我需要授予一些开发人员特权,以便能够在Oracle数据库上调试包/过程/函数。
但是当我允许调试任何程序或调试连接会话,他/她也可以更改代码。我该如何预防呢?
解决方案是将过程的所有者与开发人员分开。我来告诉你怎么做
创建一个拥有一个过程的用户
SQL> create user test4 identified by Oracle_1234 ;
User created.
SQL> grant create table, create procedure to test4 ;
Grant succeeded.
SQL> create procedure test4.pr_test ( p1 in number )
2 is
3 begin
4 dbms_output.put_line(p1);
5 end;
6 /
Procedure created.
创建一个对过程有调试权限的用户
SQL> create user test5 identified by Oracle_1234 ;
User created.
SQL> grant debug connect session , create session to test5 ;
Grant succeeded.
SQL> grant debug on test4.pr_test to test5 ;
Grant succeeded.
现在,用户test5可以调试属于test4的程序,但是他不能执行它,不能修改它。
sqlplus test5/Oracle_1234
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Oct 6 17:04:20 2021
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.6.0.0.0
SQL> exec test4.pr_test ;
BEGIN test4.pr_test ; END;
*
ERROR at line 1:
ORA-06550: line 1, column 13:
PLS-00904: insufficient privilege to access object TEST4.PR_TEST
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
SQL> create or replace procedure test4.pr_test
2 is
3 begin
4 null;
5 end;
6 /
create or replace procedure test4.pr_test
*
ERROR at line 1:
ORA-01031: insufficient privileges
避免这种情况的最佳方法是将owners/schemas与users解耦,因此您可以授予调试,但用户将无法更改代码或执行过程。
debug any procedure是一个非常糟糕的安全实践。ANY权限不应该授予任何人,除非是绝对必要的。