2008-6-2 18:34
luocb1980
DB2 v8.2 privilege management problem
Is there something wrong with DB2 privilege management? Please look at my example:
1. Create a user test in CC
2. Run the command below:
db2 => grant connect on database to user test
DB20000I SQL 命令成功完成。
3. The user test can log on to db
db2 => connect to db user test using test
数据库连接信息
数据库服务器 = DB2/NT 8.2.0
SQL 授权标识 = TEST
本地数据库别名 = DB
4. Revoke the connect privilege from test
db2 => revoke connect on database from user luocb
DB20000I SQL 命令成功完成。
5. The user test can log on to db again.
db2 => connect to db user test using test
数据库连接信息
数据库服务器 = DB2/NT 8.2.0
SQL 授权标识 = TEST
本地数据库别名 = DB
Why can the test user still connect to db after the connect privilege has been revoked??? Could an expert please help explain?
2008-6-2 21:17
whiterain
You need to revoke from public for it to work.
2008-6-2 21:23
luocb1980
It still doesn't work. After running revoke connect on database from public, this user can still connect.
2008-6-3 07:35
unixnewbie
db2 "select grantee from syscat.dbauth where connectauth='Y'"
Make sure user 'TEST' is neither in the list nor belongs to any group in the list.
2008-6-3 10:17
luocb1980
To: unixnewbie
Thanks for your reply. I checked the groups as you suggested; the 'TEST' user belongs to the TEST group, so I revoked connect from the TEST group, but after that, the TEST user can connect to db.
db2 => select grantee from syscat.dbauth where connectauth='Y'
GRANTEE
-------------------------------------------------------------------------------------
-------------------------------------------
SYSTEM
ERIC
LISA
SUPPORT_388945A0
TEST
PUBLIC
6 条记录已选择。
db2 => revoke connect on database from luocb
DB20000I SQL 命令成功完成。
db2 => select grantee from syscat.dbauth where connectauth='Y'
GRANTEE
-------------------------------------------------------------------------------------
-------------------------------------------
SYSTEM
ERIC
LISA
SUPPORT_388945A0
PUBLIC
5 条记录已选择。
db2 =>
2008-6-3 10:19
luocb1980
How can I find out which group the user belongs to?
2008-6-3 19:20
unixnewbie
Isn't PUBLIC still in your result above? As long as PUBLIC is there, all users can connect.
2008-6-3 19:24
unixnewbie
[quote]Originally posted by luocb1980 on 3/6/2008 12:19:
How can I find out which group the user belongs to? [/quote]
Which group a user belongs to is set at the system level.
2008-6-4 10:23
luocb1980
At the system level this user belongs to the test group.
2008-6-4 10:28
luocb1980
db2 => select grantee from syscat.dbauth where connectauth='Y'
GRANTEE
-------------------------------------------------------------------------------------
-------------------------------------------
SYSTEM
ERIC
LISA
SUPPORT_388945A0
PUBLIC
FTTEST
After running this command the test group is no longer there, but users belonging to that group can still connect to the database.
2008-6-4 11:37
unixnewbie
In DB2, 'PUBLIC' is a virtual group. Every user belongs to 'PUBLIC'. So whenever PUBLIC is still on the list of connectauth, everyone can connect to the database.
You should revoke connect privilege from 'PUBLIC'.
[Last edited by unixnewbie on 2008-6-6 14:10]
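Added example (not written by any poster in this thread): the check described above, written out in Python. It parses constructed CLP output of a query that also selects GRANTEETYPE and lists each SYSCAT.DBAUTH grant (direct, operating-system group, or PUBLIC) through which a user holds CONNECT; the function names and sample rows are assumptions, and only CONNECTAUTH rows are considered.

```python
import re

# Constructed CLP output (not from the thread) for:
#   db2 "select grantee, granteetype from syscat.dbauth where connectauth='Y'"
SAMPLE_OUTPUT = """\
GRANTEE              GRANTEETYPE
-------------------- -----------
SYSTEM               U
TEST                 G
SUPPORT_388945A0     U
PUBLIC               G

  4 record(s) selected.
"""

def parse_grantees(clp_output):
    """Return {(GRANTEE, GRANTEETYPE)} from the rows under the dashed rule."""
    rows, in_rows = set(), False
    for line in clp_output.splitlines():
        if "-" in line and re.fullmatch(r"[-\s]+", line):
            in_rows = True          # dashed rule: data rows start after it
            continue
        if not in_rows:
            continue                # still in the column header
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("U", "G"):
            continue                # blank line or the record-count footer
        rows.add((parts[0].upper(), parts[1]))
    return rows

def connect_paths(rows, user, os_groups):
    """List every grant through which `user` still holds CONNECT."""
    user = user.upper()
    groups = {g.upper() for g in os_groups}
    paths = []
    for grantee, gtype in sorted(rows):
        if gtype == "U" and grantee == user:
            paths.append(f"user grant to {grantee}")
        elif gtype == "G" and grantee == "PUBLIC":
            paths.append("group grant to PUBLIC (every user is a member)")
        elif gtype == "G" and grantee in groups:
            paths.append(f"group grant to {grantee}")
    return paths

if __name__ == "__main__":
    # Hypothetical user "test" whose only operating-system group is "test".
    for path in connect_paths(parse_grantees(SAMPLE_OUTPUT), "test", ["test"]):
        print(path)
```

With the sample rows, revoking CONNECT from the TEST group alone still leaves the PUBLIC path, which matches the catalog output posted earlier in the thread.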
2008-6-5 15:31
luocb1980
Hi, Unixnewbie, thanks for your help.
But after I revoked connect from public, the user can connect to the database, too.
1. Log in to the database as db2admin
2. Revoke connect from public
db2 => connect to adb1 user db2admin using db2admin
数据库连接信息
数据库服务器 = DB2/NT 8.2.0
SQL 授权标识 = DB2ADMIN
本地数据库别名 = ADB1
db2 => revoke connect on database from public
DB20000I SQL 命令成功完成。
db2 =>
3. Use the user adb, who belongs to the public group
db2 => connect to adb1 user adb using adb
数据库连接信息
数据库服务器 = DB2/NT 8.2.0
SQL 授权标识 = ADB
本地数据库别名 = ADB1
db2 =>
Did you verify it? If your test succeeds, please give me the detailed steps. Thank you very much.
2008-6-6 12:09
unixnewbie
After 'db2 connect to adb1 user adb using adb', issue:
'db2 get AUTHORIZATIONS'
paste your output here.
2008-7-3 22:39
lovelyman_gold
There are good third-party tools; they are extremely simple and convenient.