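[Repost] Oracle 12c: Creating Users and Managing Objects in a CDB/PDB
In Oracle 12c there are two kinds of accounts: common accounts and local accounts (which can also be thought of as private accounts). A common account is created in the CDB and takes effect in all PDBs; the other kind is an account created inside a PDB.
The two kinds of account are tested below:
1.1 Creating a test account in a PDB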
SQL> alter session set container=pdb01;
Session altered.
SQL> select username from dba_users where username like 'GUI%';
no rows selected
SQL> CREATE USER TEST IDENTIFIED BY test;
User created.
SQL> grant dba to test;
Grant succeeded.
SQL> show con_name
CON_NAME
------------------------------
PDB01
SQL> conn /as sysdba
Connected.
SQL> create user test identified by test;
create user test identified by test
*
ERROR at line 1:
ORA-65096: invalid common user or role name
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
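Conclusion:
If a user or role already exists in a PDB, an account or role with the same name cannot be created in the CDB.
1.2 Creating a test account in the CDB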
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create user C##GUIJIAN IDENTIFIED BY guijian; ------ Note: a user created in the CDB must carry the c## prefix
User created.
SQL> create user c#gui identified by gui;
create user c#gui identified by gui
*
ERROR at line 1:
ORA-65096: invalid common user or role name
SQL> select username from dba_users where username like '%GUI%';
USERNAME
--------------------------------------------------------------------------------
C##GUIJIAN
SQL> ALTER SESSION SET CONTAINER=PDB01;
Session altered.
SQL> select username from dba_users where username like '%GUI%';
USERNAME
--------------------------------------------------------------------------------
C##GUIJIAN
SQL> create user guijian identified by guijian;
User created.
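Likewise, once an account has been created in the CDB, an account with the same name cannot appear in a PDB, because accounts in the CDB are valid for all PDBs.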
SQL> create user c##guijian identified by guijian;
create user c##guijian identified by guijian
*
ERROR at line 1:
ORA-65094: invalid local user or role name
SQL> alter session set container=pdba;
Session altered.
SQL> show user
USER is "SYS"
SQL> alter user sys identified by sys;
alter user sys identified by sys
*
ERROR at line 1:
ORA-65066: The specified changes must apply to all containers
SQL> show con_name
CON_NAME
------------------------------
PDBA
SQL> conn /as sysdba
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> alter user sys identified by sys;
User altered.
SQL>
1.3 Privileges of accounts created in the CDB
SQL> conn / as sysdba
Connected.
SQL> grant connect,create session to c##cdb;
Grant succeeded.
SQL> conn c##cdb/cdb@pdba
ERROR:
ORA-01045: user C##CDB lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> a
SP2-0004: Nothing to append.
SQL> conn / as sysdba
Connected.
SQL> alter session set container=pdba;
Session altered.
SQL> grant resource,connect to c##cdb;
Grant succeeded.
SQL> conn /as sysdba
Connected.
SQL> conn c##cdb/cdb@pdba
Connected.
SQL>
SQL> conn / as sysdba
Connected.
SQL> create user guijian identified by guijian container=current;
create user guijian identified by guijian container=current
*
ERROR at line 1:
ORA-65049: creation of local user or role is not allowed in CDB$ROOT
SQL> create user c##guijian identified by guijian container=current;
create user c##guijian identified by guijian container=current
*
ERROR at line 1:
ORA-65094: invalid local user or role name
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create user c##guijian identified by guijian container=all;
User created.
SQL> create user c##guijian01 identified by guijian;
User created.
SQL> conn /as sysdba
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> grant dba to c##guijian01;
Grant succeeded.
SQL> conn c##guijian01/guijian@pdba
ERROR:
ORA-01045: user C##GUIJIAN01 lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn /as sysdba
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> grant dba to c##guijian01 container=all;
Grant succeeded.
SQL> conn c##guijian01/guijian@pdba
Connected.
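1.4 Object management test
In the object management test, we briefly check how the data objects of a common account differ between the CDB and a PDB.
1. Create an object in the CDB and look for it in the PDB: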
SQL> conn c##cdb/cdb
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create table cdb as select * from dba_users;
Table created.
SQL> commit;
Commit complete.
SQL>
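As can be seen, objects created by a common account in the CDB are not visible in the PDB.
2. Create an object as the common account in the PDB and look for it in the CDB: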
SQL> show con_name
CON_NAME
------------------------------
PDBA
SQL> show user
USER is "C##CDB"
SQL> select object_name from user_objects;
no rows selected
SQL> create table cdb as select * from dba_users;
Table created.
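As can be seen, objects that the same common account creates in the PDB are not visible in the CDB. We also notice a detail: because the same common account takes on a different meaning in the CDB and in the PDB, an object it creates in the CDB and an object it creates in the PDB can have the same name, and vice versa.
Conclusions:
1. If a user or role already exists in a PDB, an account or role with the same name cannot be created in the CDB.
2. Likewise, once an account has been created in the CDB, an account with the same name cannot appear in a PDB, because accounts in the CDB are valid for all PDBs.
3. An account created in the CDB appears in all PDBs, but privileges granted in the CDB are not passed on to the PDBs unless this is explicitly specified.
4. Objects that the same common account creates in the PDB are not visible in the CDB. Because the same common account takes on a different meaning in the CDB and in the PDB, an object it creates in the CDB and an object it creates in the PDB can have the same name, and vice versa.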
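To check conclusion 3 and the behaviour seen in 1.3 on a live system, the following added example (not part of the original post) lists, per container, what each user-created common account has been granted and whether the grant was made with CONTAINER=ALL, then shows a narrower alternative to the GRANT DBA ... CONTAINER=ALL used in 1.3. It assumes a SYS session in CDB$ROOT and reuses the page's c##guijian01 and pdba names.

```sql
-- Added example. Run from CDB$ROOT as SYS.
-- CDB_* views return rows only for containers that are currently open.

-- 1. Per container: every role and system privilege held by a common user
--    that is not Oracle-maintained, and how the grant was made.
--    GRANTED_COMMONLY = YES means CONTAINER=ALL was used;
--    NO means the grant is local to that one container.
SELECT c.name    AS container,
       g.grantee,
       g.grant_type,
       g.granted,
       g.common  AS granted_commonly
FROM  (SELECT con_id, grantee, 'ROLE' AS grant_type,
              granted_role AS granted, common
         FROM cdb_role_privs
       UNION ALL
       SELECT con_id, grantee, 'SYS PRIV', privilege, common
         FROM cdb_sys_privs) g
JOIN   v$containers c ON c.con_id = g.con_id
WHERE  g.grantee IN (SELECT username
                       FROM cdb_users
                      WHERE common = 'YES'
                        AND oracle_maintained = 'N')
ORDER  BY g.grantee, c.con_id, g.grant_type, g.granted;

-- 2. Common accounts holding DBA in every container are the ones to review first.
SELECT grantee, con_id
FROM   cdb_role_privs
WHERE  granted_role = 'DBA'
AND    common = 'YES'
AND    grantee LIKE 'C##%'
ORDER  BY grantee, con_id;

-- 3. Narrower alternative to "grant dba to c##guijian01 container=all":
--    take the common DBA grant back, then allow logon to a single PDB only.
REVOKE DBA FROM c##guijian01 CONTAINER = ALL;
ALTER SESSION SET CONTAINER = pdba;
GRANT CREATE SESSION TO c##guijian01 CONTAINER = CURRENT;
```

A common account that shows a CREATE SESSION row for CDB$ROOT but none for a given PDB is the situation that produced ORA-01045 in 1.3.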
###sample 2
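Creating a CDB common user
You must log in to or switch to the CDB container, and the user name must begin with C## or c##. The CONTAINER=ALL option may be given or omitted: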
CONNECT SYSTEM
Enter password: password
Connected.
CREATE USER c##hr_admin
IDENTIFIED BY password
DEFAULT TABLESPACE data_ts
QUOTA 100M ON test_ts
QUOTA 500K ON data_ts
TEMPORARY TABLESPACE temp_ts
CONTAINER = ALL;
GRANT SET CONTAINER, CREATE SESSION TO c##hr_admin
CONTAINER = ALL;
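Note: tablespaces, quotas and so on must be adjusted to the actual environment; the same applies below.
If the user name does not begin with C## or c##, an error is raised: ORA-65096: invalid common user or role name.
If you do not want the name to begin with C## or c##, you can run the following statement before creating the user (parameters that begin with an underscore are Oracle internal parameters; they carry risk and are not recommended):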
alter session set "_oracle_script" = true;
Creating an Application common user
You must log in to or switch to the app container, as follows:
alter session set container=sales_app;
CREATE USER app_admin
IDENTIFIED BY password
DEFAULT TABLESPACE data_ts
QUOTA 100M ON temp_ts
QUOTA 500K ON data_ts
TEMPORARY TABLESPACE temp_ts
CONTAINER = ALL;
GRANT SET CONTAINER, CREATE SESSION TO app_admin CONTAINER = ALL;
Creating a local user
You must log in to or switch to a PDB container. The CONTAINER=CURRENT option may be given or omitted:
CONNECT SYSTEM@orclpdb
Enter password: password
Connected.
CREATE USER jason
IDENTIFIED BY password
DEFAULT TABLESPACE data_ts
QUOTA 100M ON test_ts
QUOTA 500K ON data_ts
TEMPORARY TABLESPACE temp_ts
PROFILE hr_profile
CONTAINER = CURRENT;
GRANT DBA TO jason;
-----------------------------------
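© Copyright belongs to the author: this is an original work by 51CTO blog author 川川Jason. Contact the author for permission to repost; otherwise legal liability will be pursued.
Oracle 12c/21c: Creating Users and Common CDB/PDB Statements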
https://blog.51cto.com/itrunner/4645726