- Oracle Database 12c Security Cookbook
- Zoran Pavlovi? Maja Veselica
- 441字
- 2021-07-02 16:43:17
Creating and using definer's rights procedures
In this recipe, you'll learn to create and use definer's rights procedures.
Getting ready
To complete this recipe, you'll use a user who has a DBA role.
How to do it...
- Connect to the database as a user with the DBA role (for example,
zoran)SQL> connect zoran - Create two users (
procownerandprocuser) and grant them appropriate privileges:SQL> create user procowner identified by oracle1; SQL> create user procuser identified by oracle2; SQL> grant create session, create procedure to procowner; SQL> grant create session to procuser;
- Create a table called
zoran.tbland grant users privileges on this table:SQL> create table zoran.tbl(a number, b varchar2(40)); SQL> insert into zoran.tbl values(1, 'old_value'); SQL> commit; SQL> grant select on zoran.tbl to procuser; SQL> grant update on zoran.tbl to procowner;
- Connect as a user,
procowner, create a procedure to update tablezoran.tbl, and grantexecuteon this procedure to userprocuser:SQL> connect procowner/oracle1 CREATE OR REPLACE PROCEDURE UpdateTbl (x IN number, y IN varchar2) AUTHID DEFINER AS BEGIN UPDATE ZORAN.TBL SET b = y WHERE a = x; END; / SQL> grant execute on UpdateTbl to procuser;
- Connect as user
procuserand try to directly update tablezoran.tbl:SQL> connect procuser/oracle2 SQL> UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1; UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1 * ERROR at line 1: ORA-01031: insufficient privileges
- When the previous step fails, update table by using the
UpdateTblprocedure:SQL> EXEC procowner.UpdateTbl(1, 'new_value'); PL/SQL procedure successfully completed.
- Check whether the table is updated:
SQL> select * from zoran.tbl; A B ---------- ---------------------------------------- 1 new_value
How it works...
Definer's rights procedures are executed by using privileges that are granted to the owner of the procedure. In our example, we have two users: procowner - a user who is the owner of the procedure and has privilege to update table zoran.tbl and procuser - a user who just executes the procedure. In step 4, procuser creates procedure by using the AUTHID DEFINER clause, which means that this procedure will be definer's rights procedure. This is a default behavior (we can omit the AUTHID DEFINER clause). In step 5, procuser tries to update table zoran.tbl directly, but it gets an error:
SQL> UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1; UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1 * ERROR at line 1: ORA-01031: insufficient privileges
This is the expected behavior, considering that procuser doesn't have an update privilege on zoran.tbl. When procuser executes the procedure in step 6, the table is updated because the privilege of the definer is applied.
- Data Visualization with D3 4.x Cookbook(Second Edition)
- MySQL數據庫管理實戰
- Mastering phpMyAdmin 3.4 for Effective MySQL Management
- Visual Basic學習手冊
- PostgreSQL Replication(Second Edition)
- Java項目實戰精編
- 程序是怎樣跑起來的(第3版)
- Learning Unity 2D Game Development by Example
- Kotlin編程實戰:創建優雅、富于表現力和高性能的JVM與Android應用程序
- Java面向對象程序設計
- Python 3 數據分析與機器學習實戰
- 后臺開發:核心技術與應用實踐
- 監控的藝術:云原生時代的監控框架
- Java程序設計實用教程(第2版)
- Mastering Machine Learning with R