VPD (Virtual Private Database)
VPD enforces security policies directly on tables, views and synonyms, giving row-level or column-level security inside the database rather than in application code.
A VPD policy can be attached to SELECT, INSERT, UPDATE, INDEX and DELETE statements.
When SQL touches a VPD-protected object, the statement is rewritten on the fly: the predicate returned by the policy function is appended as an extra WHERE condition. Because that predicate is spliced into the SQL text, it should refer to session state through sys_context() inside the predicate (as the packages below do) rather than concatenating values into the string. SYS, and any user holding the EXEMPT ACCESS POLICY privilege, bypass VPD entirely.
- Create the users and grant privileges
conn sys/oracle as sysdba
grant create session to adams identified by john7;
grant create session to burlington identified by newj2;
grant create session to practice identified by practice;
grant resource to practice;
grant create any context, create public synonym to practice;
grant create any procedure to practice;
grant unlimited tablespace to practice;
grant execute on dbms_rls to practice;
connect practice/practice
create table stock_account(account number(10), account_longname varchar2(50));
insert into stock_account values (1234,'ADAMS');
insert into stock_account values (7777,'BURLINGTON');
create table stock_trx( account number(10), symbol varchar2(20), price number(6,2), quantity number(6), trx_flag varchar2(1));
insert into stock_trx values(1234,'ADSP',31.75, 100, 'b');
insert into stock_trx values(7777,'ADSP',31.50,300,'s');
insert into stock_trx values(1234,'ADSP',31.55, 100,'b');
insert into stock_trx values(7777,'OCKS',21.75, 1000, 'b');
commit;
- Create the application context (the PRACTICE namespace may only be written by its trusted package, practice.context_package)
connect practice/practice
create context practice using practice.context_package;
create or replace package context_package as
procedure set_context;
end;
/
create or replace package body context_package is
procedure set_context is
v_user varchar2(30);
v_id number;
begin
dbms_session.set_context('PRACTICE','SETUP','TRUE');
v_user := sys_context('USERENV','SESSION_USER');
begin
select account into v_id from stock_account where account_longname = v_user;
dbms_session.set_context('PRACTICE','USER_ID',v_id);
exception
when no_data_found then
dbms_session.set_context('PRACTICE','USER_ID',0);
end;
dbms_session.set_context('PRACTICE','SETUP','FALSE');
end set_context;
end context_package;
/
grant execute on practice.context_package to public;
create public synonym context_package for practice.context_package;
- Create the logon trigger (owned by PRACTICE but created from SYS, which holds ADMINISTER DATABASE TRIGGER; if set_context ever raises an unhandled error, users without that privilege can no longer log in)
conn sys/oracle as sysdba
create or replace trigger practice.set_security_context
after logon on database
begin
practice.context_package.set_context;
end;
/
Test: log in as ADAMS and confirm that USER_ID holds the account number looked up by the trigger. A user without a STOCK_ACCOUNT row gets USER_ID 0, so 0 must never become a real account number, otherwise every unknown user would see that account's rows.
conn adams/john7
select sys_context('USERENV','SESSION_USER') username, sys_context('PRACTICE','USER_ID') id from dual;
- Create the security policy functions (each takes the object owner and name and returns the predicate text; NULL means no restriction, '1=2' means no rows)
connect practice/practice
create or replace package security_package as
function stock_trx_insert_security(owner varchar2, objname varchar2)
return varchar2;
function stock_trx_select_security(owner varchar2, objname varchar2)
return varchar2;
end security_package;
/
create or replace package body security_package is
function stock_trx_select_security(owner varchar2, objname varchar2)
return varchar2 is
predicate varchar2(2000);
begin
predicate := '1=2';
if (sys_context('USERENV','SESSION_USER') = 'PRACTICE') then
predicate := null;
else
predicate := 'account = sys_context(''PRACTICE'',''USER_ID'')';
end if;
return predicate;
end stock_trx_select_security;
function stock_trx_insert_security(owner varchar2, objname varchar2)
return varchar2 is
predicate varchar2(2000);
begin
predicate := '1=2';
if (sys_context('USERENV','SESSION_USER') = 'PRACTICE') then
predicate := null;
else
predicate := 'account = sys_context(''PRACTICE'',''USER_ID'')';
end if;
return predicate;
end stock_trx_insert_security;
end security_package;
/
grant execute on practice.security_package to public;
create public synonym security_package for practice.security_package;
- Apply the security policies to the table
begin
-- 7th argument (update_check => TRUE): inserted rows must also satisfy the predicate; this is what raises ORA-28115 in the test below
dbms_rls.add_policy('PRACTICE','STOCK_TRX','STOCK_TRX_INSERT_POLICY','PRACTICE','SECURITY_PACKAGE.STOCK_TRX_INSERT_SECURITY','INSERT',TRUE);
dbms_rls.add_policy('PRACTICE','STOCK_TRX','STOCK_TRX_SELECT_POLICY','PRACTICE','SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY','SELECT');
end;
/
- Test VPD (the table is deliberately granted to PUBLIC so that only the policies stand between a user and other accounts' rows)
conn practice/practice
grant all on stock_trx to public;
connect adams/john7
select * from practice.stock_trx;
ACCOUNT SYMBOL PRICE QUANTITY T
---------- -------------------- ---------- ---------- -
1234 ADSP 31.75 100 b
1234 ADSP 31.55 100 b
insert into practice.stock_trx values(7777,'ADSP',31.5, 100, 'B');
ORA-28115: policy with check option violation
connect burlington/newj2
select * from practice.stock_trx;
ACCOUNT SYMBOL PRICE QUANTITY T
---------- -------------------- ---------- ---------- -
7777 ADSP 31.5 300 s
7777 OCKS 21.75 1000 b
connect scott/tiger
select * from practice.stock_trx;
no rows selected
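Added check, not part of the original walkthrough: after the tests above, confirm from the data dictionary what was actually enforced and who can bypass it. It assumes the PRACTICE objects created above and runs from the SYS session used in the setup; the views used are the standard DBA_POLICIES, V$VPD_POLICY and DBA_SYS_PRIVS.

```sql
-- Policies registered on PRACTICE.STOCK_TRX: statement types, check option, enabled flag.
conn sys/oracle as sysdba
select policy_group, policy_name, package, function, sel, ins, upd, del, chk_option, enable
  from dba_policies
 where object_owner = 'PRACTICE' and object_name = 'STOCK_TRX';

-- Predicate text VPD actually attached to cursors still in the shared pool
-- (populated once ADAMS or BURLINGTON has run the SELECTs above).
select object_name, policy_group, policy, predicate
  from v$vpd_policy
 where object_owner = 'PRACTICE' and object_name = 'STOCK_TRX';

-- Accounts that bypass every VPD policy: SYS always does, and so does anyone
-- holding EXEMPT ACCESS POLICY. This list should be empty or very short.
select grantee from dba_sys_privs where privilege = 'EXEMPT ACCESS POLICY';

-- The bypass in action: SYS sees every STOCK_TRX row despite the policies.
select * from practice.stock_trx;
```

The V$VPD_POLICY row for the ADAMS cursor shows the predicate as text, account = sys_context('PRACTICE','USER_ID'), not the resolved value, which is why the same cursor can be shared safely between sessions holding different USER_IDs.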
- Column-level restrictions
connect practice/practice
begin
dbms_rls.add_policy
(object_schema=>'PRACTICE',
object_name=>'STOCK_TRX',
policy_name=>'STOCK_TRX_SELECT_POLICY2',
function_schema=>'PRACTICE',
policy_function=>'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
sec_relevant_cols=>'Price');
end;
/
The policy above, created without sec_relevant_cols_opt, is column-sensitive row filtering: the predicate is applied only to statements that reference PRICE, and a SELECT of the other columns sees every row. Column masking instead requires sec_relevant_cols_opt => dbms_rls.ALL_ROWS; it then returns all rows and shows NULL in the masked column for rows that fail the predicate. Masking applies only to SELECT, not to DML, so the masked column must be one the application can tolerate reading as NULL.
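Added example, not from the original post, showing the difference between the column-sensitive policy above and true column masking. It assumes the PRACTICE objects and the two select policies above exist; STOCK_TRX_PRICE_MASK is a name chosen for this example. The two earlier select policies are disabled first, because they would remove the 7777 rows before masking had anything to show.

```sql
connect practice/practice
begin
  -- Disable the row-filtering select policies from the earlier sections.
  dbms_rls.enable_policy('PRACTICE','STOCK_TRX','STOCK_TRX_SELECT_POLICY', FALSE);
  dbms_rls.enable_policy('PRACTICE','STOCK_TRX','STOCK_TRX_SELECT_POLICY2', FALSE);
  -- Same predicate function as before, but with the masking option.
  dbms_rls.add_policy(
    object_schema         => 'PRACTICE',
    object_name           => 'STOCK_TRX',
    policy_name           => 'STOCK_TRX_PRICE_MASK',
    function_schema       => 'PRACTICE',
    policy_function       => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types       => 'SELECT',          -- masking is SELECT-only
    sec_relevant_cols     => 'PRICE',
    sec_relevant_cols_opt => dbms_rls.ALL_ROWS);
end;
/

connect adams/john7
-- PRICE is not referenced: the policy is not applied at all.
select account, symbol, quantity from practice.stock_trx;
-- PRICE is referenced: every row comes back, PRICE masked where the predicate fails.
select account, symbol, price, quantity from practice.stock_trx;
```

As ADAMS the first query returns all four rows untouched; the second also returns all four rows, with PRICE shown as NULL on the two account 7777 rows. Under the original STOCK_TRX_SELECT_POLICY2 (no sec_relevant_cols_opt) the second query would instead return only the two account 1234 rows. Code that sums or compares PRICE must therefore handle NULL when masking is in force.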
- Disabling VPD
Reverse the steps above: drop the policies with DBMS_RLS.DROP_POLICY, drop the logon trigger, and optionally drop the remaining packages and the context (STOCK_TRX_SELECT_POLICY2 from the column-level section must be dropped in the same way if it was created):
exec dbms_rls.drop_policy('PRACTICE','STOCK_TRX','STOCK_TRX_INSERT_POLICY');
exec dbms_rls.drop_policy('PRACTICE','STOCK_TRX','STOCK_TRX_SELECT_POLICY');
drop trigger practice.set_security_context;
- Policy groups
Policies on the same table can be collected into policy groups, and a driving application context then selects which group's policies are enforced for the session.
By default every policy belongs to the SYS_DEFAULT group, which cannot be dropped; SYS_DEFAULT policies are enforced whatever the driving context says.
Adding a group and grouped policies (signatures from DESC DBMS_RLS):
desc dbms_rls
PROCEDURE CREATE_POLICY_GROUP
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_GROUP VARCHAR2 IN
PROCEDURE ADD_GROUPED_POLICY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_GROUP VARCHAR2 IN DEFAULT
POLICY_NAME VARCHAR2 IN
FUNCTION_SCHEMA VARCHAR2 IN DEFAULT
POLICY_FUNCTION VARCHAR2 IN
STATEMENT_TYPES VARCHAR2 IN DEFAULT
UPDATE_CHECK BOOLEAN IN DEFAULT
ENABLE BOOLEAN IN DEFAULT
STATIC_POLICY BOOLEAN IN DEFAULT
POLICY_TYPE BINARY_INTEGER IN DEFAULT
LONG_PREDICATE BOOLEAN IN DEFAULT
SEC_RELEVANT_COLS VARCHAR2 IN DEFAULT
SEC_RELEVANT_COLS_OPT BINARY_INTEGER IN DEFAULT
The group a session runs under is chosen through a driving context: register a context attribute for the table with DBMS_RLS.ADD_POLICY_CONTEXT(object_schema, object_name, namespace, attribute), then set that attribute to the group name from inside the namespace's trusted package. A direct call such as
exec dbms_session.set_context('PRACTICE','SETUP','policy_group');
does not select a group: from SQL*Plus it fails with ORA-01031, because only the package named in CREATE CONTEXT may write the PRACTICE namespace, and SETUP is not a registered driving-context attribute in any case.
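Added example, not part of the original post: two policy groups on STOCK_TRX, a driving context in its own namespace, and a trusted package that only lets a user select a group it has been granted. It assumes the PRACTICE schema, STOCK_TRX, SECURITY_PACKAGE, the logon trigger and the users created above. The names PRACTICE_GRP, GROUP_PACKAGE, AUDIT_ALL_ROWS, POLICY_GROUP_GRANTS, TRADING_APP and AUDIT_APP, and the contents of the grant table, are constructed for this example.

```sql
connect practice/practice

-- Which user may run under which group; consulted by the trusted package below.
create table policy_group_grants(username varchar2(128), policy_group varchar2(30));
insert into policy_group_grants values ('ADAMS','TRADING_APP');
insert into policy_group_grants values ('BURLINGTON','TRADING_APP');
insert into policy_group_grants values ('BURLINGTON','AUDIT_APP');
commit;

-- Policy function for the audit group: NULL predicate, no row restriction.
create or replace function audit_all_rows(owner varchar2, objname varchar2)
return varchar2 is
begin
  return null;
end;
/

-- Driving context in its own namespace, bound to a trusted package, so only
-- GROUP_PACKAGE can decide which policy group a session runs under.
create context practice_grp using practice.group_package;
create or replace package group_package as
  procedure set_group(p_group in varchar2);
end;
/
create or replace package body group_package is
  procedure set_group(p_group in varchar2) is
    n pls_integer;
  begin
    select count(*) into n
      from policy_group_grants
     where username = sys_context('USERENV','SESSION_USER')
       and policy_group = p_group;
    if n = 0 then
      raise_application_error(-20001, 'policy group not permitted for this user');
    end if;
    dbms_session.set_context('PRACTICE_GRP','POLICY_GROUP', p_group);
  end set_group;
end group_package;
/
grant execute on group_package to public;

begin
  -- The row-level select policy from earlier sits in SYS_DEFAULT and would be
  -- ANDed onto every query; disable it so the groups decide.
  dbms_rls.enable_policy('PRACTICE','STOCK_TRX','STOCK_TRX_SELECT_POLICY', FALSE);
  dbms_rls.create_policy_group('PRACTICE','STOCK_TRX','TRADING_APP');
  dbms_rls.create_policy_group('PRACTICE','STOCK_TRX','AUDIT_APP');
  dbms_rls.add_grouped_policy(
    object_schema   => 'PRACTICE',    object_name => 'STOCK_TRX',
    policy_group    => 'TRADING_APP', policy_name => 'TRADING_SELECT',
    function_schema => 'PRACTICE',
    policy_function => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types => 'SELECT');
  dbms_rls.add_grouped_policy(
    object_schema   => 'PRACTICE',  object_name => 'STOCK_TRX',
    policy_group    => 'AUDIT_APP', policy_name => 'AUDIT_SELECT',
    function_schema => 'PRACTICE',  policy_function => 'AUDIT_ALL_ROWS',
    statement_types => 'SELECT');
  -- The value of PRACTICE_GRP.POLICY_GROUP names the group enforced on
  -- STOCK_TRX; SYS_DEFAULT is always enforced as well.
  dbms_rls.add_policy_context('PRACTICE','STOCK_TRX','PRACTICE_GRP','POLICY_GROUP');
end;
/

connect adams/john7
exec practice.group_package.set_group('TRADING_APP');
select account, symbol, quantity from practice.stock_trx;
exec practice.group_package.set_group('AUDIT_APP');

connect burlington/newj2
exec practice.group_package.set_group('AUDIT_APP');
select account, symbol, quantity from practice.stock_trx;
```

As ADAMS under TRADING_APP the query returns only the two account 1234 rows, and the AUDIT_APP request is refused with ORA-20001 because there is no grant row. As BURLINGTON under AUDIT_APP all four rows come back. The grant table is the real authorization point: whoever can set the driving context chooses the policy, so a public procedure that set it unconditionally would let any user pick the least restrictive group. Before set_group has been called the driving context is NULL, and Oracle then enforces the policies of every group, which with ANDed predicates is the most restrictive outcome. The query deliberately omits PRICE, so the column-level policies from the previous section, which remain in SYS_DEFAULT, are not triggered.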