Oracle VPD是Oracle advance security的一部分,其中的Column level VPD可以隔离应用访问某列数据。Column level VPD有2种模式。
- Default behavior: restricts the number of rows returned by a query.
- Masking behavior: returns all rows, but returns NULL values for the columns that contain sensitive information.
(其實based on user,return 1=1 or 1=2 也可以卡住???)
例子如下function oracle.sal_fucntion会返回 return “1=2″; 建立VPD policy,限制所有应用用户不能够查询emp表上的salary信息。
execute dbms_rls.add_policy (object_schema => ‘scott’,
object_name => ‘emp’,
policy_name => ‘my_policy’,
function_schema => ‘oracle’,
policy_function => ‘sal_function’,
sec_relevant_cols=>’salary’,
sec_relevant_cols_opt=>dbms_rls.ALL_ROWS);
–
SYS@ SQL> conn scott/tiger且在emp上建立的view,在 SQL parse的时候也会被基础表上的VPD policy约束。
Connected.
SCOTT@ SQL> select * from emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
———- ———- ——— ———- ————— ———- ———- ———-
7369 SMITH CLERK 7902 17-DEC-80 20
7499 ALLEN SALESMAN 7698 20-FEB-81 300 30
7521 WARD SALESMAN 7698 22-FEB-81 500 30
7566 JONES MANAGER 7839 02-APR-81 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 30
7782 CLARK MANAGER 7839 09-JUN-81 10
7788 SCOTT ANALYST 7566 19-APR-87 20
7839 KING PRESIDENT 17-NOV-81 10
7844 TURNER SALESMAN 7698 08-SEP-81 0 30
7876 ADAMS CLERK 7788 23-MAY-87 20
7900 JAMES CLERK 7698 03-DEC-81 30
7902 FORD ANALYST 7566 03-DEC-81 20
7934 MILLER CLERK 7782 23-JAN-82 10
14 rows selected.
SCOTT@: SQL> select text from user_views where view_name=’EMP_SEC’;通过使用 10060 和 10730 event,可以发现Oracle在SQL层次将查询进行了重写。
TEXT
——————————————————————————–
select “EMPNO”,”ENAME”,”JOB”,”MGR”,”HIREDATE”,”SAL”,”COMM”,”DEPTNO” from scott.emp
SCOTT@: SQL> select * from scott.emp_sec where rownum<=3;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
———- ———- ——— ———- ————— ———-
7369 SMITH CLERK 7902 17-DEC-80 20
7499 ALLEN SALESMAN 7698 20-FEB-81 300 30
7521 WARD SALESMAN 7698 22-FEB-81 500 30
Logon user : ORACLE改写成了CASE形式。
Table/View : SCOTT.EMP
Policy name : my_policy
Policy function: ORACLE.sal_function
RLS view :
SELECT “EMPNO”,”ENAME”,”JOB”,”MGR”,”HIREDATE”, CASE WHEN (1 = 2) THEN “SAL” ELSE NULL END “SAL”,”COMM”,”DEPTNO” FROM “SCOTT”.”EMP” “EMP”
但是VPD不能够限制SYS用户;SYS用户仍然能够看到Salary的信息。不过结合Oracle其它的安全方案(如TDE),将VPD恰当的应用在服务器端,可以解决一些安全问题,因为它对客户端是完全透明的。
以下為另一篇相關文章
http://ksadba.wordpress.com/2009/04/22/virtual-private-database-vpd-column-masking-simple-example/
Exclude Some Users from Policy
Users who need to see all the data without any masking need to be granted “exempt access policy”Notes:
- Dropping a table that has a policy will drop the policy but not the function policy.
- Renaming the table will NOT drop the policy or disable it. The policy will remain active.
- Export/Import will also export/import the policy along with the table, but will not export/import the function policy.
- When exporting a table under a policy, make sure the user exporting the table has “exempt access policy” grant, otherwise, the column under the policy will always be null and column data will be lost.
Some Important Views
dba_policiesv$vpd_policy
沒有留言:
張貼留言