本帖最后由 windjack 于 2020-6-10 11:24 编辑
Oracle Secure Application Roles-安全角色
------------------------------------------------
安全应用角色
1.可以解决其他客户端程序越权访问数据的问题。
2.比隐藏密码机制更好。
3.使用SYS_CONTEXT机制和VPD效果一样。
4.启用角色时通过包,而不是通过密码。
测试环境:
linux x86-64
ORACLE 19.3.0.0
-----------------------------------------------------------------------------------------------
[oracle@dbserver admin]$ sqlplus / as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jun 10 10:44:35 2020
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
1.建立一个名为secure_user的应用用户,只有create session权限或其他权限,但不具有查询HR用户下表的权限。
SQL> create user secure_user identified by oracle;
User created.
SQL> grant create session to secure_user;
Grant succeeded.
2.创建1个安全角色,此时认证使用的过程包不需要已经存在。赋予对hr.emp表的查询权限。
SQL> create role secure_role identified using hr.auth_role;
Role created.
SQL> grant select on hr.emp to secure_role;
Grant succeeded.
3.创建权限信息表。如果权限比较简单,也可以不使用权限信息表,直接在验证包里写验证信息。
目的是为了限制应用用户从指定IP连接上来才具有安全角色权限。
表结构如下
SQL> create table hr.auth_roles
2 (
3 username varchar2(50),
4 role varchar2(50),
5 IP_ADDRESS varchar2(50),
6 enabled number
7 )
8 ;
Table created.
SQL> insert into hr.auth_roles values('SECURE_USER','SECURE_ROLE','192.168.133.1',1);
1 row created.
4.创建验证的包和包体
需要包含AUTHID CURRENT_USER子句:
create or replace procedure hr.auth_role
AUTHID CURRENT_USER
as
cursor vc is
SELECT role
FROM hr.AUTH_ROLES
WHERE username = upper(sys_context('userenv','current_user'))
AND ip_address = upper(sys_context('userenv','ip_address'))
AND enabled=1;
v_role hr.auth_roles.role%TYPE;
begin
open vc;
loop
fetch vc into v_role;
IF vc%ROWCOUNT = 0 THEN
raise_application_error(-20123,'This IP has Invalid Privilege',false);
END IF;
exit when vc%notfound;
dbms_session.set_role(v_role);
end loop;
exception
when others then
dbms_output.put_line(dbms_utility.format_error_stack);
END;
/
5.分配这个包的执行权限,权限表的查询权限以及角色给应用用户。
权限分配表的权限给了应用用户,应用用户可以知道哪些IP具有权限,
如果不使用权限分配表,写在存储过程中,
应用用户也可以从all_sources视图中查询到存储过程的内容。
SQL> grant execute on hr.auth_role to secure_user;
Grant succeeded.
SQL> grant select on hr.auth_roles to secure_user;
Grant succeeded.
SQL> grant secure_role to secure_user;
Grant succeeded.
SQL> ALTER USER secure_user DEFAULT ROLE ALL EXCEPT secure_role;
User altered.
6.测试连接
从IP 192.168.133.1连接(我这里是win10的环境,服务器IP是192.168.133.120)
C:\Users\lg>sqlplus secure_user/oracle@192.168.133.120:1521/orcl
L*Plus: Release 12.1.0.2.0 Production on 星期三 6月 10 11:01:39 2020
Copyright (c) 1982, 2014, Oracle. All rights reserved.
上次成功登录时间: 星期三 6月 10 2020 10:57:50 +08:00
连接到:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
SQL> exec hr.auth_role;
PL/SQL 过程已成功完成。
SQL> select count(*) from hr.emp;
COUNT(*)
----------
107
SQL>
从其他IP连接(我测试从服务器本机连接)
[oracle@dbserver ~]$ sqlplus secure_user/oracle
SQL*Plus: Release 19.0.0.0.0 - Production on Wed Jun 10 11:12:13 2020
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Last Successful login time: Wed Jun 10 2020 11:12:07 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> exec hr.auth_role;
PL/SQL procedure successfully completed.
SQL> select count(*) from hr.emp;
select count(*) from hr.emp
*
ERROR at line 1:
ORA-00942: table or view does not exist
可以看出SECURE_USER只有从192.168.133.1登录才具有查询HR.EMP的权限。
--THE END.
附一道练习题:
QUESTION 198You want to create arole that: - is protected from unauthorized usage - does not use apassword embedded in the application source code or stored in a table - isenabled for a user based on securitypolicies defined in a PL/SQLpackage How would you create this role? A. as asecure applicationrole B. with definer’srights C. with global authentication D. with external authentication Answer: A
|