20 Database Security

001 This chapter provides an overview of Oracle database security.
 		 本章概要地介绍 Oracle 数据库的安全特性。
 
002 This chapter contains the following topics: 本章包含以下主题:
003

See Also:

Oracle Database Security Guide for more detailed information on everything in this chapter
另见:

Oracle Database Security Guide 了解与本章内容相关的详细信息
004

Introduction to Database Security

20.1 数据库安全简介
005 Database security entails allowing or disallowing user actions on the database and the objects within it. Oracle uses schemas and security domains to control access to data and to restrict the use of various database resources.
 		 数据库安全的作用是控制用户是否能够对数据库及其中的对象执行操作。Oracle 通过方案(schema)及安全域(security domain)来控制用户对数据库的访问,并限制对各种数据库资源的使用。
 
006 Oracle provides comprehensive discretionary access control. Discretionary access control regulates all user access to named objects through privileges. A privilege is permission to access a named object in a prescribed manner; for example, permission to query a table. Privileges are granted to users at the discretion of other users.
 		 Oracle 提供了完善的随需定义的访问控制(discretionary access control)。随需定义的访问控制指通过权限(privilege)来控制用户对数据库对象的访问。权限即以规则的形式(prescribed manner)表示的用户对数据库对象的访问许可(permission),例如查询表的许可。管理员可以分别为每个用户授予权限,不同用户的权限设定是相互独立的。
 
007

Database Users and Schemas

20.1.1 数据库用户与数据库方案
008 Each Oracle database has a list of user names. To access a database, a user must use a database application and attempt a connection with a valid user name of the database. Each user name has an associated password to prevent unauthorized use.
 		 一个 Oracle 数据库中可以存在多个用户。在访问数据库时,用户在数据库应用程序中使用有效的用户名连接到数据库。每个用户都应有一个对应的密码,以防止未授权的访问。
 
009

Security Domain

20.1.1.1 安全域
010 Each user has a security domain—a set of properties that determine such things as:
  • The actions (privileges and roles) available to the user
  • The tablespace quotas (available disk space) for the user
  • The system resource limits (for example, CPU processing time) for the user
 每个用户都有一个对应的安全域(security domain),所谓安全域实际上是一组属性,这组属性决定了:
  • 用户可执行的操作(权限(privilege)或角色(role))
  • 用户的表空间限额(tablespace quota)(即可用的磁盘空间)
  • 用户的系统资源限制(例如,CPU 处理时间)
011 Each property that contributes to a user's security domain is discussed in the following sections.
 		 以下各节将分别介绍构成用户安全域的各个属性。
 
012

Privileges

20.1.2 权限
013 A privilege is a right to run a particular type of SQL statement. Some examples of privileges include the right to:
  • Connect to the database (create a session)
  • Create a table in your schema
  • Select rows from someone else's table
  • Run someone else's stored procedure
 权限(privilege)即执行特定类型 SQL 语句的权利。以下为一些权限的例子:
  • 连接到数据库(创建会话)
  • 在用户方案(schema)下创建表
  • 查询其他用户表中的数据
  • 执行其他用户的存储过程
014

See Also:

"Introduction to Privileges"
另见:

权限简介
015

Roles

20.1.3 角色
016 Oracle provides for easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles.
 		 在 Oracle 中,可以通过角色(role)来实现更严格且更简单的权限管理。角色即一组命名的权限,可以授予用户或其他角色。
 
017

See Also:

"Introduction to Roles" information about role properties
另见:

角色简介”了解关于角色的信息
018

Storage Settings and Quotas

20.1.4 存储设置及限额
019 You can direct and limit the use of disk space allocated to the database for each user, including default and temporary tablespaces and tablespace quotas.
 		 管理员可以对每个用户所能使用的数据库磁盘空间进行限制,限制的对象包括默认表空间,临时表空间,及表空间限额。
 
020

Default Tablespace

20.1.4.1 默认表空间
021 Each user is associated with a default tablespace. When a user creates a table, index, or cluster and no tablespace is specified to physically contain the schema object, the user's default tablespace is used if the user has the privilege to create the schema object and a quota in the specified default tablespace. The default tablespace provides Oracle with information to direct space use in situations where schema object's location is not specified.
 		 每个数据库用户都具有一个默认表空间(default tablespace)。如果用户创建表,索引,或簇时没有设定物理上使用哪个表空间来存储方案对象,Oracle 将使用用户的默认表空间(用户必须具备创建方案对象的权限,且在默认表空间上具有足够的限额)。当用户没有为方案对象设定存储位置属性时,Oracle 就会使用默认表空间。
 
022

Temporary Tablespace

20.1.4.2 临时表空间
023 Each user has a temporary tablespace. When a user runs a SQL statement that requires the creation of temporary segments (such as the creation of an index), the user's temporary tablespace is used. By directing all users' temporary segments to a separate tablespace, the temporary tablespace can reduce I/O contention among temporary segments and other types of segments.
 		 每个用户需使用一个临时表空间(temporary tablespace)。当用户执行的 SQL 语句需要创建临时段(temporary segment)时(例如在创建索引时),Oracle 将使用用户的临时表空间。将用户的所有临时段存储于相对独立的临时表空间中,有助于减少临时段和其他类型数据段(segment)间的 I/O 竞争(contention)。
 
024

Tablespace Quotas

20.1.4.3 表空间限额
025 Oracle can limit the collective amount of disk space available to the objects in a schema. Quotas (space limits) can be set for each tablespace available to a user. This permits selective control over the amount of disk space that can be consumed by the objects of specific schemas.
 		 Oracle 可以限制方案内对象所占用的总磁盘空间。管理员可以为用户所使用的每个表空间设定一个限额(Quota)(即存储空间限制)。这使管理员可以为每个方案单独设定其可用于存储数对象的磁盘空间。
 
026

Profiles and Resource Limits

20.1.4.4 配置模版及资源限制
027 Each user is assigned a profile that specifies limitations on several system resources available to the user, including the following:
  • Number of concurrent sessions the user can establish
  • CPU processing time available for the user's session and a single call to Oracle made by a SQL statement
  • Amount of logical I/O available for the user's session and a single call to Oracle made by a SQL statement
  • Amount of idle time available for the user's session
  • Amount of connect time available for the user's session
  • Password restrictions:

    •  
    • Account locking after multiple unsuccessful login attempts
    • Password expiration and grace period
    • Password reuse and complexity restrictions
 每个用户都对应一套配置模版(profile),其中描述了用户使用多种系统资源时的限制,具体包括:
  • 用户能够建立的并发会话(concurrent session)数
  • 用户会话及 SQL 语句对 Oracle 进行一次调用时可用的 CPU 处理时间
  • 用户会话及 SQL 语句对 Oracle 进行一次调用时可用的逻辑 I/O(logical I/O)量
  • 用户会话的最大空闲时间(idle time)
  • 用户会话的最大连接时间(connect time)
  • 密码限制规则:

    •  
    • 多次尝试登录均失败时对帐户加锁
    • 密码过期时间(expiration period)及宽限期(grace period)
    • 密码重用(reuse)及复杂度(complexity)限制规则
028
See Also:

"Profiles"
另见:

配置模版
029

Overview of Transparent Data Encryption

20.2 透明数据加密概述
030 The Oracle database provides security in the form of authentication, authorization, and auditing. Authentication ensures that only legitimate users gain access to the system. Authorization ensures that those users only have access to resources they are permitted to access. Auditing ensures accountability when users access protected resources. Although these security mechanisms effectively protect data in the database, they do not prevent access to the operating system files where the data is stored. Transparent data encryption enables encryption of sensitive data in database columns as it is stored in the operating system files. In addition, it provides for secure storage and management of encryption keys in a security module external to the database.
 		 Oracle 数据库通过身份验证(authentication),授权(authorization),及审计(auditing)实现数据库安全。身份验证用于确保只有合法用户才能访问数据库。授权 用于确保用户只能访问其有权访问的资源。审计用于确保用户对受保护资源的访问有据可查。上述安全机制可以有效地保护数据库数据,但 无法阻止非授权用户直接访问用于存储数据的操作系统文件。透明数据加密(transparent data encryption)组件能够对存储于操作系统文件中的敏感数据进行加密。此外,此组件还能在数据库外部的安全模块(security module)存储及管理密钥(encryption key),以保证密钥的安全。
 
031 Using an external security module separates ordinary program functions from those that pertain to security, such as encryption. Consequently, it is possible to divide administration duties between DBAs and security administrators, a strategy that enhances security because no administrator is granted comprehensive access to data. External security modules generate encryption keys, perform encryption and decryption, and securely store keys outside of the database.
 		 使用外部安全模块,可以将用于安全管理的程序功能(例如加密)与其他常规数据库功能分开。因此得以将管理工作划分给 DBA 及安全管理员(security administrator),任何一个管理员都不能完全地访问数据,从而增强了系统的安全性。外部安全模块可以生成用于执行加密工作的密钥,并在数据库外安全地存储密钥。
 
032 Transparent data encryption is a key-based access control system that enforces authorization by encrypting data with a key that is kept secret. There can be only one key for each database table that contains encrypted columns regardless of the number of encrypted columns in a given table. Each table's column encryption key is, in turn, encrypted with the database server's master key. No keys are stored in the database. Instead, they are stored in an Oracle wallet, which is part of the external security module.
 		 透明数据加密是一个基于密钥的访问控制系统,通过密钥对数据加密从而阻止未授权的访问。一个密钥可以用于对多个数据表进行加密,其中每个数据表又可以包含多个被加密的数据列。而这个密钥又 使用数据库的主密钥(master key)被加密。所有的密钥都不存储在数据库中,而是存储在外部安全组件(例如 Oracle wallet)中。
 
033 Before you can encrypt any database columns, you must generate or set a master key. This master key is used to encrypt the column encryption key which is generated automatically when you issue a SQL command with the ENCRYPT clause on a database column.
 		 在用户对数据列进行加密前,必须生成或手工设置一个主密钥。如果用户执行的 SQL 语句中,在数据列上使用了 ENCRYPT 子句,Oracle 将为数据列生成一个密钥,并使用主密钥对此密钥进行加密。
 
034
See Also:

Oracle Database Advanced Security Administrator's Guide for details about using transparent data encryption
另见:

Oracle Database Advanced Security Administrator's Guide 了解使用透明数据加密的详细信息
035

Overview of Authentication Methods

20.3 身份验证方法概述
036 Authentication means verifying the identity of someone (a user, device, or other entity) who wants to use data, resources, or applications. Validating that identity establishes a trust relationship for further interactions. Authentication also enables accountability by making it possible to link access and actions to specific identities. After authentication, authorization processes can allow or limit the levels of access and action permitted to that entity.
 		 身份验证(authentication)指验证需要使用数据,资源,及应用程序的用户(包括人员,设备,或其他实体)的身份。经过身份验证后即在用户与系统间建立了可信任的关系,以便于以后的交互操作。身份验证还能够将资源访问及操作执行与某一用户相联系,从而确保了数据库的可审计性(accountability)。经过身验认证后,授权系统 (authorization process)才能决定用户可以访问的资源,以及可以执行的操作。
 
037 For simplicity, the same authentication method is generally used for all database users, but Oracle allows a single database instance to use any or all methods. Oracle requires special authentication procedures for database administrators, because they perform special database operations. Oracle also encrypts passwords during transmission to ensure the security of network authentication.
 		 在实际应用中为了简化工作,通常所有数据库用户都使用相同的身份验证方法。但 Oracle 支持在同一数据库实例内使用多种身份验证方法。对于数据库管理员,Oracle 使用特殊的身份验证过程,因为管理员需要执行特殊的数据库操作。为了确保网络身份验证的安全性,Oracle 能够在传输过程中对密码加密。
 
038 To validate the identity of database users and prevent unauthorized use of a database user name, you can authenticate using any combination of the methods described in the following sections: 为了验证数据库用户身份,阻止非授权的用户访问系统,用户可以组合使用以下各节介绍的身份验证方式:
039

Authentication by the Operating System

20.3.1 操作系统身份验证
040 Some operating systems let Oracle use information they maintain to authenticate users, with the following benefits:
  • Once authenticated by the operating system, users can connect to Oracle more conveniently, without specifying a user name or password. For example, an operating-system-authenticated user can invoke SQL*Plus and skip the user name and password prompts by entering the following:

    SQLPLUS /
  • With control over user authentication centralized in the operating system, Oracle need not store or manage user passwords, though it still maintains user names in the database.
  • Audit trails in the database and operating system use the same user names.
 在某些操作系统中,Oracle 可以利用操作系统维护的信息进行用户身份验证,这有以下好处:
  • 经过操作系统的身份验证后,用户可以更便捷地连接到 Oracle,而无需提供用户名及密码。例如,经过操作系统验证的用户,按以下方式调用 SQL*Plus,即可跳过输入用户名及密码的步骤:

    SQLPLUS /
  • 在操作系统中集中地进行用户身份验证,Oracle 不必再存储及管理用户密码,但 Oracle 仍旧需要在数据库中维护用户名。
  • 在数据库及操作系统中记录审计跟踪数据(audit trail)时可以使用相同的用户名。
041 When an operating system is used to authenticate database users, managing distributed database environments and database links requires special care.
 		 在使用操作系统进行数据库用户身份验证时,应注意其对分布式数据库系统及数据库链接(database link)的影响。
 
042

Authentication by the Network

20.3.2 网络身份验证
043 Oracle supports the following methods of authentication by the network: Oracle 支持以下网络身份验证方式:
044
Note:

These methods require Oracle Database Enterprise Edition with the Oracle Advanced Security option.
提示:

必须使用 Oracle Database Enterprise Edition (Oracle 数据库企业版)并购买 Oracle Advanced Security (Oracle 高级安全)选件,才能使用上述身份验证方式。
045

Third Party-Based Authentication Technologies

20.3.2.1 基于第三方的身份验证技术
046 If network authentication services are available to you (such as DCE, Kerberos, or SESAME), then Oracle can accept authentication from the network service. If you use a network authentication service, then some special considerations arise for network roles and database links.
 		 如果系统中存在(DCE,Kerberos,或 SESAME 等)的网络身份验证服务(network authentication service),Oracle 可以使用这些网络服务进行身份验证。在使用网络身份验证服务时,应注意其对网络角色(network role)及数据库链接(database link)的影响。
 
047

Public-Key-Infrastructure-Based Authentication

20.3.2.2 基于 PKI 的身份验证
048 Authentication systems based on public key cryptography issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without directly involving an authentication server. Oracle provides a public key infrastructure (PKI) for using public keys and certificates, consisting of the following components:
  • Authentication and secure session key management using Secure Sockets Layer (SSL).
  • Oracle Call Interface (OCI) and PL/SQL functions to sign user-specified data using a private key and certificate, and verify the signature on data using a trusted certificate.
  • Trusted certificates, identifying third-party entities that are trusted as signers of user certificates when an identity is being validated as the entity it claims to be.
  • Oracle wallets, which are data structures that contain a user private key, a user certificate, and the user's set of trust points (trusted certificate authorities).
  • Oracle Wallet Manager, a standalone Java application used to manage and edit the security credentials in Oracle wallets.
  • X.509v3 certificates obtained from (and signed by) a trusted entity, a certificate authority outside of Oracle.
  • Oracle Internet Directory to manage security attributes and privileges for users, including users authenticated by X.509 certificates. It enforces attribute-level access control and enables read, write, or update privileges on specific attributes to be restricted to specific named users, such as administrators.
  • Oracle Enterprise Security Manager, provides centralized privilege management to make administration easier and increase your level of security. This lets you store and retrieve roles from Oracle Internet Directory.
  • Oracle Enterprise Login Assistant, a Java-based tool to open and close a user wallet to enable or disable secure SSL-based communications for an application.
 基于公共密钥加密(public key cryptography)的身份验证系统能够为用户客户端生成数字证书(digital certificate),客户端使用此证书在业务服务器上进行身份验证,而不是直接和身份验证服务器交互(authentication server)。Oracle 提供了支持公共密钥(public key)及数字证书的公共密钥基础结构(public key infrastructure,PKI),其中包含以下组件:
  • 基于 SSL(Secure Sockets Layer(安全套接字层))的身份验证及安全会话密钥(secure session key)管理。
  • Oracle Call Interface 函数及 PL/SQL 函数,用于使用私有密钥(private key)及证书来保护用户指定的数据,或使用可信证书(trusted certificate)验证数据上的签名(signature)。
  • 可信证书,用于验证第三方实体的身份,确认其是否为可信的用户证书签署者。
  • Oracle wallet,用于储存用户私有密钥,用户证书,及用户信任点(trust point)(即可信的认证机构)集的数据结构。
  • Oracle Wallet Manager,用于管理及编辑 Oracle wallet 安全身份证明(security credentials)的单机 Java 应用程序。
  • 由 Oracle 之外的认证机构签署并发布的 X.509v3 证书。
  • Oracle Internet Directory,用于管理用户的权限及安全属性,包括通过 X.509 证书进行用户身份验证。OID 能够确保属性级(attribute-level)的访问控制,并使读,写,及更新等权限可以控制到具体的用户,例如管理员。
  • Oracle Enterprise Security Manager,实现集中化的权限管理,从而简化管理员的工作,并提升系统的安全级别。用户可以通过此组件在 Oracle Internet Directory 中存储或提取角色信息。
  • Oracle Enterprise Login Assistant 是一个基于 Java 的工具,用于打开或关闭用户的 wallet,从而控制应用程序是否采用基于 SSL 的安全通讯。
049

Remote Authentication

20.3.2.3 远程身份验证
050 Oracle supports remote authentication of users through Remote Dial-In User Service (RADIUS), a standard lightweight protocol used for user authentication, authorization, and accounting.
 		 Oracle 能够利用远程拨号用户服务(Remote Dial-In User Service,RADIUS)支持远程用户身份验证。RADIUS 是一个标准的轻量级协议,主要用于用户身份验证,授权,及审计(accounting)。
 
051

Authentication by the Oracle Database

20.3.3 Oracle 数据库身份验证
052 Oracle can authenticate users attempting to connect to a database by using information stored in that database.
 		 Oracle 能够利用存储在数据库内的信息对尝试连接数据库的用户进行身份验证。
 
053 To set up Oracle to use database authentication, create each user with an associated password that must be supplied when the user attempts to establish a connection. This prevents unauthorized use of the database, since the connection will be denied if the user provides an incorrect password. Oracle stores a user's password in the data dictionary in an encrypted format to prevent unauthorized alteration, but a user can change the password at any time.
 		 如果采用数据库身份验证(database authentication),在创建用户时必须同时设定一个密码,用户在连接数据库时需要提供此密码。如果用户提供的密码不正确,连接将被拒绝,从而阻止非授权的用户使用数据库。Oracle 将数据密码以加密的形式存储在数据字典中以防止非授权的修改,而授权用户可以随时修改此密码。
 
054 Database authentication includes the following facilities: 数据库身份验证包括以下功能
055

Password Encryption

20.3.3.1 密码加密
056 To protect password confidentiality, Oracle always encrypts passwords before sending them over the network. Oracle encrypts the passwords using a modified AES (Advanced Encryption Standard) algorithm.
 		 为了确保密码的机密性,Oracle 在通过网络传输密码时会首先对密码进行加密。Oracle 使用改进的 AES(Advanced Encryption Standard(高级加密标准))算法来加密密码。
 
057

Account Locking

20.3.3.2 帐户锁定
058 Oracle can lock a user's account after a specified number of consecutive failed log-in attempts. You can configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked. The database administrator can also lock accounts manually, so that they must be unlocked explicitly by the database administrator.
 		 如果连续的失败登录次数超过了默认值,Oracle 将锁定用户帐户。用户可以设定一个时间间隔,使被锁定帐户自动解锁,也可以请求 DBA 执行解锁操作。DBA 也可以手工锁定数据库帐户,经过手工锁定数据库帐户必须由 DBA 显式地解锁。
 
059

Password Lifetime and Expiration

20.3.3.3 密码有效期及截至日期
060 The database administrator can specify a lifetime for passwords, after which they expire and must be changed before account login is again permitted. A grace period can be established, during which each attempt to login to the database account receives a warning message to change the password. If it is not changed by the end of that period, then the account is locked. No further logins to that account are allowed without assistance by the database administrator.
 		 DBA 可以为密码设定有效期,在有效期后用户必须修改密码才能再次登录数据库。DBA 还可以设定密码宽限期(grace period),在宽限期内用户每次登录数据库时都将收到需要修改密码的警告信息。如果在宽限期内仍未修改密码,帐户将被锁定。必须经过 DBA 处理后被锁定帐户才能解锁。
 
061 The database administrator can also set the password state to expired, causing the user's account status to change to expired. The user or the database administrator must then change the password before the user can log in to the database.
 		 DBA 也可以手工地将密码状态设定为过期,从而使用户帐户状态变为过期。用户或 DBA 需要重设密码,过期帐户才能再次登录。
 
062 The password history option checks each newly specified password to ensure that a password is not reused for a specified amount of time or for a specified number of password changes.
 		 密码历史对比(password history)选项能够检查新设定的密码,确保其不与之前一定时期内的密码重复,或不与之前一定时期内的密码过分相似。
 
063

Password Complexity Verification

20.3.3.4 密码复杂度验证
064 Complexity verification checks that each password is complex enough to provide reasonable protection against intruders who try to break into the system by guessing passwords.
 		 复杂度验证(complexity verification)检查密码的复杂程度是否能提供足够的保护,防止入侵者通过猜测密码来闯入系统。
 
065 The Oracle default password complexity verification routine checks that each password meet the following requirements:
  • Be a minimum of four characters in length
  • Not equal the userid
  • Include at least one alphabet character, one numeric character, and one punctuation mark
  • Not match any word on an internal list of simple words like welcome, account, database, user, and so on
  • Differ from the previous password by at least three characters
 Oracle 默认的密码复杂度验证程序将检查密码是否满足以下要求:
  • 长度超过 4 个字符
  • 不与用户 ID 相同
  • 至少包含一个字母字符,一个数字字符,及一个标点符号(punctuation mark)
  • 不能与 Oracle 内部存储的简单词汇列表相匹配,例如 welcome,account,database,user 等词汇
  • 与之前的密码相比至少有 3 个字符不相同
066

Multitier Authentication and Authorization

20.3.4 多层身份验证及授权
067 In a multitier environment, Oracle controls the security of middle-tier applications by limiting their privileges, preserving client identities through all tiers, and auditing actions taken on behalf of clients. In applications that use a heavy middle tier, such as a transaction processing monitor, the identity of the client connecting to the middle tier must be preserved. Yet one advantage of a middle tier is connection pooling, which allows multiple users to access a data server without each of them needing a separate connection. In such environments, you must be able to set up and break down connections very quickly.
 		 在多层系统(multitier environment)中,Oracle 能够限制中间层应用程序(middle-tier application)的权限,能够保存用户在系统各层内的身份,还能够审计(audit)用户执行的各种操作,从而控制中间层应用的安全性。在应用层,采用重量级中间件(heavy middle tier)(例如事务处理监视器(transaction processing monitor))的系统一定会记录连接到中间件的用户的身份。在中间件层,中间件的一大优势在于使用连接池(connection pooling), 连接池的特点是为多个用户提供一个共享的连接来访问数据库服务器,但这将导致无法记录用户对数据库的访问情况。为了实现对使用共享连接的用户进行身份验证,数据库必须能够快速地建立(set up)或结束(break down)用于身份验证的连接。
 
068 For these environments, Oracle database administrators can use the Oracle Call Interface (OCI) to create lightweight sessions, allowing database password authentication for each user. This preserves the identity of the real user through the middle tier without the overhead of a separate database connection for each user.
 		 为满足上述要求,Oracle DBA 可以使用 Oracle Call Interface (OCI)创建轻量级会话(lightweight session),对每个用户进行数据库身份验证(database password authentication)。此方案既实现了在中间层内记录真实用户的身份,也无需为每个用户创建数据库连接。
 
069 You can create lightweight sessions with or without passwords. However, if a middle tier is outside or on a firewall, then security is better when each lightweight session has its own password. For an internal application server, lightweight sessions without passwords might be appropriate.
 		 创建轻量级会话时不一定需要用户提供密码。但如果中间层在防火墙外,使用密码创建轻量级会话能够确保更好的安全性。而对于防火墙内部的应用服务器,创建轻量级会话时可以不提供密码。
 
070

Authentication by the Secure Socket Layer Protocol

20.3.5 SSL 协议身份验证
071 The Secure Socket Layer (SSL) protocol is an application layer protocol. Users identified either externally or globally (external or global users) can authenticate to a database through SSL.
 		 安全套接字层(Secure Socket Layer,SSL)协议是一种应用层协议。外部用户(external user)或全局用户(global user)可以通过 SSL 进行数据库身份验证。
 
072

Authentication of Database Administrators

20.3.6 数据库管理员的身份验证
073 Database administrators perform special operations (such as shutting down or starting up a database) that should not be performed by normal database users. Oracle provides a more secure authentication scheme for database administrator user names.
 		 数据库管理员能够执行普通数据库用户不该执行的特殊操作(例如启动或关闭数据库)。Oracle 为数据库管理员用户提供更为安全的身份验证方式。
 
074 You can choose between operating system authentication or password files to authenticate database administrators. Figure 20-1 illustrates the choices you have for database administrator authentication schemes. Different choices apply to administering your database locally (on the computer where the database resides) and to administering many different database computers from a single remote client.
 		 可以选择采用操作系统或密码文件为数据库管理员进行身份验证(authentication)。图 20-1 显示了数据库管理员身份验证的可选方式。数据库管理员可以管理本地的数据库(在运行数据库的计算机上),也可以在一个远程客户端上管理多个数据库,在这两种情况下,身份验证方式有所不同。
 
075 Figure 20-1 Database Administrator Authentication Methods
 		 图 20-1 数据库管理员身份验证方式
 
076


 


 
077
The Figure 20-1 shows a flowchart of choices for Remote Database Administration and Local Database Administration.

For Remote Database Administration: Do you have a secure connection? If "No," then use a password file. If "Yes," do you want to use operating system authentication? If "Yes," then use operating system authentication. If "No," then use a password file.

For Local Database Administration: Do you want to use operating system authentication? If "Yes," then use operating system authentication. If "No," then use a password file.
图 20-1 展示了本地数据库管理员及远程数据库管理员的身份验证流程图。

对于远程数据库管理员:首先确定其是否具备安全连接。如果“否”,则使用密码文件进行身份验证。如果“是”,则可选择是否使用操作系统身份验证。如果“是”,则使用操作系统身份验证。如果“否”,则使用密码文件进行身份验证。

对于本地数据库管理员:选择是否使用操作系统身份验证。如果“是”,则使用操作系统身份验证。如果“否”,则使用密码文件进行身份验证。
078 Operating system authentication for a database administrator typically involves placing his operating system user name in a special group or giving it a special process right. (On UNIX systems, the group is the dba group.)
 		 通过操作系统对数据库管理员进行身份验证时,通常需要将操作系统用户名放入特殊的用户组,或赋予此用户特殊的权限(在 UNIX 系统上,用户组名为 dba)。
 
079 The database uses password files to keep track of database user names that have been granted the SYSDBA and SYSOPER privileges, enabling the following operations:
  • SYSOPER lets database administrators perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes the RESTRICTED SESSION privilege.
  • SYSDBA contains all system privileges with ADMIN OPTION, and the SYSOPER system privilege. Permits CREATE DATABASE and time-based recovery.
 Oracle 数据库在密码文件(password file)中记录被授予了 SYSDBASYSOPER 权限的数据库用户,这些权限能够执行以下操作:
  • 具备 SYSOPER 权限的数据库管理员能够执行 STARTUPSHUTDOWNALTER DATABASE OPEN/MOUNTALTER DATABASE BACKUPARCHIVE LOG,及 RECOVER 命令,并具备 RESTRICTED SESSION 权限。
  • 具备 SYSDBA 权限的数据库管理员拥有所有系统权限(system privilege)及权限的 ADMIN OPTION 选项,还拥有 SYSOPER 所拥有的全部系统权限。此外,能够执行 CREATE DATABASE 命令,并能够执行基于时间的恢复操作(time-based recovery)。
080

See Also:

另见:
081

Overview of Authorization

20.4 授权概述
082 Authorization primarily includes two processes:
  • Permitting only certain users to access, process, or alter data
  • Applying varying limitations on users' access or actions. The limitations placed on (or removed from) users can apply to objects, such as schemas, tables, or rows; or to resources, such as time (CPU, connect, or idle times).
 授权(authorization)主要包括两方面内容:
  • 只允许特定的用户对数据进行访问,处理,及修改
  • 对用户的访问及行为(action)进行各种限制。对用户的限制可以针对对象,例如方案(schema),表,或数据行;也可以针对资源,例如时间(包括 CPU 时间,连接时间,空闲时间等)。
083 This section introduces the basic concepts and mechanisms for placing or removing such limitations on users, individually or in groups.
 		 本节介绍为用户(单一用户或一组用户)添加或移除限制的基本概念及机制。
 
084

User Resource Limits and Profiles

20.4.1 用户资源限制及配置模版
085 You can set limits on the amount of various system resources available to each user as part of a user's security domain. By doing so, you can prevent the uncontrolled consumption of valuable system resources such as CPU time.
 		 管理员能够对用户可用的系统资源进行限制,此功能是用户安全管理的一部分。进行限制后,可以防止用户对重要系统资源(例如 CPU 时间)的不可控的消费。
 
086 This is very useful in large, multiuser systems, where system resources are expensive. Excessive consumption of resources by one or more users can detrimentally affect the other users of the database.
 		 在大型多层应用系统中,系统资源使用量极大,因此资源限制功能极为重要。少数用户对系统资源的过度消费可能会严重影响其他用户使用数据库。
 
087 Manage a user's resource limits and password management preferences with his or her profile—a named set of resource limits that you can assign to that user. Each database can have an unlimited number of profiles. The security administrator can enable or disable the enforcement of profile resource limits universally.
 		 管理员可以使用配置模版(profile)来设置用户的资源限制(resource limit)及密码管理参数选项(password management preference)。在数据库内可以存储任意个配置模版。安全管理员(security administrator)能够全局地设置系统是否采用配置模版来限制用户对资源的使用。
 
088 If you set resource limits, then a slight degradation in performance occurs when users create sessions. This is because Oracle loads all resource limit data for the user when a user connects to a database.
 		 如果管理员设置了资源限制,将对用户创建会话的性能产生一定影响。因为 Oracle 需要在用户连接数据库时加载此用户的所有资源限制数据。
 
089
See Also:

Oracle Database Administrator's Guide for information about security administrators
另见:

Oracle Database Administrator's Guide 了解更多关于安全管理员的信息
090 Resource limits and profiles are discussed in the following sections: 以下两节将讨论资源限制及配置模版:
091

Types of System Resources and Limits

20.4.1.1 系统资源类型及资源限制类型
092 Oracle can limit the use of several types of system resources, including CPU time and logical reads. In general, you can control each of these resources at the session level, the call level, or both.
 		 Oracle 能够限制用户对多种系统资源的使用,其中包括 CPU 时间及逻辑读取(logical read)。一般来说,用户可以在会话级(session level),调用级(call level),或同时对这些资源进行限制。
 
093

Session Level

20.4.1.1.1 会话级
094 Each time a user connects to a database, a session is created. Each session consumes CPU time and memory on the computer that runs Oracle. You can set several resource limits at the session level.
 		 当用户连接到数据库时,Oracle 将创建一个会话(session)。每个会话都将消耗 Oracle 所在计算机的 CPU 时间及内存。用户可以在会话级(session level)设置多种资源限制(resource limit)。
 
095 If a user exceeds a session-level resource limit, then Oracle terminates (rolls back) the current statement and returns a message indicating that the session limit has been reached. At this point, all previous statements in the current transaction are intact, and the only operations the user can perform are COMMIT, ROLLBACK, or disconnect (in this case, the current transaction is committed). All other operations produce an error. Even after the transaction is committed or rolled back, the user can accomplish no more work during the current session.
 		 如果用户超过了某一会话级资源限制,Oracle 将终止(回滚)当前执行的语句,并通知用户此会话超出资源限制。此时,当前会话内已经执行的语句不受资源限制的影响,而用户则只能执行 COMMITROLLBACK,或断开连接(disconnect)(如断开连接,当前事务将被提交)。用户的其他所有操作都将导致报错。在事务被提交或回滚后,用户在当前会话内也不能执行其他任何操作。
 
096

Call Level

20.4.1.1.2 调用级
097 Each time a SQL statement is run, several steps are taken to process the statement. During this processing, several calls are made to the database as part of the different execution phases. To prevent any one call from using the system excessively, Oracle lets you set several resource limits at the call level.
 		 SQL 语句每次运行时,Oracle 都将执行一系列操作来处理此语句。在处理过程中,不同的执行阶段需要向数据库发起不同的调用。为了防止某个调用过度地使用系统资源,Oracle 允许管理员在调用级(call level)设定多种资源限制(resource limit)。
 
098 If a user exceeds a call-level resource limit, then Oracle halts the processing of the statement, rolls back the statement, and returns an error. However, all previous statements of the current transaction remain intact, and the user's session remains connected.
 		 如果用户超过了调用级资源限制,Oracle 将停止执行语句,并进行回滚,之后向用户报错。此时,当前会话内已经执行的语句不受资源限制的影响,用户会话也将保持连接状态。
 
099

CPU Time

20.4.1.1.3 CPU 时间
100 When SQL statements and other types of calls are made to Oracle, an amount of CPU time is necessary to process the call. Average calls require a small amount of CPU time. However, a SQL statement involving a large amount of data or a runaway query can potentially consume a large amount of CPU time, reducing CPU time available for other processing.
 		 当 Oracle 执行 SQL 语句或用户的其他各类调用(call)时,系统需要一定的 CPU 时间来处理此调用。普通的调用所需的 CPU 时间较少。但是需要处理大量数据的语句,或失控的查询(runaway query)可能占用大量的 CPU 时间,这减少了其他处理任务可用的 CPU 时间。
 
101 To prevent uncontrolled use of CPU time, limit the CPU time for each call and the total amount of CPU time used for Oracle calls during a session. Limits are set and measured in CPU one-hundredth seconds (0.01 seconds) used by a call or a session.
 		 为了防止 CPU 时间被不受控地占用,管理员可以限制会话内每个调用使用的 CPU 时间,以及会话中所有 Oracle 调用的 CPU 时间之和。设置及衡量调用或会话可使用的 CPU 时间的单位为百分之一秒。
 
102

Logical Reads

20.4.1.1.4 逻辑读取
103 Input/output (I/O) is one of the most expensive operations in a database system. SQL statements that are I/O intensive can monopolize memory and disk use and cause other database operations to compete for these resources.
 		 输入/输出(Input/output,I/O)是数据库系统中开销最大的操作。I/O 操作密集的 SQL 语句可能会占用大量内存及硬盘,并与其他需要同样资源的数据库操作产生竞争。
 
104 To prevent single sources of excessive I/O, Oracle lets you limit the logical data block reads for each call and for each session. Logical data block reads include data block reads from both memory and disk. The limits are set and measured in number of block reads performed by a call or during a session.
 		 为了防止 I/O 被独占,Oracle 可以限制调用及会话的逻辑数据块读取(logical data block read)。逻辑数据块读取包含从内存及磁盘读取数据。设置及衡量调用或会话可使用的逻辑读取的单位为数据块数量。
 
105

Other Resources

20.4.1.1.5 其他资源
106 Oracle also provides for the limitation of several other resources at the session level:
  • You can limit the number of concurrent sessions for each user. Each user can create only up to a predefined number of concurrent sessions.
  • You can limit the idle time for a session. If the time between Oracle calls for a session reaches the idle time limit, then the current transaction is rolled back, the session is aborted, and the resources of the session are returned to the system. The next call receives an error that indicates the user is no longer connected to the instance. This limit is set as a number of elapsed minutes.

    Shortly after a session is aborted because it has exceeded an idle time limit, the process monitor (PMON) background process cleans up after the aborted session. Until PMON completes this process, the aborted session is still counted in any session/user resource limit.
  • You can limit the elapsed connect time for each session. If a session's duration exceeds the elapsed time limit, then the current transaction is rolled back, the session is dropped, and the resources of the session are returned to the system. This limit is set as a number of elapsed minutes.
  • Oracle does not constantly monitor the elapsed idle time or elapsed connection time. Doing so would reduce system performance. Instead, it checks every few minutes. Therefore, a session can exceed this limit slightly (for example, by five minutes) before Oracle enforces the limit and aborts the session.
  • You can limit the amount of private SGA space (used for private SQL areas) for a session. This limit is only important in systems that use the shared server configuration. Otherwise, private SQL areas are located in the PGA. This limit is set as a number of bytes of memory in an instance's SGA. Use the characters K or M to specify kilobytes or megabytes.
 Oracle 还在会话级(session level)支持以下类型的资源限制:
  • 管理员可以限制用户并发会话数(concurrent sessions for each user)。每个用户的并发会话数不能超过预设值。
  • 管理员可以限制一个会话的空闲时间(idle time)。如果会话内两次 Oracle 调用间的间隔时间达到了限制值,当前事务将被回滚,会话将被终止(aborted),会话所占用的资源将被系统回收。下次会话将得到报错信息,提示用户已经终止了与实例的连接。此限制的设置单位为分钟。

    当会话由于超出空闲时间限制而被终止之后,进程监视器(process monitor,PMON)后台进程将对被终止的会话进行清理。在 PMON 完成此过程前,统计用户及会话资源使用时仍将包含被终止的会话。
  • 管理员可以限制每个会话的连接持续时间。如果会话持续连接时间超出限制值,当前事务将被回滚,会话将被移除(dropped),会话所占用的资源将被系统回收。此限制的设置单位为分钟。
  • Oracle 不会持续不断地监控会话的空闲时间及连接时间,因为这样做将降低系统性能。Oracle 的做法是每隔数分钟检查一次。因此,在 Oracle 依据资源限制终止会话前,会话有可能已经略微超出了限制时间(例如,超出 5 分钟)。
  • Oracle 能够限制一个会话所使用的私有 SGA 空间(作为私有 SQL 区(private SQL area))。只有在共享服务模式(shared server configuration)下此项资源限制才能发挥所用。而在专用服务模式(dedicated server configuration)下,私有 SQL 区位于 PGA 内。此限制表示可供会话使用的实例 SGA 内存的字节数。在设定时可以使用字符 K 或 M 表示千字节(kilobytes)及兆字节(megabytes)。
107
See Also:

Oracle Database Administrator's Guide for instructions about enabling and disabling resource limits
另见:

Oracle Database Administrator's Guide 了解如何开启或禁用资源限制
108

Profiles

20.4.1.2 配置模版
109 In the context of system resources, a profile is a named set of specified resource limits that can be assigned to a valid user name in an Oracle database. Profiles provide for easy management of resource limits. Profiles are also the way in which you administer password policy.
 		 在系统资源管理的概念里,配制模版(profile)是一个命名的资源限制(resource limit)集合,可以授予 Oracle 数据库内的某个用户。配制模版有助于简化资源限制管理。管理员还可以使用配制模版来控制密码策略(password policy)。
 
110 Different profiles can be created and assigned individually to each user of the database. A default profile is present for all users not explicitly assigned a profile. The resource limit feature prevents excessive consumption of global database system resources.
 		 在数据库中可以创建多个配制模版,之后可以为每个数据库用户设定一个配制模版。如果没有显式地为用户设定配制模版,用户将使用 Oracle 默认的配制模版。配制模版内的资源限制信息将防止用户过度地使用数据库系统资源。
 
111

When to Use Profiles

20.4.1.2.1 何时使用配制模版
112 You need to create and manage user profiles only if resource limits are a requirement of your database security policy. To use profiles, first categorize the related types of users in a database. Just as roles are used to manage the privileges of related users, profiles are used to manage the resource limits of related users. Determine how many profiles are needed to encompass all types of users in a database and then determine appropriate resource limits for each profile.
 		 如果数据库安全策略(database security policy)中需要包含资源限制(resource limit),管理员就应创建并管理用户配制模版(profile)。在使用配制模版前,首先要对数据库内相关的用户进行归类。配制模版的作用是管理一组用户的资源限制,这就如同使用角色(role)来管理一组用户的权限(privilege)一样。管理员首先要确定共需要几种配制模版来覆盖数据库内的全部用户,其次再为每个配制模版设定适当的资源限制。
 
113

Determine Values for Resource Limits of a Profile

20.4.1.2.2 确定配制模版内各资源限制值
114 Before creating profiles and setting the resource limits associated with them, determine appropriate values for each resource limit. You can base these values on the type of operations a typical user performs. Usually, the best way to determine the appropriate resource limit values for a given user profile is to gather historical information about each type of resource usage.
 		 在创建配制模版(profile)并设定资源限制(resource limit)前,首先要确定适当的资源限制值。管理员可以依据典型用户所执行的各类操作来确定这些值。通常,为配制模版确定适当的资源限制值的最佳方式是收集用户各类资源使用的历史信息。
 
115 You can gather statistics for other limits using the Monitor feature of Oracle Enterprise Manager (or SQL*Plus), specifically the Statistics monitor.
 		 管理员可以使用 Oracle Enterprise Manager(企业管理器)或 SQL*Plus 提供的各种监视器收集相关的统计信息,尤其可以使用统计信息监视器(Statistics monitor)。
 
116

Introduction to Privileges

20.4.2 权限简介
117 A privilege is a right to run a particular type of SQL statement or to access another user's object.
 		 权限(privilege)指运行特定 SQL 语句的权利,或访问其他用户对象的权利。
 
118 Grant privileges to users so that they can accomplish tasks required for their job. Grant privileges only to users who absolutely require them. Excessive granting of unnecessary privileges can compromise security. A user can receive a privilege in two different ways:
  • You can grant privileges to users explicitly. For example, you can explicitly grant the privilege to insert records into the employees table to the user SCOTT.
  • You can grant privileges to a role (a named group of privileges), and then grant the role to one or more users. For example, you can grant the privileges to select, insert, update, and delete records from the employees table to the role named clerk, which in turn you can grant to the users scott and brian.
 只有为数据库用户授权(grant)后,用户才能执行其所需的数据库操作。管理员只应授予一个用户其工作所必需的权限。不必要地过度授权可能会导致严重的安全问题。管理员可以采用两种方式为用户授权:
  • 管理员可以显式地为用户授权。例如,管理员可以显式地将向 employees 表插入数据的权限授予 SCOTT 用户。
  • 管理员可以将一组权限授予一个角色(role)(即命名的一组权限),再将角色授予一个或多个用户。例如,管理员可以将 employees 表的查询,插入,更新,删除权限授予 clerk 角色,再将此角色授予用户 scottbrian
119 Because roles allow for easier and better management of privileges, you should generally grant privileges to roles and not to specific users.
 		 由于角色能使权限管理更简单更规范,一般来说管理员应首先将权限赋予角色,而非直接赋予具体的用户。
 
120 There are two distinct categories of privileges: Oracle 中包含两类权限:
121
See Also:

Oracle Database Administrator's Guide for a list of all system and schema object privileges, as well as instructions for privilege management
另见:

Oracle Database Administrator's Guide 查询所有系统权限及方案对象权限的列表,以及与权限管理相关的指导意见。
122

System Privileges

20.4.2.1 系统权限
123 A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges. There are over 100 distinct system privileges.
 		 系统权限(system privilege)是执行某一特定操作,或对某类方案对象执行操作的权利。例如,创建表空间的权限,或删除数据库中任意表数据的权限。Oracle 提供了超过 100 项系统权限。
 
124

Schema Object Privileges

20.4.2.2 方案对象权限
125 A schema object privilege is a privilege or right to perform a particular action on a specific schema object:
 		 方案对象权限(schema object privilege)是对某一方案对象执行特定操作的权利。
 
126 Different object privileges are available for different types of schema objects. For example, the privilege to delete rows from the departments table is an object privilege.
 		 不同类型的方案对象具有不同的对象权限。例如,从 departments 表中删除数据的权限就是一种对象权限。
 
127 Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.
 		 簇(cluster),索引,触发器(trigger),及数据库链接(database link)等方案对象没有相关的对象权限。对这些对象的使用是由系统权限(system privilege)控制的。例如,用户必须是簇的拥有者或具备 ALTER ANY CLUSTER 系统权限才能修改(alter)一个簇。
 
128