Oracle Database 12c Security - 6. Real Application Security
RAS (Real Application Security) is a new 12c feature whose design goals are to be comprehensive and transparent to the application.
In a traditional web application, switching database connections per end user and keeping each one correctly privileged is too costly, so the application usually connects as a single account that holds every privilege any user might need. The result is over-privileging.
Preserving the end user's identity inside the database is also hard, so it is often dropped altogether, which makes the application more complex, error-prone and difficult to audit.
ACCOUNT MANAGEMENT IN ORACLE RAS
RAS authorization statements follow this pattern:
<Principal> perform <operation> on <data> subject to <privilege>
where the principal is an application user or an application role.
Application users come in two kinds:
- Direct Login Application User (DLAU) account: can log in to the database directly and is mapped to an existing schema without owning it; typically used as the connection-pool account.
- Simple Application User (SAU) account: represents an end user; cannot log in to the database and holds no database privileges of its own.
Configuring DLAU Accounts
connect sys@sales as sysdba
grant xs_session_admin to sec_mgr;

connect sec_mgr@sales
BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name=>'SH_DIRECT', schema=>'SH');
END;
/
-- XSGUEST is a predefined account that can be used for (guest) lightweight RAS sessions.
SELECT name,status,schema
FROM dba_xs_users
ORDER BY name;

NAME                 STATUS   SCHEMA
-------------------- -------- --------------------
SH_DIRECT            ACTIVE   SH
XSGUEST              ACTIVE

-- set the password
BEGIN
  SYS.XS_PRINCIPAL.SET_PASSWORD(user => 'SH_DIRECT', password => 'welcome1', type => XS_PRINCIPAL.XS_SALTED_SHA1);
END;
/
-- assign a profile
BEGIN
  XS_PRINCIPAL.SET_PROFILE('SH_DIRECT','DEFAULT');
END;
/
-- grant the XSCONNECT application role; it carries the database role XS_CONNECT,
-- which is what gives the account CREATE SESSION
BEGIN
  XS_PRINCIPAL.GRANT_ROLES('SH_DIRECT', 'XSCONNECT');
END;
/
Log in as the XS user:
CONNECT sh_direct/welcome1@sales
SELECT SYS_CONTEXT('USERENV','SESSION_USER') SESSION_USER
     , XS_SYS_CONTEXT('XS$SESSION','USERNAME') RAS_SESSION_USER
     , SYS_CONTEXT('USERENV','CURRENT_SCHEMA') CURRENT_SCHEMA
FROM DUAL;

SESSION_USER    RAS_SESSION_USE CURRENT_SCHEMA
--------------- --------------- ---------------
XS$NULL         SH_DIRECT       SH

SELECT * FROM session_privs;
SELECT * FROM session_roles;

PRIVILEGE
----------------------------------------
CREATE SESSION

ROLE
--------------------------------------------------------------------------------
XS_CONNECT

SQL> select ora_invoking_user from dual;

ORA_INVOKING_USER
--------------------------------------------------------------------------------
XS$NULL

Note what the output shows: the database-level session user is XS$NULL (a DLAU is not a database user), the RAS identity is SH_DIRECT, the current schema is the mapped SH schema, and the only privilege in effect is CREATE SESSION via the XS_CONNECT role. Any object access has to come through application roles, covered next.
Configuring Simple Application User Accounts
Create two SAU accounts; they have no schema of their own:
connect sec_mgr/welcome1@sales
BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'MARY');
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'ANTHONY');
END;
/
SELECT name, status, schema
FROM dba_xs_users
ORDER BY name;

NAME                 STATUS   SCHEMA
-------------------- -------- --------------------
ANTHONY              ACTIVE
MARY                 ACTIVE
ORACLE11_USER        ACTIVE   SH
SH_DIRECT            ACTIVE   SH
XSGUEST              ACTIVE
ORACLE RAS ROLES
Unlike traditional direct object grants, RAS users receive their privileges through RAS (application) roles: object privileges are granted to database roles, database roles to application roles, and application roles to application users.
CREATE ROLE db_sh_read;
CREATE ROLE db_sh_write;

GRANT SELECT
ON sh.sales_history
TO db_sh_read;

GRANT SELECT, INSERT, UPDATE, DELETE
ON sh.sales_history
TO db_sh_write;

BEGIN
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'XS_SH_READ', enabled => TRUE );
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'XS_SH_WRITE', enabled => TRUE );
END;
/
GRANT db_sh_read TO xs_sh_read;
GRANT db_sh_write TO xs_sh_write;

SELECT name, default_enabled
FROM dba_xs_roles
ORDER BY name;

NAME                 DEF
-------------------- ---
XSBYPASS             NO
XSCACHEADMIN         YES
XSCONNECT            YES
XSDISPATCHER         YES
XSNAMESPACEADMIN     YES
XSPROVISIONER        YES
XSPUBLIC             YES
XSSESSIONADMIN       YES
XS_SH_READ           YES
XS_SH_WRITE          YES

10 rows selected.

BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'MARY', role => 'XS_SH_WRITE' );
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'ANTHONY', role => 'XS_SH_READ' );
END;
/
SELECT grantee, granted_role
FROM dba_xs_role_grants
ORDER BY grantee, granted_role;

GRANTEE              GRANTED_ROLE
-------------------- --------------------
ANTHONY              XSPUBLIC
ANTHONY              XS_SH_READ
MARY                 XSPUBLIC
MARY                 XS_SH_WRITE
ORACLE11_USER        XSPUBLIC
SH_DIRECT            XSCONNECT
SH_DIRECT            XSPUBLIC
XSCACHEADMIN         XS_CACHE_ADMIN
XSCONNECT            XS_CONNECT
XSDISPATCHER         XS_CACHE_ADMIN
XSDISPATCHER         XS_NAMESPACE_ADMIN
XSDISPATCHER         XS_SESSION_ADMIN
XSSESSIONADMIN       XS_SESSION_ADMIN
XS_SH_READ           DB_SH_READ
XS_SH_WRITE          DB_SH_WRITE

15 rows selected.

SELECT privilege
FROM dba_xs_aces
WHERE principal = 'XSPUBLIC';

PRIVILEGE
--------------------------------------------------------------------------------
ADMIN_NAMESPACE
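Because a RAS grant passes through two kinds of role before it reaches a table, the question "what can MARY actually do to SH.SALES_HISTORY?" is not answered by any single view. The query below is an added check, not part of the original page or the book: it walks application user -> application role -> database role (both live in DBA_XS_ROLE_GRANTS, with DBA_ROLE_PRIVS covering database-role-to-database-role grants) and then joins the object and system privileges held by every role reached. With the grants made above it should list MARY with SELECT, INSERT, UPDATE and DELETE on SH.SALES_HISTORY via DB_SH_WRITE, ANTHONY with SELECT via DB_SH_READ, and SH_DIRECT with CREATE SESSION via XS_CONNECT. The column aliases and the '(system privilege)' marker are this example's own choices.

```sql
-- Added example (not from the original page): effective privileges per RAS
-- application user, following the grant chain through application roles and
-- database roles. Runs as any user that can read the DBA_* views.
WITH all_grants AS (
  SELECT grantee, granted_role FROM dba_xs_role_grants   -- app user/role -> app role or db role
  UNION
  SELECT grantee, granted_role FROM dba_role_privs       -- db role -> db role
),
chain (app_user, role_name, depth) AS (
  -- anchor: roles granted directly to application users
  SELECT u.name, g.granted_role, 1
  FROM   dba_xs_users u
  JOIN   all_grants   g ON g.grantee = u.name
  UNION ALL
  -- recursive step: roles granted to a role already reached
  SELECT c.app_user, g.granted_role, c.depth + 1
  FROM   chain      c
  JOIN   all_grants g ON g.grantee = c.role_name
)
CYCLE role_name SET is_cycle TO 'Y' DEFAULT 'N'   -- defensive: stop on circular grants
SELECT app_user, via_role, granted_on, privilege
FROM (
  -- object privileges held by any role in the chain
  SELECT c.app_user, c.role_name AS via_role,
         p.owner || '.' || p.table_name AS granted_on, p.privilege
  FROM   chain c
  JOIN   dba_tab_privs p ON p.grantee = c.role_name
  UNION ALL
  -- system privileges held by any role in the chain (e.g. CREATE SESSION via XS_CONNECT)
  SELECT c.app_user, c.role_name, '(system privilege)', s.privilege
  FROM   chain c
  JOIN   dba_sys_privs s ON s.grantee = c.role_name
)
ORDER BY app_user, granted_on, privilege;
```

Run it after every change to role grants; a row you do not expect (for example a write privilege reaching a read-only user through a database role that was later widened) is exactly the over-privileging RAS is meant to prevent.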
Role Management Procedures in Package XS_PRINCIPAL
These include XS_PRINCIPAL.CREATE_ROLE, XS_PRINCIPAL.GRANT_ROLES and XS_PRINCIPAL.ENABLE_ROLES_BY_DEFAULT, among others.
Oracle 12c RAS also introduces dynamic application roles. They cannot be granted to a user or role directly; instead the application enables them in a RAS lightweight session at attach time.
Out-of-the-Box Roles in Oracle RAS
In practice, Oracle RAS is most often driven from Java applications.
LIGHTWEIGHT SESSIONS IN ORACLE RAS
Setting Privileges for Direct Login Application User Accounts
Using the SH_DIRECT account created earlier as the connection-pool user, create a new DLAU, SEC_DISPATCHER, for session management.
CONNECT sec_mgr/welcome1@sales
-- create the DLAU account
BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name=>'SEC_DISPATCHER', schema=>'SEC_POL');
END;
/
-- set the password for the DLAU account
BEGIN
  SYS.XS_PRINCIPAL.SET_PASSWORD(user => 'SEC_DISPATCHER', password => 'welcome1', type => XS_PRINCIPAL.XS_SALTED_SHA1);
END;
/
-- grant the roles for session
-- and cache administration
BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'SEC_DISPATCHER', role => 'XSSESSIONADMIN' );
END;
/
BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'SEC_DISPATCHER', role => 'XSCACHEADMIN' );
END;
/
SELECT grantee, granted_role
FROM dba_xs_role_grants
WHERE grantee = 'SEC_DISPATCHER'
ORDER BY grantee, granted_role;

GRANTEE              GRANTED_ROLE
-------------------- --------------------
SEC_DISPATCHER       XSCACHEADMIN
SEC_DISPATCHER       XSPUBLIC
SEC_DISPATCHER       XSSESSIONADMIN
SEC_DISPATCHER can only manage lightweight sessions (create, attach, detach, destroy); it has no grants on the SH schema, which is the point: the account the mid-tier holds open carries no data privileges of its own. Note that it is mapped to the schema SEC_POL, which must actually exist; the workspace validation further down reports it as missing.
Lightweight Session Management in Java
Namespaces in Oracle RAS
A RAS namespace resembles an application context, but a namespace belongs to the lightweight session and follows it wherever that session is attached, whereas an application context belongs to the whole database session.
Server-Side Event Handling and Namespaces in Oracle RAS
Session Performance in Oracle RAS
Oracle RAS serves a similar purpose to Oracle proxy authentication, but it is functionally more complete and performs better, since attaching a lightweight session is far cheaper than establishing a database session.
PRIVILEGE MANAGEMENT AND DATA SECURITY IN ORACLE RAS
SQL> select * from sh.sales_history order by product;

PRODUCT                        SALES_DAT   QUANTITY TOTAL_COST
------------------------------ --------- ---------- ----------
Cell Phone                     09-AUG-20          2        300
LCD TV                         11-AUG-20          7       3500
LCD TV                         11-JUL-20         23      12500
Plasma TV                      11-JUL-20          7      12000
Speakers                       11-APR-20          4        521
Stereo                         02-AUG-20          1        100
Walkman                        12-AUG-20          5        250

7 rows selected.
Security Classes, Application Privileges, and ACLs
connect sec_mgr/welcome1@sales
-- a security class inheriting the DML privileges (SELECT, INSERT, UPDATE, DELETE)
-- and adding one custom privilege that will guard the TOTAL_COST column
BEGIN
  XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'SH_SECURITY_CLASS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE('ACCESS_TOTAL_COST')));
END;
/
DECLARE
  l_access_control_entries XS$ACE_LIST := XS$ACE_LIST();
BEGIN
  l_access_control_entries.EXTEND(1);
  -- Create an access control entry (ACE) for
  -- the XS_SH_WRITE application role
  -- to perform SELECT, UPDATE
  -- and view the TOTAL_COST column.
  l_access_control_entries(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('SELECT','UPDATE','ACCESS_TOTAL_COST'),
    principal_name => 'XS_SH_WRITE');
  -- Create an ACL with this ACE and associate
  -- the ACL to the SH security class.
  XS_ACL.CREATE_ACL(name => 'ACL_SH_WRITE',
                    ace_list => l_access_control_entries,
                    sec_class => 'SH_SECURITY_CLASS');
  -- Create an access control entry (ACE) for
  -- the XS_SH_READ application role
  -- to perform SELECT only.
  l_access_control_entries(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('SELECT'),
    principal_name => 'XS_SH_READ');
  -- Create an ACL with this ACE and associate
  -- the ACL to the SH security class.
  XS_ACL.CREATE_ACL(name => 'ACL_SH_READ',
                    ace_list => l_access_control_entries,
                    sec_class => 'SH_SECURITY_CLASS');
END;
/
Data Security Policies
DECLARE
  l_realms  XS$REALM_CONSTRAINT_LIST  := XS$REALM_CONSTRAINT_LIST();
  l_columns XS$COLUMN_CONSTRAINT_LIST := XS$COLUMN_CONSTRAINT_LIST();
BEGIN
  l_realms.EXTEND(2);
  -- Create a realm for the ACL ACL_SH_WRITE
  -- which is associated to the XS_SH_WRITE
  -- application role to see all rows
  -- in the Sales History.
  l_realms(1) := XS$REALM_CONSTRAINT_TYPE(
    realm    => '1 = 1',
    acl_list => XS$NAME_LIST('ACL_SH_WRITE'));
  -- Create a realm for the ACL ACL_SH_READ
  -- which is associated to the XS_SH_READ
  -- application role to see only those
  -- Sales History rows where the
  -- product is not a TV.
  l_realms(2) := XS$REALM_CONSTRAINT_TYPE(
    realm    => 'product NOT IN (''LCD TV'',''Plasma TV'')',
    acl_list => XS$NAME_LIST('ACL_SH_READ'));
  -- Create a constraint on the TOTAL_COST
  -- column based on the ACCESS_TOTAL_COST privilege.
  l_columns.EXTEND(1);
  l_columns(1) := XS$COLUMN_CONSTRAINT_TYPE(
    column_list => XS$LIST('TOTAL_COST'),
    privilege   => 'ACCESS_TOTAL_COST');
  XS_DATA_SECURITY.CREATE_POLICY(
    name                   => 'SH_DATA_SECURITY_POLICY',
    realm_constraint_list  => l_realms,
    column_constraint_list => l_columns);
END;
/
BEGIN
  XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'SH_DATA_SECURITY_POLICY',
    schema => 'SH',
    object => 'SALES_HISTORY');
END;
/
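The policy is only meaningful once an end user's identity is attached to a connection, which is what the LIGHTWEIGHT SESSIONS section above sets SEC_DISPATCHER up for. The block below is an added example, not code from the original page or the book; it does from PL/SQL with DBMS_XS_SESSIONS what a Java mid-tier does with the XSSessionManager: create a lightweight session for an application user, attach it, query the protected table, detach and destroy. It assumes the database session runs as a user holding the XS_SESSION_ADMIN privileges (for example SEC_DISPATCHER, once its SEC_POL schema exists and it can log in); the procedure name show_visible_rows and the output format are this example's own. From the policy just defined: MARY's ACL_SH_WRITE has realm 1 = 1 and ACCESS_TOTAL_COST, so she should see all 7 rows with TOTAL_COST populated, while ANTHONY's ACL_SH_READ excludes the two TV products and lacks ACCESS_TOTAL_COST, so he should see 4 rows with TOTAL_COST returned as NULL.

```sql
-- Added example (not from the original page): attach a lightweight session
-- for a given application user and report what the data security policy on
-- SH.SALES_HISTORY lets that user see. Dynamic SQL is used on purpose: the
-- table must be resolved after ATTACH_SESSION, with the application user's
-- roles in effect, not at compile time with the dispatcher's own privileges.
-- Assumption: the database session runs as a user with XS_SESSION_ADMIN
-- (e.g. SEC_DISPATCHER). Procedure name and output format are hypothetical.
SET SERVEROUTPUT ON
DECLARE
  PROCEDURE show_visible_rows(p_user IN VARCHAR2) IS
    l_sid        RAW(16);
    l_ras_user   VARCHAR2(128);
    l_rows       PLS_INTEGER;
    l_with_cost  PLS_INTEGER;
    l_tv_rows    PLS_INTEGER;
  BEGIN
    -- one lightweight session per end user; a connection pool would keep l_sid
    -- and re-attach it on each request instead of creating a new one every time
    DBMS_XS_SESSIONS.CREATE_SESSION(username => p_user, sessionid => l_sid);
    DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);

    -- the RAS identity now in effect on this (still pooled) database session
    SELECT XS_SYS_CONTEXT('XS$SESSION', 'USERNAME') INTO l_ras_user FROM DUAL;

    -- realm constraints decide which rows come back; the column constraint
    -- returns TOTAL_COST as NULL when the user's ACL lacks ACCESS_TOTAL_COST,
    -- so COUNT(total_cost) drops to zero for such a user
    EXECUTE IMMEDIATE
      'SELECT COUNT(*),
              COUNT(total_cost),
              SUM(CASE WHEN product IN (''LCD TV'',''Plasma TV'') THEN 1 ELSE 0 END)
         FROM sh.sales_history'
      INTO l_rows, l_with_cost, l_tv_rows;

    DBMS_OUTPUT.PUT_LINE(
      'RAS user ' || l_ras_user
      || ' (db session user ' || SYS_CONTEXT('USERENV', 'SESSION_USER') || ')'
      || ': rows=' || l_rows
      || ' tv_rows=' || l_tv_rows
      || ' rows_with_total_cost=' || l_with_cost);

    DBMS_XS_SESSIONS.DETACH_SESSION;
    DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
  EXCEPTION
    WHEN OTHERS THEN
      -- never leave another user's identity attached to the pooled connection
      BEGIN
        DBMS_XS_SESSIONS.DETACH_SESSION;
      EXCEPTION
        WHEN OTHERS THEN NULL;   -- nothing was attached
      END;
      IF l_sid IS NOT NULL THEN
        DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid, force => TRUE);
      END IF;
      RAISE;
  END;
BEGIN
  show_visible_rows('MARY');
  show_visible_rows('ANTHONY');
END;
/
```

Two things in this block matter beyond the demo itself. The detach in the exception handler is the security-relevant part of any pooling code: a connection returned to the pool with a lightweight session still attached hands the next request the previous user's rows. And SESSION_USER stays the dispatcher throughout, so audit and debugging code must read XS_SYS_CONTEXT('XS$SESSION','USERNAME') to learn who actually ran the statement.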
SET SERVEROUTPUT ON;
BEGIN
  IF (XS_DIAG.VALIDATE_WORKSPACE()) THEN
    DBMS_OUTPUT.PUT_LINE('All configurations are correct.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Some configurations are incorrect.');
  END IF;
END;
/
SELECT *
FROM xs$validation_table
ORDER BY 1, 2, 3, 4;

CODE
----------
DESCRIPTION
--------------------------------------------------------------------------------
OBJECT
--------------------------------------------------------------------------------
NOTE
--------------------------------------------------------------------------------
      1002
Reference does not exist
[Principal "SEC_DISPATCHER"]-->[Schema "SEC_POL"]

The single finding is the one noted earlier: the DLAU SEC_DISPATCHER is mapped to a schema SEC_POL that does not exist. Either create that schema or change the account's schema mapping before using the dispatcher; the data security policy itself validates cleanly.
Protecting Namespaces with ACLs
BEGIN
  XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'SH_NAMESPACE_CLASS',
    parent_list => NULL,
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE('MODIFY_NAMESPACE'),
                                     XS$PRIVILEGE('MODIFY_ATTRIBUTE')));
END;
/
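The security class above only defines the two privileges; nothing is protected until an ACL built on that class is attached to a namespace template and a session actually uses it. The following is an added example that completes the picture; it is not from the original page or the book. The ACL name SH_NS_ACL, the template SH_NS and the attribute REGION are hypothetical. The calls are the 12.1 XS_ACL, XS_NAMESPACE and DBMS_XS_SESSIONS procedures; check the parameter names against the reference for your release. The dispatcher part assumes a database session with XS_SESSION_ADMIN, as in the previous example.

```sql
-- Added example (not from the original page): protect a namespace with an ACL.
-- Step 1 (as sec_mgr): an ACL on SH_NAMESPACE_CLASS that lets only the
-- XS_SH_WRITE application role change the namespace and its attributes,
-- then a namespace template that uses that ACL.
DECLARE
  l_aces XS$ACE_LIST := XS$ACE_LIST();
BEGIN
  l_aces.EXTEND(1);
  l_aces(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('MODIFY_NAMESPACE', 'MODIFY_ATTRIBUTE'),
    principal_name => 'XS_SH_WRITE');
  XS_ACL.CREATE_ACL(name      => 'SH_NS_ACL',           -- hypothetical name
                    ace_list  => l_aces,
                    sec_class => 'SH_NAMESPACE_CLASS');

  -- template with one attribute REGION (hypothetical) and a default value;
  -- the ACL decides who may create the namespace in a session and set attributes
  XS_NAMESPACE.CREATE_TEMPLATE(
    name      => 'SH_NS',
    attr_list => XS$NS_ATTRIBUTE_LIST(XS$NS_ATTRIBUTE('REGION', 'UNSET')),
    acl       => 'SH_NS_ACL');
END;
/

-- Step 2 (in a dispatcher session holding XS_SESSION_ADMIN): MARY holds
-- XS_SH_WRITE and may create the namespace and set REGION; ANTHONY does
-- not, so his CREATE_NAMESPACE/SET_ATTRIBUTE should be refused.
SET SERVEROUTPUT ON
DECLARE
  PROCEDURE try_set_region(p_user IN VARCHAR2) IS
    l_sid   RAW(16);
    l_value VARCHAR2(4000);
  BEGIN
    DBMS_XS_SESSIONS.CREATE_SESSION(username => p_user, sessionid => l_sid);
    DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);
    BEGIN
      -- both calls are checked against SH_NS_ACL for the attached RAS user
      DBMS_XS_SESSIONS.CREATE_NAMESPACE(namespace => 'SH_NS');
      DBMS_XS_SESSIONS.SET_ATTRIBUTE(namespace => 'SH_NS',
                                     attribute => 'REGION',
                                     value     => 'EMEA');
    EXCEPTION
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE(p_user || ': namespace change refused: ' || SQLERRM);
    END;
    -- attribute values are read like an application context, via XS_SYS_CONTEXT
    SELECT XS_SYS_CONTEXT('SH_NS', 'REGION') INTO l_value FROM DUAL;
    DBMS_OUTPUT.PUT_LINE(p_user || ': REGION = ' || NVL(l_value, '<not set>'));
    DBMS_XS_SESSIONS.DETACH_SESSION;
    DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
  END;
BEGIN
  try_set_region('MARY');
  try_set_region('ANTHONY');
END;
/
```

The value of protecting the namespace this way is that policy predicates can trust it: a realm such as region = XS_SYS_CONTEXT('SH_NS','REGION') is only as strong as the rule for who may write REGION, and that rule now lives in an ACL rather than in application code.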
AUDITING IN ORACLE RAS
Default Audit Policies for Oracle RAS
Two default audit policies:
- ORA_RAS_POLICY_MGMT
- ORA_RAS_SESSION_MGMT
Reporting on Audit Events and Audit Policies in RAS
VALIDATING POLICIES AND TRACING IN ORACLE RAS
Omitted.