Oracle 12.2 新特性：Lockdown Profile 的多租户权限控制

« Oracle 数据库 12.2新特性手册 - In-Memory 增强卷 | Blog首页 | Oracle 数据库 12.2新特性手册-Core Improvements内核卷 »

在Oracle Database 12.2 中引入了lockdown profile的新特性，可以用于限制PDB中的某些操作，增强某些操作的安全性。

PDB Lockdown Profiles to Restrict Operations on PDBs Starting with this release, in a multitenant environment, you can use PDB lockdown profiles to restrict functionality available to users in a given PDB.

PDB lockdown profiles enable you to restrict the access the user has to a set of features individually or in a group. This feature is designed to enhance security for situations in which identities are shared among PDBs.

以下通过一个简单的测试来看看这个特性的基本功能。首先在CDB下创建一个profile，这个Profile将对全局可用：

SQL> connect / as sysdba
Connected.
SQL> CREATE LOCKDOWN PROFILE enmotech;


Lockdown Profile created.

SQL> ALTER LOCKDOWN PROFILE enmotech DISABLE STATEMENT  = ('ALTER SYSTEM');

Lockdown Profile altered.

连接到PDB YHEM,在PDB级别启用lockdown profile :

SQL> connect sys/oracle@yhem as sysdba
Connected.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN = enmotech;

System altered.

测试一下，可以看到所有的ALTER SYSTEM的操作都被禁用了：

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter system set optimizer_mode = first_rows_1;
alter system set optimizer_mode = first_rows_1
*
ERROR at line 1:
ORA-01031: insufficient privileges

LOCKDOWN PROFILE可以限制到非常细粒度的权限，比如以下限制仅仅限制用户执行ARCHIVE LOG和CHECKPOINT操作。

SQL> connect / as sysdba
Connected.

SQL> alter lockdown profile enmotech enable statement = ('ALTER SYSTEM')
  2  clause all except = ('ARCHIVE LOG', 'CHECKPOINT');

Lockdown Profile altered.

现在测试一下，可以看到在PDB上，限制精确的生效，CHECKPOINT操作不允许被执行：

SQL> connect system/oracle@yhem
Connected.
SQL> alter system set optimizer_mode = first_rows_1;

System altered.

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

除了特定的权限，还可以对某些数据库功能特点进行限制，比如调用和执行UTL_HTTP 和 UTL_TCP 包可能是高风险的，那么以下的PROFILE设置可以禁用这些特性：

SQL> alter lockdown profile enmotech
  2     disable feature = ('UTL_HTTP', 'UTL_TCP');
Lockdown profile altered.


SQL> conn system/oracle@yhem
Connected.
SQL> declare
  2    l_request   utl_http.req;
  3    l_response  utl_http.resp;
  4 begin
  5    l_request := utl_http.begin_request('http://www.enmotech.com');
  6    l_response := utl_http.get_response(l_request);
  7 end; 
  8/
declare
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-01031: insufficient privileges
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1127
ORA-06512: at line 5

参考链接：

https://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG004

历史上的今天...
>> 2012-12-12文章:

Oracle云数据库初体验之二 - Application Express

>> 2008-12-12文章:

我家的小帅哥 - 爱夸张的盖小咪

>> 2006-12-12文章:

使用Perl连接Mysql数据库

eygle.com完成建站以来最大的一次迁移

>> 2005-12-12文章:

Oracle Diagnostics:Why sysdate is fixed?

How to maintain Oracle10g Recyclebin?

Definer and Invoker Rights

>> 2004-12-12文章:

天下无贼-那一滴金砂的缘起缘落

By eygle on 2016-12-12 09:04 | Comments (0) | Oracle12c/11g | 3228 |