Oracle Data Redaction和Oracle Data Pump

本实验的使用环境基于之前的博客：一个简单的Oracle Redaction实验

本实验参考文档为15.14 Oracle Data Redaction and Oracle Data Pump

先创建directory并赋权：

-- connect to database or pluggable database
alter session set container=orclpdb1;
CREATE OR REPLACE DIRECTORY test_dir AS '/u01/app/oracle/oradata/';
GRANT READ, WRITE ON DIRECTORY test_dir TO schema_user;
1
2
3
4

先以schema_user用数据泵导出：

$ expdp schema_user@orclpdb1 tables=employees directory=TEST_DIR dumpfile=expdp.dmp

Export: Release 19.0.0.0.0 - Production on Mon Nov 20 08:13:33 2023
Version 19.20.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Starting "SCHEMA_USER"."SYS_EXPORT_TABLE_01":  schema_user/********@orclpdb1 tables=employees directory=TEST_DIR dumpfile=expdp.dmp
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Processing object type TABLE_EXPORT/TABLE/TABLE
ORA-31693: Table data object "SCHEMA_USER"."EMPLOYEES" failed to load/unload and is being skipped due to error:
ORA-28081: Insufficient privileges - the command references a redacted object.

Master table "SCHEMA_USER"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SCHEMA_USER.SYS_EXPORT_TABLE_01 is:
  /u01/app/oracle/oradata/expdp.dmp
Job "SCHEMA_USER"."SYS_EXPORT_TABLE_01" completed with 1 error(s) at Mon Nov 20 08:13:48 2023 elapsed 0 00:00:12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

出错了，错误为：

$ oerr ora 28081
28081, 00000, "Insufficient privileges - the command references a redacted object."
// *Cause: The command referenced a redacted column in an
// object protected by a data redaction policy.
// *Action: If possible, modify the command to avoid referencing any
// redacted columns.  Otherwise, drop the data redaction policies that
// protect the referenced tables and views, or ensure that the user issuing
// the command has the EXEMPT REDACTION POLICY system privilege, then
// retry the operation.  The EXEMPT REDACTION POLICY system privilege
// is required for creating or refreshing a materialized view when the
// materialized view is based on an object protected by a data redaction
// policy.  The EXEMPT REDACTION POLICY system privilege is required for
// performing a data pump schema-level export including any object
// protected by a data redaction policy.  All data redaction policies are
// listed in the REDACTION_COLUMNS catalog view.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

关键的错误是：

The EXEMPT REDACTION POLICY system privilege is required for performing a data pump schema-level export including any object protected by a data redaction policy.
执行数据泵架构级导出（包括受数据编辑策略保护的任何对象）需要 EXEMPT REDACTION POLICY 系统权限。

简单来说就是，想利用Data Redaction实现数据泵导出的脱敏是做不到的，因为其实质上是物理脱敏。因此，要么你绕过redact policy（利用EXEMPT REDACTION POLICY权限），要么你只导出元数据。

绕过redact policy可以用特权用户，如SYS：

$ expdp system@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp

Export: Release 19.0.0.0.0 - Production on Mon Nov 20 08:20:26 2023
Version 19.20.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Starting "SYSTEM"."SYS_EXPORT_TABLE_01":  system/********@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/RADM_POLICY
. . exported "SCHEMA_USER"."EMPLOYEES"                   6.929 KB       2 rows
Master table "SYSTEM"."SYS_EXPORT_TABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYSTEM.SYS_EXPORT_TABLE_01 is:
  /u01/app/oracle/oradata/expdp.dmp
Job "SYSTEM"."SYS_EXPORT_TABLE_01" successfully completed at Mon Nov 20 08:20:41 2023 elapsed 0 00:00:11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

绕过redact policy的数据泵导出的是原始数据：

$ strings /u01/app/oracle/oradata/expdp.dmp |grep '247-85-9056'
247-85-9056
1
2

文档里也提到了：

This means that, when you export objects with Data Redaction policies defined on them, the actual data in the protected tables is copied to the Data Pump target system without being redacted.

不过redact policy会被一并导出。

利用数据泵导入，验证redact policy也包含在数据泵导出中。

$ impdp system@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp remap_table=employees:employees_new

Import: Release 19.0.0.0.0 - Production on Mon Nov 20 08:35:03 2023
Version 19.20.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Master table "SYSTEM"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SYSTEM"."SYS_IMPORT_TABLE_01":  system/********@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp remap_table=employees:employees_new
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/RADM_POLICY
ORA-39083: Object type RADM_POLICY failed to create with error:
ORA-28069: A data redaction policy already exists on this object.

Failing sql is:
BEGIN DBMS_REDACT.ADD_POLICY(object_schema => '"SCHEMA_USER"', object_name => '"EMPLOYEES"', policy_name => 'redact_policy', expression => '1=1', enable => TRUE);
DBMS_REDACT.ALTER_POLICY (object_schema => '"SCHEMA_USER"', object_name => '"EMPLOYEES"', policy_name => 'redact_policy', action => DBMS_REDACT.ADD_COLUMN, column_name => '"SOCIAL_SECURITY"', function_type => DBMS_REDACT.RANDOM, function_parameters => NULL);
END;

Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "SCHEMA_USER"."EMPLOYEES_NEW"               6.929 KB       2 rows
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Job "SYSTEM"."SYS_IMPORT_TABLE_01" completed with 1 error(s) at Mon Nov 20 08:35:21 2023 elapsed 0 00:00:15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

出错了，原因是由于原表的redact policy已存在。那我们就先删除此policy。

然后导入就没问题了：

$ impdp system@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp remap_table=employees:employees_new

Import: Release 19.0.0.0.0 - Production on Mon Nov 20 08:39:58 2023
Version 19.20.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.
Password:

Connected to: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Master table "SYSTEM"."SYS_IMPORT_TABLE_01" successfully loaded/unloaded
Starting "SYSTEM"."SYS_IMPORT_TABLE_01":  system/********@orclpdb1 tables=schema_user.employees directory=TEST_DIR dumpfile=expdp.dmp remap_table=employees:employees_new
Processing object type TABLE_EXPORT/TABLE/TABLE
Processing object type TABLE_EXPORT/TABLE/RADM_POLICY
Processing object type TABLE_EXPORT/TABLE/TABLE_DATA
. . imported "SCHEMA_USER"."EMPLOYEES_NEW"               6.929 KB       2 rows
Processing object type TABLE_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
Processing object type TABLE_EXPORT/TABLE/STATISTICS/MARKER
Job "SYSTEM"."SYS_IMPORT_TABLE_01" successfully completed at Mon Nov 20 08:40:06 2023 elapsed 0 00:00:05
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

导入后，我们发现策略也导入了：

SQL> select count(*) from redaction_policies;

  COUNT(*)
----------
         1
1
2
3
4
5