将光标置于此图标上以加载和查看本教程的所有屏幕截图。(警告:因为此操作会同时加载所有屏幕截图,所以网速较慢时,响应时间可能会比较长。)
注意:
此外,还可以在下列步骤中将光标放在每个单独的图标上,从而仅加载和查看与该步骤相关的屏幕截图。
可以使用 Oracle 标签安全性在使用敏感性标签的现有应用程序中实施更细粒度的安全性。由于大量信息存储在单个数据库中,因此数据库整合和互联网已经使细粒度访问控制变得非常重要。
返回主题列表
本教程使用示例模式表 HR.LOCATIONS 和 HR.JOB_HISTORY。Oracle 标签安全性为 LOCATIONS 和 JOB_HISTORY 表中的数据行分配敏感性标签。亚洲地区中的三个位置被分配了 SENSITIVE::ASIA 敏感性标签。美国的某个位置被分配了 HIGHLY_SENSITIVE::UNITED_STATES 敏感性标签。所有剩余位置被分配了 PUBLIC 敏感性标签。
JOB_HISTORY 表中 END_DATE 大于五年的数据行被分配了 SENSITIVE 敏感性标签。END_DATE 小于或等于五年的数据行被分配了 CONFIDENTIAL 敏感性标签。
应用程序所有者 HR 有权读取和写入 JOB_HISTORY 和 LOCATIONS 中的所有数据行。
MYCO_MGR 应用程序用户有权查看标记为 SENSITIVE 和比 SENSITIVE 低并拥有 US、ASIA 或 EUROPE 组的 LOCATIONS 表中的所有数据。MYCO_PLANNING 应用程序用户有权查看标记为 HIGHLY SENSITIVE 和比 HIGHLY SENSITIVE 低并拥有 GLOBAL 组的 LOCATIONS 表中的所有数据。请注意,US、ASIA 和 EUROPE 组为 GLOBAL 组的下级。
创建了两个 Oracle 标签安全性策略:
FACILITY
指定的安全列为 FACLAB
PRIVACY
指定的安全列为 PRIVLAB
这两个列的安全列在创建策略时标记为 HIDDEN。
返回主题列表
开始学习本教程之前,您应已经:
完成了教程:
使用真正应用集群 (RAC) 和自动存储管理 (ASM) 在 Windows 上安装 Oracle 数据库 10
g
。
完成了教程:
在 Linux 上安装 Oracle 数据库 10
g
。
在本教程中,您将创建三个用户:MYCO_EMP、MYCO_MGR 和 MYCO_PLANNING。您还将授予他们对 HR 模式中的 JOB_HISTORY 和 LOCATIONS 表的访问权限。
打开一个终端窗口。将目录更改为 /home/oracle/wkdir。使用 /nolog 选项启动 SQL*Plus。在 SQL*Plus 会话中,执行以下脚本:
@ols_setup.sql
Prompt ***********************************************************************
Prompt Connect as User SYSTEM or another DBA with permissions to
Prompt create database accounts
Prompt ***********************************************************************
CONNECT system/<password>@SID
Prompt ***********************************************************************
Prompt Create Users MYCO_EMP
Prompt Create Users MYCO_MGR
Prompt Create Users MYCO_PLANNING
Prompt ***********************************************************************
GRANT CREATE SESSION to MYCO_EMP IDENTIFIED BY MYCO_EMP;
GRANT CREATE SESSION to MYCO_MGR IDENTIFIED BY MYCO_MGR;
GRANT CREATE SESSION to MYCO_PLANNING IDENTIFIED BY MYCO_PLANNING;
Prompt ***********************************************************************
Prompt Connect as User HR and grant select on job_history to
Prompt MYCO_MGR, MYCO_EMP and MYCO_PLANNING
Prompt
Prompt Grant select on locations to MYCO_EMP and MYCO_MGR.
Prompt Grant select, insert, update, delete on locations to MYCO_PLANNING
Prompt
Prompt Note - A database role could be used here in place of direct grants
Prompt ***********************************************************************
CONNECT HR/hr@o10g1
GRANT SELECT ON JOB_HISTORY TO MYCO_EMP;
GRANT SELECT ON JOB_HISTORY TO MYCO_MGR;
GRANT SELECT ON JOB_HISTORY TO MYCO_PLANNING;
GRANT SELECT ON LOCATIONS TO MYCO_EMP;
GRANT SELECT ON LOCATIONS TO MYCO_MGR;
GRANT SELECT, INSERT, UPDATE, DELETE ON LOCATIONS TO MYCO_PLANNING;
返回主题列表
您将添加两个策略,即 FACILITY 和 PRIVACY。对于 FACILITY 策略,您将创建三个敏感性级别和四个组。对于 PRIVACY 策略,您将创建两个敏感性级别。使用 SQL*Plus 创建策略,然后使用 Oracle Policy Manager 查看这些策略。执行以下操作:
从 SQL*Plus 会话中,执行以下脚本来创建策略及其组件:
@ols_create_policies.sql
Prompt
Prompt ***********************************************************************
Prompt Connect as User LBACSYS
Prompt ***********************************************************************
CONNECT lbacsys/lbacsys
Prompt
Prompt ***********************************************************************
Prompt Dropping FACILITY and PRIVACY policies in case they exist
Prompt ***********************************************************************
EXECUTE SA_SYSDBA.DROP_POLICY('FACILITY',TRUE);
EXECUTE SA_SYSDBA.DROP_POLICY('PRIVACY',TRUE);
Prompt
Prompt ***********************************************************************
Prompt Creating FACILITY Policy
Prompt ***********************************************************************
EXECUTE SA_SYSDBA.CREATE_POLICY('FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
Prompt
Prompt ***********************************************************************
Prompt Adding sensitivity levels to FACILITY policy:
Prompt ***********************************************************************
EXECUTE SA_COMPONENTS.CREATE_LEVEL('FACILITY',1000,'P','PUBLIC');
EXECUTE SA_COMPONENTS.CREATE_LEVEL('FACILITY',2000,'S','SENSITIVE');
EXECUTE SA_COMPONENTS.CREATE_LEVEL('FACILITY',3000,'HS','HIGHLY_SENSITIVE');
Prompt
Prompt ***********************************************************************
Prompt Adding groups to FACILITY policy:
Prompt ***********************************************************************
EXECUTE SA_COMPONENTS.CREATE_GROUP('FACILITY',1000,'Global','Global');
EXECUTE SA_COMPONENTS.CREATE_GROUP('FACILITY',101,'US','United States','GLOBAL');
EXECUTE SA_COMPONENTS.CREATE_GROUP('FACILITY',102,'EU','Europe','GLOBAL');
EXECUTE SA_COMPONENTS.CREATE_GROUP('FACILITY',103,'Asia','Asia','GLOBAL');
Prompt
Prompt ***********************************************************************
Prompt Creating Labels for FACILITY policy
Prompt ***********************************************************************
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',1000,'P');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2101,'S::US');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3101,'HS::US');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2103,'S::ASIA');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3103,'HS::ASIA');
Prompt
Prompt ***********************************************************************
Prompt Creating PRIVACY Policy
Prompt ***********************************************************************
EXECUTE SA_SYSDBA.CREATE_POLICY('PRIVACY','PRIVLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
Prompt
Prompt ***********************************************************************
Prompt Adding sensitivity levels to PRIVACY policy
Prompt ***********************************************************************
EXECUTE SA_COMPONENTS.CREATE_LEVEL('PRIVACY',1000,'C','CONFIDENTIAL');
EXECUTE SA_COMPONENTS.CREATE_LEVEL('PRIVACY',2000,'S','SENSITIVE');
Prompt
Prompt ***********************************************************************
Prompt Creating Labels for PRIVACY policy
Prompt ***********************************************************************
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL ('PRIVACY',101000,'C');
EXECUTE SA_LABEL_ADMIN.CREATE_LABEL ('PRIVACY',102000,'S');
Prompt ***********************************************************************
Exit;
您现在可以在 Oracle Policy Manager 中查看策略。
@ols_set_user_auth.sql
Prompt
Prompt ***********************************************************************
Prompt Setting User Authorizations for users:
Prompt MYCO_EMP
Prompt MYCO_MGR
Prompt MYCO_PLANNING
Prompt ***********************************************************************
CONNECT lbacsys/lbacsys
Prompt ***********************************************************************
Prompt Setting MYCO_EMP user label authorizations
Prompt Setting MYCO_MGR user label authorizations
Prompt Setting MYCO_PLANNING user label authorizations
Prompt ***********************************************************************
EXECUTE SA_USER_ADMIN.SET_USER_LABELS ('PRIVACY','MYCO_MGR','C');
EXECUTE SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_EMP','P');
EXECUTE SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_MGR','S::US,EU,ASIA');
EXECUTE SA_USER_ADMIN.SET_USER_LABELS ('FACILITY','MYCO_PLANNING','HS::GLOBAL');
Prompt ***********************************************************************
Prompt Authorize user HR privileges FULL and PROFILE_ACCESS on
Prompt FACILITY and PRIVACY policies.
Prompt (FULL:Can read and write to all data)
Prompt (PROFILE_ACCESS:Allows a session to change its session labels and
Prompt session privileges to those of a different user).
Prompt ***********************************************************************
EXECUTE SA_USER_ADMIN.SET_USER_PRIVS ('PRIVACY','HR','FULL,PROFILE_ACCESS');
EXECUTE SA_USER_ADMIN.SET_USER_PRIVS ('FACILITY','HR','FULL,PROFILE_ACCESS');
Exit;
返回主题列表
可以将 Oracle 标签安全性策略应用于整个应用程序方案或应用于单个应用程序表。您将把它应用于 LOCATIONS 和 JOB_HISTORY 表。执行以下操作:
从 SQL*Plus 会话中,执行以下脚本将 FACILITY 策略应用于 LOCATIONS 表,并将 PRIVACY 策略应用于 JOB_HISTORY 表:
@ols_apply_policy_to_table.sql
Prompt
Prompt **************************************************************
Prompt Applying FACILITY policy to hr.locations table.
Prompt **************************************************************
CONNECT lbacsys/lbacsys@o10g1
Begin
sa_policy_admin.apply_table_policy (
POLICY_NAME => 'FACILITY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'LOCATIONS',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL,
PREDICATE => 'to_char(sysdate,' || '''' || 'd' || '''' ||
')in (2,3,4,5,6)');
END;
/
Prompt
Prompt *************************************************************
Prompt Applying PRIVACY policy to hr.job_history table.
Prompt *************************************************************
BEGIN
sa_policy_admin.apply_table_policy (
POLICY_NAME => 'PRIVACY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'JOB_HISTORY',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL,
PREDICATE => NULL);
从 SQL*Plus 中,执行以下脚本:
@ols_add_labels_to_data.sql
SPOOL ols_add_labels_to_data.log
Prompt ***********************************************************************
Prompt Populating Data - Enter password for HR schema
Prompt ***********************************************************************
connect hr/hr@o10g1
PROMPT ***********************************************************************
PROMPT SETTING LABELS FOR FACILITY POLICY
PROMPT ***********************************************************************
Prompt ***********************************************************************
Prompt Update Labels for Sites In ASIA
Prompt ***********************************************************************
update hr.locations set faclab = char_to_label('FACILITY','S::ASIA')
where upper(city) in ('BEIJING','TOKYO','SINGAPORE');
Prompt ***********************************************************************
Prompt Update Labels for Sites In US
Prompt ***********************************************************************
update hr.locations set faclab = char_to_label('FACILITY','HS::US')
where upper(city) in ('SOUTH SAN FRANCISCO');
Prompt ***********************************************************************
Prompt Update Labels for all remaining locations
Prompt ***********************************************************************
update hr.locations set faclab = char_to_label('FACILITY','P')
where faclab is NULL;
PROMPT ***********************************************************************
PROMPT SETTING LABELS FOR PRIVACY POLICY
PROMPT ***********************************************************************
update hr.job_history set privlab = char_to_label('PRIVACY','S')
where ((to_char(sysdate,'YYYY') - to_char(end_date,'YYYY')) > 5);
update hr.job_history set privlab = char_to_label('PRIVACY','C')
where ((to_char(sysdate,'YYYY') - to_char(end_date,'YYYY')) <= 5);
COMMIT;
Spool off;
要加载每个用户的数据,执行以下脚本:
@ols_test_facility.sql
spool ols_test_facility.log
set linesize 180
set pagesize 32
col "FACILITY LABEL" format a30
col "PRIVACY LABEL" format a60
col org_name format a10
col org_id format 9999
col hours format 9999
col expenses format 99999
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User
Prompt * myco_emp
Prompt *
Prompt * select locations.*, label_to_char(faclab)
Prompt * "FACILITY LABEL" from hr.locations;
Prompt *
Prompt *******************************************************
Prompt Hit Return To Continue
Accept CONTINUE
connect myco_emp/myco_emp@o10g1
select locations.*, label_to_char(faclab)
"FACILITY LABEL" from hr.locations;
Prompt Hit Return To Continue
Accept CONTINUE
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User
Prompt * myco_mgr
Prompt *
Prompt * select locations.*, label_to_char(faclab)
Prompt * "FACILITY LABEL" from hr.locations;
Prompt *
Prompt *******************************************************
Prompt Hit Return To Continue
Accept CONTINUE
connect myco_mgr/myco_mgr@o10g1
select locations.*, label_to_char(faclab)
"FACILITY LABEL" from hr.locations;
Prompt Hit Return To Continue
Accept CONTINUE
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User
Prompt * myco_planning
Prompt *
Prompt * select locations.*, label_to_char(faclab)
Prompt * "FACILITY LABEL" from hr.locations;
Prompt *
Prompt *******************************************************
Prompt Hit Return To Continue
Accept CONTINUE
connect myco_planning/myco_planning@o10g1
select locations.*, label_to_char(faclab)
"FACILITY LABEL" from hr.locations;
spool off;
请注意,用户 MYCO_EMP 被赋予公共访问权限,并返回了包含 19 行的结果集。
MYCO_MGR 用户被赋予 SENSITIVE 级别,因此收到
SINGAPORE
、
BEIJING
和
TOKYO
三个附加行。
最终,MYCO_PLANNING 被赋予 HIGHLY-SENSITIVE 授权,并另外收到一个 SOUTH SAN FRANCISCO 行。
@ols_test_privacy.sql
set linesize 180
set pagesize 32
col "FACILITY LABEL" format a30
col "PRIVACY LABEL" format a60
col org_name format a10
col org_id format 9999
col hours format 9999
col expenses format 99999
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User
Prompt * myco_emp
Prompt *
Prompt * select job_history.*, label_to_char(PRIVLAB)
Prompt * "PRIVACY LABEL" from hr.job_history;
Prompt
Prompt *******************************************************
Prompt Hit Return To Continue
Accept CONTINUE
connect myco_emp/myco_emp@o10g1
select job_history.*, label_to_char(PRIVLAB)
"PRIVACY LABEL" from hr.job_history;
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User
Prompt * myco_mgr
Prompt *
Prompt * select job_history.*, label_to_char(PRIVLAB)
Prompt * "PRIVACY LABEL" from hr.job_history;
Prompt
Prompt *******************************************************
Prompt Hit Return To Continue
Accept CONTINUE
connect myco_mgr/myco_mgr@o10g1
select job_history.*, label_to_char(PRIVLAB)
"PRIVACY LABEL" from hr.job_history;
Prompt Hit Return To Continue
Accept CONTINUE
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User HR
Prompt *******************************************************
connect hr/hr@orcl
Prompt *******************************************************
Prompt * Connect to the Oracle database as Application User HR
Prompt *
Prompt * User HR has Oracle Label Security FULL and PROFILE_ACCESS
Prompt * privileges on policies FACILITY and PRIVACY
Prompt *
Prompt * select job_history.*, label_to_char(PRIVLAB)
Prompt * "PRIVACY LABEL" from hr.job_history;
Prompt
Prompt ********************************************************
select job_history.*, label_to_char(PRIVLAB)
"PRIVACY LABEL" from hr.job_history;
spool off;
请注意,MYCO_EMP 看不到任何数据。
MYCO_MGR 只能看到 END_DATE 小于等于 5 年的数据。
HR 用户便可以看到所有数据。
执行以下脚本:
@ols_cleanup.sql
Prompt ***************************************************************
Prompt Connect as User SYSTEM or another DBA with permissions to
Prompt drop database accounts
Prompt ***************************************************************
CONNECT system/oracle@o10g1
Prompt ***************************************************************
Prompt Drop Users myco_EMP
Prompt Drop Users myco_MGR
Prompt Drop Users myco_PLANNING
Prompt ***************************************************************
DROP USER myco_EMP;
DROP USER myco_MGR;
DROP USER myco_PLANNING;
Prompt
Prompt ***************************************************************
Prompt Connect as User LBACSYS
Prompt ***************************************************************
CONNECT lbacsys/lbacsys@o10g1
Prompt
Prompt ***************************************************************
Prompt Dropping FACILITY and PRIVACY policies
Prompt ***************************************************************
EXECUTE SA_SYSDBA.DROP_POLICY('FACILITY',TRUE);
EXECUTE SA_SYSDBA.DROP_POLICY('PRIVACY',TRUE);
EXIT;