RAS (Real Application Security) is a new feature in 12c. Its defining qualities are that it is comprehensive and transparent to the application.

In a traditional Web application, switching database connections as end users change, while keeping each one's privileges correct, is too costly, so the single application account is usually granted every privilege any user might need. The result is over-privileging.

It is also hard to carry the end user's identity through to the database, so many Web applications simply drop it. That makes the application more complex, more error-prone and hard to audit.

ACCOUNT MANAGEMENT IN ORACLE RAS

The RAS authorization model is expressed as:

<Principal> perform <operation> on <data> subject to <privilege>

where the Principal is an application user or an application role.

Application users are of two kinds:

  1. Direct Login Application User (DLAU) account: can connect to the database but owns no objects; typically used as the connection-pool account.
  2. Simple Application User (SAU) account: corresponds to an end user; cannot connect to the database and holds no database privileges of its own.

Configuring DLAU Accounts

connect sys@sales as sysdba
grant xs_session_admin to sec_mgr;
connect sec_mgr@sales

BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'SH_DIRECT', schema => 'SH');
END;
/

-- XSGUEST is a predefined account that can be used for lightweight RAS sessions.
SELECT name, status, schema
FROM dba_xs_users
ORDER BY name;

NAME                 STATUS   SCHEMA
-------------------- -------- --------------------
SH_DIRECT            ACTIVE   SH
XSGUEST              ACTIVE

-- set the password
BEGIN
  SYS.XS_PRINCIPAL.SET_PASSWORD(user => 'SH_DIRECT', password => 'welcome1', type => XS_PRINCIPAL.XS_SALTED_SHA1);
END;
/

-- set the profile
BEGIN
  XS_PRINCIPAL.SET_PROFILE('SH_DIRECT', 'DEFAULT');
END;
/

-- grant CREATE SESSION through the predefined XSCONNECT role
BEGIN
  XS_PRINCIPAL.GRANT_ROLES('SH_DIRECT', 'XSCONNECT');
END;
/

Log in as the XS user. At the database layer the session user shows as XS$NULL, a built-in placeholder account that owns nothing and cannot itself log in; the RAS identity is only visible through XS_SYS_CONTEXT:

CONNECT sh_direct/welcome1@sales

SELECT SYS_CONTEXT('USERENV','SESSION_USER') SESSION_USER
     , XS_SYS_CONTEXT('XS$SESSION','USERNAME') RAS_SESSION_USER
     , SYS_CONTEXT('USERENV','CURRENT_SCHEMA') CURRENT_SCHEMA
FROM DUAL;

SESSION_USER    RAS_SESSION_USE CURRENT_SCHEMA
--------------- --------------- ---------------
XS$NULL         SH_DIRECT       SH

SELECT * FROM session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION

SELECT * FROM session_roles;

ROLE
--------------------------------------------------------------------------------
XS_CONNECT

select ora_invoking_user from dual;

ORA_INVOKING_USER
--------------------------------------------------------------------------------
XS$NULL

Configuring Simple Application User Accounts

Create two SAU accounts; they have no corresponding schema:

connect sec_mgr/welcome1@sales

BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'MARY');
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'ANTHONY');
END;
/

SELECT name, status, schema
FROM dba_xs_users
ORDER BY name;

NAME                 STATUS   SCHEMA
-------------------- -------- --------------------
ANTHONY              ACTIVE
MARY                 ACTIVE
ORACLE11_USER        ACTIVE   SH
SH_DIRECT            ACTIVE   SH
XSGUEST              ACTIVE

ORACLE RAS ROLES

Unlike traditional object grants, RAS users receive privileges through RAS (application) roles. The chain is: database privileges are granted to an ordinary database role, that database role is granted to an application role, and the application role is granted to the application user.

CREATE ROLE db_sh_read;
CREATE ROLE db_sh_write;

GRANT SELECT
ON sh.sales_history
TO db_sh_read;

GRANT SELECT, INSERT, UPDATE, DELETE
ON sh.sales_history
TO db_sh_write;

BEGIN
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'XS_SH_READ',  enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'XS_SH_WRITE', enabled => TRUE);
END;
/

GRANT db_sh_read  TO xs_sh_read;
GRANT db_sh_write TO xs_sh_write;

SELECT name, default_enabled
FROM dba_xs_roles
ORDER BY name;

NAME                 DEF
-------------------- ---
XSBYPASS             NO
XSCACHEADMIN         YES
XSCONNECT            YES
XSDISPATCHER         YES
XSNAMESPACEADMIN     YES
XSPROVISIONER        YES
XSPUBLIC             YES
XSSESSIONADMIN       YES
XS_SH_READ           YES
XS_SH_WRITE          YES

10 rows selected.

BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'MARY',    role => 'XS_SH_WRITE');
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'ANTHONY', role => 'XS_SH_READ');
END;
/

SELECT grantee, granted_role
FROM dba_xs_role_grants
ORDER BY grantee, granted_role;

GRANTEE              GRANTED_ROLE
-------------------- --------------------
ANTHONY              XSPUBLIC
ANTHONY              XS_SH_READ
MARY                 XSPUBLIC
MARY                 XS_SH_WRITE
ORACLE11_USER        XSPUBLIC
SH_DIRECT            XSCONNECT
SH_DIRECT            XSPUBLIC
XSCACHEADMIN         XS_CACHE_ADMIN
XSCONNECT            XS_CONNECT
XSDISPATCHER         XS_CACHE_ADMIN
XSDISPATCHER         XS_NAMESPACE_ADMIN
XSDISPATCHER         XS_SESSION_ADMIN
XSSESSIONADMIN       XS_SESSION_ADMIN
XS_SH_READ           DB_SH_READ
XS_SH_WRITE          DB_SH_WRITE

15 rows selected.

SELECT privilege
FROM dba_xs_aces
WHERE principal = 'XSPUBLIC';

PRIVILEGE
--------------------------------------------------------------------------------
ADMIN_NAMESPACE

Role Management Procedures in Package XS_PRINCIPAL

These include XS_PRINCIPAL.CREATE_ROLE, XS_PRINCIPAL.GRANT_ROLES and XS_PRINCIPAL.ENABLE_ROLES_BY_DEFAULT, among others.

Oracle 12c RAS also introduces dynamic application roles. A dynamic role is not granted to users or roles; instead the application enables it inside a RAS lightweight session, for that session only.

Out-of-the-Box Roles in Oracle RAS

The most common way to implement Oracle RAS in the application tier is with Java.

LIGHTWEIGHT SESSIONS IN ORACLE RAS

Setting Privileges for Direct Login Application User Accounts

Keep the SH_DIRECT account created earlier as the connection-pool user, and create a new user SEC_DISPATCHER to act as the session manager.

CONNECT sec_mgr/welcome1@sales

-- create the DLAU account
BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'SEC_DISPATCHER', schema => 'SEC_POL');
END;
/

-- set the password for the DLAU account
BEGIN
  SYS.XS_PRINCIPAL.SET_PASSWORD(user => 'SEC_DISPATCHER', password => 'welcome1', type => XS_PRINCIPAL.XS_SALTED_SHA1);
END;
/

-- grant the roles for session
-- and cache administration
BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'SEC_DISPATCHER', role => 'XSSESSIONADMIN');
END;
/

BEGIN
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'SEC_DISPATCHER', role => 'XSCACHEADMIN');
END;
/

SELECT grantee, granted_role
FROM dba_xs_role_grants
WHERE grantee = 'SEC_DISPATCHER'
ORDER BY grantee, granted_role;

GRANTEE              GRANTED_ROLE
-------------------- --------------------
SEC_DISPATCHER       XSCACHEADMIN
SEC_DISPATCHER       XSPUBLIC
SEC_DISPATCHER       XSSESSIONADMIN

SEC_DISPATCHER exists only to create and manage lightweight sessions; it has nothing to do with the SH schema. Note that, unlike SH_DIRECT, it has not been granted XSCONNECT here, so as configured it holds no CREATE SESSION privilege.
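The page defers session handling to Java, but the same lifecycle (create, attach, work, detach, destroy) can be exercised from SQL*Plus with the DBMS_XS_SESSIONS package, which is also the place where a dynamic application role from the previous section gets enabled. The following is an added example, not code from the book or from the original post. It assumes sec_mgr holds the XS_SESSION_ADMIN role granted at the top of the page (the XSSESSIONADMIN application role gives a DLAU such as SEC_DISPATCHER the same capability) and that the SAU MARY exists; the dynamic role XS_SH_ELEVATED is a hypothetical name introduced here.

```sql
-- Added example: lightweight-session lifecycle from PL/SQL, plus a dynamic role.
-- Assumes sec_mgr has XS_SESSION_ADMIN and MARY exists (both set up above).
-- XS_SH_ELEVATED is hypothetical and created here.
CONNECT sec_mgr/welcome1@sales

BEGIN
  -- A dynamic role is never granted to a principal; the application enables it
  -- per session. duration is in minutes; SESSION_SCOPE lasts until detach.
  SYS.XS_PRINCIPAL.CREATE_DYNAMIC_ROLE(name     => 'XS_SH_ELEVATED',
                                       duration => 60,
                                       scope    => XS_PRINCIPAL.SESSION_SCOPE);
END;
/

SET SERVEROUTPUT ON
DECLARE
  l_sid   RAW(16);
  l_roles VARCHAR2(4000);
BEGIN
  -- 1. Create the lightweight session for the end user. No database logon
  --    happens for MARY; she has no database privileges of her own.
  DBMS_XS_SESSIONS.CREATE_SESSION(username => 'MARY', sessionid => l_sid);

  -- 2. Attach it to this database session. From here on RAS evaluates
  --    privileges and data-security policies as MARY, while the database
  --    session user is still the pooled account.
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);
  DBMS_OUTPUT.PUT_LINE('DB session user : ' || SYS_CONTEXT('USERENV', 'SESSION_USER'));
  DBMS_OUTPUT.PUT_LINE('RAS session user: ' || XS_SYS_CONTEXT('XS$SESSION', 'USERNAME'));

  -- 3. Enable the dynamic role for this session only, then list what is active
  --    (sec_mgr can read the DBA_XS_* views, as the queries above show).
  DBMS_XS_SESSIONS.ENABLE_ROLE(role => 'XS_SH_ELEVATED');
  SELECT LISTAGG(role, ',') WITHIN GROUP (ORDER BY role)
    INTO l_roles
    FROM dba_xs_session_roles
   WHERE sessionid = l_sid;
  DBMS_OUTPUT.PUT_LINE('Enabled roles   : ' || l_roles);

  -- 4. Detach so the pooled connection can serve another end user; destroy
  --    the session when the end user's work is finished.
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
END;
/
```

The detach step is the one a pooled application must never skip: a session left attached means the next request served by that connection runs as the previous end user.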

Lightweight Session Management in Java

Namespaces in Oracle RAS

A RAS namespace is similar to an application context, but the former is scoped to a lightweight session (its attribute values travel with that session and vanish when it is destroyed), whereas the latter belongs to the whole database session.

Server-Side Event Handling and Namespaces in Oracle RAS

Session Performance in Oracle RAS

Oracle RAS covers the same ground as Oracle Proxy Authentication (one pooled connection acting on behalf of many end users) but is more complete and performs better, because switching between lightweight sessions does not create a new database session.

PRIVILEGE MANAGEMENT AND DATA SECURITY IN ORACLE RAS

select * from sh.sales_history order by product;

PRODUCT                        SALES_DAT   QUANTITY TOTAL_COST
------------------------------ --------- ---------- ----------
Cell Phone                     09-AUG-20          2        300
LCD TV                         11-AUG-20          7       3500
LCD TV                         11-JUL-20         23      12500
Plasma TV                      11-JUL-20          7      12000
Speakers                       11-APR-20          4        521
Stereo                         02-AUG-20          1        100
Walkman                        12-AUG-20          5        250

7 rows selected.

Security Classes, Application Privileges, and ACLs

The security class SH_SECURITY_CLASS inherits the standard DML privileges (SELECT, INSERT, UPDATE, DELETE) from SYS.DML and adds one application privilege, ACCESS_TOTAL_COST, that will later gate the TOTAL_COST column. An ACL binds a list of ACEs (a principal plus the privileges granted to it) to such a class:

connect sec_mgr/welcome1@sales

BEGIN
  XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'SH_SECURITY_CLASS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE('ACCESS_TOTAL_COST')));
END;
/

DECLARE
  l_access_control_entries XS$ACE_LIST := XS$ACE_LIST();
BEGIN
  l_access_control_entries.EXTEND(1);
  -- Create an access control entry (ACE) for the XS_SH_WRITE application role
  -- to perform SELECT and UPDATE and to view the TOTAL_COST column.
  l_access_control_entries(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('SELECT', 'UPDATE', 'ACCESS_TOTAL_COST'),
    principal_name => 'XS_SH_WRITE');
  -- Create an ACL with this ACE and associate the ACL with the SH security class.
  XS_ACL.CREATE_ACL(name      => 'ACL_SH_WRITE',
                    ace_list  => l_access_control_entries,
                    sec_class => 'SH_SECURITY_CLASS');
  -- Create an ACE for the XS_SH_READ application role to perform SELECT only.
  l_access_control_entries(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('SELECT'),
    principal_name => 'XS_SH_READ');
  -- Create an ACL with this ACE and associate the ACL with the SH security class.
  XS_ACL.CREATE_ACL(name      => 'ACL_SH_READ',
                    ace_list  => l_access_control_entries,
                    sec_class => 'SH_SECURITY_CLASS');
END;
/

Data Security Policies

A data security policy is a list of realm constraints (a row-filter predicate plus the ACLs that govern the matching rows) and column constraints (a list of columns gated by an application privilege). Once created, it is applied to a table:

DECLARE
  l_realms  XS$REALM_CONSTRAINT_LIST  := XS$REALM_CONSTRAINT_LIST();
  l_columns XS$COLUMN_CONSTRAINT_LIST := XS$COLUMN_CONSTRAINT_LIST();
BEGIN
  l_realms.EXTEND(2);
  -- Realm for ACL_SH_WRITE (associated with the XS_SH_WRITE application role):
  -- all rows in Sales History.
  l_realms(1) := XS$REALM_CONSTRAINT_TYPE(
    realm    => '1 = 1',
    acl_list => XS$NAME_LIST('ACL_SH_WRITE'));
  -- Realm for ACL_SH_READ (associated with the XS_SH_READ application role):
  -- only those Sales History rows whose product is not a TV.
  l_realms(2) := XS$REALM_CONSTRAINT_TYPE(
    realm    => 'product NOT IN (''LCD TV'',''Plasma TV'')',
    acl_list => XS$NAME_LIST('ACL_SH_READ'));
  -- Column constraint: TOTAL_COST is visible only to principals holding
  -- the ACCESS_TOTAL_COST privilege.
  l_columns.EXTEND(1);
  l_columns(1) := XS$COLUMN_CONSTRAINT_TYPE(
    column_list => XS$LIST('TOTAL_COST'),
    privilege   => 'ACCESS_TOTAL_COST');
  XS_DATA_SECURITY.CREATE_POLICY(
    name                   => 'SH_DATA_SECURITY_POLICY',
    realm_constraint_list  => l_realms,
    column_constraint_list => l_columns);
END;
/

BEGIN
  XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'SH_DATA_SECURITY_POLICY',
    schema => 'SH',
    object => 'SALES_HISTORY');
END;
/

Validate the whole RAS workspace and read the findings from xs$validation_table:

SET SERVEROUTPUT ON;
BEGIN
  IF (XS_DIAG.VALIDATE_WORKSPACE()) THEN
    DBMS_OUTPUT.PUT_LINE('All configurations are correct.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Some configurations are incorrect.');
  END IF;
END;
/

SELECT *
FROM xs$validation_table
ORDER BY 1, 2, 3, 4;

CODE        DESCRIPTION                  OBJECT                                              NOTE
----------  ---------------------------  --------------------------------------------------  ----
1002        Reference does not exist     [Principal "SEC_DISPATCHER"]-->[Schema "SEC_POL"]

The one finding is real: SEC_DISPATCHER was created with schema => 'SEC_POL', but no SEC_POL schema exists in this database. Create that schema (or recreate the principal pointing at an existing one) and re-run XS_DIAG.VALIDATE_WORKSPACE until it reports that all configurations are correct.
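Validation only checks that the configuration is consistent; it does not show what an end user actually sees. The following is an added example, not code from the book or from the original post, that exercises SH_DATA_SECURITY_POLICY from a lightweight session for each SAU. It assumes everything created above (MARY with XS_SH_WRITE, ANTHONY with XS_SH_READ, the two ACLs and the applied policy) and that sec_mgr holds XS_SESSION_ADMIN. By the policy's own definition, MARY's realm is `1 = 1` and her ACL carries ACCESS_TOTAL_COST, so she sees every row with its cost; ANTHONY's realm excludes the TV rows and his ACL lacks ACCESS_TOTAL_COST, so the TV rows are not returned to him and TOTAL_COST comes back as NULL on the rest.

```sql
-- Added example: observe the data security policy from two lightweight sessions.
-- Assumes the principals, ACLs and policy created above, and that sec_mgr
-- holds XS_SESSION_ADMIN (granted at the top of the page).
CONNECT sec_mgr/welcome1@sales
SET SERVEROUTPUT ON

DECLARE
  PROCEDURE query_as(p_user IN VARCHAR2) IS
    l_sid  RAW(16);
    l_rows PLS_INTEGER;
    l_tvs  PLS_INTEGER;
    l_cost NUMBER;
  BEGIN
    DBMS_XS_SESSIONS.CREATE_SESSION(username => p_user, sessionid => l_sid);
    DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);

    -- Dynamic SQL so this block compiles even though sec_mgr itself holds no
    -- SELECT on SH.SALES_HISTORY: the statement is resolved at run time inside
    -- the attached RAS session, with the end user's application roles.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*),
              SUM(CASE WHEN product IN (''LCD TV'', ''Plasma TV'') THEN 1 ELSE 0 END),
              SUM(total_cost)
         FROM sh.sales_history'
      INTO l_rows, l_tvs, l_cost;

    DBMS_OUTPUT.PUT_LINE(RPAD(XS_SYS_CONTEXT('XS$SESSION', 'USERNAME'), 10)
      || ' rows=' || l_rows
      || ' tv_rows=' || l_tvs                       -- realm constraint in effect?
      || ' sum(total_cost)=' || NVL(TO_CHAR(l_cost), 'NULL (column masked)'));

    DBMS_XS_SESSIONS.DETACH_SESSION;
    DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
  END;
BEGIN
  query_as('MARY');     -- ACL_SH_WRITE: realm '1 = 1', has ACCESS_TOTAL_COST
  query_as('ANTHONY');  -- ACL_SH_READ: TV rows excluded, no ACCESS_TOTAL_COST
END;
/
```

In production code the detach and destroy calls belong in an exception handler as well, so that a failing query never leaves the end user's session attached to the pooled connection.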

Protecting Namespaces with ACLs

BEGIN
  XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'SH_NAMESPACE_CLASS',
    parent_list => NULL,
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE('MODIFY_NAMESPACE'),
                                     XS$PRIVILEGE('MODIFY_ATTRIBUTE')));
END;
/
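The page stops at the security class. To actually protect a namespace, an ACL of that class is attached to a namespace template, and the session-scoped behaviour described under "Namespaces in Oracle RAS" can then be seen from inside a lightweight session. The following is an added example, not code from the book or from the original post. It assumes SH_NAMESPACE_CLASS from above, the application role XS_SH_WRITE (held by MARY) and XS_SH_READ (held by ANTHONY), and that sec_mgr holds XS_SESSION_ADMIN; the ACL SH_NS_ACL, the namespace SH_CTX and its attribute REGION are names introduced here.

```sql
-- Added example: an ACL-protected namespace template, used from a lightweight session.
-- Assumes SH_NAMESPACE_CLASS, XS_SH_WRITE/XS_SH_READ, MARY/ANTHONY and
-- sec_mgr's XS_SESSION_ADMIN from above. SH_NS_ACL, SH_CTX, REGION are new names.
CONNECT sec_mgr/welcome1@sales
SET SERVEROUTPUT ON

DECLARE
  l_aces  XS$ACE_LIST          := XS$ACE_LIST();
  l_attrs XS$NS_ATTRIBUTE_LIST := XS$NS_ATTRIBUTE_LIST();
BEGIN
  -- Only XS_SH_WRITE may create the namespace in a session and change its attributes.
  l_aces.EXTEND(1);
  l_aces(1) := XS$ACE_TYPE(
    privilege_list => XS$NAME_LIST('MODIFY_NAMESPACE', 'MODIFY_ATTRIBUTE'),
    principal_name => 'XS_SH_WRITE');
  XS_ACL.CREATE_ACL(name => 'SH_NS_ACL', ace_list => l_aces, sec_class => 'SH_NAMESPACE_CLASS');

  -- The template declares the attribute and its default. Values set later live
  -- only in the lightweight session, unlike a database-wide application context.
  l_attrs.EXTEND(1);
  l_attrs(1) := XS$NS_ATTRIBUTE(name => 'REGION', default_value => 'UNSET');
  XS_NAMESPACE.CREATE_TEMPLATE(name => 'SH_CTX', attr_list => l_attrs, acl => 'SH_NS_ACL');
END;
/

DECLARE
  l_sid RAW(16);
BEGIN
  -- MARY (XS_SH_WRITE) is allowed by SH_NS_ACL.
  DBMS_XS_SESSIONS.CREATE_SESSION(username => 'MARY', sessionid => l_sid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE(namespace => 'SH_CTX');                    -- MODIFY_NAMESPACE
  DBMS_OUTPUT.PUT_LINE('MARY default REGION = ' || XS_SYS_CONTEXT('SH_CTX', 'REGION'));
  DBMS_XS_SESSIONS.SET_ATTRIBUTE(namespace => 'SH_CTX', attribute => 'REGION',
                                 value => 'EMEA');                               -- MODIFY_ATTRIBUTE
  DBMS_OUTPUT.PUT_LINE('MARY REGION now     = ' || XS_SYS_CONTEXT('SH_CTX', 'REGION'));
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);

  -- ANTHONY (XS_SH_READ) has no ACE in SH_NS_ACL, so the same call is denied.
  DBMS_XS_SESSIONS.CREATE_SESSION(username => 'ANTHONY', sessionid => l_sid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);
  BEGIN
    DBMS_XS_SESSIONS.CREATE_NAMESPACE(namespace => 'SH_CTX');
    DBMS_OUTPUT.PUT_LINE('unexpected: ANTHONY created SH_CTX');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('ANTHONY denied: ' || SQLERRM);
  END;
  DBMS_XS_SESSIONS.DETACH_SESSION;
  DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
END;
/
```

Because the attribute is read back with XS_SYS_CONTEXT on the attached session, a data security realm predicate can reference it (for example a realm of `region = XS_SYS_CONTEXT('SH_CTX','REGION')`), which is the usual reason to protect who may write it.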

AUDITING IN ORACLE RAS

Default Audit Policies for Oracle RAS

There are two predefined audit policies for RAS:

  • ORA_RAS_POLICY_MGMT
  • ORA_RAS_SESSION_MGMT

Reporting on Audit Events and Audit Policies in RAS
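The two predefined policies above are not enabled by default, and the page gives no report query. The following is an added example, not code from the book or from the original post, that enables them, lists what each one audits, and reports the captured RAS events with both the database account that held the connection and the RAS end user attached at the time. It assumes unified auditing is in use and that the caller has the AUDIT_ADMIN role (for the AUDIT POLICY statements) and may read the audit views.

```sql
-- Added example: enable the predefined RAS audit policies and report on them.
-- Assumes unified auditing and an AUDIT_ADMIN caller.
CONNECT sys@sales as sysdba

-- Enabling is one-time DDL; events are captured only from this point on.
AUDIT POLICY ORA_RAS_POLICY_MGMT;
AUDIT POLICY ORA_RAS_SESSION_MGMT;

-- What do the predefined policies actually cover?
SELECT policy_name, audit_option
FROM   audit_unified_policies
WHERE  policy_name IN ('ORA_RAS_POLICY_MGMT', 'ORA_RAS_SESSION_MGMT')
ORDER BY policy_name, audit_option;

-- In queued-write mode recent records may still be in memory; flush them first.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Which RAS events fired, by which end user, through which database account?
SELECT event_timestamp,
       dbusername,               -- the DLAU or DB account holding the connection
       xs_user_name,             -- the RAS application user attached at the time
       action_name,
       return_code,              -- non-zero means the action was denied or failed
       unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ORA_RAS%'
ORDER BY event_timestamp;
```

The XS_USER_NAME column is the point of the exercise: it is what restores the end-user accountability that the introduction says traditional pooled Web applications lose.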

VALIDATING POLICIES AND TRACING IN ORACLE RAS

Omitted.
