapw<sid>
   Location on Windows: $ORACLE_HOME/database/PWD%ORACLE_SID%.ora

   Lookup order for the password file:
   ---> orapw<sid> ---> orapw ---> failure

   The two authentication methods are analogous to Windows authentication and SQL Server authentication in SQL Server.
   Which one applies is decided by two parameters:

   1. remote_login_passwordfile = none | exclusive | shared, set in the parameter file $ORACLE_HOME/dbs/spfile$ORACLE_SID.ora
      none      : password file authentication is not used
      exclusive : password file authentication is used and the file is used exclusively by this instance (the default); 10g already treats it the same as shared
      shared    : password file authentication is used and DBA users of different instances can share the password file

   2. $ORACLE_HOME/network/admin/sqlnet.ora
      SQLNET.AUTHENTICATION_SERVICES = none | all | nts (Windows)
      none : turns off operating system authentication; only password authentication is possible
      all  : used on Linux/Unix platforms; turns off local password file authentication and uses OS authentication, but remote (other-host) connections can still use password file authentication
      nts  : used on the Windows platform

   Different combinations:

     1 (remote_login_passwordfile)   2 (SQLNET.AUTHENTICATION_SERVICES)   effect
     none                            none                                 the sys user cannot connect, neither locally nor remotely
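Added example, not code from the original post: a small Python audit helper that reads the two settings above from constructed sqlnet.ora and parameter-file fragments and reports which SYS connection paths remain open, applying the rules stated in this section. The file contents, function names and the treatment of an absent setting as Oracle's default are assumptions.

```python
import re

# Constructed sample fragments (not from the original post).
SQLNET_SAMPLE = """
# sqlnet.ora
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES = (none)
"""

PFILE_SAMPLE = """
# init<sid>.ora
*.remote_login_passwordfile='none'
"""


def read_param(text, name, default):
    """Return the value of NAME = VALUE from an Oracle-style parameter file,
    ignoring case, an optional '*.' scope prefix, quotes and parentheses.
    Lines starting with '#' are comments and never match."""
    pat = re.compile(r"^\s*(?:\*\.)?" + re.escape(name) + r"\s*=\s*(.+?)\s*$",
                     re.IGNORECASE | re.MULTILINE)
    m = pat.search(text)
    if not m:
        return default
    return m.group(1).strip("()'\" ").lower()


def audit_sys_access(sqlnet_text, pfile_text):
    """Derive which SYSDBA/SYSOPER connection paths stay open, using the
    rules from the post: exclusive/shared enable password file auth;
    'all' (or 'nts' on Windows) enables OS auth and 'all' also closes the
    local password file path; 'none' disables OS auth; an absent setting
    is treated as Oracle's default, where both paths work (assumption)."""
    pwfile = read_param(pfile_text, "remote_login_passwordfile", "exclusive")
    svc = read_param(sqlnet_text, "sqlnet.authentication_services", "default")
    pwfile_auth = pwfile in ("exclusive", "shared")
    os_auth = svc in ("all", "nts", "default")
    local_pwfile = pwfile_auth and svc != "all"
    return {
        "remote_login_passwordfile": pwfile,
        "authentication_services": svc,
        "os_auth": os_auth,
        "local_pwfile": local_pwfile,
        "sys_local": os_auth or local_pwfile,
        "sys_remote": pwfile_auth,
        "locked_out": not (os_auth or pwfile_auth),  # the none/none row above
    }


if __name__ == "__main__":
    for key, value in audit_sys_access(SQLNET_SAMPLE, PFILE_SAMPLE).items():
        print(f"{key:28} {value}")
```

Running it on the constructed samples reproduces the none/none row of the table: SYS is locked out both locally and remotely.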

IV. Demonstration

   1. Append SQLNET.AUTHENTICATION_SERVICES = none to sqlnet.ora

   [oracle@robinson ~]$ sqlplus / as sysdba    /* login fails */

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:41:28 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   ERROR:
   ORA-01031: insufficient privileges

   Enter user-name:
   --------------------------------------------------------------------------------
   [oracle@robinson ~]$ sqlplus sys/redhat as sysdba    /* password file authentication, login succeeds */

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:42:35 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   Connected to:
   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
   With the Partitioning, OLAP and Data Mining options

   SQL>
   --=================================================================================

   2. Change the value of SQLNET.AUTHENTICATION_SERVICES to all

   [oracle@robinson admin]$ sqlplus / as sysdba    /* local OS authentication works */

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:46:55 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   Connected to:
   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
   With the Partitioning, OLAP and Data Mining options

   SQL>
   --------------------------------------------------------------------------------------
   [oracle@robinson admin]$ sqlplus sys/redhat@orcl as sysdba    /* login with password file authentication fails */

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:48:35 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   ERROR:
   ORA-12641: Authentication service failed to initialize

   Enter user-name:

   -- Note: remote login can still be used at this point.

   -- Comment out the added SQLNET.AUTHENTICATION_SERVICES line with a # to restore the default value.

V. Creating the password file: orapwd

   [oracle@robinson ~]$ orapwd
   Usage: orapwd file=<fname> password=<password> entries=<users> force=<y/n>

     where
      file - name of password file (mand),              /* name of the password file, orapw<sid> */
      password - password for SYS (mand),               /* password of the sys user */
      entries - maximum number of distinct DBA and      /* how many users with sysdba/sysoper privileges can be placed in the password file, duplicates removed */
      OPERs (opt),                                      /* note: the number in entries is not the actual number of slots stored; the file is binary data */
      force - whether to overwrite existing file (opt), /* parameter added in 10g; default n, y allows overwriting */
     There are no spaces around the equal-to (=) character.

   -- Changing the password:
   [oracle@robinson ~]$ cd $ORACLE_HOME/dbs
   [oracle@robinson dbs]$ ll orapworcl
   -rw-r----- 1 oracle oinstall 1536 Apr 7 15:50 orapworcl
   [oracle@robinson dbs]$ orapwd file=orapworcl password=oracle force=y
   [oracle@robinson dbs]$ sqlplus sys/oracle@orcl as sysdba

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 11:34:09 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   Connected to:
   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
   With the Partitioning, OLAP and Data Mining options

   SQL>
   -- Change the password back to the original one
   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat

   OPW-00005: File with same name exists - please delete or rename
   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat force=y
   [oracle@robinson dbs]$ rm orapworcl    /* delete the password file */
   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat    /* recreate the password file */

   -- Demonstrate changing entries, then making several users sysdba/sysoper
   [oracle@robinson dbs]$ orapwd file=orapworcl password=redhat entries=1
   [oracle@robinson dbs]$ strings orapworcl
   ]/[Z
   ORACLE Remote Password file
   INTERNAL
   F7AC0C5E9C3C37AB
   E100B964899CDDDF

   -- Create new users with a PL/SQL block
   SQL> begin
     2  for i in 1..20 loop
     3  execute immediate 'create user u'||i||' identified by u'||i||'';
     4  end loop;
     5  end;
     6  /

   PL/SQL procedure successfully completed.

   -- Grant the new users the sysdba role
   SQL> begin
     2  for i in 1..20 loop
     3  execute immediate 'grant sysdba to u'||i||'';
     4  end loop;
     5  end;
     6  /
   begin    /* an error related to the password file is raised */
   *
   ERROR at line 1:
   ORA-01996: GRANT failed: password file '' is full
   ORA-06512: at line 3

   -- Looking at orapworcl again, extra lines have appeared: with that entries setting, more users fit than the value suggests. The reason is that the password file is a binary file, and how many users it can hold is calculated as a matrix of slots.
   [oracle@robinson dbs]$ strings orapworcl
   ]/[Z
   ORACLE Remote Password file
   INTERNAL
   F7AC0C5E9C3C37AB
   E100B964899CDDDF
   3E81B724A296E296
   668509DF9DD36B43
   9CE6AF1E3F609FFC
   7E19965085C9ED47

   -- Note: do not delete the password file casually; doing so also removes the information of the other accounts.

VI. Ways in which the contents of the password file get modified:
   1. Creating or modifying the password file with orapwd (not recommended)
   2. Using alter user sys identified by <password>
   3. Using grant sysdba to <user>, grant sysoper to <user>, revoke sysdba | sysoper from <user>

VII. Viewing the contents of the password file

   [oracle@robinson dbs]$ strings orapworcl
   ]/[Z
   ORACLE Remote Password file
   INTERNAL
   F7AC0C5E9C3C37AB
   E100B964899CDDDF

   -- If the sys password has been forgotten, log in to sqlplus with OS authentication and then change the password with alter user
   SQL> alter user sys identified by oracle;

   User altered.
   -- Look at the password file again and compare with the previous output: it has changed
   SQL> ho strings orapworcl
   ]/[Z
   ORACLE Remote Password file
   INTERNAL
   AB27B53EDC5FEF41
   8A8F025737A9097A

   -- Modify the file by granting a privilege: scott's information now appears in the password file
   SQL> grant sysdba to scott;

   Grant succeeded.

   SQL> ho strings orapworcl
   ]/[Z
   ORACLE Remote Password file
   INTERNAL
   AB27B53EDC5FEF41
   8A8F025737A9097A
   SCOTT
   F894844C34402B67

   -- Note that after logging in here, the account shown is still sys rather than scott, yet scott now has sys privileges
   [oracle@robinson dbs]$ sqlplus scott/tiger@orcl as sysdba

   SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 11:56:09 2010

   Copyright (c) 1982, 2005, Oracle. All rights reserved.

   Connected to:
   Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
   With the Partitioning, OLAP and Data Mining options

   SQL> show user
   USER is "SYS"

VIII. The difference between sysdba and sysoper
   SQL> select * from system_privilege_map where name like '%SYS%';

    PRIVILEGE NAME                                       PROPERTY
   ---------- ---------------------------------------- ----------
           -3 ALTER SYSTEM                                      0
           -4 AUDIT SYSTEM                                      0
          -83 SYSDBA                                            0
          -84 SYSOPER                                           0

   -- The following link describes how the privileges of the two differ
   http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref137
   The manner in which you are authorized to use these privileges depends upon the method of authentication that you use.

   When you connect with SYSDBA or SYSOPER privileges, you connect with a default schema,
   not with the schema that is generally associated with your username.
   For SYSDBA this schema is SYS; for SYSOPER the schema is PUBLIC.
   -- The two have different schemas
   SQL> show user
   USER is "SYS"
   SQL> conn / as sysoper
   Connected.
   SQL> show user
   USER is "PUBLIC"

   -- Query the password file view to see which users are sysdba and which are sysoper
   SQL> select * from v$pwfile_users;

   USERNAME                       SYSDB SYSOP
   ------------------------------ ----- -----
   SYS                            TRUE  TRUE
   SCOTT                          TRUE  FALSE
   USER1                          FALSE TRUE
   -- The following demonstrates logging in with the different roles
   SQL> conn scott/tiger@orcl as sysdba
   Connected.
   SQL> conn scott/tiger@orcl as sysoper    /* scott's SYSOP column is FALSE */
   ERROR:
   ORA-01031: insufficient privileges

   Warning: You are no longer connected to ORACLE.
   SQL> conn user1/user1@orcl as sysdba
   ERROR:
   ORA-01031: insufficient privileges

   SQL> conn user1/user1 as sysoper
   Connected.


Article reposted from: http://blog.csdn.net/leshami/article/details/5611672
