ITPub博客

首页 > Linux操作系统 > Linux操作系统 > 细粒度访问控制-VPD

细粒度访问控制-VPD

原创 Linux操作系统 作者:hjianping 时间:2011-04-26 19:50:40 0 删除 编辑

1、创建测试环境
conn sys/password as sysdba
create user HJP identified by password default tablespace users temporary tablespace temp;
create user JDS identified by password default tablespace users temporary tablespace temp;
create user BBK identified by password default tablespace users temporary tablespace temp;
create user ZYM identified by password default tablespace users temporary tablespace temp;
grant connect,resource to HJP;
grant connect,resource to JDS;
grant connect,resource to BBK;
grant connect,resource to ZYM;

create user huang identified by password default tablespace users temporary tablespace temp;
grant connect to huang;
grant resource to huang;
grant execute on dbms_rls to huang;
--grant create any trigger to huang;
--grant ADMINISTER database trigger to huang;
--grant create session to huang with admin option;
commit;

conn scott/password
insert into emp(empno,ename,sal,deptno) values(8000,'HJP',5000,20);
insert into emp(empno,ename,sal,deptno) values(8001,'JDS',5000,30);
insert into emp(empno,ename,sal,deptno) values(8002,'BBK',5000,40);
insert into emp(empno,ename,sal,deptno) values(8003,'ZYM',5000,10);
commit;

create table people as select ename username,job,sal salary,deptno from emp;
grant select,update,insert,delete on scott.people to huang;
grant select,update,insert,delete on scott.people to HJP;
grant select,update,insert,delete on scott.people to JDS;
grant select,update,insert,delete on scott.people to BBK;
grant select,update,insert,delete on scott.people to ZYM;
commit;


2、创建数据表和应用上下文
conn huang/password
create table lookup_user as select username,deptno from scott.people;
create context people_ctx using huang.people_ctx_mgr;
--drop context people_ctx;

*************************************************************************************
create or replace package people_ctx_mgr
as
 procedure set_deptno;
 procedure clear_deptno;
end;
/
*************************************************************************************
create or replace package body people_ctx_mgr
as
procedure set_deptno
as
 l_deptno number;
begin
 select deptno into l_deptno from lookup_user
  where username=sys_context('userenv','session_user');
 dbms_session.set_context
  (namespace => 'people_ctx',attribute => 'deptno',value => l_deptno);
end set_deptno;
procedure clear_deptno
as
begin
 dbms_session.clear_context
  (namespace => 'people_ctx',attribute => 'deptno');
end clear_deptno;
end people_ctx_mgr;
/
*************************************************************************************
--drop package people_ctx_mgr;


3、创建登录触发器
conn sys/password as sysdba
********************************************
create or replace trigger set_user_deptno
 after logon on database
begin
 huang.people_ctx_mgr.set_deptno;
end;
/
********************************************
--drop trigger set_user_deptno;


4、测试应用上下文
conn scott/password 
select sys_context('people_ctx','deptno') deptno from dual; 


5、创建策略函数dept_only
conn huang/password
******************************************************************
create or replace function dept_only
 (p_schema in varchar2 default null,
  p_object in varchar2 default null)
  return varchar2
as
begin
 return 'deptno = sys_context(''people_ctx'',''deptno'')';
 --return 'deptno = '||sys_context('people_ctx','deptno');
 --返回值,需要重新分析SQL语句
exception
 when others then
  return '1=0';
end;
/
******************************************************************
--drop function dept_only;


6、查询策略函数
select dept_only from dual;


7、创建插入、更新策略people_iu
conn huang/password
*******************************************************
begin
 dbms_rls.add_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_iu',
   function_schema => 'huang',
   policy_function => 'dept_only',
   statement_types => 'insert,update',
   update_check => TRUE);
end;
/
*******************************************************


8、删除策略people_iu
/*********************************************
begin
 dbms_rls.drop_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_iu');
end;
/
*********************************************/


9、创建策略函数user_only
conn huang/password
***********************************************************************
create or replace function user_only
 (p_schema in varchar2 default null,
  p_object in varchar2 default null)
  return varchar2
as
begin
 return 'username = sys_context(''userenv'',''session_user'')';
exception
 when others then
  return '1=0';
end;
/
***********************************************************************
--drop function user_only;


10、创建删除策略people_del
conn huang/password
*************************************************
begin
 dbms_rls.add_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_del',
   function_schema => 'huang',
   policy_function => 'user_only',
   statement_types => 'delete');
end;
/
*************************************************


11、删除策略people_del
/**********************************************
begin
 dbms_rls.drop_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_del');
end;
/
**********************************************/


12、查询策略
select * from dba_policies;
select * from v$vpd_policy(v$sql);


13、RLS策略的免除访问,对数据库的备份和恢复非常必要
grant exempt access policy to system;
--revoke exempt access policy from system;


14、审核免除访问策略
audit exempt access policy by access;
******************************************************************************************
begin
 for i in (select * from dba_audit_trail) loop
  dbms_output.put_line('---------------------------------------');
  dbms_output.put_line('Who: '|| i.username);
  dbms_output.put_line('What: '||i.action_name||' on '||i.owner||'.'||i.obj_name);
  dbms_output.put_line('When: '||to_char(i.timestamp,'yyyy-mm-dd HH24:MI'));
  dbms_output.put_line('How: '||i.sql_text);
  dbms_output.put_line('Using: '||i.priv_used);
 end loop;
end;
/
******************************************************************************************

 


列敏感的VPD

创建列敏感的策略(当salary列被查询时激活VPD策略,仅返回符合salary列的行)
**************************************************
begin
 dbms_rls.add_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_sal',
   function_schema => 'huang',
   policy_function => 'user_only',
   statement_types => 'select',
   sec_relevant_cols => 'SALARY');
end;
/
**************************************************

使用sec_relevant_cols_opt返回所有的行,不符合salary列的返回null,仅适用于选择语句
**************************************************************
begin
 dbms_rls.add_policy
  (object_schema => 'SCOTT',
   object_name => 'people',
   policy_name => 'people_sal',
   function_schema => 'huang',
   policy_function => 'user_only',
   statement_types => 'select',
   sec_relevant_cols => 'SALARY',
   sec_relevant_cols_opt => dbms_rls.all_rows);
end;
/
**************************************************************

 


1、建立应用上下文
conn sys/password as sysdba;
create or replace context empenv using scott.set_deptno;

2、设置应用上下文属性
create or replace procedure set_deptno
is
 id number;
begin
 if sys_context('userenv','session_user')='HJP' then
  dbms_session.set_context('empenv','deptno',10);
 end if;
 if sys_context('userenv','session_user')='JDS' then
  dbms_session.set_context('empenv','deptno',20);
 end if;
end;
/

3、建立登陆触发器
conn sys/password as sysdba;
create or replace trigger login_trig after logon on database call scott.set_deptno
/

4、建立策略函数
create or replace function emp_policy(p1 varchar2,p2 varchar2) return varchar2
is
 d_predicate varchar2(2000);
begin
 if user not in ('SCOTT') then
  d_predicate:='deptno=sys_context(''empenv'',''deptno'')';
  return d_predicate;
 end if;
 return '1=1';
end;
/

5、增加策略
conn sys/password as sysdba;
exec dbms_rls.add_policy('scott','emp','emp_policy','scott','emp_policy','select,update,delete')

exec dbms_rls.drop_policy('scott','emp','emp_policy') --删除策略

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/17012874/viewspace-693804/,如需转载,请注明出处,否则将追究法律责任。

下一篇: merge into
请登录后发表评论 登录
全部评论

注册时间:2011-04-24

  • 博文量
    80
  • 访问量
    75417