虚拟专用数据库VPD应用 (48天)

原创

jeanron100 2021-07-21 17:24:06 ©著作权

文章标签 VPD 文章分类 代码人生

©著作权归作者所有：来自51CTO博客作者jeanron100的原创作品，请联系作者获取转载授权，否则将追究法律责任

系统中有个需求，需要把一个表里的信用卡号字段进行权限管理，大家讨论再三，说TDE不太好，因为需求希望能够让有些用户可以访问这个表，但是卡号字段读不到东西。有些用户可以直接读取该字段的内容。

我给了一个建议，使用VPD,基于列的VPD可以满足这样的需求。

以下是一个样例，供参考。

--create user and grant privileges

create user test identified by test;

grant connect,resource to test;

grant execute dbms_rls to test;

create user credit_test identified by oracle;

grant connect,resource to credit_test;

grant create synonym to credit_test;

--create samples tables

SQL> create table credit_card_test as select object_id card_id,object_name card_name,object_id card_pwd from all_objects ;

Table created.

SQL> select count(*) from all_objects;

COUNT(*)

----------

4876

SQL> select * from credit_card_test where rownum<10;

CARD_ID CARD_NAME CARD_PWD

---------- ------------------------------ ----------

258 DUAL 258

259 DUAL 259

311 SYSTEM_PRIVILEGE_MAP 311

313 SYSTEM_PRIVILEGE_MAP 313

314 TABLE_PRIVILEGE_MAP 314

316 TABLE_PRIVILEGE_MAP 316

317 STMT_AUDIT_OPTION_MAP 317

319 STMT_AUDIT_OPTION_MAP 319

605 MAP_OBJECT 605

9 rows selected.

SQL> desc credit_card_test

Name Null? Type

----------------------------------------- -------- ----------------------------

CARD_ID NOT NULL NUMBER

CARD_NAME NOT NULL VARCHAR2(30)

CARD_PWD NOT NULL NUMBER

--create synonyms or roles using credit_test

create or replace synonym credit_card_test for test.credit_card_test;

--using test(table owner account)

--add_policy create_rls.sql

exec dbms_rls.add_policy(object_schema => 'test',object_name => 'credit_card_test',policy_name => 'card_pwd_policy',function_schema =>'test',policy_function => 'rls_encryption',statement_types =>'select',policy_type => dbms_rls.CONTEXT_SENSITIVE,sec_relevant_cols=>'card_pwd',sec_relevant_cols_opt=>dbms_rls.all_rows);

--add function create_rls_f.sql

create or replace function rls_encryption (p_owner in varchar2,p_obj in varchar2)

return varchar2

is v_flag varchar2(1000);

begin

if(p_owner=USER ) then

v_flag:=null;

else

v_flag:='1=2';

end if;

return v_flag;

end;

--drop policy drop_rls.sql

exec dbms_rls.drop_policy(object_schema => 'test',object_name => 'credit_card_test',policy_name => 'card_pwd_policy');

SQL> @drop_rls.sql

PL/SQL procedure successfully completed.

SQL> @create_rls.sql

PL/SQL procedure successfully completed.

SQL> @create_rls_f.sql

Function created.

SQL> conn test/test

seConnected.

SQL> lect * from credit_card_test where rownum<10;

CARD_ID CARD_NAME CARD_PWD

---------- ------------------------------ ----------

258 DUAL 258

259 DUAL 259

311 SYSTEM_PRIVILEGE_MAP 311

313 SYSTEM_PRIVILEGE_MAP 313

314 TABLE_PRIVILEGE_MAP 314

316 TABLE_PRIVILEGE_MAP 316

317 STMT_AUDIT_OPTION_MAP 317

319 STMT_AUDIT_OPTION_MAP 319

605 MAP_OBJECT 605

9 rows selected.

SQL> conn credit_test/oracle

Connected.

SQL> select * from credit_card_test where rownum<10;

CARD_ID CARD_NAME CARD_PWD

---------- ------------------------------ ----------

258 DUAL

259 DUAL

311 SYSTEM_PRIVILEGE_MAP

313 SYSTEM_PRIVILEGE_MAP

314 TABLE_PRIVILEGE_MAP

316 TABLE_PRIVILEGE_MAP

317 STMT_AUDIT_OPTION_MAP

319 STMT_AUDIT_OPTION_MAP

605 MAP_OBJECT

9 rows selected.

上一篇：关于创建视图的问题(48天)

下一篇：性能调优之redo切换频率(47天)

提问和评论都可以，用心的回复会被更多人看到评论

发布评论

相关文章

官方博客	全部文章	热门标签	班级博客
了解我们	网站地图	意见反馈

鸿蒙开发者社区	51CTO学堂
51CTO	软考资讯