Oracle 12c New Feature: Enhanced PDB Lockdown Profiles
1 Overview
1.1 About PDB Lockdown Profiles
A PDB lockdown profile is a named set of rules that controls which operations may be performed in a PDB. The restrictions apply to every user of that PDB.
For example, a profile can prevent users from executing statements such as ALTER SYSTEM, which to some degree strengthens the security of the database.
Operations in the following four areas can be restricted:
- Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to share network identity.
- Common user or object access. These are operations in which a local user in the PDB can proxy through common user accounts or access objects in a common schema. These kinds of operations include adding or replacing objects in a common schema, granting privileges to common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating a user proxy to a common user.
- Operating System access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.
- Connections. For example, you can restrict common users from connecting to the PDB or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.
2 Walkthrough
2.1 Create a PDB Lockdown Profile
-- Log in to the CDB root, then create the lockdown profile
SQL> create lockdown profile cndba_prof;
Lockdown Profile created.
-- Modify the lockdown profile: disable flushing the shared pool
SQL> ALTER LOCKDOWN PROFILE cndba_prof DISABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');
Lockdown Profile altered.
Note: if a lockdown profile is already in use, any modification to it takes effect immediately.
2.2 Enable the PDB Lockdown Profile
- Enabling the lockdown profile at the CDB level applies it to every PDB in that CDB
SQL> alter system set pdb_lockdown=cndba_prof;
System altered.
- Enabling it at the PDB level (the same statement, run while connected to that PDB) applies it only to that PDB
SQL> alter system set pdb_lockdown=cndba_prof;
2.3 Log in to the PDB and verify that the profile is effective
Attempt the operation that the lockdown profile restricts: flushing the shared pool.
SQL> alter system flush shared_pool;
alter system flush shared_pool
*
ERROR at line 1:
ORA-01031: insufficient privileges
The statement is rejected with an insufficient-privileges error, while other operations still succeed. For example:
SQL> alter system set sessions=400;
System altered.
2.4 Disable the PDB Lockdown Profile
As with enabling, this can be done at the CDB level or the PDB level:
SQL> alter system set pdb_lockdown='';
2.5 Drop the PDB Lockdown Profile
SQL> DROP Lockdown Profile cndba_prof;
Lockdown Profile dropped.
For more information about PDB lockdown profiles, see the official documentation:
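As an added example that is not part of the original post, the script below extends cndba_prof to cover the other three areas listed in section 1.1 (network access, OS access, connections), shows how a narrower ENABLE rule carves an exception out of a broader DISABLE rule, and queries the dictionary views to confirm what is in force. The feature names are the 12.2 lockdown feature bundles; the PDB name CNDBA_PDB and the choice of OPEN_CURSORS are placeholders for this illustration.

```sql
-- Added example: extend cndba_prof beyond the single ALTER SYSTEM clause.
-- Run from the CDB root as a common user holding ALTER LOCKDOWN PROFILE.

-- 1. Network access: UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR and
--    DBMS_DEBUG_JDWP are covered together by the NETWORK_ACCESS feature bundle.
ALTER LOCKDOWN PROFILE cndba_prof DISABLE FEATURE = ('NETWORK_ACCESS');

-- 2. Operating system access: UTL_FILE and DBMS_FILE_TRANSFER.
ALTER LOCKDOWN PROFILE cndba_prof DISABLE FEATURE = ('OS_ACCESS');

-- 3. Connections: common users can no longer connect to the PDB directly.
ALTER LOCKDOWN PROFILE cndba_prof DISABLE FEATURE = ('COMMON_USER_CONNECT');

-- 4. Rules compose by specificity: block every ALTER SYSTEM SET, then
--    re-enable only the parameter local administrators legitimately need
--    (OPEN_CURSORS is a placeholder choice). The more specific rule wins.
ALTER LOCKDOWN PROFILE cndba_prof DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET');
ALTER LOCKDOWN PROFILE cndba_prof ENABLE  STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET')
                                          OPTION = ('OPEN_CURSORS');

-- Review the profile's rule set from the root before assigning it.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'CNDBA_PROF'
 ORDER BY rule_type, rule, clause, clause_option;

-- Assign the profile to one PDB only (CNDBA_PDB is a placeholder name).
ALTER SESSION SET CONTAINER = CNDBA_PDB;
ALTER SYSTEM SET PDB_LOCKDOWN = cndba_prof;

-- Inside the PDB, list the rules actually in effect for this container.
SELECT rule_type, rule, clause, clause_option, status
  FROM v$lockdown_rules
 ORDER BY rule_type, rule, clause, clause_option;
```

Because changes to a profile that is already in use apply immediately, review the DBA_LOCKDOWN_PROFILES output before assigning the profile rather than after.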
http://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG-GUID-0D525203-A1A7-46BB-B9DB-03F2D1A3803F