Oracle
Selecting from V$LOGMNR_CONTENTS fails when called from a procedure
Assume the following user is granted these privileges:
    -- create admin user on CDB
    CREATE USER c##myadmin IDENTIFIED BY myadmin
      DEFAULT TABLESPACE system
      QUOTA UNLIMITED ON system
      ACCOUNT UNLOCK
    /
    -- allow access to all PDBs to the admin user
    ALTER USER c##myadmin SET CONTAINER_DATA=ALL CONTAINER=CURRENT
    /
    -- grant needed permissions
    GRANT DBA to c##myadmin ;
    GRANT CREATE SESSION TO c##myadmin ;
    GRANT CREATE TABLE TO c##myadmin ;
    GRANT EXECUTE_CATALOG_ROLE TO c##myadmin ;
    GRANT EXECUTE ON DBMS_LOGMNR TO c##myadmin ;
    GRANT SELECT ON V_$DATABASE TO c##myadmin ;
    GRANT SELECT ON V_$LOGMNR_CONTENTS TO c##myadmin ;
    GRANT SELECT ON V_$ARCHIVED_LOG TO c##myadmin ;
    GRANT SELECT ON V_$LOG TO c##myadmin ;
    GRANT SELECT ON V_$LOGFILE TO c##myadmin ;
    GRANT RESOURCE, CONNECT TO c##myadmin ;
Now, when I connect as my admin user, I can execute the following commands:
    BEGIN
      DECLARE
        v NUMBER := 0;
      BEGIN
        DBMS_LOGMNR.ADD_LOGFILE(LogFileName=>'/path/to/archive/log/arc0000013.0001', Options=>DBMS_LOGMNR.new);
        DBMS_LOGMNR.START_LOGMNR(StartScn=>23456789, EndScn=>23567890, Options=>DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG+DBMS_LOGMNR.NO_ROWID_IN_STMT);
        select count(*) into v from v$logmnr_contents;
      END;
    END;
    /
PL/SQL procedure successfully completed.
But when it is created as a procedure, it fails with insufficient privileges:
    Create Or Replace Procedure Test AS
      v NUMBER:=0;
    BEGIN
      DBMS_LOGMNR.ADD_LOGFILE(LogFileName=>'/path/to/archive/log/arc0000013.0001', Options=>DBMS_LOGMNR.new);
      DBMS_LOGMNR.START_LOGMNR(StartScn=>23456789, EndScn=>23567890, Options=>DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG+DBMS_LOGMNR.NO_ROWID_IN_STMT);
      Select Count(*) into v from v$logmnr_contents;
    END;
    /
    Exec Test
    /
    Procedure Test compiled

    Error starting at line 9 in command -
    BEGIN Test; END;
    Error report -
    ORA-01031: insufficient privileges
    ORA-06512: at "C##MYADMIN.TEST", line 6
    ORA-06512: at line 1
    01031. 00000 - "insufficient privileges"
    *Cause: An attempt was made to perform a database operation without the necessary privileges.
    *Action: Ask your database administrator or designated security administrator to grant you the necessary privileges
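If I comment out the select, the procedure succeeds. Is there an additional privilege that would enable the select to execute from within the procedure?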
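V$LOGMNR_CONTENTS contains log history information. To query this view, you must have the LOGMINING privilege.
The LOGMINING privilege is granted to the DBA role. When an anonymous block is executed, all privileges granted to you through roles are in effect. When a stored procedure defined with the default definer's rights option is executed, privileges granted through roles are ignored. The LOGMINING privilege should be granted directly to your user:

    grant logmining to c##myadmin;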
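The role-versus-direct-grant distinction this answer describes can be checked from the session itself. The following is an added example, not part of the original answer: it uses the standard Oracle dictionary views USER_SYS_PRIVS, ROLE_SYS_PRIVS and SESSION_PRIVS, and assumes it is run as c##myadmin with the grants shown in the question.

```sql
-- Added example: diagnose whether LOGMINING is held directly or only via a role.
-- Run as c##myadmin in SQL*Plus or SQL Developer.

-- 1. System privileges granted directly to the user. Only these are in
--    effect inside a definer's-rights procedure.
SELECT privilege
FROM   user_sys_privs
WHERE  privilege = 'LOGMINING';
-- With the grants from the question: no rows.

-- 2. Roles available to this user that carry the privilege.
SELECT role, privilege
FROM   role_sys_privs
WHERE  privilege = 'LOGMINING';
-- With the grants from the question: the DBA role is listed.

-- 3. Put the session into the same privilege state the procedure runs in:
--    disable every role, then look at what is still effective.
SET ROLE NONE;

SELECT privilege
FROM   session_privs
WHERE  privilege = 'LOGMINING';
-- No rows means the anonymous block from the question is now expected to
-- fail on the SELECT with ORA-01031, exactly as the procedure does.

-- 4. Re-enable the roles granted to the user for the rest of the session.
SET ROLE ALL;

-- 5. The fix from the answer, issued by a suitably privileged account:
--    one narrowly scoped direct grant.
GRANT LOGMINING TO c##myadmin;

-- 6. Confirm: query 1 now returns a row, and the privilege survives
--    SET ROLE NONE, so the procedure can read V$LOGMNR_CONTENTS.
SELECT privilege
FROM   user_sys_privs
WHERE  privilege = 'LOGMINING';
```

Testing with `SET ROLE NONE` before wrapping code in a procedure shows which single privilege is missing, so the direct grant can stay limited to that privilege.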
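You need the ability to REFERENCE the table/view for it to be included in a precompiled program. For trial-and-error testing only, you can grant ALL privileges. However, this is a serious security risk.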