Oracle 12c New Feature: Data Redaction
In an Oracle database, when a low-privileged user queries sensitive data in a column, Oracle Data Redaction can mask the data returned to that user so that confidential values stay protected. The data in a column can be redacted in the following ways:
1. Full redaction. All data in the column is redacted: NUMBER columns return 0, character columns return a single space, and DATE columns return 2001-01-01.
2. Partial redaction. Only part of the data in the column is redacted; for example, the leading digits of a social security number can be returned as * while the remaining digits are left unchanged. This method can only be used when the data in the column has a fixed width; if the column holds e-mail addresses, whose lengths vary, regular expressions must be used instead.
3. Regular expressions. You can use regular expressions to look for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. It is designed for use with character data only.
4. Random redaction. The redacted data presented to the querying user appears as randomly generated values each time it is displayed, depending on the data type of the column.
5. No redaction. This option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment.
Data cannot be redacted for the sys and system users, because both hold the EXP_FULL_DATABASE role, and that role in turn includes the EXEMPT REDACTION POLICY system privilege. For the same reason, a user who is meant to be subject to redaction cannot simply be granted the DBA role, since DBA automatically includes EXP_FULL_DATABASE.
Case study:
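Before trusting a policy, a defender wants to know exactly who is exempt from it. The queries below are an added check (not from the original post): they list every grantee holding EXEMPT REDACTION POLICY directly, and every user that reaches it through a role chain such as DBA -> EXP_FULL_DATABASE; they assume access to the DBA_* views.

```sql
-- Added example, not from the original post. Run as a user that can read the
-- DBA_* views (for example SYS, whose own exemption shows up in query 2).

-- 1. Direct holders of the system privilege that bypasses every redaction policy.
select grantee, admin_option
from   dba_sys_privs
where  privilege = 'EXEMPT REDACTION POLICY'
order  by grantee;

-- 2. Users that inherit it through roles, any depth. The hierarchy starts at the
--    roles holding the privilege (EXP_FULL_DATABASE) and walks up through every
--    role that contains them (DBA) to the users those roles are granted to.
--    The WHERE clause is applied after the hierarchy is built, so roles that
--    sit in the middle of the chain are kept as path elements but not listed.
select distinct r.grantee                                 as exempt_user,
                sys_connect_by_path(r.granted_role, ' <- ') as role_path
from   dba_role_privs r
where  r.grantee in (select username from dba_users)
start  with r.granted_role in (select grantee
                               from   dba_sys_privs
                               where  privilege = 'EXEMPT REDACTION POLICY')
connect by nocycle prior r.grantee = r.granted_role
order  by exempt_user;
```

Any account returned by either query will always see the clear values of scott.employee, whatever expression the policy carries.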
SQL> create table employee(id number,name varchar2(10),salary number,jobdate date,mobile varchar2(20));
Table created.
SQL> insert into employee values(1,'tom',6000,to_date('01-07-2012','dd-mm-yyyy'),'135-2009-1146');
1 row created.
SQL> insert into employee values(2,'mary',9000,to_date('01-07-2013','dd-mm-yyyy'),'135-2009-1111');
1 row created.
SQL> commit;
Commit complete.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE
---------- ---------- ---------- --------- --------------------
1 tom 6000 01-JUL-12 135-2009-1146
2 mary 9000 01-JUL-13 135-2009-1111
1. Full redaction
Verifying full redaction (number)
Create the redaction policy
SQL> begin dbms_redact.add_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'salary',
6 function_type=>dbms_redact.full,
7 enable=>true,
8 expression=>'1=1');
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE
---------- ---------- ---------- --------- --------------------
1 tom 0 01-JUL-12 135-2009-1146
2 mary 0 01-JUL-13 135-2009-1111
Verifying full redaction (char)
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'name',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.full,
8 expression=>'1=1');
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE
---------- ---------- ---------- --------- --------------------
1 0 01-JUL-12 135-2009-1146
2 0 01-JUL-13 135-2009-1111
Verifying full redaction (date)
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'jobdate',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.full,
8 expression=>'1=1');
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE
---------- ---------- ---------- --------- --------------------
1 0 01-JAN-01 135-2009-1146
2 0 01-JAN-01 135-2009-1111
2. Partial redaction
Verifying partial redaction (char)
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'mobile',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.partial,
8 expression=>'1=1',
9 function_parameters=>'VVVFVVVVFVVVV,VVV-VVVV-VVVV,*,1,8');
10 end;
11 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE
---------- ---------- ---------- --------- --------------------
1 0 01-JAN-01 ***-****-*146
2 0 01-JAN-01 ***-****-*111
Verifying partial redaction (number)
SQL> alter table employee add num number(38);
Table altered.
SQL> update employee set num=12345 where id=1;
1 row updated.
SQL> update employee set num=67890 where id=2;
1 row updated.
SQL> commit;
Commit complete.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 01-JAN-01 ***-****-*146 12345
2 0 01-JAN-01 ***-****-*111 67890
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'num',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.partial,
8 expression=>'1=1',
9 function_parameters=>'9,1,3');
10 end;
11 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 01-JAN-01 ***-****-*146 99945
2 0 01-JAN-01 ***-****-*111 99990
Verifying partial redaction (date)
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'jobdate',
6 action=>dbms_redact.drop_column,
7 expression=>'1=1')
8 ;
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 01-JUL-12 ***-****-*146 99945
2 0 01-JUL-13 ***-****-*111 99990
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'jobdate',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.partial,
8 expression=>'1=1',
9 function_parameters=>'Md15YHMS'); -- Md15YHMS: uppercase M, Y, H, M, S keep month, year, hour, minute and second; lowercase d15 replaces the day with 15
10 end;
11 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12 ***-****-*146 99945
2 0 15-JUL-13 ***-****-*111 99990
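The regular-expression type listed in the introduction is the one to use for variable-width values such as e-mail addresses, and it is not exercised in this case study. Added example (not code from the original post): it extends policy p1 with an assumed EMAIL column and redacts the local part of each address while keeping the domain; the column, sample addresses, pattern and replacement string are all assumptions.

```sql
-- Added example, not from the original post. Assumes SCOTT.EMPLOYEE gets a new
-- column EMAIL; the sample addresses below are constructed.
alter table scott.employee add (email varchar2(60));
update scott.employee set email = 'tom.jones@example.com' where id = 1;
update scott.employee set email = 'mary@mail.example.org' where id = 2;
commit;

-- Oracle allows one Data Redaction policy per table, so the existing policy p1
-- is extended with the new column instead of creating a second policy.
begin
  dbms_redact.alter_policy(
    object_schema          => 'scott',
    object_name            => 'employee',
    policy_name            => 'p1',
    action                 => dbms_redact.add_column,
    column_name            => 'email',
    function_type          => dbms_redact.regexp,
    -- group 1 = local part, group 2 = domain; only group 2 survives
    regexp_pattern         => '^([^@]+)@([^@]+)$',
    regexp_replace_string  => 'xxxx@\2',
    regexp_position        => 1,     -- start matching at the first character
    regexp_occurrence      => 0,     -- replace every occurrence
    regexp_match_parameter => 'i');  -- case-insensitive, same flags as REGEXP_REPLACE
end;
/

-- For a session that is not exempt: tom.jones@example.com -> xxxx@example.com
select id, email from scott.employee;
```

If the pattern does not match a value (no @ sign, for instance), the value is returned unchanged, so the pattern should be checked against the real data before the policy is relied on.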
Verifying random redaction (the partial policies on mobile and num are dropped first)
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'mobile',
6 action=>dbms_redact.drop_column);
7 end;
8 /
PL/SQL procedure successfully completed.
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'num',
6 action=>dbms_redact.drop_column);
7 end;
8 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12 135-2009-1146 12345
2 0 15-JUL-13 135-2009-1111 67890
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'mobile',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.random,
8 expression=>'1=1');
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'scott',
3 object_name=>'employee',
4 policy_name=>'p1',
5 column_name=>'num',
6 action=>dbms_redact.add_column,
7 function_type=>dbms_redact.random,
8 expression=>'1=1');
9 end;
10 /
PL/SQL procedure successfully completed.
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12 )3;&xt]Y1;C.! 9903
2 0 15-JUL-13 "Rf(LML)*Zn0T 18940
SQL> select *from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12 NHP*iNGYVPX2q 8443
2 0 15-JUL-13 pA,s<
The user can perform DML on the employee table, but cannot run a CTAS (create table as select) based on it. For example:
SQL> insert into employee values(3,'mouse',10000,to_date('01-08-2013','dd-mm-yyyy'),'135-2009-1126',12345);
1 row created.
SQL> commit;
Commit complete.
SQL> select * from employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12
2 0 15-JUL-13 @adG3r.LHilO; 20119
3 0 15-AUG-13 T]@7MM(2eH?U 9883
SQL> create table test as select * from employee;
create table test as select * from employee
*
ERROR at line 1:
ORA-28081: Insufficient privileges - the command references a redacted object.
3. Modifying the policy so that another user can see the real data
The current user is test
SQL> show user
USER is "TEST"
SQL> select *from ysf.employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 0 15-JUL-12 =!'<[j9.E)/Dc 12012
2 0 15-JUL-13 b6JNe.`?j>RVm 44494
3 0 15-AUG-13 /.v~m-Gt76~'u 4632
SQL> begin dbms_redact.alter_policy(
2 object_schema=>'ysf',
3 object_name=>'employee',
4 policy_name=>'p1',
5 action=>dbms_redact.modify_expression,
6 expression=>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''TEST''');
7 end;
8 /
PL/SQL procedure successfully completed.
SQL> select *from ysf.employee;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 tom 6000 01-JUL-12 135-2009-1146 12345
2 mary 9000 01-JUL-13 135-2009-1111 67890
3 mouse 10000 01-AUG-13 135-2009-1126 12345
For the test user to see the real data, the change cannot target only one column of the policy; done that way it does not take effect.
4. Viewing redaction information:
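Hard-coding one user name in the expression, as above, does not scale and has to be edited for every new analyst. Added example (not part of the original post): the same policy is keyed to a database role instead, so sessions with the assumed role HR_CLEAR enabled see the clear values and everyone else stays redacted; the role name is an assumption, while SYS_SESSION_ROLES is Oracle's context namespace that reports whether a role is enabled in the current session.

```sql
-- Added example, not from the original post. Assumes policy p1 on ysf.employee
-- from the case study is in place and that the role HR_CLEAR does not exist yet.
create role hr_clear;
grant hr_clear to test;   -- TEST must reconnect (or SET ROLE) before this shows

-- The expression belongs to the policy as a whole, not to a single column:
-- when it evaluates to TRUE every column in the policy is redacted, when it
-- evaluates to FALSE none of them is.
begin
  dbms_redact.alter_policy(
    object_schema => 'ysf',
    object_name   => 'employee',
    policy_name   => 'p1',
    action        => dbms_redact.modify_expression,
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''HR_CLEAR'') = ''FALSE''');
end;
/

-- As TEST with HR_CLEAR enabled: clear values.
select id, name, salary, mobile from ysf.employee;

-- Disable just that role in the same session and run the query again:
-- the redacted values are back, with no change to the policy itself.
set role all except hr_clear;
select id, name, salary, mobile from ysf.employee;

-- Confirm what is in force; ENABLE shows whether the policy is active at all.
select object_owner, object_name, policy_name, expression, enable
from   redaction_policies
where  object_owner = 'YSF';
```

Granting or revoking HR_CLEAR is then an ordinary privilege change that shows up in the audit trail, rather than an edit to the policy text.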
8:00:04 SYS@ orcl> select * from redaction_policies
OBJECT_OWN OBJECT_NAME POLICY_NAME EXPRESSION ENABLE POLICY_DESCRIPTION
---------- -------------------- -------------------- -------------------- ------- --------------------------------------------------
SCOTT employee p1 SYS_CONTEXT('USERENV YES
','SESSION_USER') !=
'TOM'
Elapsed: 00:00:00.00
18:04:28 SYS@ orcl>col COLUMN_NAME for a20
18:04:47 SYS@ orcl>col FUNCTION_PARAMETERS for a40
18:05:02 SYS@ orcl>select object_owner,object_name,column_name,function_type,function_parameters
2* from redaction_columns
OBJECT_OWN OBJECT_NAME COLUMN_NAME FUNCTION_TYPE FUNCTION_PARAMETERS
---------- -------------------- -------------------- --------------------------- ----------------------------------------
SCOTT employee JOBDATE PARTIAL REDACTION Md15YHMS
SCOTT employee NUM PARTIAL REDACTION 9,1,3
SCOTT employee MOBILE PARTIAL REDACTION VVVFVVVVFVVVV,VVV-VVVV-VVVV,*,1,8
SCOTT employee NAME FULL REDACTION
SCOTT employee SALARY FULL REDACTION
17:18:14 SCOTT@ orcl>select * from t1;
ID NAME SALARY JOBDATE MOBILE NUM
---------- ---------- ---------- --------- -------------------- ----------
1 tom 6000 01-JUL-12 135-2009-1146 12345
2 mary 9000 01-JUL-13 135-2009-1111 67890
Elapsed: 00:00:00.02
Parts of this article draw on material posted by other users online; my thanks to all of them.