Virtual Private Database (VPD) with Oracle
2009-10-06 23:33
423 查看
refer:http://www.adp-gmbh.ch/ora/security/vpd/
VirtualPrivateDatabaseisalsoknownasfinegraindaccesscontrol(FGAC).Itallowstodefinewhichrowsusersmayhaveaccessto.
Fillinginsometrulyconfidentialsecrets:
Foranyemployee,itmustbepossibletoseeallsecretsofhisdepartment,butnosecretofanotherdepartment.
InordertomakethathappenwithOracle,weneedtocreateapackage,atrigger,andsetapolicy.
First,thepackageiscreated.
Thenthetriggerisdefined.Thistriggerfireswheneversomeonelogontothedatabase.Itfindstheuser'sdepartementid(dep_id)andcallsset_dep_idinthepackage.
Finally,thepolicyisdefined.Thepolicystateswhichprocedureisusedtoaddawhereclauseparttothewhereclauseifsomeoneexecutesaselectstatement.
Totestthesetup,someusersarecreated.
Thenecessaryprivilegesaregranted.
Apublicsynonymiscreated.
Frank(belongingtoR+D)executesaquery....
Peter(belongingtoSales)executesaquery....
VirtualPrivateDatabaseisalsoknownasfinegraindaccesscontrol(FGAC).Itallowstodefinewhichrowsusersmayhaveaccessto.
Asimpleexample
Inthisexample,itisassumedthatacompanyconsistsofdifferentdepartments(witheachhavinganentryinthedepartmentstable).Anemployeebelongstoexactlyondepartment.Adepartmentcanhavesecretsthatgointothedepartment_secretstable.createtabledepartment( dep_idintprimarykey, namevarchar2(30) ); createtableemployee( dep_id referencesdepartment, namevarchar2(30) ); createtabledepartment_secrets( dep_id referencesdepartment, secretvarchar2(30) );
Fillinginsometrulyconfidentialsecrets:
insertintodepartmentvalues(1,'ResearchandDevelopment'); insertintodepartmentvalues(2,'Sales'); insertintodepartmentvalues(3,'HumanResources'); insertintoemployeevalues(2,'Peter'); insertintoemployeevalues(3,'Julia'); insertintoemployeevalues(3,'Sandy'); insertintoemployeevalues(1,'Frank'); insertintoemployeevalues(2,'Eric'); insertintoemployeevalues(1,'Joel'); insertintodepartment_secretsvalues(1,'R+DSecret#1'); insertintodepartment_secretsvalues(1,'R+DSecret#2'); insertintodepartment_secretsvalues(2,'SalesSecret#1'); insertintodepartment_secretsvalues(2,'SalesSecret#2'); insertintodepartment_secretsvalues(3,'HRSecret#1'); insertintodepartment_secretsvalues(3,'HRSecret#2');
Foranyemployee,itmustbepossibletoseeallsecretsofhisdepartment,butnosecretofanotherdepartment.
InordertomakethathappenwithOracle,weneedtocreateapackage,a
First,thepackageiscreated.
createorreplacepackagepck_vpd as p_dep_iddepartment.dep_id%type; procedureset_dep_id(v_dep_iddepartment.dep_id%type); functionpredicate(obj_schemavarchar2,obj_namevarchar2)returnvarchar2; endpck_vpd; / createorreplacepackagebodypck_vpdas procedureset_dep_id(v_dep_iddepartment.dep_id%type)is begin p_dep_id:=v_dep_id; endset_dep_id; functionpredicate(obj_schemavarchar2,obj_namevarchar2)returnvarchar2is begin return'dep_id='||p_dep_id; endpredicate; endpck_vpd; /
Thenthetriggerisdefined.Thistriggerfireswheneversomeonelogontothedatabase.Itfindstheuser'sdepartementid(dep_id)andcallsset_dep_idinthepackage.
createorreplacetriggertrg_vpd afterlogonondatabase declare v_dep_iddepartment.dep_id%type; begin selectdep_idintov_dep_id fromemployeewhereupper(name)= user; pck_vpd.set_dep_id(v_dep_id); end; /
Finally,thepolicyisdefined.Thepolicystateswhichprocedureisusedtoaddawhereclauseparttothewhereclauseifsomeoneexecutesaselectstatement.
begindbms_rls.add_policy( user, 'department_secrets', 'choosablepolicyname', user, 'pck_vpd.predicate', 'select,update,delete'); end; /
Totestthesetup,someusersarecreated.
createuserfrankidentifiedbyfrankdefaulttablespaceuserstemporarytablespacetemp; createuserpeteridentifiedbypeterdefaulttablespaceuserstemporarytablespacetemp; createuserjuliaidentifiedbyjuliadefaulttablespaceuserstemporarytablespacetemp;
Thenecessary
grantallondepartment_secretstofrank; grantallondepartment_secretstopeter; grantallondepartment_secretstojulia; grantcreatesessiontofrank; grantcreatesessiontopeter; grantcreatesessiontojulia;
Apublicsynonymiscreated.
createpublicsynonymdepartment_secretsfordepartment_secrets;
Frank(belongingtoR+D)executesaquery....
connectfrank/frank; select*fromdepartment_secrets;
DEP_IDSECRET ---------------------------------------- 1R+DSecret#1 1R+DSecret#2
Peter(belongingtoSales)executesaquery....
connectpeter/peter; select*fromdepartment_secrets;
DEP_IDSECRET ---------------------------------------- 2SalesSecret#1 2SalesSecret#2
------------------------------------------------------------------------------- --FileName:vpd2.sql ------------------------------------------------------------------------------- --Maintainer:PeteFinnigan(http://www.petefinnigan.com) --Copyright:Copyright(C)2009PeteFinnigan.comLimited.Allrights --reserved.Allregisteredtrademarksarethepropertyoftheir --respectiveownersandareherebyacknowledged. ------------------------------------------------------------------------------- --Usage:Thescriptprovidedhereisavailablefree.Youcandoanything --youwantwithitcommercialornoncommercialaslongasthe --copyrightandthisnoticearenotremovedoreditedinanyway. --Thescriptscannotbeposted/published/hostedorwhatever --anywhereelseexceptatwww.petefinnigan.com/vpd2.sql -------------------------------------------------------------------------------- prompt[*]connectasSYS pause connectsys/oracle1assysdba prompt[*]Dropthetestuser dropuserpxfcascade; prompt[*]Recreatethetestuser createuserpxfidentifiedbypxfdefaulttablespaceuserstemporarytablespacetemp; grantcreatesessiontopxf; grantcreateanycontexttopxf; grantcreatetabletopxf; grantunlimitedtablespacetopxf; grantcreateproceduretopxf; grantexecuteondbms_rlstopxf; grantexecuteondbms_sessiontopxf; createtablepxf.empasselect*fromscott.emp; prompt[*]NowconnectasPXF pause connectpxf/pxf prompt[*]Selectfromthesampletable-shouldbe15rows pause select*fromemp; Prompt[*]LeteveryoneseethetableandconnectasSCOTTandselectagain prompt[*]shouldstillbe15rows grantselectonpxf.emptopublic; connectscott/tiger select*frompxf.emp; prompt[*]connectasPXFagainandsetupasimpleVPD prompt[*]thatrestrictsaccesstodept10 pause connectpxf/pxf createorreplacefunctionpredicate(pv_schemainvarchar2,pv_objectinvarchar2) returnvarchar2 as begin return'deptno!=''10'''; end; / begin dbms_rls.add_policy( object_schema=>'PXF', object_name=>'EMP', policy_name=>'PXFTEST', policy_function=>'PREDICATE'); end; / prompt[*]FinallyconnectasSCOTTandseeifheisblockedfromseeingthedata prompt[*]shouldnowbe12rows! pause connectscott/tiger select*frompxf.emp; prompt[*] pause shouser prompt[*]setuptraceanddumpthepredicate pause altersessionsetsql_trace=true; altersessionsetevents'10730tracenamecontextforever'; prompt[*]Dumpthedatafromtheemptable select*frompxf.emp; prompt[*]Turntraceoff altersessionsetevents'10730tracenamecontextoff'; altersessionsetsql_trace=false; prompt[*]Letslookatthetracefile pause prompt[*] pause prompt[*]Viewthepredicate pause selectobject_owner,object_name,policy_name, pf_owner,pf_owner,function fromall_policies; setserveroutputonsize1000000 declare predicvarchar2(1000); begin dbms_output.put_line('Thepredicateis:'||pxf.predicate('PXF','EMP')); end; / prompt[*]Ihaveseenthistypeofdesign: prompt[*]wherethepredicatefunctionsareexecutablebyall pause connectpxf/pxf grantexecuteonpredicatetopublic; connectscott/tiger setserveroutputonsize1000000 declare predicvarchar2(1000); begin dbms_output.put_line('Thepredicateis:'||pxf.predicate('PXF','EMP')); end; / prompt[*]Accessthedatadirectly pause --------------------------------------------------------- --changethefilenumberandblocknumbertosuityour --databasenotmine. --------------------------------------------------------- selectdistinctdbms_rowid.rowid_block_number(rowid)blk, dbms_rowid.rowid_relative_fno(rowid)fno frompxf.emp; selectfile_namefromdba_data_files wherefile_id=4; altersystemdumpdatafile4block444; prompt[*]Letstryagainasmonitor pause connectmonitor/monitor selectdistinctdbms_rowid.rowid_block_number(rowid)blk, dbms_rowid.rowid_relative_fno(rowid)fno frompxf.emp; selectfile_namefromdba_data_files wherefile_id=4; altersystemdumpdatafile4block444;
相关文章推荐
- Virtual Private Databases (VPD)
- VPD(Virtual Private Database) 简单演示
- ORACLE Virtual Private Database(VPD)
- 使用Oracle VPD(Virtual Private Database)限制用户获取数据的范围
- Oracle Virtual Private Database(VPD)初体验
- Oracle Virtual Private Database(VPD) 初体验
- 184 You are in the process of creating a Virtual Private Catalog (VPC) in your Oracle Database 11g d
- ORACLE 的Virtual Private Database的全新体验
- 在ORACLE数据库上创建vpd(Virtual Private Databases)安全策略的实战记录
- EnterpriseDB’s Virtual Private Database vs oracle’s DBMS_RLS
- 在ORACLE数据库上创建VPD(Virtual Private Databases)安全策略的实战记录
- Virtual Columns in Oracle Database 11g
- 对private内存、virtual内存的一些讲解
- QSqlDatabasePrivate::addDatabase: duplicate connection name 'qt_sql_default_connection', old connect
- Configuring vCenter Server Virtual Appliance to use an Oracle database
- QSqlDatabasePrivate::addDatabase: duplicate connection name 'qt_sql_default_connection', old connect
- QSqlDatabasePrivate::removeDatabase: connection 'qt_sql_default_connection' is still in use
- VPS 虚拟私有主机 Virtual Private Server