DB2 Certification Key Notes

0. Note: versions 9.7 and later (9.7 included) differ in many ways from the versions before 9.7 in the material below.

1. Authorities
Reference: Database fundamentals > Security > DB2 security model > Authorization, privileges, and object ownership
Instance-level authorities:

SYSADM - for users managing the instance as a whole
SYSCTRL - for users administering a database manager instance
SYSMAINT - for users maintaining databases within an instance
SYSMON - for users monitoring the instance and its databases

Note:
A user with a higher-level authority also has the abilities given by the lower level authorities

Database-level authorities:
SECADM – for users managing security within a database – note: the database must always have at least one user holding SECADM authority!!!
DBADM – for users administering a database
ACCESSCTRL – for users who need to grant and revoke authorities and privileges (except for SECADM, DBADM, ACCESSCTRL, and DATAACCESS authority, SECADM authority is required to grant and revoke these authorities)
DATAACCESS – for users who need to access data
SQLADM – for users who monitor and tune SQL queries
WLMADM – for users who manage workloads
EXPLAIN – for users who need to explain query plans (EXPLAIN authority does not give access to the data itself)

Note:
At the database level a higher authority does not necessarily include all the privileges of a lower one; this differs from the instance level. For the exact privileges, see the diagram in the Info Center.
From the Info Center diagram you can see that only SECADM has the privilege to GRANT/REVOKE all privileges. Instance-level authorities carry no GRANT/REVOKE privilege (except for table spaces).

2. How to check authorities
Check the authorities held by a given user:
db2 "SELECT substr(AUTHORITY,1,32) as Authority, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('ALICE', 'U') ) AS T ORDER BY AUTHORITY"

Check table-related privileges:
db2 "select substr(grantor,1,16) as grantor,GRANTORTYPE,substr(grantee,1,16) as grantee,GRANTEETYPE,substr(TABSCHEMA,1,16) as tabschema,substr(tabname,1,16) as tabname,controlauth,ALTERAUTH,DELETEAUTH,INDEXAUTH,INSERTAUTH,REFAUTH,SELECTAUTH,UPDATEAUTH from syscat.tabauth"

Check schema-related privileges:
db2 "select substr(grantor,1,16) as grantor,GRANTORTYPE,substr(grantee,1,16) as grantee,GRANTEETYPE,substr(schemaname,1,16) as schemaname, alterinauth,CREATEINAUTH,DROPINAUTH from syscat.SCHEMAAUTH"

Check all users that hold database authorities:
db2 "select substr(grantor,1,16) as grantor,grantortype,substr(grantee,1,16) as grantee,granteetype,BINDADDAUTH,CONNECTAUTH,CREATETABAUTH,DBADMAUTH,EXTERNALROUTINEAUTH,IMPLSCHEMAAUTH,NOFENCEAUTH,QUIESCECONNECTAUTH,LIBRARYADMAUTH,SECURITYADMAUTH,SQLADMAUTH,WLMADMAUTH,EXPLAINAUTH,DATAACCESSAUTH,ACCESSCTRLAUTH,CREATESECUREAUTH from syscat.dbauth"

db2 "select substr(grantor,1,16) as grantor,grantortype,substr(grantee,1,16) as grantee,granteetype,DBADMAUTH,SECURITYADMAUTH,SQLADMAUTH from syscat.dbauth"

Check which users hold SECADM:
C:\Users\Administrator>db2 select substr(grantee,1,16),securityadmauth from syscat.dbauth

Check role membership:
db2 "SELECT substr(GRANTOR,1,16) as Grantor, GRANTORTYPE, substr(GRANTEE,1,16) as grantee, GRANTEETYPE, substr(ROLENAME,1,16) as rolename, CREATE_TIME, ADMIN FROM TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID ('DB2INST1', 'U') ) AS T"

Use this to see the privileges held on objects by each authorization ID (User/Group/Role):
db2 "SELECT substr(AUTHID,1,16) as AUTHID,AUTHIDTYPE, PRIVILEGE,GRANTABLE, substr(OBJECTNAME,1,16) as OBJECTNAME, substr(OBJECTSCHEMA,1,16) as OBJECTSCHEMA, substr(OBJECTTYPE,1,16) as OBJECTTYPE FROM SYSIBMADM.PRIVILEGES"

Check object ownership:
db2 "SELECT SUBSTR(OWNER,1,10) AS OWNER, OWNERTYPE,SUBSTR(OBJECTNAME,1,30) AS OBJECTNAME,SUBSTR(OBJECTSCHEMA,1,10) AS OBJECTSCHEMA, OBJECTTYPE FROM SYSIBMADM.OBJECTOWNERS"

3. Obtaining SECADM authority
Apparently only the creator of the database holds it initially. Afterwards it can be granted to others, but at least one user in the system must always hold this authority.

4. Authority management on production systems
4.0 Note:
For authorities:
When doing GRANT/REVOKE, first grant the required authorities to the users who need them! Only then REVOKE the corresponding authorities from PUBLIC! This step is important: if PUBLIC's authorities are revoked first, a user who relied on them may be left with no authority at all!

4.1 First check which users currently exist in the system:
[db2inst1@DB2_105 ~]$ db2 "SELECT distinct substr(AUTHID,1,16) as AUTHID,AUTHIDTYPE FROM SYSIBMADM.PRIVILEGES"

AUTHID AUTHIDTYPE
—————- ———-
DB2INST1 U
PUBLIC G
SYSDEBUG R
SYSTS_ADM R
SYSTS_MGR R

Or use this:
db2 "select substr(grantor,1,16) as grantor,grantortype,substr(grantee,1,16) as grantee,granteetype,BINDADDAUTH,CONNECTAUTH,CREATETABAUTH,DBADMAUTH,EXTERNALROUTINEAUTH,IMPLSCHEMAAUTH,NOFENCEAUTH,QUIESCECONNECTAUTH,LIBRARYADMAUTH,SECURITYADMAUTH,SQLADMAUTH,WLMADMAUTH,EXPLAINAUTH,DATAACCESSAUTH,ACCESSCTRLAUTH,CREATESECUREAUTH from syscat.dbauth"

4.2 For each user, based on requirements, determine which authorities are needed and which are not:
For example, for DB2INST1, let's see what authorities it has:
[db2inst1@DB2_105 ~]$ db2 "SELECT substr(AUTHORITY,1,32) as Authority, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE FROM TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('DB2INST1', 'U') ) AS T ORDER BY AUTHORITY"

AUTHORITY D_USER D_GROUP D_PUBLIC ROLE_USER ROLE_GROUP ROLE_PUBLIC D_ROLE
——————————– —— ——- ——– ——— ———- ———– ——
ACCESSCTRL Y N N N N N *
BINDADD N N Y N N N *
CONNECT N N Y N N N *
CREATETAB N N Y N N N *
CREATE_EXTERNAL_ROUTINE N N N N N N *
CREATE_NOT_FENCED_ROUTINE N N N N N N *
CREATE_SECURE_OBJECT N N N N N N *
DATAACCESS Y N N N N N *
DBADM Y N N N N N *
EXPLAIN N N N N N N *
IMPLICIT_SCHEMA N N Y N N N *
LOAD N N N N N N *
QUIESCE_CONNECT N N N N N N *
SECADM Y N N N N N *
SQLADM N N N N N N *
SYSADM * N * * * * *
SYSCTRL * N * * * * *
SYSMAINT * N * * * * *
SYSMON * N * * * * *
WLMADM N N N N N N *

Our goal is to make it an ordinary user, so it definitely must not hold SECADM. So revoke it (you may first need to grant SECADM to someone else, since at least one user in the system must hold it):
Session A: [db2inst1@DB2_105 ~]$ db2 grant secadm on database to user db2inst2
Session B: [db2inst2@DB2_105 ~]$ db2 revoke secadm on database from user db2inst1

Proceed the same way for the remaining authorities. Do this step for PUBLIC as well.
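To automate the check in 4.2, here is an added Python example (not from the original notes) that parses the printed output of SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID, flags the administrative authorities an ordinary user should not hold, and orders the REVOKE statements so that SECADM comes last, matching the hand-over rule above. The sample rows are constructed from the table shown above, and the set of "administrative" authorities is my assumption.

```python
"""Flag admin authorities held by an AUTHID, from AUTH_LIST_AUTHORITIES_FOR_AUTHID output.
Added example, not part of the original notes."""

# Constructed sample in the shape the CLP prints (header/separator lines are skipped).
# Columns after the authority name:
# D_USER D_GROUP D_PUBLIC ROLE_USER ROLE_GROUP ROLE_PUBLIC D_ROLE
SAMPLE = """\
AUTHORITY D_USER D_GROUP D_PUBLIC ROLE_USER ROLE_GROUP ROLE_PUBLIC D_ROLE
--------- ------ ------- -------- --------- ---------- ----------- ------
ACCESSCTRL Y N N N N N *
BINDADD N N Y N N N *
CONNECT N N Y N N N *
DATAACCESS Y N N N N N *
DBADM Y N N N N N *
SECADM Y N N N N N *
SQLADM N N N N N N *
SYSADM * N * * * * *
"""

COLUMNS = ("D_USER", "D_GROUP", "D_PUBLIC", "ROLE_USER", "ROLE_GROUP", "ROLE_PUBLIC", "D_ROLE")
# Assumption: authorities an ordinary application user must not hold.
ADMIN_AUTHORITIES = {"SECADM", "DBADM", "ACCESSCTRL", "DATAACCESS", "SQLADM", "WLMADM"}


def parse_authorities(text):
    """Map authority -> {column: 'Y'|'N'|'*'}; '*' means not applicable at this level."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 1 + len(COLUMNS) or not all(p in {"Y", "N", "*"} for p in parts[1:]):
            continue  # header, separator, blank or truncated line
        rows[parts[0]] = dict(zip(COLUMNS, parts[1:]))
    return rows


def excess_authorities(text):
    """Admin authorities held via any path, as sorted (authority, [columns]) pairs."""
    found = []
    for auth, flags in parse_authorities(text).items():
        via = [col for col, flag in flags.items() if flag == "Y"]
        if auth in ADMIN_AUTHORITIES and via:
            found.append((auth, via))
    return sorted(found)


def revoke_plan(authid, text):
    """REVOKE statements for directly held admin authorities (D_USER = Y).
    SECADM is placed last: per the notes it must be handed to someone else first."""
    stmts = [f"REVOKE {auth} ON DATABASE FROM USER {authid}"
             for auth, via in excess_authorities(text) if "D_USER" in via]
    stmts.sort(key=lambda s: s.startswith("REVOKE SECADM"))  # stable sort, SECADM moves last
    return stmts
```

Authorities held only through a group or role show up in excess_authorities but not in revoke_plan, since those must be revoked from the group or role rather than from the user.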

4.3 For each user, also check the other authorities in the system, such as ROLE, LBAC, etc.
db2 "SELECT substr(GRANTOR,1,16) as Grantor, GRANTORTYPE, substr(GRANTEE,1,16) as grantee, GRANTEETYPE, substr(ROLENAME,1,16) as rolename, CREATE_TIME, ADMIN FROM TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID ('DB2INST1', 'U') ) AS T"

4.4 Now handle privileges. Use this to look at privilege information:
[db2inst1@DB2_105 ~]$ db2 "SELECT distinct substr(OBJECTTYPE,1,16) as OBJECTTYPE FROM SYSIBMADM.PRIVILEGES"

OBJECTTYPE
—————-
DB2 PACKAGE
FUNCTION
GLOBAL VARIABLE
INDEX
MATERIALIZED QUE
MODULE
PROCEDURE
SCHEMA
SEQUENCE
TABLE
TABLESPACE
VIEW
WORKLOAD
XML OBJECT

For each user, run the corresponding grant or revoke statements. Note that CREATETAB is sometimes needed for temp tables, and temp tables do not show up in this list.

5. Privilege adjustment scripts
table:
db2 -x "SELECT 'GRANT SELECT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'GRANT UPDATE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'GRANT DELETE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'GRANT INSERT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'GRANT INDEX ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'GRANT REFERENCES ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'REVOKE CONTROL ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' FROM USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"
db2 -x "SELECT 'REVOKE ALTER ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' FROM USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"

db2 -x "SELECT 'TRANSFER OWNERSHIP OF TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER DB2ADMIN PRESERVE PRIVILEGES@' from syscat.tables where tabschema='INFODMS' and type <> 'V' and type <> 'N' and type <> 'W'"

view:
db2 -x "SELECT 'GRANT SELECT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and (type = 'V' or type = 'W')"
db2 -x "SELECT 'GRANT UPDATE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and (type = 'V' or type = 'W')"
db2 -x "SELECT 'GRANT INSERT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and (type = 'V' or type = 'W')"
db2 -x "SELECT 'GRANT DELETE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and (type = 'V' or type = 'W')"
db2 -x "SELECT 'REVOKE CONTROL ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' FROM USER INFODMS@' from syscat.tables where tabschema='INFODMS' and (type = 'V' or type = 'W')"

db2 -x "SELECT 'TRANSFER OWNERSHIP OF VIEW ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER DB2ADMIN PRESERVE PRIVILEGES@' from syscat.tables where tabschema='CGCSLDMS' and (type = 'V' or type = 'W')"

db2 package:
db2 -x "SELECT 'GRANT BIND ON PACKAGE ' || LTRIM(RTRIM(PKGSCHEMA)) || '.' || LTRIM(RTRIM(PKGNAME)) || ' TO USER INFODMS@' from syscat.PACKAGES where PKGSCHEMA='INFODMS'"
db2 -x "SELECT 'GRANT EXECUTE ON PACKAGE ' || LTRIM(RTRIM(PKGSCHEMA)) || '.' || LTRIM(RTRIM(PKGNAME)) || ' TO USER INFODMS@' from syscat.PACKAGES where PKGSCHEMA='INFODMS'"
db2 -x "SELECT 'REVOKE CONTROL ON PACKAGE ' || LTRIM(RTRIM(PKGSCHEMA)) || '.' || LTRIM(RTRIM(PKGNAME)) || ' FROM USER INFODMS@' from syscat.PACKAGES where PKGSCHEMA='INFODMS'"

db2 schema:
db2 -x "SELECT 'REVOKE CREATEIN ON SCHEMA ' || LTRIM(RTRIM(SCHEMANAME)) || ' FROM PUBLIC@' from SYSCAT.SCHEMATA"

tablespaces:
db2 -x "select 'GRANT USE OF TABLESPACE ' || ltrim(rtrim(tbspace)) || ' TO USER INFODMS@' from syscat.tablespaces"

nickname:
db2 -x "SELECT 'GRANT SELECT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'GRANT UPDATE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'GRANT DELETE ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'GRANT INSERT ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'GRANT INDEX ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'GRANT REFERENCES ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' TO USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'REVOKE CONTROL ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' FROM USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"
db2 -x "SELECT 'REVOKE ALTER ON TABLE ' || ltrim(rtrim(tabschema)) || '.' || ltrim(rtrim(tabname)) || ' FROM USER INFODMS@' from syscat.tables where tabschema='INFODMS' and type = 'N'"

6. Changing the owner
db2 transfer ownership of table infodms.sms_send to user infodms preserve privileges

7. db2 audit
First, this facility is independent: it has its own configuration file and process, is started separately, and even stays alive while the instance is stopped. Database-level auditing appears to be unrelated to instance-level auditing: with the instance-level db2audit stopped, database-level audit records are still collected normally, and with the instance-level audit options set to none, database-level records are still collected.

By default the active audit logs for both the instance and its databases are under C:\ProgramData\IBM\DB2\DB2COPY1\DB2\security\auditdata, i.e. under the instance.
Use db2audit describe to view the current audit facility configuration (instance level).
db2audit start / db2audit stop start and stop auditing (instance level, independent of the database level).

Configure instance-level audit content:
C:\>db2audit configure scope audit status both,objmaint status both,secmaint status both, sysadmin status both
Configure database-level audit content:
C:\>db2 connect to auditdb
C:\>db2 create audit policy testpolicy categories audit status both,objmaint status both,secmaint status both,sysadmin status both error type normal
C:\>db2 audit database using policy testpolicy

Archive the active audit log to a specified directory (after archiving, the active audit log starts again from 0; the archived log can be extracted later or deleted directly):
Here we archive the database's audit log once:
C:\>db2audit archive database auditdb node 0 to C:\archivelogs\

节点 AUD 归档或临时日志文件
消息
——– ——– —————————————————
0 AUD0000I db2audit.db.AUDITDB.log.0.20131203142612

AUD0000I 操作已成功。
Extract the archived audit log: either extract it directly to a file for reading, or extract it to DEL files and load them into tables for querying.
1. Extract to the file C:\auditdb_auditlog.txt for direct viewing:
C:\>db2audit extract file C:\auditdb_auditlog.txt category objmaint status success from path C:\archivelogs\ files db2audit.db.AUDITDB.log.0.20131203142612
2. First extract to DEL files, then load them into tables for querying:
First create the audit tables, then generate the DEL files:
C:\>db2 create bufferpool bp_8k pagesize 8k
DB20000I SQL 命令成功完成。

C:\>db2 create tablespace tbs_8k pagesize 8k bufferpool bp_8k
DB20000I SQL 命令成功完成。

C:\>db2 -tvf "C:\Program Files\IBM\SQLLIB\MISC\db2audit.ddl"

Then extract the data to DEL files; this generates a lot of files under C:\, by default all with status=success:
C:\>db2audit extract delasc delimiter @ to C:\ from path C:\archivelogs\ files db2audit.db.AUDITDB.log.0.20131203142612
Then load the ones you want into the audit tables just created:
C:\>db2 load from objmaint.del of del modified by CHARDEL@ lobsinfile insert into administrator.objmaint
Then you can query them, for example:
C:\>db2 select event,objname from objmaint

Remove the database-level audit policy:
C:\>db2 audit database remove policy
C:\>db2 drop audit policy testpolicy

Check whether the database has an audit policy:
C:\>db2 select count(*) from syscat.audituse
C:\>db2 select count(*) from syscat.auditpolicies

The instance has a performance-related configuration parameter, AUDIT_BUF_SZ: if it is 0, each record is written as soon as it is produced; otherwise records are written only when the buffer fills. The latter may lose data, but improves performance considerably.

8. db2admns and db2users on Windows
On Windows, if operating system security was selected when installing DB2, the permissions on certain DB2 files are set so that only specific users can access or modify them. By default those users are the members of the db2admns and db2users groups (i.e. the DB2 file permissions are granted to these two groups). If OS security was not enabled at install time and you want to enable it later, or you want to change the default groups, use a command such as db2extsec /users mydom\db2users /admins mydom\db2admns /oldadmins db2admns /oldusers db2users /file c:\mylist.lst. Note: be very careful with db2extsec reset; rather than resetting, reinstall DB2!

After enabling OS security with db2extsec, users need to log off and log on again.

9. Windows domain account issues (remember, there are generally two steps: 1. verify the password 2. verify group membership)
When Windows authenticates a user, the order is as follows (with DB2_GRP_LOOKUP unset):
1. First verify the user name and password on the local machine (provided the connect user name is given as XXX rather than DOMAIN\XXX; otherwise go straight to step 2). If the user does not exist locally, go to step 2. If local verification fails, authentication fails.
2. Authenticate the user name and password in the current domain on the DC. If the user does not exist there, go to step 3. If verification fails, authentication fails.
3. Authenticate the user name and password in the trusted domains. If the credentials are wrong or the user does not exist, authentication fails.

For Windows authentication, if groups are not considered, only the user name matters (without the domain prefix, i.e. XXX rather than DOMAIN\XXX).

The DB2_GRP_LOOKUP variable:
If this variable is set, DB2 looks up the user's groups only on the local machine; that is, if the (domain) user is not a member of a local group, or of a global group nested inside a local group, the lookup fails.
Setting DB2_GRP_LOOKUP= (empty) seems to be problematic: groups in the domain cannot be found.

db2set -g DB2_GRP_LOOKUP=,TOKEN -- the catch-all: looks up both local and domain groups
db2set -g DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL -- looks up local groups only
db2set -g DB2_GRP_LOOKUP=DOMAIN,TOKENDOMAIN -- looks up domain groups only

Check which groups DB2 thinks a user belongs to (if you check the current account, reconnect first, otherwise the result comes from the cache; also, to get all groups, set db2set -g DB2_GRP_LOOKUP=,TOKEN and restart the instance):
db2 "SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID ('DBA')) AS T"

If User Access Control is in effect, administrative commands must be run as Administrator (you must do this explicitly even if you already are Administrator). If the OS security extension is also enabled, the user running some administrative commands must belong to the DB2ADMNS group. An administrative command is one that:
It requires SYSADM, SYSCTRL or SYSMAINT authority
It modifies registry keys under the HKLM branch in the registry
It writes to the directories under the Program Files directory

Access Token:
When a user logs on, the system verifies their identity; if verification succeeds, the system generates an access token. Every process or thread the user creates afterwards uses a copy of that access token. During authentication, if the DC cannot be reached, the cache is used.

The access token also holds group information, mainly: local groups and various domain groups (global groups, domain local groups, and universal groups).

GRANT/REVOKE cannot use the DOMAIN\XXX format, so only XXX is used to determine which groups a user belongs to. The key here is the order in which the user's groups are looked up and the DB2_GRP_LOOKUP variable.

#############################
An example illustrating the lookup flow (abc exists both locally and in the domain; the domain abc belongs to the domain group abcgrp, the local abc belongs to no group; SELECT on table Administrator.t is granted to abcgrp):
When user abc logs in directly, the local machine is searched first; once the user is found the search stops, so the user gets only local groups:
C:\Users\Administrator>db2 connect to sample user abc using P@ssw0rd

数据库连接信息

数据库服务器 = DB2/NT64 9.7.4
SQL 授权标识 = ABC
本地数据库别名 = SAMPLE

C:\Users\Administrator>db2 select * from administrator.t
SQL0551N “ABC” 不具有对对象 “ADMINISTRATOR.T” 执行操作 “SELECT”
的必需权限或特权。 SQLSTATE=42501

When user hh\abc logs in, the domain is searched first; once the user is found the search stops, so the user gets the domain groups:
C:\Users\Administrator>db2 connect to sample user hh\abc using P@ssw0rd

数据库连接信息

数据库服务器 = DB2/NT64 9.7.4
SQL 授权标识 = ABC
本地数据库别名 = SAMPLE

C:\Users\Administrator>db2 select * from administrator.t

ID
———–

0 条记录已选择。

Now delete the local abc: the lookup searches locally first, does not find abc, then searches the domain and finds it:
C:\Users\Administrator>db2 connect to sample user abc using P@ssw0rd

数据库连接信息

数据库服务器 = DB2/NT64 9.7.4
SQL 授权标识 = ABC
本地数据库别名 = SAMPLE

C:\Users\Administrator>db2 select * from administrator.t

ID
———–

0 条记录已选择。
########################
