• 一个简单的Oracle Redaction实验

    本实验包含了:

    • 简单的Oracle Redaction演示
    • 针对指定用户的Redaction

    实验环境

    假设有一个19c多租户数据库,PDB名为orclpdb1。

    我们将在orclpdb1中建立2个用户:

    • redact_user: redact管理员
    • schema_user: schema用户

    基础实验

    首先进入数据库orclpdb1,创建用户redact_user:

    alter session set container=orclpdb1;
create user redact_user identified by oracle;
grant connect, resource, unlimited tablespace to redact_user;
grant select on Sys.redaction_policies to redact_user;
grant select on Sys.redaction_columns to redact_user;
grant execute on dbms_redact to redact_user;

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6

    然后再创建一个普通用户schema_user:

    alter session set container=orclpdb1;
create user schema_user identified by oracle;
grant connect, resource, unlimited tablespace to schema_user;

    • 1
    • 2
    • 3

    以schema_user用户登录,并创建表和插入数据:

    connect schema_user/oracle@orclpdb1
CREATE TABLE "EMPLOYEES" ("EMPLOYEE_ID" NUMBER(6,0), "FIRST_NAME" VARCHAR2(20), "LAST_NAME" VARCHAR2(25), "SOCIAL_SECURITY" VARCHAR2(11), "SALARY" NUMBER(4,0));
insert into EMPLOYEES (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SOCIAL_SECURITY,SALARY) values (100,'Steven','King','247-85-9056',7000);
insert into EMPLOYEES (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SOCIAL_SECURITY,SALARY) values (101,'Neena','Kochhar','334-08-6578',5000);
commit;

    • 1
    • 2
    • 3
    • 4
    • 5

    以redact_user登入,定义redact策略:

    connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.ADD_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy',
   column_name            => 'SOCIAL_SECURITY',
   function_type          => DBMS_REDACT.RANDOM,
   expression             => '1=1',
   enable                 => TRUE
   );
END;
/

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14

    注意,此时redact_user对于schema_user中的表是没有读取权限的:

    SQL> show user
USER is "REDACT_USER"
SQL> select * from schema_user.employees;
select * from schema_user.employees
                          *
ERROR at line 1:
ORA-00942: table or view does not exist

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7

    此时schema_user查看SOCIAL_SECURITY列,策略生效:

    SQL> connect schema_user/oracle@orclpdb1
Connected.
SQL> select social_security from employees;

SOCIAL_SECU
-----------
z8e.SQ<Y#@m
qP/uDj(&yX7

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8

    赋予redact_user对表的读取权限:

    grant select on employees to redact_user;
connect redact_user/oracle@orclpdb1

SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
Q*NCEmtLY2V
E,8FG0#gM4@

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9

    可以看到,目前redact策略对redact_user也是生效的。

    扩展实验

    在此实验中,我们将实现选择性的redaction。即redact policy仅对schema_user生效。

    这时通过redact expresion实现的。

    查看DBMS_REDACT的帮助。其语法为:

    DBMS_REDACT.ADD_POLICY (
   object_schema                IN    VARCHAR2 := NULL,
   object_name                  IN    VARCHAR2,
   policy_name                  IN    VARCHAR2,
   column_name                  IN    VARCHAR2 := NULL,
   function_type                IN    BINARY_INTEGER := DBMS_REDACT.FULL,
   function_parameters          IN    VARCHAR2 := NULL,
   expression                   IN    VARCHAR2,
   enable                       IN    BOOLEAN := TRUE,
   regexp_pattern               IN    VARCHAR2 := NULL,
   regexp_replace_string        IN    VARCHAR2 := NULL,
   regexp_position              IN    BINARY_INTEGER := 1,
   regexp_occurrence            IN    BINARY_INTEGER := 0,
   regexp_match_parameter       IN    VARCHAR2 := NULL,
   policy_description           IN    VARCHAR2 := NULL,
   column_description           IN    VARCHAR2 := NULL);

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16

    其expression参数的作用为:

    Default boolean expression for the table or view. If this expression is used, then redaction takes place only if this policy expression evaluates to TRUE.

    现在要做的就是修改策略:

    connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.ALTER_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy',
   column_name            => 'SOCIAL_SECURITY',
   action                 => DBMS_REDACT.MODIFY_EXPRESSION,
   expression             => 'SYS_CONTEXT ( ''USERENV'',''SESSION_USER'' ) =''SCHEMA_USER'''
);
END;
/

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13

    现在不同的用户查看的结果就不一样了:

    SQL> connect redact_user/oracle@orclpdb1
Connected.
SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
247-85-9056
334-08-6578

SQL> connect schema_user/oracle@orclpdb1
Connected.
SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
9NbODS\?AVj
PAOj4FtYXIW

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17

    清理:

    connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.DROP_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy'
   );
END;
/

alter session set container=orclpdb1;
drop user schema_user cascade;
drop user redact_user cascade;

    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14

    参考

  • 相关阅读:
    Go基础语法:指针和make和new
    软件设计原则(下)
    常用Web安全扫描工具合集
    Source Insight安装与使用
    sklearn快速入门教程:处理分类型数据
    k8s--基础--12.2--pod--生命周期,状态,重启策略
    Amazon云计算AWS(三)
    2022.10.29每日刷题打卡(补
    文心一言 VS 讯飞星火 VS chatgpt (88)-- 算法导论8.3 1题
    基于STM32单片机设计的红外测温仪(带人脸检测)
  • 原文地址:https://blog.csdn.net/stevensxiao/article/details/134441595