- Oracle Database 12c Security Cookbook
- Zoran Pavlovi? Maja Veselica
- 441字
- 2021-07-02 16:43:17
Creating and using definer's rights procedures
In this recipe, you'll learn to create and use definer's rights procedures.
Getting ready
To complete this recipe, you'll use a user who has a DBA role.
How to do it...
- Connect to the database as a user with the DBA role (for example,
zoran)SQL> connect zoran - Create two users (
procownerandprocuser) and grant them appropriate privileges:SQL> create user procowner identified by oracle1; SQL> create user procuser identified by oracle2; SQL> grant create session, create procedure to procowner; SQL> grant create session to procuser;
- Create a table called
zoran.tbland grant users privileges on this table:SQL> create table zoran.tbl(a number, b varchar2(40)); SQL> insert into zoran.tbl values(1, 'old_value'); SQL> commit; SQL> grant select on zoran.tbl to procuser; SQL> grant update on zoran.tbl to procowner;
- Connect as a user,
procowner, create a procedure to update tablezoran.tbl, and grantexecuteon this procedure to userprocuser:SQL> connect procowner/oracle1 CREATE OR REPLACE PROCEDURE UpdateTbl (x IN number, y IN varchar2) AUTHID DEFINER AS BEGIN UPDATE ZORAN.TBL SET b = y WHERE a = x; END; / SQL> grant execute on UpdateTbl to procuser;
- Connect as user
procuserand try to directly update tablezoran.tbl:SQL> connect procuser/oracle2 SQL> UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1; UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1 * ERROR at line 1: ORA-01031: insufficient privileges
- When the previous step fails, update table by using the
UpdateTblprocedure:SQL> EXEC procowner.UpdateTbl(1, 'new_value'); PL/SQL procedure successfully completed.
- Check whether the table is updated:
SQL> select * from zoran.tbl; A B ---------- ---------------------------------------- 1 new_value
How it works...
Definer's rights procedures are executed by using privileges that are granted to the owner of the procedure. In our example, we have two users: procowner - a user who is the owner of the procedure and has privilege to update table zoran.tbl and procuser - a user who just executes the procedure. In step 4, procuser creates procedure by using the AUTHID DEFINER clause, which means that this procedure will be definer's rights procedure. This is a default behavior (we can omit the AUTHID DEFINER clause). In step 5, procuser tries to update table zoran.tbl directly, but it gets an error:
SQL> UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1; UPDATE ZORAN.TBL SET B = 'value1' WHERE A = 1 * ERROR at line 1: ORA-01031: insufficient privileges
This is the expected behavior, considering that procuser doesn't have an update privilege on zoran.tbl. When procuser executes the procedure in step 6, the table is updated because the privilege of the definer is applied.
- 極簡算法史:從數學到機器的故事
- JavaScript全程指南
- Learning Cython Programming(Second Edition)
- Modular Programming with Python
- Angular UI Development with PrimeNG
- JavaScript修煉之道
- 軟件架構設計:大型網站技術架構與業務架構融合之道
- 云原生Spring實戰
- 編譯系統透視:圖解編譯原理
- MySQL數據庫基礎實例教程(微課版)
- 高級語言程序設計(C語言版):基于計算思維能力培養
- 軟件測試技術指南
- Node.js開發指南
- INSTANT Silverlight 5 Animation
- Mastering Concurrency Programming with Java 9(Second Edition)