Oracle
如何限制數據泵登錄到本地主機
我在 Oracle 12c 數據庫中有一個使用者,將用於執行完整的數據泵導出和導入。我想將該使用者的登錄限制為本地主機。
我試圖創建登錄觸發器:
create or replace trigger logon_trigger after logon on database declare host varchar2(50); begin host := trim(lower(sys_context('USERENV', 'HOST'))); if lower(user) = '<data pump user>' then if host <> '<hostname>' then raise_application_error(-20000, 'Login not allowed'); end if; end if; end; /我可以從審計跟踪中看到該觸發器已觸發(ORA-20000:不允許登錄),但仍允許使用者從遠端主機登錄。
此限制適用於普通使用者,但不適用於數據泵使用者。我懷疑這與角色 exp_full_database 和 imp_full_database 有關。
有什麼方法可以使這個觸發器工作還是我應該使用本地作業系統身份驗證?
ADMINISTER DATABASE TRIGGER 權限導致登錄觸發器跳過錯誤(文件 ID 265012.1)
ADMINISTER DATABASE TRIGGER Privilege Behavior with Database Logon Trigger -------------------------------------------------------------------------- Logon triggers can be used to mediate database access: when the restrictive conditions are not met, an application error with a message is raised that causes the logon to be denied. ... However, we need to keep at least one user who can still connect when there is a problem : a fallback mechanism must exist where an administrative user is exempt from such errors of a prohibited connection. Any user granted the ADMINISTER DATABASE TRIGGER system privilege can still connect : instead of getting the error causing the session to be terminated, the error is recorded in the alert.log and a trace file in user_dump_dest.和:
select * from dba_sys_privs where privilege = 'ADMINISTER DATABASE TRIGGER'; GRANTEE PRIVILEGE ADM ------------------------------ ---------------------------------------- --- WMSYS ADMINISTER DATABASE TRIGGER NO DBA ADMINISTER DATABASE TRIGGER YES SYS ADMINISTER DATABASE TRIGGER NO IMP_FULL_DATABASE ADMINISTER DATABASE TRIGGER NO所以是的,您可以嘗試本地作業系統身份驗證。