Should Invoker Rights be used?

590 views

Published on

How can you ensure users use only their data and not someone elses. How can you do this with minimal effort? How can you get rid of multiple codebases. How can you (partially) protect yourself against SQL Injection.
In this session we explore the use of the different authentication models in the Oracle database. When do you use the Definer Rights model and when could, or should, you use the Invoker Rights model?

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
590
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Should Invoker Rights be used?

  1. 1. Patrick.Barel@AMIS.nl technology.amis.nl blog.bar-solutions.com
  2. 2. About me… • Patrick Barel • Working with Oracle since 1997 • Working with PL/SQL since 1999 • Playing with APEX since 2003 (mod_plsql) • ACE since 2011 • OCA since December 20th 2012
  3. 3. Read me… http://blog.bar-solutions.com http://technology.amis.nl http://allthingsoracle.com
  4. 4. Download me… Plugins for PL/SQL Developer http://bar-solutions.com Plugins for Apex http://apex-plugin.com
  5. 5. Watch me…
  6. 6. Patrick.Barel@GMail.com Contact me… @patch72 patrick@bar-solutions.com Patrick.Barel@AMIS.nl Patrick.Barel@GMail.com 3029156 40338721 Patrick Barel
  7. 7. Steven Feuerstein Masterclass Anti-Pattern PL/SQL Programming + Oracle Database 12c New PL/SQL Features 12/13 December. AMIS, Nieuwegein • Steven will present examples of "bad code" (anti-patterns) and features of PL/SQL that address them. • Students working in pairs then use their laptops to fix the anti-patterns. • Steven then walks entire class through optimal solutions.
  8. 8. Definer Rights Model Invoker Rights Model Prior to Oracle8i, whenever you executed a stored program, it ran under the privileges of the account in which the program was defined. This is called the … With Oracle8i, you can now decide at compilation time whether your program or package will execute in the definer's schema (the default) or the schema of the invoker of the code. This is called the … Definer Rights vs Invoker Rights
  9. 9. Patrick Mitchell Code Invoke R e f Relations Relations Definer Rights
  10. 10. Patrick Mitchell Code Invoke Relations Relations Invoker Rights
  11. 11. Allows you to centralize access to and control of underlying data structures. Uses roles and doesn’t rely on directly-granted privileges. But it can be a source of confusion and architectural problems. Note: Oracle built-in packages have long had the capability of running under the invoker's authority. Invoker Rights
  12. 12. What’s wrong with Definer Rights Deployment & maintenance Must install module in all schemas where needed In some databases, each user has own copy of table(s), requiring copy of stored module Security No declarative way to restrict privileges on certain modules in a package -- it's all or nothing, unless you write code in the package to essentially recreate roles programmatically. Difficult to audit privileges Sure would be nice to have a choice...and now you do!
  13. 13. Deployment & maintenance Must install module in all schemas where needed In some databases, each user has own copy of table(s), requiring copy of stored module Security No declarative way to restrict privileges on certain modules in a package -- it's all or nothing, unless you write code in the package to essentially recreate roles programmatically. Difficult to audit privileges Sure would be nice to have a choice...and now you do! What’s wrong with Definer Rights
  14. 14. CREATE [ OR REPLACE ] <module type> [ AUTHID { DEFINER | CURRENT_USER } ] AS ... Invoker Rights For top level modules: For modules with separate spec and body, AUTHID goes only in spec, and must be at the package level. Holds true for packages and object types.
  15. 15. Emp begin x.foo; end; package x authid definer Emp Emp package y authid definer package z authid definer Overview of Definer Rights
  16. 16. Emp begin x.foo; end; package x authid current_user Emp Emp package y authid definer package z authid current_user Overview of Invoker Rights
  17. 17. Emp begin x.foo; end; package x authid current_user Emp Emp package y authid definer package z authid current_user Emp begin x.foo; end; Overview of Invoker Rights
  18. 18. Mock objects To compile code you still need the structure of the objects.
  19. 19. begin x.foo; end; begin x.foo; end; package x authid current_user Col1` Col2 Col3 Col4 Col1 Col2 Col3 Col4 A.val1 A.val2 A.val3 A.val4 A.val5 A.val6 A.val7 A.val8 A.val9 A.val10 A.val11 A.val12 A.val13 A.val14 A.val15 A.val16 Col1 Col2 Col3 Col4 B.val1 B.val2 B.val3 B.val4 B.val5 B.val6 B.val7 B.val8 B.val9 B.val10 B.val11 B.val12 B.val13 B.val14 B.val15 B.val16 Execute Execute Mock objects
  20. 20. Definer Rights Definer rights Single codebase SQL Injection
  21. 21. Definer Rights Use a single codebase for multiple users (a bit of) Protection from SQL Injection
  22. 22. Single codebase User1 User2 App
  23. 23. User1 User2 App Mock objects Single codebase
  24. 24. User1 User2 App Code Single codebase
  25. 25. User1 User2 App Single codebase
  26. 26. User1 User2 App Application code in a central schema (with mock objects) Single codebase
  27. 27. User1 User2 App Each user has it’s own set of tables, views and sequences Single codebase
  28. 28. User1 User2 App Columns can be different in each schema Single codebase demo_ir.sqldemo_ir.sql
  29. 29. Advantages One time development Specific code in user schema (partial) Protection from SQL Injection
  30. 30. Drawbacks Debugging can be hard Support can be hard
  31. 31. SQL Injection Dynamic SQL Modification (drop) of objects – You cannot drop what is not there Modification of records – Will only affect current users data You should always use binding instead of concatenating in Dynamic SQL Statements
  32. 32. Definer Rights Model Invoker Rights Model Rules and Restrictions • AUTHID DEFINER – Uses directly granted privileges – Default, so no need to change current code • AUTHID CURRENT_USER – Uses ROLEs – On entire objects – Need for ‘mock’ objects – (at compile time it’s Definer Rights)

×