Oracle Schema Only账户

概念

Schema Only Accounts是Oracle 18c的新安全功能，19c进一步增强。

19c的增强其实就是允许此账户有管理权限：Ability to Grant or Revoke Administrative Privileges to and from Schema-Only Accounts

A schema only account cannot log in to the database but can proxy in a single session proxy.

This type of account, designed for some Oracle-provided schemas along with some customer schemas, can be created without the specification of a password or an authentication type. It cannot be authenticated unless an authentication method is assigned by using the ALTER USER statement. A schema only account does not contain an entry in the DBA_USERS_WITH_DEFPWD data dictionary view.

Schema 账户是实现责权分离的重要手段，之前用户可以直接通过Schema账户或Proxy账户登录并修改Schema。这在审计时就出现了歧义，不能明确来源。而Schema Only账户不能直接登录，只能借由proxy账户登录。这就使得审计路径是唯一的。

实验

创建Schema Only账户，由于没有口令，其不能自动登录。

alter session set container=orclpdb1;
-- 不指定no authentication，效果一样
create user schema_owner no authentication quota unlimited on users;
grant create session, create table, create sequence, create view to schema_owner;
1
2
3
4

根据文档，用户的认证类型可以是EXTERNAL，GLOBAL，PASSWORD和NONE。
NONE表示没有认证手段，也就是Schema Only账户：

SELECT
    username,
    account_status,
    authentication_type
FROM
    dba_users
WHERE
    username = 'SCHEMA_OWNER';

       USERNAME    ACCOUNT_STATUS    AUTHENTICATION_TYPE
_______________ _________________ ______________________
SCHEMA_OWNER    OPEN              NONE
1
2
3
4
5
6
7
8
9
10
11
12

顺便说一下，IDENTIFIED GLOBALLY就是通过目录服务认证，如Microsoft AD, Oracle OID；而IDENTIFIED EXTERNALLY就是OS Authentication。

创建Proxy账户：

create user proxy_user identified by Welcome1;
grant create session to proxy_user;
alter user schema_owner grant connect through proxy_user;
1
2
3

通过Proxy账户连接Schema成功：

SQL> connect proxy_user[schema_owner]/Welcome1@orclpdb1
Connected.
1
2

参考

• Oracle Help Center: 3.5.1 About Schema Only Accounts
• Oracle Database Features
• Schema Only Accounts in Oracle Database 18c