20:01:53 SQL> grant inherit privileges on user sys to lbacsys container=all;
Grant succeeded.
Elapsed: 00:00:00.40
07:48:31 SQL> select name,status from dba_ols_status;
NAME STATU
-------------------- -----
OLS_CONFIGURE_STATUS FALSE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS FALSE
Elapsed: 00:00:00.01
07:48:40 SQL> exec configure_ols;
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.07
07:49:00 SQL> select name,status from dba_ols_status;
NAME STATU
-------------------- -----
OLS_CONFIGURE_STATUS TRUE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS FALSE
Elapsed: 00:00:00.00
07:49:11 SQL> exec ols_enforcement.enable_ols;
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.08
07:49:42 SQL> select name,status from dba_ols_status;
NAME STATU
-------------------- -----
OLS_CONFIGURE_STATUS TRUE
OLS_DIRECTORY_STATUS FALSE
OLS_ENABLE_STATUS TRUE
Elapsed: 00:00:00.01
20:02:57 SQL> exec sa_sysdba.create_policy(policy_name=>'lbac_policy_test1',column_name=>'lbac_col1',default_options=>'read_control,update_control');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.94
08:04:58 SQL> exec sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1');
BEGIN sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1'); END;
*
ERROR at line 1:
ORA-12458: Oracle Label Security not enabled
ORA-06512: at "LBACSYS.LBAC_SERVICES", line 54
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 96
ORA-12458: Oracle Label Security not enabled
ORA-06512: at "LBACSYS.LBAC_STANDARD", line 3
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 9
ORA-06512: at "LBACSYS.LBAC_LGSTNDBY_UTIL", line 75
ORA-06512: at "LBACSYS.SA_SYSDBA", line 23
ORA-06512: at line 1
如果遇到上面的问题,则需要运行下面的command
08:05:35 SQL> alter session set container=cdb$root;
Session altered.
Elapsed: 00:00:00.00
08:06:42 SQL> grant inherit privileges on user sys to lbacsys container=all;
Grant succeeded.
Elapsed: 00:00:00.53
08:06:47 SQL> alter session set container=tdetest2pdb10888;
Session altered.
Elapsed: 00:00:00.00
08:07:00 SQL> exec sa_sysdba.create_policy(policy_name=>'policy_ccc1',column_name=>'policy_ccc1_col1');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.79
20:06:02 SQL> select policy_name,column_name,status,policy_options,policy_subscribed from dba_sa_policies;
POLICY_NAME COLUMN_NAM STATUS POLICY_OPTIONS POLIC
-------------------- ---------- -------- ------------------------------ -----
LBAC_POLICY_TEST1 LBAC_COL1 ENABLED READ_CONTROL, UPDATE_CONTROL FALSE
20:26:44 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>500,short_name=>'hs',long_name=>'highly_sensitive');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.11
20:28:45 SQL> select policy_name,level_num,short_name,long_name from dba_sa_levels;
POLICY_NAME LEVEL_NUM SHORT_NAME LONG_NAME
-------------------- ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1 500 HS HIGHLY_SENSITIVE
23:29:32 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>400,short_name=>'s',long_name=>'sensitive');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.17
23:30:14 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>300,short_name=>'c',long_name=>'confidential');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
23:31:03 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>200,short_name=>'p',long_name=>'public');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
创建compartment
23:35:44 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>400,short_name=>'fi',long_name=>'financial');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.07
23:38:09 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>300,short_name=>'che',long_name=>'chemical');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
23:38:50 SQL> exec sa_components.create_compartment(policy_name=>'lbac_policy_test1',comp_num=>200,short_name=>'op',long_name=>'operational');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
23:41:32 SQL> select policy_name,comp_num,short_name,long_name from dba_sa_compartments;
POLICY_NAME COMP_NUM SHORT_NAME LONG_NAME
------------------------------ ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1 300 CHE CHEMICAL
LBAC_POLICY_TEST1 400 FI FINANCIAL
LBAC_POLICY_TEST1 200 OP OPERATIONAL
Elapsed: 00:00:00.01
创建groups
01:09:52 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1000,short_name=>'wr',long_name=>'western_region');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.06
01:12:16 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1100,short_name=>'wr_sal',long_name=>'wr_sales');
PL/SQL procedure successfully completed.
01:14:36 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1200,short_name=>'wr_fin',long_name=>'wr_financial',parent_name=>'wr');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
01:20:01 SQL> exec sa_components.alter_group_parent(policy_name=>'lbac_policy_test1',short_name=>'wr_sal',new_parent_name=>'wr');
PL/SQL procedure successfully completed.
01:21:28 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1300,short_name=>'wr_hr',long_name=>'wr_human_resources',parent_name=>'wr');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
01:24:43 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1250,short_name=>'wr_fin_receiv',long_name=>'wr_fin_receivable',parent_name=>'wr_fin');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
01:26:14 SQL> exec sa_components.create_group(policy_name=>'lbac_policy_test1',group_num=>1260,short_name=>'wr_fin_pay',long_name=>'wr_fin_payable',parent_name=>'wr_fin');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.01
01:27:13 SQL> select policy_name,group_num,short_name,long_name,parent_num,parent_name from dba_sa_groups;
POLICY_NAME GROUP_NUM SHORT_NAME LONG_NAME PARENT_NUM PARENT_NAME
------------------------------ ---------- ------------------------------ ------------------------------ ---------- ------------------------------
LBAC_POLICY_TEST1 1000 WR WESTERN_REGION
LBAC_POLICY_TEST1 1200 WR_FIN WR_FINANCIAL 1000 WR
LBAC_POLICY_TEST1 1260 WR_FIN_PAY WR_FIN_PAYABLE 1200 WR_FIN
LBAC_POLICY_TEST1 1250 WR_FIN_RECEIV WR_FIN_RECEIVABLE 1200 WR_FIN
LBAC_POLICY_TEST1 1300 WR_HR WR_HUMAN_RESOURCES 1000 WR
LBAC_POLICY_TEST1 1100 WR_SAL WR_SALES 1000 WR
6 rows selected.
Elapsed: 00:00:00.00
创建label
01:43:00 SQL> exec sa_label_admin.create_label(policy_name=>'lbac_policy_test1',label_tag=>1000,label_value=>'s:op:wr_sal,wr_fin_receiv',data_label=>true);
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.17
01:44:31 SQL> select policy_name,label,label_tag,label_type from dba_sa_labels;
POLICY_NAME LABEL LABEL_TAG LABEL_TYPE
------------------------------ ------------------------------ ---------- ---------------
LBAC_POLICY_TEST1 S:OP:WR_SAL,WR_FIN_RECEIV 1000 USER/DATA LABEL
Elapsed: 00:00:00.00
authorize user
01:51:59 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>600,short_name=>'sec',long_name=>'secret');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
01:54:56 SQL> exec sa_components.create_level(policy_name=>'lbac_policy_test1',level_num=>700,short_name=>'top_sec',long_name=>'top_secret');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.00
01:56:41 SQL> select * from dba_sa_levels;
POLICY_NAME LEVEL_NUM SHORT_NAME LONG_NAME
------------------------------ ---------- ------------------------------ ------------------------------
LBAC_POLICY_TEST1 300 C CONFIDENTIAL
LBAC_POLICY_TEST1 500 HS HIGHLY_SENSITIVE
LBAC_POLICY_TEST1 200 P PUBLIC
LBAC_POLICY_TEST1 600 SEC SECRET
LBAC_POLICY_TEST1 400 S SENSITIVE
LBAC_POLICY_TEST1 700 TOP_SEC TOP_SECRET
6 rows selected.
Elapsed: 00:00:00.01
01:58:29 SQL> exec sa_user_admin.set_levels(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',max_level=>'sec',min_level=>'p',def_level=>'s',row_level=>'c');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.16
02:08:27 SQL> exec sa_user_admin.set_compartments(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',read_comps=>'che,fi,op',write_comps=>'che,fi',def_comps=>'che,fi,op',row_comps=>'che,fi');
PL/SQL procedure successfully completed.
02:16:30 SQL> exec sa_user_admin.set_groups(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',read_groups=>'wr_fin,wr_sal',write_groups=>'wr_fin',def_groups=>'wr_fin',row_groups=>'wr_fin');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.06
赋予用户权限
05:29:15 SQL> exec sa_user_admin.set_user_privs(policy_name=>'lbac_policy_test1',user_name=>'pdbadmin',privileges=>'writeup,writedown');
PL/SQL procedure successfully completed.
05:31:13 SQL> select * from dba_sa_user_privs;
USER_NAME POLICY_NAME USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN LBAC_POLICY_TEST1 WRITEUP,WRITEDOWN
将policy和table关联起来
05:45:16 SQL> exec sa_policy_admin.apply_table_policy(policy_name=>'lbac_policy_test1',schema_name=>'pdbadmin',table_name=>'t_1',table_options=>'read_control,write_control,check_control');
PL/SQL procedure successfully completed.
更新表的label信息
05:44:48 SQL> create table pdbadmin.t_1 as select * from dba_objects;
Table created.
Elapsed: 00:00:00.90
05:45:16 SQL> exec sa_policy_admin.apply_table_policy(policy_name=>'lbac_policy_test1',schema_name=>'pdbadmin',table_name=>'t_1',table_options=>'read_control,write_control,check_control');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.76
05:57:18 SQL> update pdbadmin.t_1 set lbac_col1=char_to_label('lbac_policy_test1','S:OP:WR_SAL,WR_FIN_RECEIV') where owner in ('SYS','SYSTEM');
54297 rows updated.
Elapsed: 00:00:07.78
05:58:52 SQL> COMMIT;
Commit complete.
Elapsed: 00:00:00.00
我只对u1用户赋予了read权限,在尝试update的时候就报错了
06:04:32 SQL> exec sa_user_admin.set_user_privs(policy_name=>'lbac_policy_test1',user_name=>'u1',privileges=>'read');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.04
06:25:50 SQL> select owner,object_name,object_id from pdbadmin.t_1 where object_name='I_FILE#_BLOCK#';
OWNER OBJECT_NAME OBJECT_ID
-------------------- ------------------------------ ----------
SYS I_FILE#_BLOCK# 9
Elapsed: 00:00:00.01
06:07:41 SQL> update pdbadmin.t_1 set object_id=999 where object_name='I_FILE#_BLOCK#';
update pdbadmin.t_1 set object_id=999 where object_name='I_FILE#_BLOCK#'
*
ERROR at line 1:
ORA-12406: unauthorized SQL statement for policy LBAC_POLICY_TEST1
Elapsed: 00:00:00.10
移除u1用户的read权限
06:27:24 SQL> select * from dba_sa_user_privs;
USER_NAME POLICY_NAME USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN LBAC_POLICY_TEST1 WRITEUP,WRITEDOWN
U1 LBAC_POLICY_TEST1 READ
Elapsed: 00:00:00.01
06:27:33 SQL> exec sa_user_admin.drop_user_access(policy_name=>'lbac_policy_test1',user_name=>'u1');
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.02
06:28:10 SQL> select * from dba_sa_user_privs;
USER_NAME POLICY_NAME USER_PRIVILEGES
------------------------------ ------------------------------ ------------------------------
PDBADMIN LBAC_POLICY_TEST1 WRITEUP,WRITEDOWN
Elapsed: 00:00:00.01
u1用户需要重新连接,重新连接后,事实上存在的数据由于权限不足无法查询到
06:28:48 SQL> connect u1/u1@tdetest2pdb10896
Connected.
06:29:05 SQL> select owner,object_name,object_id from pdbadmin.t_1 where object_name='I_FILE#_BLOCK#';
no rows selected
Elapsed: 00:00:00.01
label security对于sys用户无法限制,sys用户可以访问所有的数据
label security是限制owner的权限的,owner如果没有授权的话,是无法访问自己的表里的数据的