eygle.com   eygle.com
eygle.com eygle
eygle.com  
 

« Oracle 数据库 12.2新特性手册 - In-Memory 增强卷 | Blog首页 | Oracle 数据库 12.2新特性手册-Core Improvements内核卷 »

Oracle 12.2 新特性:Lockdown Profile 的多租户权限控制

122lockdown.jpg

在Oracle Database 12.2 中引入了lockdown profile的新特性,可以用于限制PDB中的某些操作,增强某些操作的安全性。

PDB Lockdown Profiles to Restrict Operations on PDBs Starting with this release, in a multitenant environment, you can use PDB lockdown profiles to restrict functionality available to users in a given PDB.

PDB lockdown profiles enable you to restrict the access the user has to a set of features individually or in a group. This feature is designed to enhance security for situations in which identities are shared among PDBs.

以下通过一个简单的测试来看看这个特性的基本功能。 首先在CDB下创建一个profile,这个Profile将对全局可用:

SQL> connect / as sysdba
Connected.
SQL> CREATE LOCKDOWN PROFILE enmotech;


Lockdown Profile created.

SQL> ALTER LOCKDOWN PROFILE enmotech DISABLE STATEMENT  = ('ALTER SYSTEM');

Lockdown Profile altered.


连接到PDB YHEM,在PDB级别启用lockdown profile :

SQL> connect sys/oracle@yhem as sysdba
Connected.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN = enmotech;

System altered.


测试一下,可以看到所有的ALTER SYSTEM的操作都被禁用了:

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter system set optimizer_mode = first_rows_1;
alter system set optimizer_mode = first_rows_1
*
ERROR at line 1:
ORA-01031: insufficient privileges


LOCKDOWN PROFILE可以限制到非常细粒度的权限,比如以下限制仅仅限制用户执行ARCHIVE LOG和CHECKPOINT操作。

SQL> connect / as sysdba
Connected.

SQL> alter lockdown profile enmotech enable statement = ('ALTER SYSTEM')
  2  clause all except = ('ARCHIVE LOG', 'CHECKPOINT');

Lockdown Profile altered.


现在测试一下,可以看到在PDB上,限制精确的生效,CHECKPOINT操作不允许被执行:

SQL> connect system/oracle@yhem
Connected.
SQL> alter system set optimizer_mode = first_rows_1;

System altered.

SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges


除了特定的权限,还可以对某些数据库功能特点进行限制,比如调用和执行UTL_HTTP 和 UTL_TCP 包可能是高风险的,那么以下的PROFILE设置可以禁用这些特性:

SQL> alter lockdown profile enmotech
  2     disable feature = ('UTL_HTTP', 'UTL_TCP');
Lockdown profile altered.


SQL> conn system/oracle@yhem
Connected.
SQL> declare
  2    l_request   utl_http.req;
  3    l_response  utl_http.resp;
  4 begin
  5    l_request := utl_http.begin_request('http://www.enmotech.com');
  6    l_response := utl_http.get_response(l_request);
  7 end; 
  8/
declare
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-01031: insufficient privileges
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1127
ORA-06512: at line 5


参考链接:

https://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG004


历史上的今天...
    >> 2012-12-12文章:
    >> 2008-12-12文章:
    >> 2006-12-12文章:
           使用Perl连接Mysql数据库
    >> 2005-12-12文章:
           Definer and Invoker Rights
    >> 2004-12-12文章:

无觅

By eygle on 2016-12-12 09:04 | Comments (0) | Oracle12c/11g | 3228 |


CopyRight © 2004~2020 云和恩墨,成就未来!, All rights reserved.
数据恢复·紧急救援·性能优化 云和恩墨 24x7 热线电话:400-600-8755 业务咨询:010-59007017-7040 or 7037 业务合作: marketing@enmotech.com