创建label security的policy

最新推荐文章于 2022-04-20 10:46:09 发布
最新推荐文章于 2022-04-20 10:46:09 发布
阅读量322 收藏
点赞数
分类专栏: orale 文章标签: oracle
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wgz7747147820/article/details/112261991
版权 
20:01:53 SQL> grant inherit privileges on user sys to lbacsys container=all;

Grant succeeded.

Elapsed: 00:00:00.40

07:48:31 SQL> select name,status from dba_ols_status;

NAME		     STATU
-------------------- -----
OLS_CONFIGURE_STATUS FALSE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS    FALSE

Elapsed: 00:00:00.01
07:48:40 SQL> exec configure_ols;

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.07
07:49:00 SQL> select name,status from dba_ols_status;

NAME		     STATU
-------------------- -----
OLS_CONFIGURE_STATUS TRUE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS    FALSE

Elapsed: 00:00:00.00
07:49:11 SQL> exec ols_enforcement.enable_ols;

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.08
07:49:42 SQL> select name,status from dba_ols_status;

NAME		     STATU
-------------------- -----
OLS_CONFIGURE_STATUS TRUE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS    TRUE

Elapsed: 00:00:00.01


20:02:57 SQL> exec sa_sysdba.create_policy(policy_name=>'lbac_policy_test1',column_name=>'lbac_col1',default_options=>'read_control,update_control');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.94


08:04:58 SQL> exec sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1');
BEGIN sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1'); END;

*
ERROR at line 1:
ORA-12458: Oracle Label Security not enabled
ORA-06512: at "LBACSYS.LBAC_SERVICES", line 54
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 96
ORA-12458: Oracle Label Security not enabled
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 3
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 9
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 75
ORA-06512: at "LBACSYS.SA_SYSDBA", line 23
ORA-06512: at line 1

如果遇到上面的问题,则需要运行下面的command

08:05:35 SQL> alter session set container=cdb$root;

Session altered.

Elapsed: 00:00:00.00
08:06:42 SQL> grant inherit privileges on user sys to lbacsys container=all;

Grant succeeded.

Elapsed: 00:00:00.53
08:06:47 SQL> alter session set container=tdetest2pdb10888;

Session altered.

Elapsed: 00:00:00.00
08:07:00 SQL> exec sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.79



20:06:02 SQL> select policy_name,column_name,status,policy_options,policy_subscribed from dba_sa_policies;

POLICY_NAME	     COLUMN_NAM STATUS	 POLICY_OPTIONS 		POLIC
-------------------- ---------- -------- ------------------------------ -----
LBAC_POLICY_TEST1    LBAC_COL1	ENABLED  READ_CONTROL, UPDATE_CONTROL	FALSE

20:26:44 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>500,short_name=>'hs',long_name=>'highly_sensitive');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.11

20:28:45 SQL> select policy_name,level_num,short_name,long_name from dba_sa_levels;

POLICY_NAME	      LEVEL_NUM SHORT_NAME		       LONG_NAME
-------------------- ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1	    500 HS			       HIGHLY_SENSITIVE

23:29:32 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>400,short_name=>'s',long_name=>'sensitive');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.17
23:30:14 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>300,short_name=>'c',long_name=>'confidential');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01
23:31:03 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>200,short_name=>'p',long_name=>'public');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.00

创建compartment

23:35:44 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>400,short_name=>'fi',long_name=>'financial');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.07

23:38:09 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>300,short_name=>'che',long_name=>'chemical');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01
23:38:50 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>200,short_name=>'op',long_name=>'operational');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01

23:41:32 SQL> select policy_name,comp_num,short_name,long_name from dba_sa_compartments;

POLICY_NAME			 COMP_NUM SHORT_NAME			 LONG_NAME
------------------------------ ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1		      300 CHE				 CHEMICAL
LBAC_POLICY_TEST1		      400 FI				 FINANCIAL
LBAC_POLICY_TEST1		      200 OP				 OPERATIONAL

Elapsed: 00:00:00.01

创建groups

01:09:52 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1000,short_name=>'wr',long_name=>'western_region');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.06

01:12:16 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1100,short_name=>'wr_sal',long_name=>'wr_sales');

PL/SQL procedure successfully completed.

01:14:36 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1200,short_name=>'wr_fin',long_name=>'wr_financial',parent_name=>'wr');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01

01:20:01 SQL> exec sa_components.alter_group_parent(policy_name=>'lbac_policy_test1',short_name=>'wr_sal',new_parent_name=>'wr');

PL/SQL procedure successfully completed.

01:21:28 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1300,short_name=>'wr_hr',long_name=>'wr_human_resources',parent_name=>'wr');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01


01:24:43 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1250,short_name=>'wr_fin_receiv',long_name=>'wr_fin_receivable',parent_name=>'wr_fin');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.00
01:26:14 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1260,short_name=>'wr_fin_pay',long_name=>'wr_fin_payable',parent_name=>'wr_fin');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.01
01:27:13 SQL> select policy_name,group_num,short_name,long_name,parent_num,parent_name from dba_sa_groups;

POLICY_NAME			GROUP_NUM SHORT_NAME			 LONG_NAME			PARENT_NUM PARENT_NAME
------------------------------ ---------- ------------------------------ ------------------------------ ---------- ------------------------------
LBAC_POLICY_TEST1		     1000 WR				 WESTERN_REGION
LBAC_POLICY_TEST1		     1200 WR_FIN			 WR_FINANCIAL			      1000 WR
LBAC_POLICY_TEST1		     1260 WR_FIN_PAY			 WR_FIN_PAYABLE 		      1200 WR_FIN
LBAC_POLICY_TEST1		     1250 WR_FIN_RECEIV 		 WR_FIN_RECEIVABLE		      1200 WR_FIN
LBAC_POLICY_TEST1		     1300 WR_HR 			 WR_HUMAN_RESOURCES		      1000 WR
LBAC_POLICY_TEST1		     1100 WR_SAL			 WR_SALES			      1000 WR

6 rows selected.

Elapsed: 00:00:00.00

创建label

01:43:00 SQL> exec sa_label_admin.create_label(policy_name=>'lbac_policy_test1',label_tag=>1000,label_value=>'s:op:wr_sal,wr_fin_receiv',data_label=>true);

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.17

01:44:31 SQL> select policy_name,label,label_tag,label_type from dba_sa_labels;

POLICY_NAME		       LABEL			       LABEL_TAG LABEL_TYPE
------------------------------ ------------------------------ ---------- ---------------
LBAC_POLICY_TEST1	       S:OP:WR_SAL,WR_FIN_RECEIV	    1000 USER/DATA LABEL

Elapsed: 00:00:00.00

authorize user

01:51:59 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>600,short_name=>'sec',long_name=>'secret');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.00

01:54:56 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>700,short_name=>'top_sec',long_name=>'top_secret');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.00

01:56:41 SQL> select * from dba_sa_levels;

POLICY_NAME			LEVEL_NUM SHORT_NAME			 LONG_NAME
------------------------------ ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1		      300 C				 CONFIDENTIAL
LBAC_POLICY_TEST1		      500 HS				 HIGHLY_SENSITIVE
LBAC_POLICY_TEST1		      200 P				 PUBLIC
LBAC_POLICY_TEST1		      600 SEC				 SECRET
LBAC_POLICY_TEST1		      400 S				 SENSITIVE
LBAC_POLICY_TEST1		      700 TOP_SEC			 TOP_SECRET

6 rows selected.

Elapsed: 00:00:00.01

01:58:29 SQL> exec sa_user_admin.set_levels(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',max_level=>'sec',min_level=>'p',def_level=>'s',row_level=>'c');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.16

02:08:27 SQL>  exec sa_user_admin.set_compartments(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',read_comps=>'che,fi,op',write_comps=>'che,fi',def_comps=>'che,fi,op',row_comps=>'che,fi');

PL/SQL procedure successfully completed.

02:16:30 SQL> exec sa_user_admin.set_groups(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',read_groups=>'wr_fin,wr_sal',write_groups=>'wr_fin',def_groups=>'wr_fin',row_groups=>'wr_fin');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.06

赋予用户权限

05:29:15 SQL> exec sa_user_admin.set_user_privs(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',privileges=>'writeup,writedown');

PL/SQL procedure successfully completed.


05:31:13 SQL> select * from dba_sa_user_privs;

USER_NAME		       POLICY_NAME		      USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN		       LBAC_POLICY_TEST1	      WRITEUP,WRITEDOWN

将policy和table关联起来

05:45:16 SQL> exec sa_policy_admin.apply_table_policy(policy_name=>'lbac_policy_test1',schema_name=>'pdbadmin',table_name=>'t_1',table_options=>'read_control,write_control,check_control');

PL/SQL procedure successfully completed.

更新表的label信息


05:44:48 SQL> create table pdbadmin.t_1 as select * from dba_objects;

Table created.

Elapsed: 00:00:00.90
05:45:16 SQL> exec sa_policy_admin.apply_table_policy(policy_name=>'lbac_policy_test1',schema_name=>'pdbadmin',table_name=>'t_1',table_options=>'read_control,write_control,check_control');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.76


05:57:18 SQL> update pdbadmin.t_1 set lbac_col1=char_to_label('lbac_policy_test1','S:OP:WR_SAL,WR_FIN_RECEIV') where owner in ('SYS','SYSTEM');

54297 rows updated.

Elapsed: 00:00:07.78
05:58:52 SQL> COMMIT;

Commit complete.

Elapsed: 00:00:00.00

我只对u1用户赋予了read权限,在尝试update的时候就报错了

06:04:32 SQL> exec sa_user_admin.set_user_privs(policy_name=>'lbac_policy_test1',user_name=>'u1',privileges=>'read');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.04


06:25:50 SQL> select owner,object_name,object_id from pdbadmin.t_1 where object_name='I_FILE#_BLOCK#';

OWNER		     OBJECT_NAME		     OBJECT_ID
-------------------- ------------------------------ ----------
SYS		     I_FILE#_BLOCK#			     9

Elapsed: 00:00:00.01


06:07:41 SQL> update pdbadmin.t_1 set object_id=999 where object_name='I_FILE#_BLOCK#';
update pdbadmin.t_1 set object_id=999 where object_name='I_FILE#_BLOCK#'
                *
ERROR at line 1:
ORA-12406: unauthorized SQL statement for policy LBAC_POLICY_TEST1


Elapsed: 00:00:00.10

移除u1用户的read权限

06:27:24 SQL> select * from dba_sa_user_privs;

USER_NAME		       POLICY_NAME		      USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN		       LBAC_POLICY_TEST1	      WRITEUP,WRITEDOWN
U1			       LBAC_POLICY_TEST1	      READ

Elapsed: 00:00:00.01
06:27:33 SQL> exec sa_user_admin.drop_user_access(policy_name=>'lbac_policy_test1',user_name=>'u1');

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.02
06:28:10 SQL> select * from dba_sa_user_privs;

USER_NAME		       POLICY_NAME		      USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN		       LBAC_POLICY_TEST1	      WRITEUP,WRITEDOWN

Elapsed: 00:00:00.01

u1用户需要重新连接,重新连接后,事实上存在的数据由于权限不足无法查询到
06:28:48 SQL> connect u1/u1@tdetest2pdb10896
Connected.
06:29:05 SQL> select owner,object_name,object_id from pdbadmin.t_1 where object_name='I_FILE#_BLOCK#';

no rows selected

Elapsed: 00:00:00.01

label security对于sys用户无法限制,sys用户可以访问所有的数据
label security是限制owner的权限的,owner如果没有授权的话,是无法访问自己的表里的数据的
wgz7747147820
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
SQLT 说明文档 215187.1
u010692693的专栏
11-16 571
215187.1SQLTXPLAIN (SQLT) 10g_11g_12c_18c_19c_4th_August_2019 Tool that helps to diagnose SQL statements performing poorly SQLTOverview Security Model InstallingSQLT UninstallingS...
Oracle Label Security(Oracle标签安全性)
KEI
12-14 955
如需转载,请注明出处 http://kei.iteye.com   Why we choose OLS   1、绝大多数商业应用程序都必须处理安全性问题。应用程序经常需要限制对专用记录的访问、建立审计跟踪,或者执行一个工作流过程,所有这些都要符合公司的安全策略。构建安全的软件是一个富有挑战性且复杂的工作,在整个机构内管理软件的安全策略可能会更困难。   2、作为模式(schema)设计...
Oracle_Label_Security[转]
abc123098098的博客
06-21 191
http://www.dbform.com/html/tag/oracle_label_security 前言:在Oracle9i中有一个组件称为Oracle Label Security,这个组件实现了基于自定义策略而对数据库中的表甚或是整个Schema提供行级安全性功能。实际上Oracle Label Security是在Oracle8.1.7中提出的,在9i版本中功能得到了大幅度...
GBase 8s CREATE SECURITY POLICY 语句
qq_39280087的博客
04-20 94
使用 CREATE SECURITY POLICY 语句在当前数据库中定义新的安全策略,标识它的安全标签组 件和存取规则。只有 GBase 8s 支持此语句。 该语句是 SQL ANSI/ISO 标准的扩展。 语法 用法 安全策略是存储以下信息的已命名的数据库对象:  它定义包括安全标签的安全标签组件集。  它将存取规则集合与安全标签关联。 对于由安全策略保护的表,该存取规则使 GBase 8s 比较具有一列或行的安全标签的用户的安全凭证。 安全策略应用于确定拥有给定安全标签的用户是否可以向被安全标签
【拾漏补遗】【12c Release 1 (12.1.0.2)】Managing Security for Definer's Rights and Invoker's Rights
viviliving的专栏
03-21 597
5Managing Security for Definer's Rights andInvoker's Rights Invoker’s rights and definer’s rights用于控制对特权的访问以运行用户创建的过程时具有几个安全优势 Topics: About Definer's Rights and Invoker's Rights How Proce...
ORA-06598: insufficient INHERIT PRIVILEGES privilege (Doc ID 2690051.1)
j_ychen的博客
11-26 1351
Issue is from OEM data masking .Database using account pdbadmin , which has sysdba grant . But during Application data modeling job below error is coming. Processing application: TEST_MASK(TEST_MASK) User does not have sufficient privileges to complete..
Oracle Security
06-12
About the Security Policy and Security Plan Types of Accounts Standards for Accounts Standards for Usernames Standards for Passwords Standards for Roles Standards for Views Standards for the ...
privacy-policy
03-15
使用`<label>`和`<input>`标签创建表单元素,允许用户选择是否同意政策。例如: ```html 通过继续使用我们的服务,您表示同意我们的服务条款和本隐私政策。 <label for="agreement">我已阅读并同意上述隐私...
Oracle Solaris 11.3 Trusted Extensions Label Administration-136
最新发布
06-28
2. **安全策略(Security Policy)**:定义了标签的使用方式和规则,包括哪些用户可以访问哪些标签,以及标签之间的转换规则。安全策略可以通过 ZFS 文件系统和网络服务进行配置。 3. **网络命名空间(Network ...
Oracle Solaris 11 Trusted Extensions Label Administration-124
06-19
这些策略可以通过“安全策略表”(Security Policy Tables, SPTs)进行配置。 4. **颜色(Color)**:颜色是一种可视化的标签表示,用户可以通过颜色快速识别不同安全级别的对象。例如,红色可能代表最高安全级别,...
netlabel.rar_Linux/Unix编程_Unix_Linux_
08-11
NetLabel是Linux内核中的一项功能,用于处理网络数据包的安全标签,特别是针对CIPSO(Common Internet Policy Security Option)标签。它允许系统对不同安全级别的网络流量进行分类和管理,提高了系统的整体安全性。...
在plsql中控制调用者权限
jc_benben的专栏
03-28 1157
-- 1,环境创建 SQL> create user sneaky_developer identified by 123; 用户已创建。 SQL> grant create session,create procedure to sneaky_developer; 授权成功。 SQL> create user normal_user identified by 123; 用户已创建
12c 新增权限Inherit privilege说明
cuiqiong6888的博客
09-14 1194
inherit privilege权限: B用户(较低权限)创建了Invoker’s right procedure,A用户(较高权限)调用B用户的procedure执行时使用的是A的权限,为防止B在A不知情...
Element-UI级联(cascader)实现权限管理
weixin_42592879的博客
09-26 1968
Element-UI级联实现权限管理 最近在用element-ui练习项目重构,为了实现权限管理这个模块,花了不少功夫。 文章目录Element-UI级联实现权限管理1.实现效果1.element-ui的级联1.选择组件2.配置组件总结 1.实现效果 这里是对角色的管理,可以修改删除和授权,修改是修改名字,删除就是删除角色。主要难点在于如何实现授权这个功能,点击授权之后,首先要获得后台的权限数据,如果有授权有层级,还有显示出层级效果,并且要根据用户的不同,默认选中其拥有的权限。 1.element-
(Win10家庭版)Oracle出现insufficient privileges权限不足问题的解决方法之一
懵懵不懂的博客
08-06 3070
起因 在学习WEB时,需要用到数据库进行交互。当索取超级管理员身份时,报错提示权限不足。 conn /as sysdba ERROR:ORA-01031:insufficient privileges 摸索 我使用的系统是笔记本自带的Win10家庭版。为了解决问题,我查找了网上的许多资料。可惜,这些参考资料大多是默认系统为专业版,有组这个功能的。没有办法,只好自己瞎鼓捣。 解决办法 1.在开始菜单中,找到Oracle文件夹,打开其中的Administration Assistant for Window
Oracle Sharding
weixin_33762321的博客
07-25 274
一直以来在关系型数据库当中,MySQL的分库分表被所有企业认可,并广泛的应用于互联网行业及各大电商平台,数据库的中间件产品也是满目狼藉,如代表,官方的MySQL Proxy、商用的有阿里DRDS、开源的有MyCAT、Altas等等。 自从Oracle 12.2发布之后,Oracle数据库也可以实现分库分表,袋鼠云RDS基于Oracle12.2分库分表的功...
官方文档关于sqlt工具的介绍
kiwi的专栏
10-29 3872
215187.1 SQLTXPLAIN (SQLT) 11.4.5.3 2012 年 12 月 31 日 帮 助诊断性能较差的 SQL 语句的工具 SQLT 概览 安全模式 安 装 SQLT 卸 载 SQLT 升 级 SQLT 常 见问题 新 增功能!   主 要方法 XTRACT XECUTE XTRXEC XPLAIN
Oracle Label Security(Oracle标签安全性)
bjguan's BLOG
01-18 4847
现在保护每一行的安全  
安装卸载Oracle Label Security
njyxfw的专栏
03-24 3257
本文给大家简单演示一下在Linux操作系统下,Oracle 11g环境中如何安装和卸载Oracle Label Security。 1.操作系统信息 ora11g@secdb /home/oracle$ uname -a Linux secdb 2.6.18-194.el5 #1 SMP Mon Mar 29 20:06:41 EDT 2010 i686 i686 i386 GNU/
Oracle Label Security Administrator’s Guide 11g Release 2 (11.2)
06-18
Oracle Label Security Administrator’s Guide 11g Release 2 (11.2)-294

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值