Orcle 12c 新特性 --- 增强PDB Lockdown Profiles

1 说明

1.1 关于PDB Lockdown Profiles

PDB lockdown profile是一组可以控制操作的命名集。控制PDB的操作权限，是对所有用户都生效。

例如：可以控制用户禁止直行ALTER SYSTEM这样的语法。某种程度上保证了数据库的安全性。

可以限制下面四个方面的操作：

1. Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to share network identity.

2. Common user or object access. These are operations in which a local user in the PDB can proxy through common user accounts or access objects in a common schema. These kinds of operations include adding or replacing objects in a common schema, granting privileges to common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating a user proxy to a common user.

3. Operating System access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.

4. Connections. For example, you can restrict common users from connecting to the PDB or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.

2 实验

2.1 创建PDB Lockdown Profile

–登录到CDB root，然后创建Lockdown profile

SQL> create lockdown profile cndba_prof;
Lockdown Profile created.

–修改Lockdown profile，禁用刷新共享池

SQL> ALTER LOCKDOWN PROFILE cndba_prof DISABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');

Lockdown Profile altered.

注意：一个Lockdown profile正在使用，如果修改它，会立刻生效。

2.2 启用PDB Lockdown Profile

• CDB级别启用Lockdown Profile，那么就会对该CDB下的所有PDB都生效

SQL> alter system set pdb_lockdown=cndba_prof;
System altered.

• PDB级别启用Lockdown Profile，则只对这个PDB生效

alter system set pdb_lockdown=cndba_prof;

2.3 登录到PDB测试是否有效

根据Lockdown profile所有限制的操作，做清空共享池操作。

SQL> alter system flush shared_pool;
alter system flush shared_pool
*
ERROR at line 1:
ORA-01031: insufficient privileges

提示没有权限操作，其他操作正常。如：

SQL>  alter system set sessions=400;
System altered.

2.4 禁用PDB Lockdown Profile

同样区分CDB级别和PDB级别设置

alter system set pdb_lockdown='';

2.5 删除PDB Lockdown Profile

SQL > DROP Lockdown Profile cndba_prof;
Lockdown Profile dropped.

关于更多PDB Lockdown Profile信息，请查看官方文档：
http://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG-GUID-0D525203-A1A7-46BB-B9DB-03F2D1A3803F