简体繁体 English

开发人员应在Dev数据库实例中拥有哪些权限

[英]What permissions should Developers have in the Dev database instance

原文 2009-09-17 22:03:57 3 7 oracle/ permissions/ database-administration

...and how should those permissions be granted. ...以及应如何授予这些权限。 I work in a large IT dept with 70+ applications, some in SQL server and most in oracle. 我在一个大型IT部门工作，拥有70多个应用程序，其中一些使用SQL Server，大多数使用oracle。 Each system has a prod, QA and Dev instance. 每个系统都有一个prod，QA和Dev实例。 We (I'm a developer) have readonly access to prod/qa, which I'm fine with. 我们（我是一名开发人员）具有对prod / qa的只读访问权限，对此我很好。 In SQL server development instances devs are given db_owner, which works totally fine. 在SQL Server开发实例中，为开发人员提供了db_owner，它可以很好地工作。 The debate is over what permissions I should have in the DEV oracle databases. 争论是关于我应该在DEV oracle数据库中拥有什么权限。

I recognize that best case would be to have each dev run their own instance on their workstation for development, but because of the size of the databases this has not been considered an option. 我知道最好的情况是让每个开发人员都在自己的工作站上运行自己的实例进行开发，但是由于数据库的规模，这并不是一种选择。

I'm also interested in HOW these permissions should be applied. 我也对如何应用这些权限感兴趣。 In oracle permissions granted via a role are not active during PL/SQL execution so roles (even the "dba" role) are not useful. 在oracle中，通过角色授予的权限在PL / SQL执行期间不会处于活动状态，因此角色（即使是“ dba”角色）也没有用。 That leaves using a built in account (system) or creating dozens of users accross dozens of database and directly granting dozens of permissions to each. 这就需要使用内置帐户（系统）或在数十个数据库中创建数十个用户，并直接为每个数据库授予数十个权限。 In my mind just letting the devs login as system is making a lot of sense, but our DBAs claim that's a bad idea. 在我看来，让开发人员作为系统登录很有意义，但是我们的DBA认为这是个坏主意。

7 个解决方案

We used to just give developers access to the application account. 我们过去只是给开发人员访问应用程序帐户的权限。 This works for small shops but rapidly gets out of hand as the number of developers increase. 这适用于小型商店，但随着开发商数量的增加而迅速失控。

Here's what we do now: 这是我们现在要做的：

the Application has it's own account (aka schema). 该应用程序具有其自己的帐户（也称为架构）。
Developers have their own accounts 开发者有自己的帐户
Data resides in the application schema 数据驻留在应用程序架构中
We have an ant build script to build code into whatever schema you want. 我们有一个ant构建脚本，可以将代码构建到所需的任何模式中。
- code includes views, packages, objects etc.. 代码包括视图，包，对象等。
- the build script includes a step to run a stored procedure to grant explicit rights to developers to the application data 构建脚本包括运行存储过程以向开发人员授予对应用程序数据的显式权限的步骤
Developers make changes in their own schema 开发人员在自己的模式中进行更改
When happy they check that into subversion 当他们高兴的时候，他们把它变成颠覆
The Application's dev schema is built from the new subversion build. 应用程序的dev模式是从新的subversion构建中构建的。
Developers can check out and rebuild their own environments. 开发人员可以签出并重建自己的环境。
DDL changes to table structures are done via the DBA 通过DBA对表结构进行DDL更改
- these can be scripted as well 这些也可以编写脚本

This has the benefit of ensure any front end application is not broken by database developers constantly rebuilding everything. 这样做的好处是可以确保数据库开发人员不会不断重建所有内容，从而不会破坏任何前端应用程序。

I assume that there are a relatively small number of application accounts that own the actual objects. 我假设拥有实际对象的应用程序帐户数量相对较少。 So one or more logical applications are comprised of tables owned by a particular Oracle user. 因此，一个或多个逻辑应用程序由特定Oracle用户拥有的表组成。 This would not by SYSTEM or SYS, it would not be any of the accounts that Oracle the company delivers. 这不会是SYSTEM或SYS，也不会是Oracle提供的任何帐户。 It would be an account that your DBAs created. 这将是您的DBA创建的帐户。 If you are familiar with the Oracle sample schemas, the HR user owns all the tables in the HR schema which comprise the back end for an HR application. 如果您熟悉Oracle示例模式，则HR用户将拥有HR模式中的所有表，这些表构成了HR应用程序的后端。

Starting from the principle of "the simplest thing that could possibly work," my first thought would be to see if the developers could log in directly to those application accounts. 从“可能的最简单的工作原理”开始，我的第一个想法是查看开发人员是否可以直接登录那些应用程序帐户。 This isn't the securest possible configuration, and you are opening up the possibility that a developer accidentally or intentionally does some damage that may be difficult to track or easily resolve. 这不是最安全的配置，您可能会发现开发人员意外或有意造成了一些可能难以跟踪或轻松解决的损坏。 But it can work reasonably well depending on the organization. 但是，根据组织的不同，它可以正常工作。 Privilege management is trivial-- the application owner account already has all the privileges it needs most likely. 特权管理是微不足道的-应用程序所有者帐户已经具有最可能需要的所有特权。

The next step up would be giving every developer a separate schema to develop in, presumably in conjunction with a load of public synonyms in the database and an absence of schema qualifiers in the application code, so that any object created in the developer's schema automatically overrides the shared version of that object. 下一步将是为每个开发人员提供一个单独的模式来进行开发，大概与数据库中大量公共同义词以及应用程序代码中缺少模式限定符一起使用，以便在开发人员模式中创建的任何对象都将自动覆盖该对象的共享版本。 This provides much better isolation. 这样可以提供更好的隔离。 Permissions are generally granted by either creating scripts that contain all the grants a developer needs or by creating a script that copies all the privileges from a "known good" account to the new account. 通常通过创建包含开发人员需要的所有授予的脚本或通过创建将所有特权从“已知的好”帐户复制到新帐户的脚本来授予权限。 Neither is particularly difficult to write-- you just have to make sure that all the developers end up with the same set of privileges, which is generally just another script that gets run when a new privilege is granted. 两者都不是很难写的-您只需要确保所有开发人员都拥有相同的特权集，通常这只是授予新特权时运行的另一个脚本。

If you are developing stored PL/SQL objects, then the schema owning those objects needs, as you mentioned, explicit grants on the objects used. 如果您正在开发存储的PL / SQL对象，那么拥有这些对象的架构就需要如所提到的那样，对所使用的对象进行显式授权。 If you have a single 'data' schema but are developing code in your own individual schemas then you should get the ability to grant access on the data schema objects to your development schemas. 如果您只有一个“数据”模式，但正在以自己的单个模式开发代码，则应该能够将对数据模式对象的访问权限授予您的开发模式。 Normally I'd expect username/password for the data schema. 通常，我希望数据模式的用户名/密码。

In regards to system privileges (eg CREATE), I'd expect CREATE TABLE, TYPE, VIEW, PROCEDURE TRIGGER, SYNONYM. 关于系统特权（例如CREATE），我希望CREATE TABLE，TYPE，VIEW，PROCEDURE TRIGGER，SYNONYM。 Others may be appropriate (eg CONTEXT) depending on what you do. 根据您的工作，其他选项可能更合适（例如，语境）。 The DBA may rule out CREATE DIRECTORY as that could be damaging if mis-used. DBA可能会排除CREATE DIRECTORY，因为如果使用不当可能会造成损害。 Ditto for privileges with ANY in them (eg SELECT ANY TABLE, DELETE ANY TABLE) 同上具有ANY的特权（例如，SELECT ANY TABLE，DELETE ANY TABLE）

For performance tuning / system monitoring, on a dev database SELECT_CATALOG_ROLE is good. 对于性能调整/系统监视，在开发数据库上SELECT_CATALOG_ROLE很好。 If the DBA is risk-averse, you may have to negotiate grants on individual views. 如果DBA规避风险，则可能必须就各个视图协商拨款。 Go through the REFERENCE guide for your version and ask for any you may use. 查看适用于您的版本的参考指南，并索取可以使用的任何指南。

One of the DBA's jobs is to manage user privileges. DBA的工作之一是管理用户权限。 I don't think system is a good idea for a few reasons, not the least being the ability to drop an entire schema which I am sure you don't want. 我认为，出于以下几个原因，系统不是一个好主意，最重要的是可以删除我肯定不需要的整个架构。 That being said, I think it is perfectly fine to grant all to your users and let the DBAs manage these permissions no matter how many dozens of accounts there may be. 话虽如此，我认为将所有权限授予您的用户并让DBA不管可能存在多少个帐户都可以管理这些权限是完全可以的。 Most DBAs will have scripts they can use to manage these permissions anyway. 大多数DBA都有脚本，无论如何它们都可以用来管理这些权限。

Listen to your DBAs, they generally know what they are talking about. 听您的DBA，他们通常知道他们在说什么。

If it's just a dev instance; 如果仅仅是开发实例； i'd have all users have individual accounts added to the admin role. 我希望所有用户都将个人帐户添加到管理员角色。 That way you can still log activity on a per-user basis; 这样，您仍然可以按用户记录活动。 but give the devs enough breathing room to do their thing. 但是要给开发人员足够的呼吸空间来做他们的事情。

My group supports about 100 apps with about 20 of them having their own Oracle schema. 我的小组支持大约100个应用程序，其中大约20个具有自己的Oracle模式。 We have gone down the road of every developer has the password to the schema and it is convenient. 我们走的每一个开发人员都拥有该模式的密码，这很方便。 However, in hindsight I would recommend that each developer use their own Oracle account to develop. 但是，事后看来，我建议每个开发人员都使用自己的Oracle帐户进行开发。 The main reason is auditing. 主要原因是审计。

I recognize that best case would be to have each dev run their own instance on their workstation for development, but because of the size of the databases this has not been considered an option. 我知道最好的情况是让每个开发人员都在自己的工作站上运行自己的实例进行开发，但是由于数据库的规模，这并不是一种选择。

Is there a way to deal with this, maybe by reducing the amount of data in your personal copies? 是否可以通过减少个人副本中的数据量来解决此问题？ This seems like the ideal solution, since it would allow you to make any changes you need. 这似乎是理想的解决方案，因为它可以让您进行所需的任何更改。 Then you could submit them to the DBA when you're ready, and have him update the shared development server. 然后，您可以在准备就绪时将它们提交给DBA，并让他更新共享开发服务器。