溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

Oracle vs PostgreSQL DBA(21)- Oracle VPD

發(fā)布時(shí)間:2020-08-12 16:04:46 來(lái)源:ITPUB博客 閱讀:163 作者:husthxd 欄目:關(guān)系型數(shù)據(jù)庫(kù)

本節(jié)簡(jiǎn)單介紹了Oracle VPD。VPD用于實(shí)現(xiàn)精細(xì)化的權(quán)限管理。

About Oracle Virtual Private Database

What?
VPD的做法:VPD自動(dòng)添加where子句到SQL語(yǔ)句上
影響的對(duì)象:table、view、synonym
涉及的語(yǔ)句:select、insert、update、index和delete
不支持:DDL

基本做法示例:
SELECT FROM OE.ORDERS;
—>應(yīng)用VPD
SELECT FROM OE.ORDERS
WHERE SALES_REP_ID = 159;

Benefits
Security:不管用戶如何訪問(wèn)數(shù)據(jù),都可以確保精細(xì)化的訪問(wèn)控制策略得到執(zhí)行。
Simplicity:只需要在table、view上操作一次即可
Flexibility:select、insert、update、delete都可以有自己的策略

Using Oracle Virtual Private Database with an Application Context
SELECT FROM orders_tab
—>
SELECT FROM orders_tab
WHERE custno = SYS_CONTEXT (‘order_entry’, ‘cust_num’);

Components of an Oracle Virtual Private Database Policy

function
用于產(chǎn)生where子句(謂詞)
輸入?yún)?shù):schema、object name
輸出參數(shù):where子句(有效的)

Configuring an Oracle Virtual Private Database Policy

What
function需與object進(jìn)行綁定,可通過(guò)配置policy實(shí)現(xiàn)綁定。
policy本身用于管理VPD function,同時(shí)可以進(jìn)行精細(xì)化訪問(wèn)控制,比如指定SQL語(yǔ)句類(lèi)型或者策略影響的特定列。
Oracle提供了DBMS_RLS來(lái)進(jìn)行策略管理:ADD、DROP、ENABLE/DISABLE…

How
例子:
SELECT fname, lname, ssn FROM emp;
—>
SELECT fname, lname, ssn FROM emp
WHERE ssn = ‘my_ssn’;

CREATE OR REPLACE FUNCTION hide_sal_comm (
v_schema IN VARCHAR2,
v_objname IN VARCHAR2)
RETURN VARCHAR2 AS
con VARCHAR2 (200);
BEGIN
con := ‘deptno=30’;
RETURN (con);
END hide_sal_comm;
/

BEGIN
DBMS_RLS.ADD_POLICY (
object_schema => ‘scott’,
object_name => ‘emp’,
policy_name => ‘hide_sal_policy’,
policy_function => ‘hide_sal_comm’,
sec_relevant_cols => ‘sal,comm’);
END;
/

— 設(shè)置敏感列輸出
BEGIN
DBMS_RLS.ADD_POLICY(
object_schema => ‘scott’,
object_name => ‘emp’,
policy_name => ‘hide_sal_policy’,
policy_function => ‘hide_sal_comm’,
sec_relevant_cols =>’ sal,comm’,
sec_relevant_cols_opt => dbms_rls.ALL_ROWS);
END;
/

Tutorials

創(chuàng)建數(shù)據(jù)表,設(shè)定謂詞為:username=’測(cè)試’

drop table t_vpd_1;
create table t_vpd_1(id int,username varchar2(20),name varchar2(30));
insert into t_vpd_1(id,username,name) values(1,'test','name1');
insert into t_vpd_1(id,username,name) values(2,'張三','name1');
insert into t_vpd_1(id,username,name) values(3,'測(cè)試','測(cè)試名稱1');
insert into t_vpd_1(id,username,name) values(4,'測(cè)試','測(cè)試名稱2');
commit;

創(chuàng)建函數(shù)

CREATE OR REPLACE FUNCTION func_testvpd_1( 
  schemaname IN VARCHAR2,
  tablename  IN VARCHAR2
 )
 RETURN VARCHAR2
 IS
  ret VARCHAR2 (400);
 BEGIN
  ret := 'username = ''測(cè)試''';
  RETURN ret;
 END func_testvpd_1;
/

創(chuàng)建策略(select)

BEGIN
  DBMS_RLS.DROP_POLICY (
    object_schema    => 'test',
    object_name      => 't_vpd_1',
    policy_name      => 'policy_t_vpd_1'
   );
 END;
/
BEGIN
  DBMS_RLS.ADD_POLICY (
    object_schema    => 'test',
    object_name      => 't_vpd_1',
    policy_name      => 'policy_t_vpd_1',
    function_schema  => 'test',
    policy_function  => 'func_testvpd_1',
    statement_types  => 'select'
   );
 END;
/

測(cè)試策略

-- 查詢
select * from t_vpd_1;
-- 插入
TEST-orcl@DESKTOP-V430TU3>create table t_vpd_2 as select * from t_vpd_1 where 1=2;
Table created.
TEST-orcl@DESKTOP-V430TU3>insert into t_vpd_2(id,username,name) select * from t_vpd_1;
2 rows created.
TEST-orcl@DESKTOP-V430TU3>delete from t_vpd_1;
4 rows deleted.
TEST-orcl@DESKTOP-V430TU3>
TEST-orcl@DESKTOP-V430TU3>update t_vpd_1 set name = 'test';
0 rows updated.

創(chuàng)建策略(select、insert、update、delete)

BEGIN
  DBMS_RLS.DROP_POLICY (
    object_schema    => 'test',
    object_name      => 't_vpd_1',
    policy_name      => 'policy_t_vpd_1'
   );
 END;
/
BEGIN
  DBMS_RLS.ADD_POLICY (
    object_schema    => 'test',
    object_name      => 't_vpd_1',
    policy_name      => 'policy_t_vpd_1',
    function_schema  => 'test',
    policy_function  => 'func_testvpd_1',
    statement_types  => 'select,insert,update,delete'
   );
 END;
/

測(cè)試策略

insert into t_vpd_1(id,username,name) values(1,'test','name1');
insert into t_vpd_1(id,username,name) values(2,'張三','name1');
insert into t_vpd_1(id,username,name) values(3,'測(cè)試','測(cè)試名稱1');
insert into t_vpd_1(id,username,name) values(4,'測(cè)試','測(cè)試名稱2');
commit;
-- 查詢
TEST-orcl@DESKTOP-V430TU3>select * from t_vpd_1;
        ID USERNAME             NAME
---------- -------------------- ------------------------------
         3 測(cè)試                 測(cè)試名稱1
         4 測(cè)試                 測(cè)試名稱2
-- 插入
TEST-orcl@DESKTOP-V430TU3>drop table t_vpd_2 ;
Table dropped.
TEST-orcl@DESKTOP-V430TU3>create table t_vpd_2 as select * from t_vpd_1 where 1=2;
Table created.
TEST-orcl@DESKTOP-V430TU3>insert into t_vpd_2(id,username,name) select * from t_vpd_1;
2 rows created.
TEST-orcl@DESKTOP-V430TU3>update t_vpd_1 set name = 'test';
2 rows updated.
TEST-orcl@DESKTOP-V430TU3>delete from t_vpd_1;
2 rows deleted.
TEST-orcl@DESKTOP-V430TU3>
向AI問(wèn)一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI