ORA-01031: insufficient privileges 19c跨用户视图查询 with grant option

问题概述

某客户从11.2.0.1 升级迁移到19.16 版本后,应用反应部分查询功能无法使用报无权限,数据库中增加了ORA-01031: insufficient privileges 跟踪event进行分析

问题复现

创建三个测试用户

create user test1 identified by oracle123;
create user test2 identified by oracle123;
create user test3 identified by oracle123;

分别给最小权限

grant connect to test1;
grant connect to test2;
grant connect to test3;
grant create view to test1;
grant create view to test2;
grant create view to test3;
grant create table to test1;
grant create table to test2;
grant create table to test3;
alter user test1 quota unlimited on users;
alter user test2 quota unlimited on users;
alter user test3 quota unlimited on users;

首先使用test3 登录数据库创建test3 表

sqlplus  test3/oracle123@172.13.13.119:1521/pdb 
SQL> create table test3 (id number,name varchar(10));
Table created.
SQL> insert into test3 values(1,'wsb');
1 row created.
SQL> commit;

使用test2登录数据库创建v_test2 视图该视图依赖test3用户下面的表,需要给test2用户查询该表权限。

sqlplus  test2/oracle123@172.13.13.119:1521/pdb  
create view v_test2 as select * from test3.test3;

给test2 授权

SQL> grant select on test3.test3 to test2;
Grant succeeded.
SQL> create view v_test2 as select * from test3.test3;
View created.
SQL> select  * from v_test2;

        ID NAME
---------- --------------------
         1 wsb

使用test1用户登录数据库进行测试

sqlplus  test1/oracle123@172.13.13.119:1521/pdb   

SQL*Plus: Release 19.0.0.0.0 - Production on Wed May 17 10:30:49 2023
Version 19.16.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.16.0.0.0

SQL> select  * from test2.v_test2;
select  * from test2.v_test2
                     *
ERROR at line 1:
ORA-00942: table or view does not exist

由于还没给视图权限所以无法进行查询

使用dba用户给权限test1

SQL> grant select on test2.v_test2  to test1;

Grant succeeded.

SQL>

再次使用test1 用户进行查询

SQL> select  * from test2.v_test2;
select  * from test2.v_test2
                     *
ERROR at line 1:
ORA-01031: insufficient privileges

依然报错
把test3.test3表的查询权限给到test1用户

SQL> grant select on test3.test3 to  test1;

Grant succeeded.

再次查询依然报错

SQL> select  * from test2.v_test2;
select  * from test2.v_test2
                     *
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> select * from test3.test3;

        ID NAME
---------- --------------------
         1 wsb

直接查询表正常

解决方案

由于test2.v_test2 视图是依赖于test3.test3 表所以test2用户针对该表需要有with grant option 权限 赋予该权限后正常

SQL> grant select on test3.test3 to test2 with grant option;
Grant succeeded.
其实不需要单独授权test3.test3 给test1 用户
revoke select on test3.test3 from test1;
最终test2的权限如下
GRANTEE                        OWNER                          TABLE_NAME                     PRIVILEGE                                                                        GRANTA
------------------------------ ------------------------------ ------------------------------ -------------------------------------------------------------------------------- ------
TEST2                          TEST3                          TEST3                          SELECT                                                                           YES
TEST1                          TEST2                          V_TEST2                        SELECT                                                                           NO

参考文档

To grant SELECT on a view to another user, either you must own all of the objects underlying the view or you must have been granted the SELECT object privilege WITH GRANT OPTION on all of those underlying objects. This is true even if the grantee already has SELECT privileges on those underlying objects.