3. Basic authentication
Database administrators (connecting AS SYSDBA/SYSOPER) are authenticated outside the database, by one of:
- operating-system authentication
- password-file authentication
For example, logging in with sqlplus "/ as sysdba": the OS user must belong to the DBA group on Unix, or to the ORADBA group on Windows.
Ordinary database users can only be authenticated and logged in after the database has been opened (alter database open).
OS authentication can also be used for them,
for example: create user maclean identified externally;
www.oracledatabase12g.com
4. Basic authentication
Database authentication
For example: create user maclean identified by oracle;
User information can be inspected through the data dictionary views:
- DBA_USERS describes all users of the database.
- ALL_USERS lists users visible to the current user, but does not describe them.
- USER_TS_QUOTAS describes tablespace quotas for users.
- V$SESSION lists session information for each current session, including the user name.
- PROXY_USERS describes users who can assume the identity of other users.
- V$PWFILE_USERS lists users granted SYSDBA and SYSOPER privileges, as derived from the password file.
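The following is an added example, not from the original slides, showing how a DBA reviews the two authentication paths described on slides 3 and 4 using the views listed above. It assumes Oracle 11g or later (DBA_USERS.AUTHENTICATION_TYPE does not exist on 10g, where PASSWORD = 'EXTERNAL' marks external accounts), a DBA session, and the default OS_AUTHENT_PREFIX of OPS$; the account name is illustrative.

```sql
-- Added example (not from the original slides): review how accounts authenticate.
-- Assumes Oracle 11g+ (DBA_USERS.AUTHENTICATION_TYPE) and a DBA session.

-- An externally authenticated account: the database stores no password for it, so
-- its security rests entirely on the OS account. With the default OS_AUTHENT_PREFIX
-- of OPS$, the OS user "maclean" maps to the database user OPS$MACLEAN.
CREATE USER ops$maclean IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$maclean;

-- 1. Which accounts bypass the database's own password check?
SELECT username, authentication_type, account_status, profile
  FROM dba_users
 WHERE authentication_type IN ('EXTERNAL', 'GLOBAL')
 ORDER BY username;

-- 2. Who can connect AS SYSDBA / SYSOPER through the password file (i.e. remotely)?
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 3. Is remote password-file authentication enabled at all? (NONE disables it,
--    leaving only OS authentication on the database host for "/ as sysdba".)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_login_passwordfile', 'os_authent_prefix');

-- 4. Which OS users currently hold SYS sessions (e.g. connected with "/ as sysdba")?
SELECT s.osuser, s.machine, s.program, s.logon_time
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username = 'SYS'
 ORDER BY s.logon_time;
```

Query 1 is the one to run regularly: an externally identified account is only as strong as the OS account control on the client side, and with a non-NULL OS_AUTHENT_PREFIX and a remote client, that control may not be yours.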
6. Object-level security controls
The owner of an object explicitly grants privileges on it to other users, including the right to query and modify its data.
For example:
CONN MACLEAN/ORACLE
GRANT SELECT ON wallet to hanna;
Roles are named sets of privileges that can be granted directly to users or to other roles.
For example:
CREATE ROLE developer;
GRANT SELECT ON wallet1 to developer;
GRANT INSERT ON wallet1 to developer;
GRANT developer to hanna;
9. Object-level security controls
Commonly used data dictionary views for object and system privilege information:
- DBA_SYS_PRIVS describes system privileges granted to users and roles (USER_SYS_PRIVS for the connected user).
- SESSION_PRIVS lists the privileges that are currently available to the user.
- SESSION_ROLES lists the roles that are currently enabled for the user.
- DBA_TAB_PRIVS describes all object grants in the database (USER_TAB_PRIVS for the connected user).
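As an added example (not part of the original slides), this is how the grants from slide 6 look when done through roles with the minimum needed privileges, followed by the verification queries a reviewer runs against the views on slide 9. It assumes that schema MACLEAN owns table WALLET and that user HANNA exists; the role names are illustrative.

```sql
-- Added example (not from the original slides): grant through roles, then verify.
-- Assumes MACLEAN.WALLET exists and user HANNA exists; role names are illustrative.

-- Owner grants: only what the consumer needs; no GRANT ALL, no WITH GRANT OPTION.
CREATE ROLE wallet_reader;
GRANT SELECT ON maclean.wallet TO wallet_reader;
CREATE ROLE wallet_writer;
GRANT SELECT, INSERT, UPDATE ON maclean.wallet TO wallet_writer;   -- deliberately no DELETE
GRANT wallet_reader TO hanna;

-- Verify: every object grant on WALLET, and whether the grantee can pass it on (GRANTABLE)
SELECT grantee, privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE owner = 'MACLEAN' AND table_name = 'WALLET'
 ORDER BY grantee, privilege;

-- Verify: roles HANNA holds; DEFAULT_ROLE = YES means it is enabled at logon
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'HANNA';

-- From HANNA's own session, what is effective right now:
--   SELECT * FROM session_roles;
--   SELECT * FROM session_privs;

-- Review: "ANY" system privileges reach across every schema; with
-- O7_DICTIONARY_ACCESSIBILITY = TRUE they also reach SYS-owned tables
-- (see the SELECT ANY TABLE session in the editor's notes).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;
```

Roles are not enabled inside definer's-rights PL/SQL, so privileges that stored procedures depend on still have to be granted directly to the procedure owner; DBA_TAB_PRIVS and DBA_SYS_PRIVS show both kinds of grant, which is why the review queries filter on GRANTEE rather than on SESSION_ROLES.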
12. Data-level security (RLS/VPD)
-- Policy function: receives the schema and object name, returns the predicate to append
CREATE OR REPLACE FUNCTION func1 (schema_name VARCHAR2,
                                  table_name  VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'c1 = 10';
END;
/
SQL> EXEC DBMS_RLS.ADD_POLICY ('scott','t1','pol1','scott','func1');
PL/SQL procedure successfully completed.
SQL> select * from t1;
        C1
----------
        10
        10
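The policy above returns a constant predicate. The following is an added example, not from the original slides, of the more typical case: a policy that restricts each session to its own rows, attached to all DML statement types with update_check so that a user cannot insert or update rows they would not be allowed to see. It assumes schema SCOTT and an illustrative table ORDERS(ORDER_ID, OWNER_NAME, AMOUNT).

```sql
-- Added example (not from the original slides): a per-session VPD policy.
-- Assumes schema SCOTT; the ORDERS table and policy names are illustrative.

CREATE TABLE scott.orders (
  order_id   NUMBER PRIMARY KEY,
  owner_name VARCHAR2(30) NOT NULL,
  amount     NUMBER
);

-- Policy function: the (schema, object) -> VARCHAR2 signature is fixed by DBMS_RLS.
-- A NULL or empty return would mean "no restriction", so the function fails closed.
CREATE OR REPLACE FUNCTION scott.orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IS NULL THEN
    RETURN '1 = 0';                                    -- fail closed: no rows at all
  END IF;
  -- The predicate is spliced into every statement against ORDERS. Refer to the
  -- session user through SYS_CONTEXT inside the predicate instead of concatenating
  -- its value into the string, so the predicate text is identical for every session
  -- (shareable cursor) and contains no user-controlled characters.
  RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach to SELECT, INSERT, UPDATE and DELETE; update_check => TRUE also applies the
-- predicate to the rows being written, not only to the rows being read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_POL',
    function_schema => 'SCOTT',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- Confirm the policy is registered, covers every DML path, and is enabled
SELECT object_owner, object_name, policy_name, function,
       sel, ins, upd, del, chk_option, enable
  FROM dba_policies
 WHERE object_owner = 'SCOTT' AND object_name = 'ORDERS';

-- Detaching it for maintenance (and forgetting to re-add it) is the usual failure mode:
--   EXEC DBMS_RLS.DROP_POLICY('SCOTT', 'ORDERS', 'ORDERS_OWNER_POL');
```

Because the predicate text is constant, the rewritten statement that kzrtevw() builds (see the next slide) is the same for every session and parses once; a policy that embeds the user name in the predicate instead produces a distinct hard parse per user.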
13. Data-level security (RLS/VPD)
The kernel function kzrtevw() builds the temporary view for a table, view or synonym that has an RLS policy.
During semantic analysis, kzrtevw() is called from the data dictionary layer function kkmfcblo().
A query "select * from maclean" is rewritten during semantic analysis into:
Select * from (select * from maclean where t1=10);
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ temporary view
The temporary view generated by kzrtevw() is then hard parsed again.
14. Data-level security (RLS/VPD)
When referential integrity constraints are involved:
For example, if a child table with an RLS policy enabled also has a foreign key constraint, the RLS mechanism checks whether the related parent table has an RLS policy, to decide whether the parent data can actually be read to validate the constraint. This is done by the kernel function kzrtppg(); if the parent row cannot be read, ORA-28117 is raised.
[oracle@vrh8 ~]$ oerr ora 28117
28117, 00000, "integrity constraint violated - parent record not found"
// *Cause: try to update/insert a child record with new foreign key
// values, but the corresponding parent row is not visible
// because of fine-grained security in the parent.
// *Action: make sure that the updated foreign key values must also
// visible in the parent
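The following is an added example, not from the original slides, that sets up the situation this slide describes: a parent table whose policy hides some rows, a child table with a foreign key (and, as the slide describes, its own policy), and an insert that references a hidden parent row. The expected error is the one documented by the oerr text above; schema SCOTT and the table names are illustrative.

```sql
-- Added example (not from the original slides): VPD on a parent table vs. FK checks.
-- Assumes schema SCOTT; table, policy and function names are illustrative.

CREATE TABLE scott.dept_p (deptno NUMBER PRIMARY KEY, region VARCHAR2(10));
CREATE TABLE scott.emp_c  (empno  NUMBER PRIMARY KEY,
                           deptno NUMBER REFERENCES scott.dept_p (deptno));
INSERT INTO scott.dept_p VALUES (10, 'EAST');
INSERT INTO scott.dept_p VALUES (20, 'WEST');
COMMIT;

-- One policy function for both tables: the parent hides the WEST department,
-- the child carries a policy too (as the slide describes) but an unrestricted one.
CREATE OR REPLACE FUNCTION scott.region_pol (p_schema IN VARCHAR2, p_object IN VARCHAR2)
RETURN VARCHAR2 IS
BEGIN
  IF p_object = 'DEPT_P' THEN
    RETURN 'region = ''EAST''';
  END IF;
  RETURN '1 = 1';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY('SCOTT', 'DEPT_P', 'DEPT_EAST_ONLY', 'SCOTT', 'REGION_POL', 'SELECT');
  DBMS_RLS.ADD_POLICY('SCOTT', 'EMP_C',  'EMP_ALL',        'SCOTT', 'REGION_POL', 'SELECT');
END;
/

-- As SCOTT (not exempt from RLS): deptno 20 exists, but the parent policy hides it,
-- so the FK check cannot see the parent row. Per the oerr text, the insert fails with
-- ORA-28117 rather than leaking the row's existence via a different error.
INSERT INTO scott.emp_c VALUES (1, 10);   -- parent row visible: succeeds
INSERT INTO scott.emp_c VALUES (2, 20);   -- expected: ORA-28117 parent record not found

-- Before adding a policy to a parent table, find the child tables whose writes it will affect
SELECT c.owner, c.table_name, c.constraint_name
  FROM dba_constraints c
  JOIN dba_constraints p
    ON p.owner = c.r_owner AND p.constraint_name = c.r_constraint_name
 WHERE c.constraint_type = 'R'
   AND p.owner = 'SCOTT' AND p.table_name = 'DEPT_P';
```

The last query is the practical takeaway: a policy added to a parent table changes the behaviour of every child table's inserts and updates, so the dependent constraints should be enumerated and tested before the policy goes live.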
15. Data-level security (RLS/VPD)
SYS is exempt from every row-level security (RLS) policy.
The system privilege "EXEMPT ACCESS POLICY" gives an ordinary user the same exemption from RLS policies.
Some useful dictionary views related to RLS policies:
- ALL_POLICIES describes the security policies on the synonyms, tables, and views accessible to the current user.
- DBA_POLICIES describes all security policies in the database.
- USER_POLICIES describes the security policies on the synonyms, tables, and views owned by the current user.
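As an added example (not from the original slides), these are the three checks a reviewer runs against the views above: who is exempt from every policy, which policies are disabled or partial, and which tables in a sensitive schema have no policy at all. It assumes a DBA session; the schema name SCOTT is illustrative.

```sql
-- Added example (not from the original slides): VPD coverage review.
-- Assumes a DBA session; SCOTT is an illustrative schema name.

-- 1. Who bypasses every RLS policy? SYS always does; anyone else needs EXEMPT ACCESS
--    POLICY, which deserves the same scrutiny as SYSDBA. The second branch catches
--    the privilege arriving through a role.
SELECT grantee, admin_option, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY'
UNION ALL
SELECT rp.grantee, rp.admin_option, 'ROLE ' || rp.granted_role
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'EXEMPT ACCESS POLICY';

-- 2. Policies that are disabled, or that leave a DML path uncovered
--    (a SELECT-only policy still lets rows be updated or deleted blind)
SELECT object_owner, object_name, policy_name, enable, sel, ins, upd, del, chk_option
  FROM dba_policies
 WHERE enable = 'NO'
    OR 'NO' IN (sel, ins, upd, del)
 ORDER BY object_owner, object_name;

-- 3. Tables in the sensitive schema with no policy at all
SELECT t.table_name
  FROM dba_tables t
 WHERE t.owner = 'SCOTT'
   AND NOT EXISTS (SELECT 1
                     FROM dba_policies p
                    WHERE p.object_owner = t.owner
                      AND p.object_name  = t.table_name)
 ORDER BY t.table_name;
```

Check 3 matters because VPD is opt-in per object: a copy of a protected table made with CREATE TABLE AS SELECT carries none of the original's policies.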
24. Audit: recording user activity
Init.ora instance initialization parameters required to enable auditing:
- AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
- AUDIT_SYS_OPERATIONS: from Oracle 9i onward, setting this parameter to TRUE records operations performed AS SYSDBA or SYSOPER, not only CONNECT, STARTUP and SHUTDOWN.
- AUDIT_FILE_DEST specifies the audit directory (default $ORACLE_BASE/admin/$SID/adump).
Some useful dictionary views:
- DBA_AUDIT_POLICIES lists FGA policies in the database.
- DBA_AUDIT_TRAIL lists all audit trail entries.
- DBA_AUDIT_OBJECT lists audit trail records for all objects in the database.
- DBA_FGA_AUDIT_TRAIL lists all audit records for fine-grained auditing.
- DBA_COMMON_AUDIT_TRAIL lists all standard and fine-grained audit trail entries, mandatory and SYS audit records written in XML format.
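The following is an added example, not from the original slides, that enables the parameters above, configures standard and fine-grained auditing on one table, and then queries the views above for the events a security team would alert on. It assumes classic (pre-12c unified) auditing on 10g/11g, a DBA session, and an illustrative table SCOTT.WALLET with a BALANCE column.

```sql
-- Added example (not from the original slides): enable auditing and query the trail.
-- Assumes classic auditing (10g/11g), a DBA session; SCOTT.WALLET(BALANCE) is illustrative.

-- Static parameters: take effect after the instance is restarted.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;   -- EXTENDED keeps SQL text and binds
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA/SYSOPER actions -> AUDIT_FILE_DEST

-- Standard auditing: every logon/logoff, and all DML on the sensitive table, one record per statement
AUDIT SESSION;
AUDIT SELECT, INSERT, UPDATE, DELETE ON scott.wallet BY ACCESS;

-- Fine-grained auditing: only SELECTs that read BALANCE on rows where balance > 10000,
-- so the trail stays small enough to be reviewed.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'WALLET',
    policy_name     => 'WALLET_HIGH_BALANCE',
    audit_condition => 'balance > 10000',
    audit_column    => 'BALANCE',
    statement_types => 'SELECT');
END;
/

-- Detection 1: failed logons (ORA-01017) in the last 24 hours, by OS user and host
SELECT os_username, userhost, username, COUNT(*) AS failures
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode  = 1017
   AND timestamp   > SYSDATE - 1
 GROUP BY os_username, userhost, username
 ORDER BY failures DESC;

-- Detection 2: who read high-balance wallets, with the exact statement text
SELECT timestamp, db_user, os_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'WALLET_HIGH_BALANCE'
 ORDER BY timestamp DESC;

-- Detection 3: DML on WALLET from outside the application host
SELECT timestamp, username, os_username, userhost, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'SCOTT' AND obj_name = 'WALLET'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
   AND userhost <> 'app-server-01'                         -- placeholder host name
 ORDER BY timestamp DESC;
```

Note that with AUDIT_SYS_OPERATIONS the SYSDBA/SYSOPER records go to the operating-system files in AUDIT_FILE_DEST (like the .aud file shown in the editor's notes), not to DBA_AUDIT_TRAIL, so a complete picture of privileged activity needs both sources.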
Editor's Notes
SQL> create user maclean_priv identified by oracle;
User created.
SQL> grant connect ,select any table to maclean_priv;
Grant succeeded.
SQL> conn maclean_priv/oracle
Connected.
SQL> select count(*) from sys.obj$;
select count(*) from sys.obj$
                         *
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=TRUE scope=spfile;
System altered.
Reboot instance
SQL> conn maclean_priv/oracle
Connected.
SQL> select count(*) from sys.obj$;
  COUNT(*)
----------
     52140

SQL> alter session set events '10046 trace name context forever,level 8';
Session altered.
SQL> alter system flush shared_pool;
System altered.
SQL> /
System altered.
SQL> select * from t1;
        C1
----------
        10
        10
10046 trace:
select * from t1
begin :con := FUNC1(:sn, :on); end;
10053 trace: sql_id=cvta8kmh9uc3z.
Current SQL statement for this session:
select * from scott.t1
============
Plan Table
============
-------------------------------------+-----------------------------------+
| Id  | Operation         | Name    | Rows  | Bytes | Cost  | Time      |
-------------------------------------+-----------------------------------+
| 0   | SELECT STATEMENT  |         |       |       |     3 |           |
| 1   |  TABLE ACCESS FULL| T1      |     1 |     2 |     3 |  00:00:01 |
-------------------------------------+-----------------------------------+
Predicate Information:
----------------------
1 - filter("C1"=10)

o Errors in alert.log file: ORA-07445: exception encountered: core dump [] [] [] [] [] []
o INSERT or UPDATE statements use Foreign Key/Primary Key enforcement.
o The FK / PK enforcement is protected by OLS policies.
o kzrtppg exists in the call stack printed in the trace file indicating that a Foreign Key Table is accessing a Parent table with an OLS Policy on it.
A call stack example is:
kzrtppg kglsscn kqlsscn kkmfcblo kkmpfcbk qcsprfro qcspafq qcspqb kkmdrv opiSem opiprs kksald
Cause
The Foreign Key/Primary Key reinforcement is protected by an OLS Policy on the Primary Key column that prevents the Foreign Key column from reading the Primary Key column.
@ It can be caused by bug:4620832
Solution
To implement the solution, please execute the following steps:
1. Enable OLS so that the FKs can select from the primary key.
2. Do not use OLS
@ 3. Look for a solution of bug:4620832 . A workaround for this bug is to pin the insert or update cursor @ using dbms_shared_pool.keep

[oracle@vrh8 adump]$ cat g10r25_ora_3630_1.aud
Audit file /s01/admin/G10R25/adump/g10r25_ora_3630_1.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /s01/oracle/product/10.2.0.5/db_1
System name:    Linux
Node name:      vrh8.oracle.com
Release:        2.6.32-200.13.1.el5uek
Version:        #1 SMP Wed Jul 27 21:02:33 EDT 2011
Machine:        x86_64
Instance name: G10R25
Redo thread mounted by this instance: 1
Oracle process number: 18
Unix process pid: 3630, image: oracle@vrh8.oracle.com (TNS V1-V3)

Sat Jul 7 02:26:52 2012
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '2652277393'
Audit cleanup is implicit in audsucc, but audsucc is never called.