author:sufei
版本:MySQL8.0.18
说明:本文主要是测试初步在MySQL 8.0.18中实现的行级别强制访问控制
数据库强制访问控制采用三权分立,也就是有特定的安全员账号,源码中采用动态权限MAC_ADMIN来表明使用是否为安全员。下面是详细的实验步骤。
一、数据安全员进行MAC配置
为满足数据安全,提供了一个动态安全权限MAC_ADMIN,只有具有该权限的用户才能够配置相关MAC表(添加的强制访问控制相关表)以及打开或者关闭mac_enable全局变量。
1.1 安全用户测试
下面是有关安全管理员测试情况:
mysql> select * from mysql.global_grants;
+---------------+-----------+----------------------------+-------------------+
| USER | HOST | PRIV | WITH_GRANT_OPTION |
+---------------+-----------+----------------------------+-------------------+
| mysql.session | localhost | BACKUP_ADMIN | N |
| mysql.session | localhost | CLONE_ADMIN | N |
| mysql.session | localhost | CONNECTION_ADMIN | N |
| mysql.session | localhost | PERSIST_RO_VARIABLES_ADMIN | N |
| mysql.session | localhost | SESSION_VARIABLES_ADMIN | N |
| mysql.session | localhost | SYSTEM_USER | N |
| mysql.session | localhost | SYSTEM_VARIABLES_ADMIN | N |
| root | localhost | APPLICATION_PASSWORD_ADMIN | Y |
| root | localhost | AUDIT_ADMIN | Y |
| root | localhost | BACKUP_ADMIN | Y |
| root | localhost | BINLOG_ADMIN | Y |
| root | localhost | BINLOG_ENCRYPTION_ADMIN | Y |
| root | localhost | CLONE_ADMIN | Y |
| root | localhost | CONNECTION_ADMIN | Y |
| root | localhost | ENCRYPTION_KEY_ADMIN | Y |
| root | localhost | GROUP_REPLICATION_ADMIN | Y |
| root | localhost | INNODB_REDO_LOG_ARCHIVE | Y |
| root | localhost | MAC_ADMIN | Y |
| root | localhost | PERSIST_RO_VARIABLES_ADMIN | Y |
| root | localhost | REPLICATION_APPLIER | Y |
| root | localhost | REPLICATION_SLAVE_ADMIN | Y |
| root | localhost | RESOURCE_GROUP_ADMIN | Y |
| root | localhost | RESOURCE_GROUP_USER | Y |
| root | localhost | ROLE_ADMIN | Y |
| root | localhost | SERVICE_CONNECTION_ADMIN | Y |
| root | localhost | SESSION_VARIABLES_ADMIN | Y |
| root | localhost | SET_USER_ID | Y |
| root | localhost | SYSTEM_USER | Y |
| root | localhost | SYSTEM_VARIABLES_ADMIN | Y |
| root | localhost | TABLE_ENCRYPTION_ADMIN | Y |
| root | localhost | XA_RECOVER_ADMIN | Y |
| sf | % | APPLICATION_PASSWORD_ADMIN | Y |
| sf | % | AUDIT_ADMIN | Y |
| sf | % | BACKUP_ADMIN | Y |
| sf | % | BINLOG_ADMIN | Y |
| sf | % | BINLOG_ENCRYPTION_ADMIN | Y |
| sf | % | CLONE_ADMIN | Y |
| sf | % | CONNECTION_ADMIN | Y |
| sf | % | ENCRYPTION_KEY_ADMIN | Y |
| sf | % | GROUP_REPLICATION_ADMIN | Y |
| sf | % | INNODB_REDO_LOG_ARCHIVE | Y |
| sf | % | PERSIST_RO_VARIABLES_ADMIN | Y |
| sf | % | REPLICATION_APPLIER | Y |
| sf | % | REPLICATION_SLAVE_ADMIN | Y |
| sf | % | RESOURCE_GROUP_ADMIN | Y |
| sf | % | RESOURCE_GROUP_USER | Y |
| sf | % | ROLE_ADMIN | Y |
| sf | % | SERVICE_CONNECTION_ADMIN | Y |
| sf | % | SESSION_VARIABLES_ADMIN | Y |
| sf | % | SET_USER_ID | Y |
| sf | % | SYSTEM_USER | Y |
| sf | % | SYSTEM_VARIABLES_ADMIN | Y |
| sf | % | TABLE_ENCRYPTION_ADMIN | Y |
| sf | % | XA_RECOVER_ADMIN | Y |
+---------------+-----------+----------------------------+-------------------+
54 rows in set (0.00 sec)
可以看到root有MAC_ADMIN权限(是安全员),而sf用户并没有(不是安全员)。下面分别使用root和sf用户操作mac配置表
## 使用没有MAC_ADMIN权限的用户(非安全员),此时既无法修改权限表,也无法关停mac_enable
mysql> select current_user();insert into mysql.subject values('sf','mac_level_3'),('sf1','mac_level_2');set global mac_enable = OFF;
+----------------+
| current_user() |
+----------------+
| sf@% |
+----------------+
1 row in set (0.00 sec)
ERROR 1148 (42000): The used command is not allowed with this MySQL version
ERROR 1227 (42000): Access denied; you need (at least one of) the MAC_ADMIN privilege(s) for this operation
下面则是使用安全员,进行操作
mysql> select current_user();insert into mysql.subject values('sf','mac_level_3'),('sf1','mac_level_2');set global mac_enable = OFF;
+----------------+
| current_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
Query OK, 2 rows affected (0.01 sec)
Records: 2 Duplicates: 0 Warnings: 0
Query OK, 0 rows affected (0.00 sec)
1.2 安全员配置MAC系统表
# 配置主体规则表如下
mysql> select * from mysql.subject;
+------+-------------+
| User | Agent |
+------+-------------+
| sf | mac_level_3 |
| sf1 | mac_level_2 |
+------+-------------+
2 rows in set (0.00 sec)
mysql> select * from mysql.agent;
+-------------+-------+-------+
| Agent | Level | Cate |
+-------------+-------+-------+
| mac_level_2 | 2 | (1,2) |
| mac_level_3 | 3 | (1,2) |
+-------------+-------+-------+
2 rows in set (0.00 sec)
mysql> select * from mysql.object;
+----------+-------------+-------+-------+-------+------+
| Db | Object_name | Type | Level | Cate | flag |
+----------+-------------+-------+-------+-------+------+
| mac_test | test | TABLE | 2 | (1,2) | N |
+----------+-------------+-------+-------+-------+------+
1 row in set (0.00 sec)
// 其中flag为N, 则说明现在是表级别的强制访问控制。
从上述配置表示:
主体:用户sf行级别为3,sf1行级别为2
客体:表mac_test.test,默认flag参数为N,表示进行表级别的强制访问控制
1.3 针对特定表开启行级别强制访问控制
开启前测试表情况如下:
mysql> select * from test;
+----+------+
| id | name |
+----+------+
| 1 | dog |
+----+------+
1 row in set (0.00 sec)
开启行级别强制访问控制(其中第一个参数为库名,第二个参数为表名)
mysql> call mac_enable_row('mac_test','test');
+---------+
| success |
+---------+
| 0 |
+---------+
1 row in set (0.03 sec)
Query OK, 0 rows affected (0.03 sec)
开启后,可以看到flag行级别已经打开,而且表增加了一个安全等级字段
mysql> select * from test;
+----+------+-----------+
| id | name | mac_level |
+----+------+-----------+
| 1 | dog | 0 |
+----+------+-----------+
1 row in set (0.00 sec)
mysql> select * from mysql.object;
+----------+-------------+-------+-------+-------+------+
| Db | Object_name | Type | Level | Cate | flag |
+----------+-------------+-------+-------+-------+------+
| mac_test | test | TABLE | 2 | (1,2) | Y |
+----------+-------------+-------+-------+-------+------+
1 row in set (0.00 sec)
由于强制访问控制,存在一个全局开关,我们需要开启,如果没有打开,可以执行如下命令: set global mac_enable = ON;
二、测试
通过三个客户端分别使用sf(安全等级为3),sf1(安全等级为2),sf2(没有配置,默认安全等级为0,最低)用户进行登入测试
image.png
image.png
image.png