pl/sql - 比较 2 个用户表的记录计数
我在模式“staff”下有一个用户名为“staff”的表“stf_table”。
我在模式“employee”下有表“emp_table”,用户名为“employee”。
这两个都位于相同的数据库 SID/主机/端口下,但用户“staff”没有查询模式“employee”下的表的权限,反之亦然(即用户“employee”没有查询模式“employee”下的表的权限)模式“员工”)。但每个用户都可以在自己的模式下查询该表。注意:我无法授予额外的权限,并且我不想将两个表转储到本地模式中。
是否可以编写一个 PL/SQL 过程或包来执行以下操作?
select count(*) from stf_table;
select count(*) from emp_table;
然后将两个计数输出到文件(即不涉及的 .txt 或 .dat),如下所示:
stf_table count: 47830
emp_table count: 36462
difference: 11368
counts match: FALSE
I have table 'stf_table' under the schema 'staff' with username 'staff'.
I have table 'emp_table' under the schema 'employee' with username 'employee'.
Both of these are under the same database SID/host/port but user 'staff' doesn't have privelege to query tables under schema 'employee' and vice versa (ie. user 'employee' doesn't have privelege to query tables under schema 'staff'). But each user can query the table under their own schema. Note: I cannot grant extra privileges and I don't want to have to dump both tables into a local schema.
Is it possible to write a PL/SQL proc or package that would do the following?
select count(*) from stf_table;
select count(*) from emp_table;
then output both counts to a file (ie a .txt or .dat not concerned) like so:
stf_table count: 47830
emp_table count: 36462
difference: 11368
counts match: FALSE
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您不想向任一用户授予额外权限,则没有太多选择。
您可以创建一个由超级用户拥有的过程,例如具有 SELECT ANY TABLE(但不是 SYS 或 SYSTEM)的帐户,该帐户既进行计数又计算差异。
所以这里最关键的是AUTHID DEFINER。这意味着该函数以拥有该函数的用户的权限运行;因为他们拥有查询两个表所需的权限,因此用户可以运行该函数,并且他们授予
EXECUTE ON GET_DIFF的任何其他用户也可以。这确实是你能逃脱惩罚的最低要求。
注意:我还没有解决写入文件的问题,因为我真的不认为这是你问题的主旨。最主要的是权限。
不是安全模型的工作方式。STAFF
的数据归 STAFF 所有,EMPLOYEE 的数据归 EMPLOYEE 所有。默认情况下,STAFF 无法看到 EMPLOYEE 的数据,反之亦然。要改变这种情况,您有两个方法选项:
。显然,第一种方法很可能存在数据保护问题,您可以进行一些改进:
If you don't want to grant additional privileges to either user, you don't have many options.
You can create a procedure owned by a super user, say an account which has SELECT ANY TABLE, (but not SYS or SYSTEM) which does both counts and calculates the difference.
So the crucial thing here is the AUTHID DEFINER. That means the function runs with the permissions of the user who owns the function; because they have the neecssary permissions to query both tables that user can run the function, and so can any other user to whom they grant
EXECUTE ON GET_DIFF.That really is the minimum about of granting you can get away with.
NB: I haven't addressed the question of writing to a file, because I don't really think that's the thrust of your question. The main thing is permissions.
No. That's not the way the security model works.
STAFF's data is owned by STAFF and EMPLOYEE's data is owned by EMPLOYEE. By default, STAFF cannot see EMPLOYEE's data and vice versa. To change this situation you have two options:
Obviously, there may well be data protection issues with the first approach. If that is your concern there are some refinements open to you:
授予权限是正确的做法,但是正如您所说这是不可能的:
一种解决方案可能是使用脚本在命令行中执行此操作。
(最大的缺点是用户名和密码将嵌入脚本中供所有人查看,因此请确保脚本得到适当的保护)
首先创建 2 个脚本:
a.sql:
b.sql:
现在创建一个脚本文件提取。 bat 获取输出:
现在只需在命令提示符下执行
extract.batGranting permissions is the correct thing to do however as you state this is not possible:
one solution could be to do it at the command line using scripts.
(the biggest drawback is the username & password would be embedded in the script for all to see, so make sure the scripts are appropriately secured)
first create 2 scripts:
a.sql:
b.sql:
now create a script file extract.bat to get the output:
now simply execute
extract.batat the command promptAPC 是对的,因为如果不授予额外的权限,您无法轻松解决此问题。可能有比他建议的更简单的方法。
我建议创建一个视图并将对该视图的访问权限授予其他模式。
在 STAFF 模式中,您可以创建一个视图 stf_table_count:
然后将该视图上的 select 授予员工模式:
然后从员工模式中您可以找到结果,而无需获取数据
您也可以重复此过程以获取员工中的员工计数架构。
我并不是真正的 Oracle 数据库安全专家,因此您对这个答案的理解可能会有所不同,但我认为它应该有效。
APC is right in that you can't solve this problem easily without granting additional permissions. There might be a simpler way than what he is suggesting.
I would suggest creating a view and granting access to that view to the other schema.
In the STAFF schema you can create a view stf_table_count:
Then grant select on that view to the employee schema:
Then from the employee schema you can find the result without getting the data
You can also repeat this process to get the employee counts in the staff schema.
I'm not really an Oracle database security expert so your mileage may vary on this answer but I think it should work.