如何在Oracle中为dbms_lock授予执行权限?
[英]How to grant execute on dbms_lock in Oracle?
问题描述
I need to use dbms_lock.sleep procedure from user usr1. 
我需要使用用户usr1的dbms_lock.sleep过程。 I can't login as sys, but I have a password for user usr2 which have "grant any object privilege" privilege. 我无法以sys身份登录,但我有一个用户usr2的密码,该密码具有“grant any object privilege”权限。 However, when I'm logged in as usr2 and try to issue 但是,当我以usr2身份登录并尝试发布时
grant execute on sys.dbms_lock to usr1
I get the ORA-01031 "insufficient privileges" exception. 我得到了ORA-01031“权限不足”的例外情况。 The same works with a test package on another user. 同样适用于另一个用户的测试包。 Are the system packages treated specially, or have I missed something? 系统包是专门处理的,还是我错过了什么?
2 个解决方案
解决方案1
11 已采纳 2012-11-16 10:19:57
The system packages are treated specially, depending on the value of the initialisation parameter O7_DICTIONARY_ACCESSIBILITY . 系统包经过特殊处理,具体取决于初始化参数O7_DICTIONARY_ACCESSIBILITY的值。 If that is FALSE , which is the default since Oracle 9i, then ANY privileges don't apply to the data dictionary. 如果这是FALSE (这是Oracle 9i以来的默认值),则ANY特权都不适用于数据字典。 The documentation refers to this as 'dictionary protection'. 文档将其称为“字典保护”。
The closest I can find in the security guide - here and here - only refer to tables as examples. 我在安全指南中找到的最接近的 - 这里和这里 - 仅作为示例引用表格。
Oracle Support note 174753.1, however, explicitly states that dictionary protection supersedes grant any object privilege . 但是,Oracle支持说明174753.1明确声明字典保护取代grant any object privilege 。 I'm not allowed to quote that but it explains what you're seeing; 我不允许引用它,但它解释了你所看到的; it might be worth looking up if you have access to it. 如果您可以访问它,可能值得查找。
So, the only way for usr2 to be able to grant execute on sys.dbms_lock to usr1 is for the DBA to have done grant execute on sys.dbms_lock to usr2 with grant option . 因此, usr2能够将grant execute on sys.dbms_lock to usr1的唯一方法是让DBA grant execute on sys.dbms_lock to usr2 with grant option 。
As Ben says, you'll have to either get the DBA to grant the permission to usr1 directly, or add the with grant option to the privileges granted to usr2 ; 正如Ben所说,你必须让DBA直接向usr1授予权限,或者将to with grant option添加到授予usr2的权限中; or have usr2 create a wrapper procedure around the dbms_lock call and grant permissions on that to usr1 . 或者让usr2围绕dbms_lock调用创建一个包装程序,并将权限授予usr1 。
解决方案2
4 2012-11-15 22:58:43
It sounds as though SYS hasn't been granted the DBA role or that SYS doesn't have the GRANT ANY OBJECT privilege. 听起来好像SYS没有被授予DBA角色或者SYS没有GRANT ANY OBJECT特权。 To quote from the documentation 引用文档
To grant an object privilege, you must own the object, or the owner of the object must have granted you the object privileges with the GRANT OPTION, or you must have been granted the GRANT ANY OBJECT PRIVILEGE system privilege.
This implies that you can't grant execute on dbms_lock because SYS wouldn't have been able to do so. 这意味着您无法在dbms_lock上授予执行dbms_lock因为SYS无法执行此操作。
On installation SYS is automatically granted the DBA role so maybe someone's been changing this or created another user with the DBA role. 在安装时, SYS会自动被授予DBA角色,因此可能有人正在更改此角色或创建具有DBA角色的其他用户。
Either way you're going to have to get your DBA involved if you only have access to these two users. 无论哪种方式,如果您只能访问这两个用户,您将不得不让您的DBA参与其中。 Ask them to grant execute on the packages you need to the users that need it. 要求他们将需要的包授予需要的用户。 It's up to them to give you a good reason why they won't grant you execute on the packages you need in order to do your job. 他们有充分的理由告诉你为什么他们不会授予你执行你所需的包以执行你的工作。
If you can't get full access to dbms_lock you can always create a procedure in another user that wraps dbms_lock.sleep you need and then grant execute on that procedure alone. 如果无法获得对dbms_lock完全访问权限, dbms_lock可以始终在另一个用户创建一个包含dbms_lock.sleep的过程,然后单独为该过程授予执行dbms_lock.sleep 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.