ANBOB™

前段时间在谈到数据库客户关注点时，香港的同事说感觉客户非常注重的是安全而非什么分布式，前段同事写过一篇MySQL中容易泄露数据库用户密码的地方，如shell、SQL的历史记录、主从复制等，当然也包括部署的一些数据库脚本，如逻辑导出，Oracle也不例外，好多用户在用户密码复杂度上很苛刻，但如在数据库中部署的如RMAN、EXPDP等脚本还是明文的密码那就比较不规范，下面针对这类shell如何不显示密码。

–env 19.3 导到PDB1中的某张表

1， External password file
这个我翻了翻笔记10年前在北京自学时在Oralce 10g测试地2篇《wallet,外部存储用户名密码,createEntry与createCredential区别(一)》， 这里在19c简单试一下，发现19c 还有个小bug。

— 密码 [非必须]

SQL> alter user system identified by oracle_1234 container=all;
User altered.

— 创建钱包

mkstore -wrl $ORACLE_HOME/network/admin -create <<WRL
wrl_xxxxxxxx
wrl_xxxxxxxx
WRL

— 配置TNSNAMES 增加到tnsnames.ora

cdb1pdb1 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oel7db1)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = pdb1)
    )
  )

— 装钱 加用户为SYSTEM

$ mkstore -wrl $ORACLE_HOME/network/admin -createCredential cdb1pdb1 SYSTEM <<CREATE
oracle_1234
oracle_1234
wrl_xxxxxxxx
CREATE

— 列出用户

$ mkstore -wrl $ORACLE_HOME/network/admin -listCredential

— 如果配置错误，删除用户

$ mkstore -wrl $ORACLE_HOME/network/admin -deleteCredential cdb1pdb1  

— 如果后面修改了密码，需要修改

$mkstore -wrl $ORACLE_HOME/network/admin  -modifyCredential cdb1pdb1 SYSTEM oracle_1234

— 配置SQLnet.ora

cat >> $ORACLE_HOME/network/admin/sqlnet.ora <<'CAT'
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY="$ORACLE_HOME/network/admin")))
SQLNET.WALLET_OVERRIDE=TRUE
CAT

— 登录测试

[oracle@oel7db1 admin]$ sqlplus /@cdb1pdb1
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Nov 14 19:27:15 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Last Successful login time: Mon Nov 14 2022 19:22:07 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

USERNAME             INST_NAME            HOST_NAME                  I# SID   SERIAL#  VERSION    STARTED  SPID       OPID  CPID            SADDR            PADDR
-------------------- -------------------- ------------------------- --- ----- -------- ---------- -------- ---------- ----- --------------- ---------------- ----------------
SYSTEM               PDB1-anbob19c        oel7db1                     1 35    22844    19.0.0.0.0 20221114 8497       54    8495            00000000780D5CF8 0000000078D14028

SQL> 

— 导出

[oracle@oel7db1 admin]$ expdp /@cdb1pdb1 directory=datapump tables=anbob.t1

Export: Release 19.0.0.0.0 - Production on Mon Nov 14 19:30:09 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Starting "SYSTEM"."SYS_EXPORT_TABLE_02":  /********@cdb1pdb1 directory=datapump tables=anbob.t1
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "ANBOB"."T1"                                84.07 MB  611120 rows
Master table "SYSTEM"."SYS_EXPORT_TABLE_02" successfully loaded/unloaded
******************************************************************************

Note:
这里还提示输入密码，但是回车忽略又可以继续。这是19c的一个小bug 28707931，到19.7 RU中包含.只需要简单的修改脚本就可以解决。

[oracle@oel7db1 ~]$ expdp /@cdb1pdb1 directory=datapump tables=anbob.t1 </dev/null

Export: Release 19.0.0.0.0 - Production on Mon Nov 14 19:32:24 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Starting "SYSTEM"."SYS_EXPORT_TABLE_02":  /********@cdb1pdb1 directory=datapump tables=anbob.t1
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "ANBOB"."T1"                                84.07 MB  611120 rows
Master table "SYSTEM"."SYS_EXPORT_TABLE_02" successfully loaded/unloaded
******************************************************************************
Dump file set for SYSTEM.SYS_EXPORT_TABLE_02 is:
  /home/oracle/expdat.dmp

Note:
这里增加个/dev/null输入就可以避免交互。

2， OS 认证 AS SYSDBA
如果你懒的配置钱包，可以使用sysdba OS认证，但是对于多租户环境默认登陆是CDB$ROOT, 可以配合环境变量 ORACLE_PDB_SID切换PDB.

[oracle@oel7db1 ~]$ export ORACLE_PDB_SID=pdb1

[oracle@oel7db1 ~]$ expdp '"/ as sysdba"' directory=datapump tables=anbob.t1 </dev/null

Export: Release 19.0.0.0.0 - Production on Mon Nov 14 19:36:07 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Starting "SYS"."SYS_EXPORT_TABLE_01":  "/******** AS SYSDBA" directory=datapump tables=anbob.t1
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Processing object type TABLE_EXPORT/TABLE/TABLE
. . exported "ANBOB"."T1"                                84.07 MB  611120 rows
Master table "SYS"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded

Note:
用双引号括起/ as sysdba，同样如果有上面的密码提示的小bug，也可以使用上面的小技巧绕过。

打赏

微信扫一扫，打赏作者吧～