细粒度权限控制 linux,FGAC(细粒度访问控制)/VPD
FGAC/VPD可以從安全方面限制用戶在行級(jí)別的訪問(wèn)權(quán)限,對(duì)于安全性考慮的應(yīng)用有很大幫助。
另外,在一些特別特殊的情況下,可以通過(guò)它改寫用戶SQL的謂詞(where condition)。
這里step by step做一個(gè)例子,以供以后參考。
SQL> show user
USER is "HR"
SQL> create table testfgac as select * from dba_tables;
Table created.
1.建立一個(gè)context用來(lái)保存希望保存的屬性。
SQL>grant administer database trigger,create any trigger,create session,resource,create any procedure to hr
這里用USERNAME來(lái)代表當(dāng)前用戶是否是定義的“DB_OWNER”
SQL> create context syscontext using context_package;
Context created.
SQL> create or replace procedure context_package
( username in varchar2)
as
begin
dbms_session.set_context (
'SYSCONTEXT',
'USERNAME',
username
);
end;
Procedure created.
2.在sys用戶下建立一個(gè)login trigger,如果當(dāng)前用戶是'hr',那么設(shè)立它的username是hr.SQL> create or replace trigger context_trig
after logon on database
declare
username varchar2(50);
begin
select decode(sys_context('USERENV','SESSION_USER'),'HR',
'DB_OWNER','NOT_DB_OWNER')
into username from dual;
context_package(username);
exception
when NO_DATA_FOUND then
null;
when OTHERS then
raise;
end;
Trigger created.
3.查看login trigger生效沒(méi)有SQL>? show user
USER is "SYS"
SQL>? select sys_context('SYSCONTEXT','username') myrole from dual;
MYROLE
--------------------
NOT_DB_OWNER
SQL> conn hr/hr
Connected.
SQL>? select sys_context('SYSCONTEXT','username') myrole from dual;
MYROLE
--------------------
DB_OWNER
4.最重要的一步,建立一個(gè)function用來(lái)作為返回你想修改的謂詞。本例a是對(duì)hr用戶返回空謂詞,對(duì)其它用戶返回'LAST_ANALYZED<=sysdate-1';本例b是對(duì)用戶返回owner='session_user'串。
a,SQL>? create or replace function return_secure
(my_owner in varchar2,
my_obj in varchar2)
return varchar2
as
ret varchar2(2000);
begin
select decode(sys_context('SYSCONTEXT','username'),'DB_OWNER',null,'LAST_ANALYZED<=sysdate-1') into ret from dual;
return ret;
end;
Function created.
b,SQL>? create or replace function return_sec
(my_owner in varchar2,
my_obj in varchar2)
return varchar2
as
ret varchar2(2000);
begin
select 'owner='||chr(39)||sys_context('USERENV','SESSION_USER')||chr(39) into ret from dual;
return ret;
end;
Function created.
5.在sys用戶下,加上policy,對(duì)dml語(yǔ)句和select都生效SQL>? begin
dbms_rls.add_policy (
OBJECT_SCHEMA => 'HR',
object_name => 'TESTFGAC',
policy_name => 'my_p',
policy_function => 'RETURN_SECURE',
statement_types => 'INSERT, UPDATE, DELETE, SELECT',
update_check??? => TRUE
);
end;
/
PL/SQL procedure successfully completed.
SQL>? begin
dbms_rls.drop_policy (
OBJECT_SCHEMA => 'HR',
object_name => 'TESTFGAC',
policy_name => 'my_p');
end;
/
begin
dbms_rls.add_policy (
OBJECT_SCHEMA => 'HR',
object_name => 'TESTFGAC',
policy_name => 'my_p',
policy_function => 'RETURN_SEC',
statement_types => 'INSERT, UPDATE, DELETE, SELECT',
update_check??? => TRUE
);
end;
/
6.測(cè)試SQL> conn hr/hr
Connected.
SQL> select sys_context('SYSCONTEXT','username') username from dual;
USERNAME
------------------------
DB_OWNER
SQL> select count(*) from HR.TESTFGAC;
COUNT(*)
----------
1043
SQL> conn scott/tiger
Connected.
SQL> select count(*) from hr.TESTFGAC;
COUNT(*)
----------
934
創(chuàng)作挑戰(zhàn)賽新人創(chuàng)作獎(jiǎng)勵(lì)來(lái)咯,堅(jiān)持創(chuàng)作打卡瓜分現(xiàn)金大獎(jiǎng)總結(jié)
以上是生活随笔為你收集整理的细粒度权限控制 linux,FGAC(细粒度访问控制)/VPD的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: web文本阅读平台
- 下一篇: 设置硬盘休眠linux,linux笔记本