Database Vault(DBV)和領域管理

hooca發表於2015-01-07
Database
DB:11.2.0.4

在安裝時,選擇安裝元件Database Vault(在選擇企業版、標準版的介面)
建立完資料庫後,使用DBCA->資料庫配置,新增Database Vault,會要求建立DBV相關賬號。

提示,要在DBCA正式開始新增DBV前(進度條介面還沒出來前),重啟資料庫(會有彈出視窗作如此提示)。要啟動到open狀態。

完成後,可以登入https://hostname:port/dva進入Web管理頁面(記住,裡面登入要輸入資料庫主機地址和監聽器埠號)。

DBV將建立3個賬戶實現職責分離:
安全管理員:DBV物件所有者,DV_OWNER,DV_ADMIN
賬戶管理員:負責管理賬戶命令,DV_ACCTMGR。sys使用者不再能建立使用者。
執行管理員:負責授權,並保護安全相關的引數修改。sys使用者將是唯一在該領域的使用者。

領域管理

建立領域

使用角色為DV_OWNER的使用者,

點選(此處)摺疊或開啟

  1. BEGIN
  2.         dbms_macadm.create_realm(
  3.            realm_name => 'Cust_Card_realm'
  4.          , description => 'Protect customer and card details information'
  5.          , enabled => dbms_macutl.g_yes
  6.          , audit_options => dbms_macutl.g_realm_audit_fail
  7.         );
  8. END;
  9. /
新增領域的保護物件

點選(此處)摺疊或開啟

  1. BEGIN
  2.      dbms_macadm.add_object_to_realm (
  3.        realm_name => 'Cust_Card_realm'
  4.       ,object_owner => 'HK'
  5.       ,object_name => '%'
  6.       ,object_type => '%'
  7.       );
  8. END;
  9. /

  11. BEGIN
  12.      dbms_macadm.add_object_to_realm (
  13.        realm_name => 'Cust_Card_realm'
  14.       ,object_owner => 'SOE'
  15.       ,object_name => 'ORDERS'
  16.       ,object_type => 'TABLE'
  17.       );
  18. END;
  19. /




領域帶來的許可權變化

1. 如果有角色對領域所保護的物件有許可權,那麼因為DBA有GRANT許可權,因此DBA可以把自己GRANT該角色並使用SET ROLE切換到該角色來繞開領域的保護。
應對該問題的方法是:將該角色一道加入領域的保護

點選(此處)摺疊或開啟

  1. BEGIN
  2.      dbms_macadm.add_object_to_realm (
  3.        realm_name => 'Cust_Card_realm'
  4.       ,object_owner => 'SOE'
  5.       ,object_name => 'SELECT_SOE_ROLE'
  6.       ,object_type => 'ROLE'
  7.       );
  8. END;
  9. /
2. 領域針對的是對系統ANY許可權。意味著光有領域授權,沒有ANY許可權是無用的;同樣如果是對物件object的許可權,領域與此無關。
3. 領域管理員自身不能被賦予領域許可權,也無法直接訪問資料庫物件。
4. 在有物件被領域保護後,物件所有者仍然可以對該物件執行SELECT, DML, EXECUTE操作,但DDL,GRANT操作被禁止。
5. 授予使用者賬戶管理領域物件的許可權:
管理領域的角色有兩種:領域管理員和領域參與者。前者可以:
    1)授予、撤銷領域保護物件的許可權
    2)授予、撤銷領域保護的角色

a. 使用角色為DV_ACCTMGR得賬戶建立角色

點選(此處)摺疊或開啟

  1. SQL> show user
  2. USER is "DBVACCMGR"
  3. SQL>
  4. SQL> create user batman identified by batman;

  6. User created.

  8. SQL> create user robin identified by robin;

  10. User created.
b. 使用sys賬戶賦予應用程式管理員ANY許可權

點選(此處)摺疊或開啟

  1. SQL> connect / as sysdba
  2. Connected.
  3. SQL> grant dba to batman;

  5. Grant succeeded.

  7. SQL> grant dba to robin;

  9. Grant succeeded.
c. 賦予領域許可權

點選(此處)摺疊或開啟

  1. --領域管理員
  2. BEGIN
  3.   dbms_macadm.add_auth_to_realm (
  4.       realm_name => 'Customer_Card_realm'
  5.     , grantee => 'BATMAN'
  6.     , rule_set_name => NULL
  7.     , auth_options => dbms_macutl.g_realm_auth_owner );
  8. END;
  9. /
  10. --領域參與者
  11. BEGIN
  12.   dbms_macadm.add_auth_to_realm (
  13.       realm_name => 'Customer_Card_realm'
  14.     , grantee => 'ROBIN'
  15.     , rule_set_name => NULL
  16.     , auth_options => dbms_macutl.g_realm_auth_participant );
  17. END;
  18. /

d. 然後使用BATMAN, ROBIN賬戶登入對領域內物件執行管理任務。
如執行DDL語句,GRANT/REVOKE語句, 角色管理等。
使用安全應用程式角色(SAR)管理領域內的物件

與上例的領域擁有者/參與者針對系統許可權不同,SAR主要是針對物件許可權

摘抄原書:

點選(此處)摺疊或開啟

  1. dbvowner@aos> -- create the DBV Secure Application Role
    dbvowner@aos> BEGIN
        dbms_macadm.create_role(
           role_name     => 'SALES_ARCHIVE_ROLE'
         , enabled       => 'Y'
         , rule_set_name => 'Is System Maintenance Allowed'
         );
    END;
    /
    PL/SQL procedure successfully completed.
    dbvowner@aos> -- protect the role in the Sales History realm
    dbvowner@aos> BEGIN
        dbms_macadm.add_object_to_realm (
          realm_name    => 'Sales History'
         ,object_owner  => 'SH'
         ,object_name   => 'SALES_ARCHIVE_ROLE'
  2.      ,object_type   => 'ROLE'
         );
    END;
    /
    PL/SQL procedure successfully completed.
  3. --檢視當前SAR角色
  4. sys@aos>SELECT *
    FROM dba_application_roles
    WHERE role = 'SALES_ARCHIVE_ROLE';
    ROLE                SCHEMA    PACKAGE
    ------------------- --------- ------------------
    SALES_ARCHIVE_ROLE  DVSYS     DBMS_MACSEC_ROLES
    1 row selected.
  5. --使用領域所有者賬戶為SAR授予物件許可權
  6. mary@aos> -- grant the require object privileges
    mary@aos> -- to the DBV Secure Application Role
    mary@aos> GRANT DELETE ON sh.channels TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.costs TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.countries TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.customers TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.products TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.promotions TO sales_archive_role;
    Grant succeeded.
    mary@aos> GRANT DELETE ON sh.sales TO sales_archive_role;
    Grant succeeded.
    mary@aos> -- grant the DBV Secure Application Role
    mary@aos> -- to the account SCOTT
    mary@aos> GRANT sales_archive_role TO scott;
    Grant succeeded.
  7. --驗證
  8. scott@aos> -- show the date and time of day factors that affect
    scott@aos> -- the DBV Rule Set that controls the role enablement
    scott@aos>SELECT TO_CHAR(SYSDATE,'DAY') "DAY_OF_WEEK",
            TO_CHAR(SYSDATE,'HH24') "HOUR_OF_DAY"
    FROM DUAL;
    DAY_OF_WEEK                          HO
    ------------------------------------ --
    MONDAY                               10
    1 row selected.
    scott@aos> -- attempt to use the privileges granted to the
    scott@aos> -- role to demonstrate the privileges are not enabled
    scott@aos> -- by default as with a normal Oracle role.
    scott@aos> -- We will test deleting records greater than 10 years old
    scott@aos>DELETE sh.sales WHERE time_id < (SYSDATE-(365*10));
    DELETE sh.sales WHERE time_id < (SYSDATE-(365*10))
              *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    scott@aos> -- attempt to enable the role outside of the
    scott@aos> -- authorized system maintenance timeframe
    scott@aos>EXEC dvsys.dbms_macsec_roles.set_role('SALES_ARCHIVE_ROLE');
    BEGIN dvsys.dbms_macsec_roles.set_role('SALES_ARCHIVE_ROLE'); END;
    *
    ERROR at line 1:
    ORA-47305: Rule Set violation on SET ROLE (Is System Maintenance Allowed)
    ORA-06512: at "DVSYS.DBMS_MACUTL", line 38
    ORA-06512: at "DVSYS.DBMS_MACUTL", line 381
    ORA-06512: at "DVSYS.DBMS_MACSEC", line 242
    ORA-06512: at "DVSYS.ROLE_IS_ENABLED", line 4
    ORA-06512: at "DVSYS.DBMS_MACSEC_ROLES", line 24
    ORA-06512: at line 1
  9. scott@aos> -- show the date and time of day factors that affect
    scott@aos> -- the DBV Rule Set that controls the role enablement
    scott@aos>SELECT TO_CHAR(SYSDATE,'DAY') "DAY_OF_WEEK",
            TO_CHAR(SYSDATE,'HH24') "HOUR_OF_DAY"
    FROM DUAL;
    DAY_OF_WEEK                          HO
    ------------------------------------ --
    FRIDAY                               17
    1 row selected.
    scott@aos> -- attempt to enable the role, which will succeed
    scott@aos>EXEC dvsys.dbms_macsec_roles.set_Role('SALES_ARCHIVE_ROLE');
    PL/SQL procedure successfully completed.
    scott@aos> -- attempt to use the privileges granted to the
    scott@aos> -- role by deleting records greater than 10 years old
    scott@aos>DELETE sh.sales WHERE time_id < (SYSDATE-(365*10));
    221651 rows deleted.




來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/22621861/viewspace-1393649/,如需轉載,請註明出處,否則將追究法律責任。

相關文章