Oracle

Selecting from V$LOGMNR_CONTENTS fails when called from a procedure

  • January 19, 2021

Assume the following user is granted these privileges:

-- create admin user on CDB
CREATE USER c##myadmin IDENTIFIED BY myadmin DEFAULT TABLESPACE system QUOTA UNLIMITED ON system ACCOUNT UNLOCK
/
-- allow access to all PDBs to the admin user
ALTER USER c##myadmin SET CONTAINER_DATA=ALL CONTAINER=CURRENT
/ 
-- grant needed permissions
GRANT DBA to c##myadmin                            ;
GRANT CREATE SESSION TO c##myadmin                 ;
GRANT CREATE TABLE TO c##myadmin                   ;
GRANT EXECUTE_CATALOG_ROLE TO c##myadmin           ;
GRANT EXECUTE ON DBMS_LOGMNR TO c##myadmin         ;
GRANT SELECT ON V_$DATABASE TO c##myadmin          ;
GRANT SELECT ON V_$LOGMNR_CONTENTS TO c##myadmin   ;
GRANT SELECT ON V_$ARCHIVED_LOG TO c##myadmin      ;
GRANT SELECT ON V_$LOG TO c##myadmin               ;
GRANT SELECT ON V_$LOGFILE TO c##myadmin           ;
GRANT RESOURCE, CONNECT TO c##myadmin              ;

Now, when I connect as my admin user, I can execute the following command:

BEGIN 
 DECLARE v NUMBER := 0;
BEGIN
 DBMS_LOGMNR.ADD_LOGFILE(LogFileName=>'/path/to/archive/log/arc0000013.0001', Options=>DBMS_LOGMNR.new);
 DBMS_LOGMNR.START_LOGMNR(StartScn=>23456789, EndScn=>23567890,  Options=>DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG+DBMS_LOGMNR.NO_ROWID_IN_STMT);
 select count(*) into v from v$logmnr_contents;
END;
END;
/
PL/SQL procedure successfully completed.

But when it is created as a procedure, it fails with insufficient privileges:

Create Or Replace Procedure Test AS
v NUMBER:=0;
BEGIN
DBMS_LOGMNR.ADD_LOGFILE(LogFileName=>'/path/to/archive/log/arc0000013.0001', Options=>DBMS_LOGMNR.new);
DBMS_LOGMNR.START_LOGMNR(StartScn=>23456789, EndScn=>23567890,  Options=>DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG+DBMS_LOGMNR.NO_ROWID_IN_STMT); 
Select Count(*) into v from v$logmnr_contents;
END;
/
Exec Test
/
Procedure Test compiled


Error starting at line 9 in command -
BEGIN Test; END;
Error report - 
ORA-01031: insufficient privileges
ORA-06512: at "C##MYADMIN.TEST", line 6
ORA-06512: at line 1
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
          the necessary privileges.
*Action:   Ask your database administrator or designated security
          administrator to grant you the necessary privileges

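If I comment out the select, the procedure succeeds.

Is there an additional privilege that enables the select to be executed from within the procedure?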

V$LOGMNR_CONTENTS

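V$LOGMNR_CONTENTS contains log history information. To query this view, you must have the LOGMINING privilege.

The LOGMINING privilege is granted to the DBA role. When an anonymous block is executed, all privileges granted to you through roles are in effect. When a stored procedure defined with the default definer's rights option is executed, privileges granted through roles are ignored. The LOGMINING privilege should be granted directly to your user: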

grant logmining to c##myadmin;

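You need the ability to REFERENCE the table/view for it to be included in a precompiled program.

Just for trial-and-error testing, you can grant the ALL privilege. However, this is a serious security risk.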
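
As an alternative to granting ALL, the following added example (not part of the original question or answers) lists whether a system privilege reaches the user directly or only through a role, then disables roles in the session to reproduce the conditions a definer's rights procedure runs under. It assumes the user name c##myadmin from the question and a session that can read DBA_SYS_PRIVS and DBA_ROLE_PRIVS.

```sql
-- Added example: direct vs. role-only system privileges for one user.
-- A privilege with GRANTED_DIRECTLY = 'NO' is ignored inside a
-- definer's rights procedure, even though anonymous blocks can use it.
WITH role_tree AS (
  -- every role reachable from the user, including roles granted to roles
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START WITH grantee = 'C##MYADMIN'
  CONNECT BY PRIOR granted_role = grantee
),
via_role AS (
  SELECT DISTINCT privilege
  FROM   dba_sys_privs
  WHERE  grantee IN (SELECT granted_role FROM role_tree)
),
direct AS (
  SELECT DISTINCT privilege
  FROM   dba_sys_privs
  WHERE  grantee = 'C##MYADMIN'
)
SELECT p.privilege,
       CASE WHEN d.privilege IS NOT NULL THEN 'YES' ELSE 'NO' END AS granted_directly,
       CASE WHEN r.privilege IS NOT NULL THEN 'YES' ELSE 'NO' END AS granted_via_role
FROM   (SELECT privilege FROM direct
        UNION
        SELECT privilege FROM via_role) p
LEFT JOIN direct   d ON d.privilege = p.privilege
LEFT JOIN via_role r ON r.privilege = p.privilege
WHERE  p.privilege = 'LOGMINING'   -- remove this filter to audit every privilege
ORDER  BY p.privilege;

-- Reproduce the procedure's privilege set in an interactive session:
-- with all roles disabled, only directly granted privileges remain.
SET ROLE NONE;

-- Should return 0 rows while roles are disabled.
SELECT role FROM session_roles;

-- Re-run the anonymous block from the question here. If it now fails,
-- the missing privilege is one that was held only through a role.

-- Restore the session's roles afterwards.
SET ROLE ALL;
```

Granting only the single privilege that shows GRANTED_DIRECTLY = 'NO' keeps the procedure working without widening the account's rights further.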

Quoted from: https://dba.stackexchange.com/questions/283558