Oracle 12c: Creating CDB/PDB Users and Managing Objects

 

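Oracle 12c has two kinds of accounts: common accounts and local accounts (which can also be thought of as private accounts). A common account is created in the CDB and takes effect in all PDBs; the other kind is an account created in a PDB.

The two kinds of accounts are tested as follows:

1.1 Creating a test account in a PDB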

 

SQL> alter session set container=pdb01;

 

Session altered.

 

SQL> select username from dba_users where username like 'GUI%';

 

no rows selected

 

SQL> CREATE USER TEST IDENTIFIED BY test;

 

User created.

 

SQL> grant dba to test;

 

Grant succeeded.

 

SQL> show con_name

 

CON_NAME

------------------------------

PDB01

SQL> conn /as sysdba

Connected.

SQL> create user test identified by test;

create user test identified by test

            *

ERROR at line 1:

ORA-65096: invalid common user or role name

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

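Conclusion:

If a user or role already exists in a PDB, an account or role with the same name cannot be created in the CDB.

1.2 Creating a test account in the CDB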

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create user C##GUIJIAN IDENTIFIED BY guijian;   ------ Note: a user created in the CDB must carry the c## prefix

User created.

SQL> create user c#gui identified by gui;

create user c#gui identified by gui

            *

ERROR at line 1:

ORA-65096: invalid common user or role name

 

SQL> select username from dba_users where username like '%GUI%';

 

USERNAME

--------------------------------------------------------------------------------

C##GUIJIAN

 

SQL> ALTER SESSION SET CONTAINER=PDB01;

 

Session altered.

 

SQL> select username from dba_users where username like '%GUI%';

 

USERNAME

--------------------------------------------------------------------------------

C##GUIJIAN

 

SQL> create user guijian identified by guijian;

 

User created.

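Likewise, once an account has been created in the CDB, an account with the same name cannot appear in a PDB, because accounts in the CDB are valid for all PDBs.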

SQL> create user c##guijian identified by guijian;

create user c##guijian identified by guijian

            *

ERROR at line 1:

ORA-65094: invalid local user or role name

SQL> alter session set container=pdba;

 

Session altered.

 

SQL> show user

USER is "SYS"

SQL> alter user sys identified by sys;

alter user sys identified by sys

*

ERROR at line 1:

ORA-65066: The specified changes must apply to all containers

 

SQL> show con_name

 

CON_NAME

------------------------------

PDBA

 

SQL> conn /as sysdba

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> alter user sys identified by sys;

 

User altered.

 

SQL>

 

1.3 Privilege issues for accounts created in the CDB

SQL> conn / as sysdba

Connected.

SQL> grant connect,create session to c##cdb;

 

Grant succeeded.

 

SQL> conn c##cdb/cdb@pdba

ERROR:

ORA-01045: user C##CDB lacks CREATE SESSION privilege; logon denied

 

 

Warning: You are no longer connected to ORACLE.

SQL> a

SP2-0004: Nothing to append.

SQL> conn / as sysdba

Connected.

SQL> alter session set container=pdba;

 

Session altered.

 

SQL> grant resource,connect to c##cdb;

 

Grant succeeded.

 

SQL> conn  /as sysdba

Connected.

SQL> conn c##cdb/cdb@pdba

Connected.

SQL>

SQL> conn / as sysdba

Connected.

SQL> create user guijian identified by guijian container=current;

create user guijian identified by guijian container=current

                                  *

ERROR at line 1:

ORA-65049: creation of local user or role is not allowed in CDB$ROOT

 

 

SQL> create user c##guijian identified by guijian container=current;

create user c##guijian identified by guijian container=current

            *

ERROR at line 1:

ORA-65094: invalid local user or role name

 

 

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create user c##guijian identified by guijian container=all;

 

User created.

 

SQL> create user c##guijian01 identified by guijian;

 

User created.

 

SQL> conn  /as sysdba

Connected.

SQL> show con_name            

 

CON_NAME

------------------------------

CDB$ROOT

SQL> grant dba to c##guijian01;

 

Grant succeeded.

 

SQL> conn c##guijian01/guijian@pdba

ERROR:

ORA-01045: user C##GUIJIAN01 lacks CREATE SESSION privilege; logon denied

 

 

Warning: You are no longer connected to ORACLE.

SQL> conn  /as sysdba

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> grant dba to c##guijian01 container=all;

 

Grant succeeded.

 

SQL> conn c##guijian01/guijian@pdba

Connected.
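
The grant-scope behaviour seen in this session can be checked from the data dictionary. The following is an added example, not part of the original post: it assumes it is run as SYS in CDB$ROOT with the PDBs open, and uses only the standard CDB_USERS, CDB_ROLE_PRIVS, CDB_SYS_PRIVS and V$CONTAINERS views.

```sql
-- Added example. Run as SYS in CDB$ROOT; CDB_* views only return rows
-- for containers that are currently open.

-- 1. Roles and system privileges held by common users, per container.
--    COMMON = 'YES': granted with CONTAINER=ALL (applies in every container).
--    COMMON = 'NO' : granted locally, in that container only.
SELECT c.name AS container, p.grantee, p.kind, p.granted, p.common
FROM (
        SELECT con_id, grantee, 'ROLE' AS kind, granted_role AS granted, common
        FROM   cdb_role_privs
        UNION ALL
        SELECT con_id, grantee, 'SYSPRIV', privilege, common
        FROM   cdb_sys_privs
     ) p
JOIN v$containers c ON c.con_id = p.con_id
JOIN cdb_users    u ON u.con_id = p.con_id AND u.username = p.grantee
WHERE u.common = 'YES'
  AND u.oracle_maintained = 'N'
ORDER BY p.grantee, c.con_id, p.kind, p.granted;

-- 2. Containers where a common user exists but logon would fail with
--    ORA-01045. Checks a direct CREATE SESSION grant and one level of
--    role membership only; nested roles and PUBLIC are not followed.
SELECT c.name AS container, u.username
FROM   cdb_users u
JOIN   v$containers c ON c.con_id = u.con_id
WHERE  u.common = 'YES'
  AND  u.oracle_maintained = 'N'
  AND  NOT EXISTS (
         SELECT 1
         FROM   cdb_sys_privs s
         WHERE  s.con_id    = u.con_id
           AND  s.privilege = 'CREATE SESSION'
           AND  (s.grantee = u.username
                 OR s.grantee IN (SELECT r.granted_role
                                  FROM   cdb_role_privs r
                                  WHERE  r.con_id  = u.con_id
                                    AND  r.grantee = u.username)))
ORDER BY u.username, c.con_id;
```

Rows from the first query with a powerful role such as DBA and COMMON = 'YES' mark accounts whose privileges reach every PDB; granting locally inside the one PDB that needs it, as done for c##cdb above, keeps the scope narrower.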

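1.4 Object management test

In the object management test, we briefly test how a common account's data objects differ between the CDB and a PDB.

1. Create an object in the CDB and view it from the PDB: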

SQL> conn c##cdb/cdb

Connected.

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL> create table cdb as select * from dba_users;

 

Table created.

 

SQL> commit;

 

Commit complete.

 

SQL>

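As can be seen, objects created by the common account in the CDB are not visible in the PDB.

2. Create an object as the common account in the PDB and view it from the CDB: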

SQL> show con_name

 

CON_NAME

------------------------------

PDBA

SQL> show user

USER is "C##CDB"

SQL> select object_name from user_objects;

 

no rows selected

 

SQL> create table cdb as select * from dba_users;

 

Table created.

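As can be seen, what the same common account creates in the PDB is not visible in the CDB. We also notice a detail: for the same common account, the account takes on a different meaning in the CDB and in the PDB, so an object created in the CDB and an object created in the PDB can have the same name, and vice versa.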
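
The per-container ownership described here can be seen in one result set from the root. This is an added example, not part of the original post: it assumes it is run as SYS in CDB$ROOT with the PDBs open, and the owner C##CDB is the account used in the session above.

```sql
-- Added example. USER_OBJECTS and DBA_OBJECTS only describe the current
-- container; CDB_OBJECTS, queried from CDB$ROOT, adds CON_ID so that the
-- same owner's objects in every open container appear side by side.
SELECT c.name AS container,
       o.owner,
       o.object_name,
       o.object_type,
       o.created,
       -- how many containers hold an object with this owner/name/type
       COUNT(*) OVER (PARTITION BY o.owner, o.object_name, o.object_type)
           AS containers_with_name
FROM   cdb_objects o
JOIN   v$containers c ON c.con_id = o.con_id
WHERE  o.owner = 'C##CDB'
ORDER BY o.object_name, c.con_id;
```

After the two CREATE TABLE statements above, the table CDB owned by C##CDB is listed once for CDB$ROOT and once for PDBA, each with its own creation time, which shows they are independent objects.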

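Conclusions:

1. If a user or role already exists in a PDB, an account or role with the same name cannot be created in the CDB.

2. Likewise, once an account has been created in the CDB, an account with the same name cannot appear in a PDB, because accounts in the CDB are valid for all PDBs.

3. An account created in the CDB appears in all PDBs, but privileges granted in the CDB are not passed on to the PDBs unless that is specifically stated.

4. What the same common account creates in the PDB is not visible in the CDB. For the same common account, the account takes on a different meaning in the CDB and in the PDB, so an object created in the CDB and an object created in the PDB can have the same name, and vice versa.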
