Oracle LiveLabs lab: DB Security - Oracle Label Security (OLS)
Overview
The lab can be requested here; the allotted time is 30 minutes.
This lab is also Lab 7 of the DB Security Advanced workshop.
The lab guide is here.
This lab uses Oracle Database 19.13 and Oracle Enterprise Manager 13.5.
Introduction
This workshop introduces the various features and capabilities of Oracle Label Security (OLS). It gives users the opportunity to learn how to configure these features to protect their sensitive data, help track consent, and enforce processing restrictions required by regulations such as the General Data Protection Regulation (GDPR).
Task 1: Simple CRM Application
Different applications serve different purposes:
- User application
  - Application: users set their preferences to consent to marketing or to data processing, or ask to be forgotten
  - User label: NCNST::DP; database user: APPPREFERENCE
- Email marketing
  - Application: can only access users who have consented to the processing of their data, specifically for email marketing
  - User label: CONS::EMAIL; database user: APPMKT
- Business intelligence
  - Application: can access all users who have consented to the processing of their data
  - User label: CONS::DP; database user: APPBI
- Anonymizer
  - Batch process that anonymizes user records and sets the data label to ANON::
  - User label: FORGET::; database user: APPFORGET
Although we provide scripts that run the whole lab end to end in an automated way, it is strongly recommended that you open them one at a time and copy/execute the code blocks one by one. That way you will better understand the building blocks of this exercise. If you decide to run the scripts one by one, you can always look at the log files (.out) for the details.
Enter the lab directory:
sudo su - oracle
cd $DBSEC_LABS/label-security
First set up the Label Security environment; the output goes to ols_setup_env.out:
./ols_setup_env.sh
The script above:
- Creates the C##OSCAR_OLS user (in the CDB), creates the tables, loads the data and creates the users (in the PDB) that will be used to demonstrate the different scenarios; it also configures and enables OLS
- Calls the load_crm_customer_data.sql script to create the CRM_CUSTOMER table in the APPCRM schema and insert 391 rows
Next, you will create the Label Security policy. A policy consists of levels, groups and/or compartments. The only mandatory component of a policy is at least one level:
./ols_create_policy.sh
The output is:
==============================================================================
Create the Label Security policy "OLS_DEMO_GDPR"...
==============================================================================

CON_NAME
------------------------------
PDB1

USER is "C##OSCAR_OLS"

-------------------------------------------
. STEP 1: CREATE OLS POLICY (OLS_DEMO_GDPR)
-------------------------------------------
PL/SQL procedure successfully completed.

-------------------------------------------
. STEP 2: CREATE LEVELS
10 - CONSENT (CNST)
20 - ANONYMIZED (ANON)
30 - FORGET (FRGT)
40 - NOCONSENT (NCNST)
-------------------------------------------
... Create CONSENT level
PL/SQL procedure successfully completed.
... Create ANONYMIZED level
PL/SQL procedure successfully completed.
... Create FORGET level
PL/SQL procedure successfully completed.
... Create NOCONSENT level
PL/SQL procedure successfully completed.

---------------------------------------------------------
. STEP 3: CREATE GROUPS
Here we used a hierarchy of groups to control
which data can be processed (based on given consent):
1000 - DATA_PROCESSING (DT_PROD)
1100 - CAMPAIGN_MGMT (CAMP_MGMT)
1110 - EMAIL
1120 - POST_MAIL
1130 - WEB_ADS
1200 - ANALYTICS
1210 - RECOMMENDATION_ENGINE (REC_ENGINE)
1300 - THIRDPARTY
1310 - CONTACT_DETAILS (CONTACT_DET)
1320 - PREFERENCE_DETAILS (PREF_DETAILS)
1330 - PURCHASE_HIST (PURCH_HIST)
---------------------------------------------------------
... Create DATA_PROCESSING group
PL/SQL procedure successfully completed.
... ... Create CAMPAIGN_MGMT group
PL/SQL procedure successfully completed.
... ... ... Create EMAIL group
PL/SQL procedure successfully completed.
... ... ... Create POST_MAIL group
PL/SQL procedure successfully completed.
... ... ... Create ONLINE_ADS group
PL/SQL procedure successfully completed.
... ... Create ANALYTICS group
PL/SQL procedure successfully completed.
... ... ... Create REC_ENGINE group
PL/SQL procedure successfully completed.
... ... Create THIRDPARTY group
PL/SQL procedure successfully completed.
... ... ... Create CONTACT_DETAILS group
PL/SQL procedure successfully completed.
... ... ... Create PREFERENCE_DETAILS group
PL/SQL procedure successfully completed.
... ... ... Create PURCHASE_HIST group
PL/SQL procedure successfully completed.

------------------------------------------------------------
. STEP 4: CREATE LABELS
The label is automatically designated as a valid data label
This functionality limits the labels that can be assigned to data
If a user widthraws consent the row label will have that compartment removed
Allowed Labels (Trim down/add to suite the use cases):
CNST:: 500
FORGET:: 700
ANON:: 800
NOCONSENT:: 999
---------
CNST::DT_PROC 1000
CNST::CAMP_MGMT 1100
CNST::EMAIL 1110
CNST::POST_MAIL 1120
CNST::WEB_ADS 1130
CNST::EMAIL,POST_MAIL 1140
CNST::EMAIL,ANALYTICS 1145
CNST::EMAIL,WEB_ADS 1150
CNST::CAMP_MGMT,ANALYTICS,THIRDPARTY 1160
CNST::CAMP_MGMT,ANALYTICS 1170
CNST::CAMP_MGMT,THIRDPARTY 1180
CNST::ANALYTICS,THIRDPARTY 1190
CNST::POST_MAIL,WEB_ADS 1195
---------
CNST::ANALYTICS 1200
CNST::REC_ENGINE 1210
---------
CNST::THIRDPARTY 1300
CNST::CONTACT_DETAILS 1310
CNST::PREF_DETAILS 1320
CNST::PURCH_HIST 1330
CNST::CONTACT_DETAILS,PREF_DETAILS 1340
CNST::CONTACT_DETAILS,PURCH_HIST 1350
CNST::PREF_DETAILS,PURCH_HIST 1360
------------------------------------------------------------
...

. STEP 5: ASSING LEVELS TO USERS
Users                | Levels
---------------------|------------------------------------------------
APPPREFERENCE        | Can process all data
                     | . Level Min (CNST) and Level Max (NCNST)
                     | . Group (DT_PROC)
---------------------|------------------------------------------------
APPFORGET            | Can process data marked as to be forgotten
                     | . Level Min (ANON) and Level Max (FRGT)
---------------------|------------------------------------------------
APPMKT               | Can process data belonging to group EMAIL only
                     | . Level Min (CNST) and Level Max (CNST)
                     | . Group (EMAIL)
---------------------|------------------------------------------------
APPBI                | Can process data belonging to group ANALYTICS
                     | . Level Min (ANON) and Level Max (ANON)
                     | . Group (ANALYTICS)
---------------------|------------------------------------------------
APP3RD               | Can process data belonging to group THIRDPARTY
                     | . Level Min (CNST) and Level Max (CNST)
                     | . Group (THIRDPARTY)
------------------------------------------------------------------------
... Set Levels for APPPREFERENCE
PL/SQL procedure successfully completed.
... ... prompt Set Group for APPPREFERENCE
PL/SQL procedure successfully completed.
... Set Level for APPFORGET
PL/SQL procedure successfully completed.
... Set Level for APPMKT
PL/SQL procedure successfully completed.
... ... Set Group for APPMKT
PL/SQL procedure successfully completed.
... Set Level for APPBI
PL/SQL procedure successfully completed.
... ... Set Group for APPBI
PL/SQL procedure successfully completed.
... Set Level for APP3RD
PL/SQL procedure successfully completed.
... ... Set Group for APP3RD
PL/SQL procedure successfully completed.

----------------------------------------------------
. STEP 6: APPLY THE OLS POLICY
----------------------------------------------------
PL/SQL procedure successfully completed.
This script creates the policy (levels, groups and labels), sets the levels and groups for the users, and applies the policy to the APPCRM.CRM_CUSTOMER table. For each step, you can review the output of the script you ran (for example, "more ols_create_policy.out").
Next we must label the data... We use the policy we created and apply a level, optionally one or more compartments, and optionally one or more groups.
The output is as follows:
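To make the six steps concrete, here is the same policy built directly with the documented OLS PL/SQL packages. This is an added example and not the lab's own ols_create_policy.sh: the level and group numbers, short names, label tags and user authorizations follow the output above, while the policy options (READ_CONTROL,WRITE_CONTROL), the parent assigned to each group and the reduced set of groups and labels are assumptions. It is meant to be run in the PDB as an OLS administrator holding the LBAC_DBA role, as the lab's C##OSCAR_OLS user does.

```sql
-- Added example (not the lab's script). Run as an OLS administrator (LBAC_DBA) in the PDB.
-- STEP 1: create the policy and name its label column. The options are an assumption:
-- READ_CONTROL filters SELECTs by session label, WRITE_CONTROL filters DML the same way.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'OLS_DEMO_GDPR',
    column_name     => 'GDPR_COL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

BEGIN
  -- STEP 2: levels (the only mandatory component); a higher number dominates a lower one,
  -- so a session whose max level is FRGT (30) can also read ANON (20) and CNST (10) rows.
  SA_COMPONENTS.CREATE_LEVEL('OLS_DEMO_GDPR', 10, 'CNST',  'CONSENT');
  SA_COMPONENTS.CREATE_LEVEL('OLS_DEMO_GDPR', 20, 'ANON',  'ANONYMIZED');
  SA_COMPONENTS.CREATE_LEVEL('OLS_DEMO_GDPR', 30, 'FRGT',  'FORGET');
  SA_COMPONENTS.CREATE_LEVEL('OLS_DEMO_GDPR', 40, 'NCNST', 'NOCONSENT');

  -- STEP 3: group hierarchy (parent assignments assumed). A user authorized for a parent
  -- group can read rows labeled with any of its child groups, which is why DT_PROC alone
  -- gives APPPREFERENCE access to every consented row.
  SA_COMPONENTS.CREATE_GROUP('OLS_DEMO_GDPR', 1000, 'DT_PROC',    'DATA_PROCESSING');
  SA_COMPONENTS.CREATE_GROUP('OLS_DEMO_GDPR', 1100, 'CAMP_MGMT',  'CAMPAIGN_MGMT', 'DT_PROC');
  SA_COMPONENTS.CREATE_GROUP('OLS_DEMO_GDPR', 1110, 'EMAIL',      'EMAIL',         'CAMP_MGMT');
  SA_COMPONENTS.CREATE_GROUP('OLS_DEMO_GDPR', 1200, 'ANALYTICS',  'ANALYTICS',     'DT_PROC');
  SA_COMPONENTS.CREATE_GROUP('OLS_DEMO_GDPR', 1300, 'THIRDPARTY', 'THIRDPARTY',    'DT_PROC');

  -- STEP 4: valid data labels (tag, label string). Only labels created here may be
  -- assigned to rows, which is what keeps ad-hoc labels such as CNST::FOO out of the table.
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR',  700, 'FRGT');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR',  800, 'ANON');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR',  999, 'NCNST');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR', 1000, 'CNST::DT_PROC');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR', 1110, 'CNST::EMAIL');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR', 1145, 'CNST::EMAIL,ANALYTICS');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR', 1200, 'CNST::ANALYTICS');
  SA_LABEL_ADMIN.CREATE_LABEL('OLS_DEMO_GDPR', 1300, 'CNST::THIRDPARTY');
END;
/

BEGIN
  -- STEP 5: user authorizations. SET_LEVELS takes (policy, user, max_level, min_level);
  -- SET_GROUPS takes (policy, user, read_groups). Values follow the STEP 5 table above.
  SA_USER_ADMIN.SET_LEVELS('OLS_DEMO_GDPR', 'APPPREFERENCE', 'NCNST', 'CNST');
  SA_USER_ADMIN.SET_GROUPS('OLS_DEMO_GDPR', 'APPPREFERENCE', 'DT_PROC');
  SA_USER_ADMIN.SET_LEVELS('OLS_DEMO_GDPR', 'APPFORGET',     'FRGT',  'ANON');   -- no groups
  SA_USER_ADMIN.SET_LEVELS('OLS_DEMO_GDPR', 'APPMKT',        'CNST',  'CNST');
  SA_USER_ADMIN.SET_GROUPS('OLS_DEMO_GDPR', 'APPMKT',        'EMAIL');
  SA_USER_ADMIN.SET_LEVELS('OLS_DEMO_GDPR', 'APPBI',         'ANON',  'ANON');
  SA_USER_ADMIN.SET_GROUPS('OLS_DEMO_GDPR', 'APPBI',         'ANALYTICS');
  SA_USER_ADMIN.SET_LEVELS('OLS_DEMO_GDPR', 'APP3RD',        'CNST',  'CNST');
  SA_USER_ADMIN.SET_GROUPS('OLS_DEMO_GDPR', 'APP3RD',        'THIRDPARTY');

  -- STEP 6: attach the policy to the table. From here on every query against
  -- APPCRM.CRM_CUSTOMER is filtered by the caller's session label.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'OLS_DEMO_GDPR',
    schema_name => 'APPCRM',
    table_name  => 'CRM_CUSTOMER');
END;
/
```

After running it, the data dictionary views DBA_SA_LEVELS, DBA_SA_GROUPS, DBA_SA_LABELS, DBA_SA_USER_LEVELS, DBA_SA_USER_GROUPS and DBA_SA_TABLE_POLICIES show what was created, which is the quickest way to check that each step really landed before labeling any data. Note that APPFORGET deliberately has no groups: a row labeled CNST::ANALYTICS carries a group, and a session with no matching group cannot read it even though its level dominates CNST, which is exactly the 15-row result the "FORGET App" query shows later.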
==============================================================================
Label the data...
==============================================================================

CON_NAME
------------------------------
PDB1

USER is "SYS"

-- . ANON - Already anonymized: 10 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','ANON')
where customerid between 51 and 60;

10 rows updated.

-- . CNST::ANALYTICS - Consented to be processed for analytics: 200 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::ANALYTICS')
where customerid between 66 and 265;

200 rows updated.

. CNST::EMAIL - Consented to be processed for email: 123 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL')
where customerid between 266 and 388;

123 rows updated.

. CNST::EMAIL,ANALYTICS - Consented to be processed for email and bi: 3 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL,ANALYTICS')
where customerid >= 389;

3 rows updated.

-- . FRGT - Asked to be forgotten: 5 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','FRGT')
where customerid between 61 and 65;

5 rows updated.

-- . NCNST - Did not consent or revoked consent: 50 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET GDPR_COL = CHAR_TO_LABEL('OLS_DEMO_GDPR','NCNST')
where customerid between 1 and 50;

50 rows updated.

Commit complete.

. Show the count per Label
SQL>
SELECT LABEL_TO_CHAR (GDPR_COL) label, count(*) count
FROM APPCRM.CRM_CUSTOMER
GROUP BY GDPR_COL
ORDER BY label;

LABEL                                              COUNT
-------------------------------------------------- --------
ANON                                               10
CNST::ANALYTICS                                    200
CNST::EMAIL                                        123
CNST::EMAIL,ANALYTICS                              3
FRGT                                               5
NCNST                                              50

6 rows selected.
Here, the first argument of CHAR_TO_LABEL is the policy name and the second is the label.
This script updates the data labels to create the various labels that will be used in the scenarios. In a real-world scenario it is recommended to create a labeling function that assigns the label based on other existing table data (other columns). For each step, you can review the output of the script you ran (for example, "more ols_label_data.out").
Then we will see Label Security in action by viewing the same table as different users:
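The labeling-function recommendation above is worth seeing in code, because it is what turns the hand-written customerid ranges of the script into a rule the database enforces on every insert and update. The following is an added example, not part of the lab: the consent columns GDPR_STATUS, CONSENT_EMAIL and CONSENT_ANALYTICS on CRM_CUSTOMER are hypothetical (the lab table may not have them), while the policy name, the labels and the OLS calls are real. The function must return LBACSYS.LBAC_LABEL, which TO_LBAC_DATA_LABEL builds from the label string.

```sql
-- Added example (not the lab's code): derive the OLS label from the row's own
-- consent columns. Column names below are hypothetical.
CREATE OR REPLACE FUNCTION appcrm.gen_gdpr_label (
  p_status    IN VARCHAR2,   -- 'ACTIVE', 'FORGET' or 'ANONYMIZED' (hypothetical column)
  p_email     IN CHAR,       -- 'Y' when the customer consented to email marketing
  p_analytics IN CHAR)       -- 'Y' when the customer consented to analytics
  RETURN LBACSYS.LBAC_LABEL
AS
  v_groups VARCHAR2(200);
  v_label  VARCHAR2(200);
BEGIN
  -- Lifecycle states map straight to a level with no groups.
  IF p_status = 'FORGET' THEN
    v_label := 'FRGT';
  ELSIF p_status = 'ANONYMIZED' THEN
    v_label := 'ANON';
  ELSE
    -- Build the group list from the consents actually given; every combination
    -- produced here must exist as a valid data label in the policy.
    IF p_email = 'Y' THEN
      v_groups := 'EMAIL';
    END IF;
    IF p_analytics = 'Y' THEN
      v_groups := CASE WHEN v_groups IS NULL THEN 'ANALYTICS'
                       ELSE v_groups || ',ANALYTICS' END;
    END IF;
    -- No consent at all: the row goes to the highest level (NCNST), so only a
    -- session whose max level is NCNST (APPPREFERENCE in the lab) can still reach it.
    IF v_groups IS NULL THEN
      v_label := 'NCNST';
    ELSE
      v_label := 'CNST::' || v_groups;
    END IF;
  END IF;
  RETURN TO_LBAC_DATA_LABEL('OLS_DEMO_GDPR', v_label);
END gen_gdpr_label;
/

-- Re-apply the policy with the function attached. The :new.<column> references
-- are resolved against the labeled table on each INSERT and UPDATE.
BEGIN
  SA_POLICY_ADMIN.REMOVE_TABLE_POLICY('OLS_DEMO_GDPR', 'APPCRM', 'CRM_CUSTOMER');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'OLS_DEMO_GDPR',
    schema_name    => 'APPCRM',
    table_name     => 'CRM_CUSTOMER',
    label_function => 'APPCRM.GEN_GDPR_LABEL(:new.gdpr_status, :new.consent_email, :new.consent_analytics)');
END;
/
```

Once a labeling function is attached it decides the row label on insert and update, so the explicit CHAR_TO_LABEL updates in the script above would no longer be how labels are set; changing a customer's consent columns is what moves the row between labels. Keep the function free of dependencies on the session (no SA_SESSION calls), otherwise two users updating the same row could leave it with different labels.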
$ ./ols_label_sec_in_action.sh
==============================================================================
Connects as different apps would be connecting to see records that they would be able to process...
==============================================================================

. Marketing App would only show 126 records
(Can process data labeled: CNST::EMAIL and CNST::ANALYTICS, EMAIL)

COUNT(*)
----------
126

. BI App would only show 213 records
(Can process data labeled: ANON, CNST::ANALYTICS, CNST::ANALYTICS, EMAIL)

COUNT(*)
----------
213

. FORGET App would only show 15 records
(Can process data labeled: FRGT and ANON)

COUNT(*)
----------
15

. APPPREFERENCE App can be used to set consent
(Can process ALL records - 391)

COUNT(*)
----------
391

. What labels are currently in session?

LABEL
------------------------------------------------------------------------------------------------------------------------------------------------------------------
NCNST::DT_PROC,CAMP_MGMT,EMAIL,POST_MAIL,WEB_ADS,ANALYTICS,REC_ENGINE,THIRDPARTY,CONTACT_DET,PREF_DETAILS,PURCH_HIST

. What is the session row label?

SA_SESSION.ROW_LABEL('OLS_DEMO_GDPR')
------------------------------------------------------------------------------------------------------------------------------------------------------------------
CNST::DT_PROC
Each application only sees the records it is able to process. For example, AppMKT (the application used to send emails to customers) can only see records labeled CNST::EMAIL; AppBI can see records labeled ANON and CNST::ANALYTICS (rows at the CNST level that belong to the Analytics group, which also covers CNST::ANALYTICS,EMAIL).
Now we change the status of UserID 100 to "to be forgotten".
$ ./ols_to_be_forgotten.sh
==============================================================================
Change users status to be forgotten...
==============================================================================

CON_NAME
------------------------------
PDB1

USER is "APPFORGET"

. Create the procedure "PROCESS_DATA" to process requests to be forgotten for anonymization purposes
Procedure created.

. These would be the records to be anonimized
... User Session Label = FRGT
... ... Processing Data for User_ID (61): Rob Kempt (rob.kempt@aabz.com)
... ... Processing Data for User_ID (62): Elaine Moncure (elaine.moncure@aab0.com)
... ... Processing Data for User_ID (63): Joshua Disano (joshua.disano@aab1.com)
... ... Processing Data for User_ID (64): Lai Kurtich (lai.kurtich@aab2.com)
... ... Processing Data for User_ID (65): Lucas Summerill (lucas.summerill@aab3.com)
... Customers Processed = 5
PL/SQL procedure successfully completed.

. Create the procedure "FORGET_ME" to forget customers
Procedure created.

. How many records are currently marked "FRGT"

LABEL                     COUNT
------------------------- -------
ANON                      10
CNST::ANALYTICS           200
CNST::EMAIL               123
CNST::EMAIL,ANALYTICS     3
FRGT                      5
NCNST                     50

6 rows selected.

. The User ID "100" asked to be forgotten
$ exec forget_me(100)
PL/SQL procedure successfully completed.

. Now, let's check how many records are marked "FRGT"

LABEL                     COUNT
------------------------- -------
ANON                      10
CNST::ANALYTICS           199
CNST::EMAIL               123
CNST::EMAIL,ANALYTICS     3
FRGT                      6
NCNST                     50

6 rows selected.

. These would be the records to be anonimized
... User Session Label = FRGT
... ... Processing Data for User_ID (61): Rob Kempt (rob.kempt@aabz.com)
... ... Processing Data for User_ID (62): Elaine Moncure (elaine.moncure@aab0.com)
... ... Processing Data for User_ID (63): Joshua Disano (joshua.disano@aab1.com)
... ... Processing Data for User_ID (64): Lai Kurtich (lai.kurtich@aab2.com)
... ... Processing Data for User_ID (65): Lucas Summerill (lucas.summerill@aab3.com)
... ... Processing Data for User_ID (100): Verlie Ashland (verlie.ashland@aac2.com)
... Customers Processed = 6
PL/SQL procedure successfully completed.
Note:
- This script simulates an application that processes the records marked as to be forgotten
- It creates a stored procedure that displays the records marked as to be forgotten (labeled FRGT:
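The script's two procedures are only shown through their output, so here is one way to write them. This is an added example, not the lab's own PROCESS_DATA or FORGET_ME: the column names FIRSTNAME, LASTNAME and EMAIL are hypothetical (only CUSTOMERID and GDPR_COL appear in the lab), and the caller is assumed to be authorized to write the rows it touches, either through its own OLS level and group authorizations or through the policy's FULL privilege, since with WRITE_CONTROL the relabeling UPDATE itself is filtered by the session label.

```sql
-- Added example (not the lab's procedures). Assumes the caller may write the rows
-- it relabels; FIRSTNAME/LASTNAME/EMAIL are hypothetical column names.

-- Step 1 of the workflow: mark one customer as "to be forgotten". From this point
-- only sessions whose max level dominates FRGT (APPFORGET, APPPREFERENCE in the lab)
-- can still see the row; marketing and BI sessions lose it immediately.
CREATE OR REPLACE PROCEDURE forget_me (p_customerid IN NUMBER) AS
BEGIN
  UPDATE appcrm.crm_customer
     SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR', 'FRGT')
   WHERE customerid = p_customerid;
  -- Zero rows means either no such customer or a row the session is not allowed
  -- to see/write; OLS never raises an error for filtered rows, so check explicitly.
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Customer ' || p_customerid || ' not found or not writable under the session label');
  END IF;
  COMMIT;
END forget_me;
/

-- Step 2: the batch anonymizer. It only asks for FRGT rows, and OLS guarantees it
-- cannot touch anything outside its authorizations even if the WHERE clause were wrong.
CREATE OR REPLACE PROCEDURE process_data AS
  v_processed PLS_INTEGER := 0;
BEGIN
  DBMS_OUTPUT.PUT_LINE('... User Session Label = ' || SA_SESSION.LABEL('OLS_DEMO_GDPR'));
  FOR r IN (SELECT customerid, firstname, lastname, email
              FROM appcrm.crm_customer
             WHERE gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR', 'FRGT')
             ORDER BY customerid)
  LOOP
    DBMS_OUTPUT.PUT_LINE('... ... Processing Data for User_ID (' || r.customerid || '): '
                         || r.firstname || ' ' || r.lastname || ' (' || r.email || ')');
    -- Overwrite the PII and drop the row to the ANON level, so it stays usable for
    -- BI (APPBI's max level is ANON) without identifying anyone.
    UPDATE appcrm.crm_customer
       SET firstname = 'ANON',
           lastname  = 'ANON',
           email     = 'anon' || r.customerid || '@invalid',   -- constructed placeholder
           gdpr_col  = CHAR_TO_LABEL('OLS_DEMO_GDPR', 'ANON')
     WHERE customerid = r.customerid;
    v_processed := v_processed + 1;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('... Customers Processed = ' || v_processed);
  COMMIT;
END process_data;
/

-- Usage (as in the lab output): mark customer 100, then run the anonymizer.
-- SET SERVEROUTPUT ON
-- EXEC forget_me(100)
-- EXEC process_data
```

Running the per-label count query from the labeling step before and after EXEC process_data is the simplest check that the workflow did what it should: the FRGT count drops to zero and the ANON count rises by the same amount, while the CNST:: rows are untouched because the APPFORGET session, having no groups, could never have read them.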