创建视图，报ORA-01720错误问题

视图创建的时候出现如下问题：

并且检查了视图中对象的授权情况：

这是一个函数，授予视图创建用户EXECUTE权限。

官方给出的解释：

#01720, 00000,"grant option does not exist for '%s.%s'" // *Cause:  A grant was being performed on a view or aview was being replaced //          and the grant option was not presentfor an underlying object. // *Action: Obtainthe grant option on all underlying objects of the view or //          revoke existing grants on the view.

MOS 文档解释的hen'很清楚

Post Upgrade To 11.2.0.4, "create or replace view" execution fails with "ORA-01720: Grant Option Does Not Exist" (Doc ID 1628033.1)

APPLIES TO:

Oracle Database - Enterprise Edition - Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Information in this document applies to any platform.

SYMPTOMS

After upgrading from 11.2.0.3 to 11.2.0.4, you encounter the following error while executing the "create or replace view" statement:

ORA-01720: grant option does not exist

Views were created before the upgrade and "CREATE OR REPLACE VIEW" had worked fine.

For example the following testcase will run without errors on version 11.2.0.3, while the last statement 'create or replace view testv as select * from u2.test' will fail on 11.2.0.4

connect / as sysdba
-- drop user u1 cascade;
-- drop user u2 cascade;
create user u1 identified by u1;
create user u2 identified by u2;
grant resource to u1;
grant resource to u2;
grant create session to u1;
grant create session to u2;
grant create view to u1;
connect u2/u2
create table u2.test(a number);
grant select on test to u1 with grant option;
connect u1/u1
create view testv as select * from u2.test;
grant select on testv to system;
connect u2/u2
revoke select on test from u1;
grant select on test to u1;
connect u1/u1
create or replace view testv as select * from u2.test;

The result in version 11.2.0.4 (and higher) will be:

create or replace view testv as select * from u2.test
                                                 *
ERROR at line 1:
ORA-01720: grant option does not exist for 'U2.TEST

 '

CHANGES

Upgrade to 11.2.0.4 from a previous version.

CAUSE

The observed behavior is correct. You will get this ORA-1720 error when REPLACING a view that selects from some other user's tables and both of the following conditions are true: 
 
- you have already granted select or other privileges on the VIEW to some other user 
- the view owner does not have the GRANT option on the tables being selected from (or view owner may have some privilege with grant option but not others)

Development has explained it as follows:
 
The code was changed in 11.2.0.4 so that create view behavior is similar to grant. If you try to make a GRANT on an existing view and the view owner does not have the grant option, then ORA-1720 is the expected result (even in 11.2.0.3). In 11.2.0.4, we have simply made CREATE VIEW consistent with the GRANT behavior, i.e. if an incompatible grant exists, then the new view definition must not be allowed (even with FORCE). In other words, we do not allow incompatible grants to coexist with the view definition and so an error must be thrown. The behavior in release 11.2.0.3 (and earlier) was incorrect; the new behavior in 11.2.0.4 is intentional and correct. 

SOLUTION

To avoid this issue, you can do either of the following: 
 
1. Remove all grants on the view before REPLACING the view. This will ensure that no incompatible grants exist. 
2. Drop and recreate the view. Dropping the view will automatically remove all grants.

To detect views with this condition you can use the following statement, however be aware it only detects first level dependencies:

select unique d.owner, d.name "view" from
dba_dependencies d, dba_tab_privs pv, dba_tab_privs pd
where
-- there are dependencies outside the schema of the view owner
d.TYPE = 'VIEW' and d.REFERENCED_OWNER <> d.owner
-- there are grants issued on the view
and pv.TABLE_NAME = d.name
and d.owner = pv.owner
and pv.privilege in ('SELECT','INSERT','UPDATE')
-- dependent objects have not been granted with admin option
and pd.TABLE_NAME = d.REFERENCED_NAME
and pd.GRANTABLE = 'NO'
-- exlude grants to roles
and pv.grantee <> 'PUBLIC'
and pd.grantee <> 'PUBLIC'
and pv.grantee not in (select role from dba_roles)
and pd.grantee not in (select role from dba_roles)
-- exclude public owned objects
and d.REFERENCED_OWNER <> 'PUBLIC'

When used with the testcase at the top of this document, the offending view can be singled out:

SQL> @view_check

OWNER                          view
------------------------------ ------------------------------

U1                             TESTV

 

我出现的问题就是该view授予其他用户查询，因而在创建视图的时候需要有查询对象的with grant option;