Problem

I tried to grant CONNECT to a user through a role:

CREATE ROLE my_role IDENTIFIED BY "passwd";
GRANT CONNECT TO my_role;

CREATE USER my_user IDENTIFIED BY "passwd";
GRANT my_role TO my_user;

When I try this in 10g it works fine, while in 11g login is rejected:

ORA-01045:user MY_USER lacks CREATE SESSION privilege; logon denied

Granting CREATE SESSION to the role does not make a difference.
I can only login after directly granting CONNECT (or CREATE SESSION) to the user.

Has Oracle changed this behavior or am I doing something wrong?


Solution

I think you might have gotten away with a security "feature" in 10g. The way I read the SQL Reference and Security Guide for 11g indicates that password-enabled roles require the use of the SET ROLE my_role IDENTIFIED BY passwd before any rights granted by that role are effective.

You can't CREATE SESSION until you have the role, and you can't have the role until you issue SET ROLE.

Catch-22.

Other tips

Oracle Knowledge Base [ID 745407.1] explains this.

The DEFAULT clause in the:

alter user default roles ; specifies the roles granted by default to the user at logon. This clause can contain only roles that have been granted directly to the user with a GRANT statement, or roles created by the user with the CREATE ROLE privilege. You cannot use the DEFAULT ROLE clause to enable:

  1. Roles not granted to the user

  2. Roles granted through other roles

  3. Roles managed by an external service (such as the operating system), or by the Oracle Internet Directory

  4. Roles that are password authenticated

  5. Roles that are implemented as secure application roles

For password authenticated roles, the change has been introduced in version 10.2.0.5 and 11.1.0.7. For secure application roles, the change has been introduced in the Oracle releases 10.2.0.4 and 11.1.0.7. These changes will apply to all future releases. The above mentioned restrictions will be introduced in the future documentation.

One can easily turn the password enabled roles into standard roles by running the script resulting from:

select 'alter role '||role||' not identified;' from dba_roles where password_required='YES' and role not in (select role from dba_application_roles);

Activating default roles (granted to a user as Default) which are also password protected changed in Oracle 10g, version 10.2.0.5 (at least for our copy). In release 10.2.0.5, a password protected role would no longer become activated by default. It had to be specifically turned on with the appropriate password.

This was not documented as far as we could tell. But when our systems were upgraded from 10.2.0.4 to 10.2.0.5, this change broke several of our systems, and we had to create parallel non-protected roles for our functional accounts which did not have any mechanism to activate default roles. We basically created old_role_batch with no password as a copy of old_role which was password protected.
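As an added example (not part of either answer), the following Oracle SQL script reproduces the behaviour described in the solution, audits for accounts whose only CREATE SESSION path is a password-protected role, and applies the parallel "batch role" remediation from the second answer instead of stripping passwords from every role. The names my_role, my_user and passwd come from the question; my_role_batch is an assumed name.

```sql
-- Added example, not from the original answers. Assumes a DBA session.
-- Names my_role / my_user / "passwd" are the question's; my_role_batch is assumed.

-- 1. Reproduce: CREATE SESSION reachable only through a password-protected role.
CREATE ROLE my_role IDENTIFIED BY "passwd";
GRANT CREATE SESSION TO my_role;
CREATE USER my_user IDENTIFIED BY "passwd";
GRANT my_role TO my_user;
-- From 10.2.0.5 / 11.1.0.7 onward the role is not enabled at logon, so my_user
-- is refused with ORA-01045. A role needing a password can only be enabled by
-- an already-connected session:
SET ROLE my_role IDENTIFIED BY "passwd";
SELECT role FROM session_roles;   -- lists MY_ROLE only after the SET ROLE above

-- 2. Audit: users who would be locked out, i.e. every grantee whose CREATE SESSION
--    comes solely from a password-required role (secure application roles also
--    report PASSWORD_REQUIRED = 'YES', as the answer's own query relies on).
--    Note: this checks one level of role nesting only.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_roles      r  ON r.role = rp.granted_role
JOIN   dba_sys_privs  sp ON sp.grantee = r.role
                        AND sp.privilege = 'CREATE SESSION'
WHERE  r.password_required = 'YES'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_sys_privs d
                   WHERE  d.grantee   = rp.grantee
                   AND    d.privilege = 'CREATE SESSION')
ORDER  BY rp.grantee, rp.granted_role;

-- 3. Remediate with least change: keep my_role password-protected for its
--    other privileges, and carry the logon privilege on a non-password role
--    that is enabled by default (the "old_role_batch" approach above).
CREATE ROLE my_role_batch;
GRANT CREATE SESSION TO my_role_batch;
GRANT my_role_batch TO my_user;
ALTER USER my_user DEFAULT ROLE my_role_batch;
-- my_user can now log on; my_role still requires SET ROLE ... IDENTIFIED BY.
```

Run the audit query before an upgrade to 10.2.0.5 or 11.1.0.7 so affected functional accounts can be fixed ahead of time rather than discovered as logon failures afterwards.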

License: CC-BY-SA with attribution
Not affiliated with StackOverflow