0
点赞
收藏
分享

微信扫一扫

列出所有非系统用户的系统、对象权限以及所拥有的角色

脚本目标:列出所有非系统用户的系统、对象权限以及所拥有的角色.

1、脚本内容
[oracle@hisdb1 scripts]$ vi user_priv.sh
#!/bin/bash
MT_HOME="/home/oracle/monitor"
DB_SID=`ps -ef | grep ora_pmon | grep -v grep | awk -F'_' '{print $3}'`
export ORACLE_SID=$DB_SID
pdbs="$MT_HOME/tmp/pdbs.txt"
sin_non_sysuser="$MT_HOME/tmp/sin_non_sysuser.txt"
pdb_non_sysuser="$MT_HOME/tmp/pdb_non_sysuser.txt"
sys_privs="$MT_HOME/tmp/sys_privs.txt"
tab_privs="$MT_HOME/tmp/tab_privs.txt"
user_role="$MT_HOME/tmp/user_role.txt"
db_11g_user="$MT_HOME/tmp/db_11g_user.txt"
total_user="$MT_HOME/tmp/total_user.txt"
total_user_privs="$MT_HOME/tmp/total_user_privs.txt"
tmp_pdb_non_sysuser="$MT_HOME/tmp/tmp_pdb_non_sysuser.txt"
test -d /home/oralce/monitor/tmp || mkdir -p /home/oracle/monitor/tmp

sqlplus -S / as sysdba <<EOF > $pdbs
set linesize 190 pagesize 0;
set feedback off;
set verify off;
show pdbs
EOF
pdbname=`cat $pdbs | awk '{print $2}'`

function sin_19c_db_user() {
sqlplus -S / as sysdba <<EOF > $sin_non_sysuser
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col username for a30;
select username,account_status from dba_users;
EOF
}

function pdb_19c_db_user() {
test -f $pdb_non_sysuser && > $pdb_non_sysuser
for i in `echo $pdbname`
do
echo "PDB $i's non-sysusers:" >> $pdb_non_sysuser
echo "USERNAME                       ACCOUNT_STATUS" >> $pdb_non_sysuser
sqlplus -S / as sysdba <<EOF >> $pdb_non_sysuser
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col username for a30;
alter session set container=$i;
select username,account_status from dba_users;
EOF
echo "" >> $pdb_non_sysuser
done
}

function sys_privs() {
if [[ $# -eq 2 ]]; then
  user_name=$1
  pdb_name=$2
else
  user_name=$1
  pdb_name=''
fi
if [[ "x$pdb_name" = "x" ]]; then
echo "$user_name sys privileges." > $sys_privs
echo "GRANTEE                   PRIVILEGE" >> $sys_privs
sqlplus -S / as sysdba <<EOF >> $sys_privs
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col privilege for a35;
col grantee for a25;
select grantee,privilege from dba_sys_privs where grantee='${user_name}';
EOF
echo "" >> $sys_privs
else
echo "$user_name sys privileges." > $sys_privs
echo "GRANTEE                   PRIVILEGE" >> $sys_privs
sqlplus -S / as sysdba <<EOF >> $sys_privs
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col privilege for a35;
col grantee for a25;
alter session set container=$pdb_name;
select grantee,privilege from dba_sys_privs where grantee='${user_name}';
EOF
echo "" >> $sys_privs
fi
}

function tab_privs() {
if [[ $# -eq 2 ]]; then
  user_name=$1
  pdb_name=$2
else
  user_name=$1
  pdb_name=''
fi
if [[ "x$pdb_name" = "x" ]]; then
echo "$user_name tab privileges." > $tab_privs
echo "GRANTEE                   OWNER           TABLE_NAME                          PRIVILEGE" >> $tab_privs
sqlplus -S / as sysdba <<EOF >> $tab_privs
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col privilege for a35;
col table_name for a35;
col grantee for a25;
col owner for a15;
select grantee,owner,table_name,privilege from dba_tab_privs where grantee='${user_name}';
EOF
echo "" >> $tab_privs
else
echo "$user_name tab privileges." > $tab_privs
echo "GRANTEE                   OWNER           TABLE_NAME                          PRIVILEGE" >> $tab_privs
sqlplus -S / as sysdba <<EOF >> $tab_privs
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col privilege for a35;
col table_name for a35;
col grantee for a25;
col owner for a15;
alter session set container=$pdb_name;
select grantee,owner,table_name,privilege from dba_tab_privs where grantee='${user_name}';
EOF
echo "" >> $tab_privs
fi
}

function user_role() {
if [[ $# -eq 2 ]]; then
  user_name=$1
  pdb_name=$2
else
  user_name=$1
  pdb_name=''
fi
if [[ "x$pdb_name" = "x" ]]; then
echo "$user_name role privileges." > $user_role
echo "GRANTEE                   GRANTED_ROLE" >> $user_role
sqlplus -S / as sysdba <<EOF >> $user_role
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col grantee for a25;
col granted_role for a25;
select grantee,granted_role from dba_role_privs where grantee='${user_name}';
EOF
echo "" >> $user_role
else
echo "$user_name role privileges." > $user_role
echo "GRANTEE                   GRANTED_ROLE" >> $user_role
sqlplus -S / as sysdba <<EOF >> $user_role
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col grantee for a25;
col granted_role for a25;
alter session set container=$pdb_name;
select grantee,granted_role from dba_role_privs where grantee='${user_name}';
EOF
echo "" >> $user_role
fi
}

function single_11g_db_user() {
sqlplus -S / as sysdba <<EOF >$db_11g_user
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col username for a30;
select username,account_status from dba_users;
EOF
}

jud_pdb=`cat $pdbs | grep -iw "PDB$SEED" | wc -l`
if [[ $jud_pdb -eq 1 ]];then
sin_19c_db_user 
pdb_19c_db_user
echo -e "\033[31mThe following is the status of all non-sysusers.\033[0m" > $total_user
echo "CDB's non-sysusers:" >> $total_user
echo "USERNAME                       ACCOUNT_STATUS" >> $total_user
cat $sin_non_sysuser >> $total_user
echo "" >> $total_user 
cat $pdb_non_sysuser | grep -viE "C##" >> $total_user
cat $total_user

#List total privileges detail of cdb non-sysusers.
if cat $sin_non_sysuser | awk '{print $1}' | wc -l >/dev/null; then
cdb_user=`cat $sin_non_sysuser | awk '{print $1}'`
test -f $total_user_privs && >$total_user_privs
for i in `echo $cdb_user`
do
echo -e "\033[31mThe following is the CDB's non-sysusers $i total privileges.\033[0m" >> $total_user_privs
   sys_privs "$i"
   cat $sys_privs >> $total_user_privs
   tab_privs "$i"
   cat $tab_privs >> $total_user_privs
   user_role "$i" 
   cat $user_role >> $total_user_privs
done
fi

#List total privileges detail of pdb non-sysusers.
for j in `echo $pdbname`
do
echo -e "\033[31mThe following is the PDB $j's non-sysusers total privileges.\033[0m" >> $total_user_privs
sqlplus -S / as sysdba <<EOF > $tmp_pdb_non_sysuser
set linesize 190 pagesize 0;
set feedback off;
set verify off;
col username for a20;
alter session set container=$j;
select username from dba_users where username not like 'C##%';
EOF
   for m in `cat $tmp_pdb_non_sysuser`
   do
     sys_privs "$m" "$j"
	 cat $sys_privs >> $total_user_privs
     tab_privs "$m" "$j"
	 cat $tab_privs >> $total_user_privs
     user_role "$m" "$j"   
     cat $user_role >> $total_user_privs 
   done
done
cat $total_user_privs
fi

jud_11g_db=`cat $pdbs | grep -iw "SP2-0158" | wc -l`
if [[ $jud_11g_db -eq 1 ]];then
single_11g_db_user
echo -e "\033[31mThe following is the status of 11g all non-sysusers.\033[0m" > $total_user
echo "USERNAME                       ACCOUNT_STATUS" >> $total_user
cat $db_11g_user >> $total_user
echo "" >> $total_user 
cat $total_user

    #List total privileges detail of 11g non-sysusers.
    if cat $db_11g_user | awk '{print $1}' | wc -l >/dev/null; then
    db_user=`cat $db_11g_user | awk '{print $1}'`
    test -f $total_user_privs && >$total_user_privs
    for k in `echo $db_user`
    do
    echo -e "\033[31mThe following is non-sysusers $k total privileges.\033[0m" >> $total_user_privs
       sys_privs "$k"
       cat $sys_privs >> $total_user_privs
       tab_privs "$k"
       cat $tab_privs >> $total_user_privs
       user_role "$k" 
       cat $user_role >> $total_user_privs
    done
    fi
cat $total_user_privs
fi

if [[ $jud_11g_db -eq 0 ]] && [[ $jud_pdb -eq 0 ]];then
sin_19c_db_user
echo -e "\033[31mThe following is the status of all non-sysusers in non-cdb circumstances.\033[0m" > $total_user
echo "USERNAME                       ACCOUNT_STATUS" >> $total_user
cat $sin_non_sysuser >> $total_user
echo "" >> $total_user 
cat $total_user

    #List total privileges detail of non-sysusers in non-cdb circumstances.
    if cat $sin_non_sysuser | awk '{print $1}' | wc -l >/dev/null; then
    db_user=`cat $sin_non_sysuser | awk '{print $1}'`
    test -f $total_user_privs && >$total_user_privs
    for n in `echo $db_user`
    do
    echo -e "\033[31mThe following is non-sysusers $n total privileges.\033[0m" >> $total_user_privs
       sys_privs "$n"
       cat $sys_privs >> $total_user_privs
       tab_privs "$n"
       cat $tab_privs >> $total_user_privs
       user_role "$n" 
       cat $user_role >> $total_user_privs
    done
    fi
cat $total_user_privs
fi

exit 0

2、脚本测试
2.1、多租户环境测试
The following is the status of all non-sysusers.
CDB's non-sysusers:
USERNAME             ACCOUNT_STATUS
C##LEO               OPEN

PDB PDB$SEED's non-sysusers:
USERNAME             ACCOUNT_STATUS

PDB TMISPDB's non-sysusers:
USERNAME             ACCOUNT_STATUS
PDBADMIN             OPEN
LEO                  OPEN

PDB ORCLPDB's non-sysusers:
USERNAME             ACCOUNT_STATUS
LEO                  OPEN
ALINA                OPEN

PDB HEALPDB's non-sysusers:
USERNAME             ACCOUNT_STATUS
LEO                  OPEN

The following is the CDB's non-sysusers C##LEO total privileges.
C##LEO sys privileges.
GRANTEE                   PRIVILEGE

C##LEO tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

C##LEO role privileges.
GRANTEE                   GRANTED_ROLE

The following is the PDB PDB$SEED's non-sysusers total privileges.
The following is the PDB TMISPDB's non-sysusers total privileges.
PDBADMIN sys privileges.
GRANTEE                   PRIVILEGE

PDBADMIN tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

PDBADMIN role privileges.
GRANTEE                   GRANTED_ROLE
PDBADMIN                  PDB_DBA

LEO sys privileges.
GRANTEE                   PRIVILEGE
LEO                       UNLIMITED TABLESPACE

LEO tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

LEO role privileges.
GRANTEE                   GRANTED_ROLE
LEO                       DBA

The following is the PDB ORCLPDB's non-sysusers total privileges.
LEO sys privileges.
GRANTEE                   PRIVILEGE

LEO tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE
LEO                       ALINA           TEST                      SELECT

LEO role privileges.
GRANTEE                   GRANTED_ROLE
LEO                       PDB_DBA
LEO                       RESOURCE
LEO                       CONNECT

ALINA sys privileges.
GRANTEE                   PRIVILEGE
ALINA                     CREATE TABLE
ALINA                     UNLIMITED TABLESPACE

ALINA tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

ALINA role privileges.
GRANTEE                   GRANTED_ROLE
ALINA                     RESOURCE
ALINA                     CONNECT
ALINA                     DBA

The following is the PDB HEALPDB's non-sysusers total privileges.
LEO sys privileges.
GRANTEE                   PRIVILEGE

LEO tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

LEO role privileges.
GRANTEE                   GRANTED_ROLE
LEO                       PDB_DBA

2.2、非多租户测试
The following is the status of 11g all non-sysusers.
USERNAME             ACCOUNT_STATUS
LEO                  OPEN
GOLDENGATE           OPEN
TEST01               OPEN

The following is non-sysusers LEO total privileges.
LEO sys privileges.
GRANTEE                   PRIVILEGE
LEO                       UNLIMITED TABLESPACE

LEO tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

LEO role privileges.
GRANTEE                   GRANTED_ROLE
LEO                       DBA

The following is non-sysusers GOLDENGATE total privileges.
GOLDENGATE sys privileges.
GRANTEE                   PRIVILEGE
GOLDENGATE                UNLIMITED TABLESPACE

GOLDENGATE tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

GOLDENGATE role privileges.
GRANTEE                   GRANTED_ROLE
GOLDENGATE                DBA

The following is non-sysusers TEST01 total privileges.
TEST01 sys privileges.
GRANTEE                   PRIVILEGE
TEST01                    UNLIMITED TABLESPACE

TEST01 tab privileges.
GRANTEE                   OWNER           TABLE_NAME                PRIVILEGE

TEST01 role privileges.
GRANTEE                   GRANTED_ROLE
TEST01                    DBA

举报

相关推荐

0 条评论