ORA-01031: insufficient privileges
Table of Contents
1 錯誤信息
例1 css
SQL*Plus: Release 11.2.0.3.0 Production on Thu Oct 29 15:46:33 2015 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges Enter user-name: ERROR: ORA-01017: invalid username/password; logon denied
例2 html
SQL> create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno; create view a.v_a as select a.* from a.emp a ,b.dept b where a.deptno=b.deptno * 第 1 行出現錯誤: ORA-01031: 權限不足例3 java
存儲過程當中提示無權限 python
SQL> exec boss.proc_test; begin boss.proc_test; end; ORA-01031: 權限不足 ORA-06512: 在 "BOSS.PROC_TEST", line 4 ORA-06512: 在 line 1
2 官方解析
$ oerr ora 1031 01031, 00000, "insufficient privileges" // *Cause: An attempt was made to change the current username or password // without the appropriate privilege. This error also occurs if // attempting to install a database without the necessary operating // system privileges. // When Trusted Oracle is configure in DBMS MAC, this error may occur // if the user was granted the necessary privilege at a higher label // than the current login. // *Action: Ask the database administrator to perform the operation or grant // the required privileges. // For Trusted Oracle users getting this error although granted the // the appropriate privilege at a higher label, ask the database // administrator to regrant the privilege at the appropriate label.
從官方提供的解析來看,有兩種可能: sql
- 在沒有權限的狀況下對用戶或者用戶密碼進行修改
- 安裝數據庫的時候,沒有足夠的權限。
- 沒有足夠權限去受權
3 情景分析
3.1 登陸
3.1.1 用戶屬組缺失或不正確
用戶以操做系統認證方式登陸數據庫時,會把當前用戶的組信息與$ORACLE_HOME/rdbms/lib/config.c 文件中的配置進行比對。若是不匹配,有可能出現ORA-01017 或者ORA-01031錯誤。 shell
下面是config.c 文件內容 數據庫
/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
/* IMPORTANT: this file needs to be in sync with
rdbms/src/server/osds/config.c, specifically regarding the
number of elements in the ss_dba_grp array.
*/
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oinstall"
#define SS_ASM_GRP ""
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP};
從註釋中,能夠看出,ss_dba_grp 是以sqldba 身份登陸數據庫的必要條件之一。也就是說,只要以dba 身份 登陸,該操做系統用戶就須要隸屬於該用戶組。 sass
錯誤示例: ruby
# id oracle ## ==> 查看oracle 用戶當前屬組 uid=501(oracle) gid=501(oinstall) 01(oinstall),502(dba) # usermod -G oinstall oracle ## ==> 修改Oracle 用戶附屬組信息 # id oracle ## ==> 查看oracle 用戶當前屬組,與第一次查看,發現少了dba 組 uid=501(oracle) gid=501(oinstall) 01(oinstall) # su - oracle # sqlplus / as sysdba ## ==> 嘗試以sysdba身份登陸數據庫 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:10 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. ERROR: ORA-01031: insufficient privileges ## ==> 重現錯誤信息 Enter user-name: ^C # usermod -G oinstall,dba oracle ## ==> 還原Oracle 用戶組信息 # su - oracle # sqlplus / as sysdba ## ==> 嘗試以sysdba 身份登陸oracle 數據庫 SQL*Plus: Release 11.2.0.3.0 Production on Mon Jul 16 16:13:51 2018 Copyright (c) 1982, 2011, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> exit ## ==> 登陸成功,退出SQL環境。
3.1.2 用戶認證方式不對
oracle 用戶登陸經過sqlnet.ora 中的SQLNET.AUTHENTICATION_SERVICES bash
3.1.3 ORACLE_SID
變量ORACLE_SID 未設置或者設置錯誤,也會引發此錯誤。
3.2 對象權限不足
錯誤信息:
ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at "schema.procedure_name", line 3 ORA-06512: at line 1
- 說明
- 不少時候,咱們明明有授與很高的權限,好比select any table,select any view 等,應該不會在查詢表或者視圖時出現權限問題,可是,事實上咱們就是會遇到。 緣由是這種受權方式,針對某個單獨對象來講,是隱式受權。 若是咱們在存儲過程或者物化視圖中想要訪問、修改某個對象的時候,須要對該對象進行 顯示受權:grant select on object_name to schema;
3.3 存儲過程當中報錯
有些時候,咱們會遇到這樣的狀況:DML/DDL 不在存儲過程當中執行是沒有問題的,但是放到 存儲過程當中之後執行會報錯,提示無權限。這個時候,咱們須要對相應的操做進行單獨受權。 好比ddl 操做:
create or replace procedure proc_test as begin execute immediate 'create table test(id number)'; end; /
這個操做是是建表,須要create table 權限, 咱們須要授予系統權限:create any table.
grant create any table to xxx;
若是是DML和查詢操做無權限,則針對相關對象單獨受權:
grant select on <user>.<object> to <the_other_user>; grant update on <user>.<object> to <the_other_user>; grant delete on <user>.<object> to <the_other_user>; grant insert on <user>.<object> to <the_other_user>;