用户权限管理 - 用户管理命令（Oracle 模式） - 《OceanBase v2.2.30 官方教程》

白名单管理
权限控制

下述为 Oracle 模式下用户管理语法树：

create_user_stmt:
    CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password'];
alter_user_stmt:
      ALTER USER user_name ACCOUNT {LOCK | UNLOCK};
    | ALTER USER user_name IDENTIFIED BY 'password';
    | SET PASSWORD [FOR user_name] = PASSWORD('password');
drop_user_stmt:
    DROP USER user_name_list [cascade];
user_name_list:
    user_name [, user_name ...]
password:
    STR_VALUE

下述为用户权限管理语句的语法：

grant_stmt:
    GRANT privilege_type_list ON privilege_level TO user_option_list [WITH GRANT OPTION];
revoke_stmt:
    REVOKE privilege_type_list ON privilege_level FROM user_name_list;
show_grants_stmt:
    SHOW GRANTS [FOR user_name];
privilege_type_list:
    {ALL [PRIVILEGES] | privilege_type [, privilege_type ...]}
privilege_type:
      ALTER
    | CREATE
    | CREATE USER
    | CREATE VIEW
    | DELETE
    | DROP
    | GRANT OPTION
    | INDEX
    | INSERT
    | PROCESS
    | SELECT
    | SHOW DATABASES
    | SHOW VIEW
    | SUPER
    | UPDATE
    | USAGE
privilege_level:
      *
    | *.*
    | database_name.*
    | database_name.table_name
    | table_name
user_option_list:
    user_option [, user_option ...]
user_option:
    user_name [IDENTIFIED BY 'password']
password:
    STR_VALUE
user_name_list:
    user_name [, user_name ...]

白名单管理

ob_tcp_invited_nodes参数是租户全局的白名单限制参数。运行下述语句查看该参数以确认白名单：

obclient> SHOW VARIABLES LIKE 'ob_tcp_invited_nodes';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| ob_tcp_invited_nodes | %     |
+----------------------+-------+

权限控制

Lock 用户操作：

obclient> ALTER USER demo ACCOUNT LOCK ;Query OK, 0 rows affected (0.02 sec)obclient -udemo@demo0_111 -P2881 -h10.10.10.1 -ptttobclient: [Warning] Using a password on the command line interface can be insecure.ERROR 3118 (HY000): User locked

Unlock 用户操作：

obclient> ALTER USER demo ACCOUNT UNLOCK ;Query OK, 0 rows affected (0.02 sec)obclient -udemo@demo0_111 -P2881 -h10.10.10.1   -ptttobclient: [Warning] Using a password on the command line interface can be insecure.Welcome to the OceanBase monitor.  Commands end with ; or \g.Your OceanBase connection id is 3221894166Server version: 5.7.25Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or itsaffiliates. Other names may be trademarks of their respectiveowners.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.obclient>

权限授予操作：

obclient> GRANT SELECT ON demo.*  TO demo;

权限摘除操作：

obclient> REVOKE SELECT ON demo.* FROM demo;Query OK, 0 rows affected (0.03 sec)obclient -udemo@demo0_111 -P2881 -h11.166.87.1   -ptttobclient: [Warning] Using a password on the command line interface can be insecure.ERROR 1044 (42000): Access denied for user 'DEMO'@'%' to database 'DEMO'