oracle的restricted mode(受限模式)

概述

在查看oracle的v$instance视图中发现有logins列，我们可以看下contents中对此列的定义。

LOGINS  VARCHAR2(10)    Indicates whether the instance is in unrestricted
mode,allowing logins by all users (ALLOWED, or in
restricted mode, allowing logins by database
administrators only (RESTRICTED)

实例启动有两种模式，一种为allowed，一种为restricted模式。

Restricted Mode of Instance Startup

You can start an instance in restricted mode (or later alter an existing instance to be in restricted mode). This restricts connections to only those users who have been granted the RESTRICTED SESSION system privilege.

如果DBA将数据库的状态设置为restricted mode，那么只能是拥有restrict权限的用户（受限特权的用户），才能够连接到数据库进行操作。Restricted Mode（受限模式）通常用于数据库管理员在维护数据库的时候使用。Restricted Mode限制新的没有权限的用户登录进来，但是如果一个没有Restricted Mode权限的用户在设置Restricted Mode之前已经登录到了Oracle那么该用户仍然拥有操作数据库的权限，即Restricted Mode不妨碍已经登录进来的用户继续执行操作。

测试

实例的默认模式查看

SQL> select logins from v$instance;

LOGINS
----------
ALLOWED

创建测试用户

SQL> create user test identified by test;

User created.

SQL> grant connect,resource to test;

Grant succeeded.

使用test连接数据库

[oracle@acarsorcl-primary ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Jul 14 19:06:18 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> conn test/test
Connected.

将实例模式修改为restricted mode

SQL> alter system enable restricted session;

System altered.

SQL> select logins from v$instance;

LOGINS
----------
RESTRICTED

新创建连接使用test账号连接

[oracle@acarsorcl-primary ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Jul 14 19:06:18 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> conn test/test
ERROR:
ORA-01035: ORACLE only available to users with RESTRICTED SESSION privilege

Warning: You are no longer connected to ORACLE.

测试已经登录的test连接

SQL> conn test/test
Connected.

SQL> create table test(id number);

Table created.

SQL> insert into test values(1);

1 row created.

SQL> commit;

Commit complete.

将权限restricted session赋予用户test，再次尝试连接

SQL> grant restricted session to test;

Grant succeeded.

SQL> conn test/test
Connected.

通过以上测试，我们得知，如果想数据库设置为Restricted Mode，只有管理员（dba）以及有restricted session权限才可以连接用户。在修改为 Restricted Mode后，之前连接用户不受影响，新用户不能连接。