Oracle 12c New Feature: Data Redaction
In an Oracle database, when a low-privileged user queries sensitive data in a column, Oracle Data Redaction can mask the data returned to that user so that confidential values stay protected. The following redaction methods are available for column data:
1. Full redaction. All data in the column is redacted: NUMBER columns return 0, character columns return a space, and DATE columns return 2001-01-01.
2. Partial redaction. Only part of the data in the column is redacted; for example, the leading digits of a Social Security number can be returned as * while the remaining digits are left intact. This method only works when the column data has a fixed width. If the column stores email addresses, whose lengths vary, regular expressions must be used instead.
3. Regular expressions. You can use regular expressions to look for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. It is designed for use with character data only.
4. Random redaction. The redacted data presented to the querying user appears as randomly generated values each time it is displayed, depending on the data type of the column.
5. No redaction. This option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment.
Data cannot be redacted for the SYS and SYSTEM users, because both hold the EXP_FULL_DATABASE role, which in turn includes the EXEMPT REDACTION POLICY system privilege. For the same reason, you cannot simply grant a user the DBA role either: DBA automatically includes EXP_FULL_DATABASE.
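As an added example (not part of the original post), the following query, run as a DBA, lists every account that is exempt from redaction, whether through a direct grant of EXEMPT REDACTION POLICY or through a role that carries it, such as EXP_FULL_DATABASE or the DBA role described above. It uses only standard data-dictionary views.

```sql
-- Added example (not part of the original post): list every account that is
-- exempt from redaction, either by a direct grant of EXEMPT REDACTION POLICY or
-- by holding a role that carries it (EXP_FULL_DATABASE, or DBA through it).
-- Run as a DBA; only standard data-dictionary views are used.
with exempt_roles as (
  -- roles that hold the privilege directly
  select grantee as role
  from   dba_sys_privs
  where  privilege = 'EXEMPT REDACTION POLICY'
  and    grantee in (select role from dba_roles)
),
role_paths as (
  -- walk the role hierarchy upward: whoever is granted an exempt role
  -- (or a role that contains one) is exempt as well
  select grantee,
         granted_role                 as via_role,
         connect_by_root granted_role as exempt_role,
         level                        as depth
  from   dba_role_privs
  start with granted_role in (select role from exempt_roles)
  connect by nocycle prior grantee = granted_role
)
select u.username as exempt_user, rp.via_role, rp.exempt_role, rp.depth
from   role_paths rp
join   dba_users u on u.username = rp.grantee   -- keep users, drop intermediate roles
union all
select grantee, 'DIRECT GRANT', 'EXEMPT REDACTION POLICY', 0
from   dba_sys_privs
where  privilege = 'EXEMPT REDACTION POLICY'
and    grantee in (select username from dba_users)
order  by 1, 4;
```

Accounts the rule above predicts, such as SYS and SYSTEM, appear via DBA and EXP_FULL_DATABASE; any application or reporting account in the list is one for which the redaction policy silently does nothing.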
Case study:
SQL> create table employee(id number,name varchar2(10),salary number,jobdate date,mobile varchar2(20));
Table created.
SQL> insert into employee values(1,'tom',6000,to_date('01-07-2012','dd-mm-yyyy'),'135-2009-1146');
1 row created.
SQL> insert into employee values(2,'mary',9000,to_date('01-07-2013','dd-mm-yyyy'),'135-2009-1111');
1 row created.
SQL> commit;
Commit complete.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE
---------- ---------- ---------- --------- --------------------
         1 tom              6000 01-JUL-12 135-2009-1146
         2 mary             9000 01-JUL-13 135-2009-1111
1. Full redaction
Validation of full redaction (NUMBER)
Create the redaction policy
SQL> begin dbms_redact.add_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'salary',
       function_type => dbms_redact.full,
       enable        => true,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE
---------- ---------- ---------- --------- --------------------
         1 tom                 0 01-JUL-12 135-2009-1146
         2 mary                0 01-JUL-13 135-2009-1111
Validation of full redaction (CHAR)
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'name',
       action        => dbms_redact.add_column,
       function_type => dbms_redact.full,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE
---------- ---------- ---------- --------- --------------------
         1                     0 01-JUL-12 135-2009-1146
         2                     0 01-JUL-13 135-2009-1111
Validation of full redaction (DATE)
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'jobdate',
       action        => dbms_redact.add_column,
       function_type => dbms_redact.full,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE
---------- ---------- ---------- --------- --------------------
         1                     0 01-JAN-01 135-2009-1146
         2                     0 01-JAN-01 135-2009-1111
2. Partial redaction
Validation of partial redaction (CHAR)
SQL> begin dbms_redact.alter_policy(
       object_schema       => 'scott',
       object_name         => 'employee',
       policy_name         => 'p1',
       column_name         => 'mobile',
       action              => dbms_redact.add_column,
       function_type       => dbms_redact.partial,
       expression          => '1=1',
       -- input format (V = redactable character, F = fixed separator), output format,
       -- mask character, then the first and last V position to mask (1 through 8)
       function_parameters => 'VVVFVVVVFVVVV,VVV-VVVV-VVVV,*,1,8');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE
---------- ---------- ---------- --------- --------------------
         1                     0 01-JAN-01 ***-****-*146
         2                     0 01-JAN-01 ***-****-*111
Validation of partial redaction (NUMBER)
SQL> alter table employee add num number(38);
Table altered.
SQL> update employee set num=12345 where id=1;
1 row updated.
SQL> update employee set num=67890 where id=2;
1 row updated.
SQL> commit;
Commit complete.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 01-JAN-01 ***-****-*146             12345
         2                     0 01-JAN-01 ***-****-*111             67890
SQL> begin dbms_redact.alter_policy(
       object_schema       => 'scott',
       object_name         => 'employee',
       policy_name         => 'p1',
       column_name         => 'num',
       action              => dbms_redact.add_column,
       function_type       => dbms_redact.partial,
       expression          => '1=1',
       -- mask digit 9, applied to digit positions 1 through 3
       function_parameters => '9,1,3');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 01-JAN-01 ***-****-*146             99945
         2                     0 01-JAN-01 ***-****-*111             99990
Validation of partial redaction (DATE)
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'jobdate',
       action        => dbms_redact.drop_column,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 01-JUL-12 ***-****-*146             99945
         2                     0 01-JUL-13 ***-****-*111             99990
SQL> begin dbms_redact.alter_policy(
       object_schema       => 'scott',
       object_name         => 'employee',
       policy_name         => 'p1',
       column_name         => 'jobdate',
       action              => dbms_redact.add_column,
       function_type       => dbms_redact.partial,
       expression          => '1=1',
       -- M, Y, H, M, S (upper case) keep month, year, hour, minute, second; d15 sets the day to 15
       function_parameters => 'Md15YHMS');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12 ***-****-*146             99945
         2                     0 15-JUL-13 ***-****-*111             99990
Validation of random redaction (CHAR and NUMBER)
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'mobile',
       action        => dbms_redact.drop_column);
     end;
     /
PL/SQL procedure successfully completed.
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'num',
       action        => dbms_redact.drop_column);
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12 135-2009-1146             12345
         2                     0 15-JUL-13 135-2009-1111             67890
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'mobile',
       action        => dbms_redact.add_column,
       function_type => dbms_redact.random,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> begin dbms_redact.alter_policy(
       object_schema => 'scott',
       object_name   => 'employee',
       policy_name   => 'p1',
       column_name   => 'num',
       action        => dbms_redact.add_column,
       function_type => dbms_redact.random,
       expression    => '1=1');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12 )3;&xt]Y1;C.!              9903
         2                     0 15-JUL-13 "Rf(LML)*Zn0T             18940
SQL> select *from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12 NHP*iNGYVPX2q              8443
         2                     0 15-JUL-13 pA,s<
A user can run DML against the employee table, but cannot run a CTAS (create table as select) based on it. For example:
SQL> insert into employee values(3,'mouse',10000,to_date('01-08-2013','dd-mm-yyyy'),'135-2009-1126',12345);
1 row created.
SQL> commit;
Commit complete.
SQL> select * from employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12
         2                     0 15-JUL-13 @adG3r.LHilO;             20119
         3                     0 15-AUG-13 T]@7MM(2eH?U               9883
SQL> create table test as select * from employee;
create table test as select * from employee
*
ERROR at line 1:
ORA-28081: Insufficient privileges - the command references a redacted object.
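Regular-expression redaction, which the introduction names as the method for variable-width data such as email addresses, is not exercised in the case study above. As an added example (not part of the original post), the block below adds a hypothetical email column to the scott.employee table used above and attaches it to the existing policy p1 using the email pattern constants shipped with DBMS_REDACT.

```sql
-- Added example (not from the original post). Assumes the scott.employee table
-- and policy p1 created in the case study; the email column is hypothetical.
alter table scott.employee add (email varchar2(60));
update scott.employee set email = 'tom@example.com'  where id = 1;
update scott.employee set email = 'mary@example.com' where id = 2;
commit;

begin
  dbms_redact.alter_policy(
    object_schema          => 'scott',
    object_name            => 'employee',
    policy_name            => 'p1',
    action                 => dbms_redact.add_column,
    column_name            => 'email',
    function_type          => dbms_redact.regexp,
    -- shipped pattern that matches an email address of any length
    regexp_pattern         => dbms_redact.re_pattern_email_address,
    -- keep the domain, replace the local part with xxxx
    regexp_replace_string  => dbms_redact.re_redact_email_name,
    regexp_position        => dbms_redact.re_beginning,
    regexp_occurrence      => dbms_redact.re_all,
    regexp_match_parameter => dbms_redact.re_case_insensitive);
end;
/

-- For sessions the policy expression applies to, the rows read xxxx@example.com;
-- a session the expression excludes still sees the stored value.
select id, email from scott.employee;
```

To exercise the "No redaction" mode from the introduction, add the column with function_type => dbms_redact.none first, confirm the definition in REDACTION_COLUMNS, and then switch it to dbms_redact.regexp with action => dbms_redact.modify_column.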
3. Modify the policy so that another user can see the real data
The current user is TEST:
SQL> show user
USER is "TEST"
SQL> select *from ysf.employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1                     0 15-JUL-12 =!'<[j9.E)/Dc             12012
         2                     0 15-JUL-13 b6JNe.`?j>RVm             44494
         3                     0 15-AUG-13 /.v~m-Gt76~'u              4632
SQL> begin dbms_redact.alter_policy(
       object_schema => 'ysf',
       object_name   => 'employee',
       policy_name   => 'p1',
       action        => dbms_redact.modify_expression,
       -- redact for every session except the one logged in as TEST
       expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''TEST''');
     end;
     /
PL/SQL procedure successfully completed.
SQL> select *from ysf.employee;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1 tom              6000 01-JUL-12 135-2009-1146             12345
         2 mary             9000 01-JUL-13 135-2009-1111             67890
         3 mouse           10000 01-AUG-13 135-2009-1126             12345
For the TEST user to see the real data, the change cannot be aimed at just one column within the policy; such a change would not take effect.
4. Viewing redaction information:
8:00:04 SYS@ orcl> select * from redaction_policies
OBJECT_OWN OBJECT_NAME          POLICY_NAME          EXPRESSION           ENABLE  POLICY_DESCRIPTION
---------- -------------------- -------------------- -------------------- ------- --------------------------------------------------
SCOTT      employee             p1                   SYS_CONTEXT('USERENV YES
                                                     ','SESSION_USER') !=
                                                     'TOM'
Elapsed: 00:00:00.00
18:04:28 SYS@ orcl>col COLUMN_NAME for a20
18:04:47 SYS@ orcl>col FUNCTION_PARAMETERS for a40
18:05:02 SYS@ orcl>select object_owner,object_name,column_name,function_type,function_parameters
                   from redaction_columns
OBJECT_OWN OBJECT_NAME          COLUMN_NAME          FUNCTION_TYPE               FUNCTION_PARAMETERS
---------- -------------------- -------------------- --------------------------- ----------------------------------------
SCOTT      employee             JOBDATE              PARTIAL REDACTION           Md15YHMS
SCOTT      employee             NUM                  PARTIAL REDACTION           9,1,3
SCOTT      employee             MOBILE               PARTIAL REDACTION           VVVFVVVVFVVVV,VVV-VVVV-VVVV,*,1,8
SCOTT      employee             NAME                 FULL REDACTION
SCOTT      employee             SALARY               FULL REDACTION
17:18:14 SCOTT@ orcl>select * from t1;
        ID NAME           SALARY JOBDATE   MOBILE                      NUM
---------- ---------- ---------- --------- -------------------- ----------
         1 tom              6000 01-JUL-12 135-2009-1146             12345
         2 mary             9000 01-JUL-13 135-2009-1111             67890
Elapsed: 00:00:00.02
The content above draws in part on material shared by other users online; my thanks to all of them!