Oracle 12c, Part 4: Controlling PDB Operations with PDB Lockdown Profiles


    Besides I/O, memory and CPU, there are further restrictions available, for example on the statements that may be run inside a PDB. We can create a lockdown profile to restrict what can be done in the current PDB and so harden certain operations.
     
    About PDB Lockdown Profiles
    The following simple test shows the basic behaviour of this feature. First, create a profile under the CDB root; this profile is available globally, and it requires:
     
    Creating a PDB Lockdown Profile
    SQL> connect / as sysdba
    Connected.
    
    SQL> CREATE LOCKDOWN PROFILE woqutech;
    Lockdown Profile created.
    
    SQL> ALTER LOCKDOWN PROFILE woqutech DISABLE STATEMENT = ('ALTER SYSTEM');    -- disable the ALTER SYSTEM statement
    Lockdown Profile altered.
    Connect to the PDB WXH and enable the lockdown profile at the PDB level:
     
    Activating the PDB Lockdown Profile
    SQL> alter session set container = wxh;
    Connected.
    
    SQL> ALTER SYSTEM SET PDB_LOCKDOWN = woqutech;
    System altered.
    
    From now on, executing ALTER SYSTEM in this PDB raises ORA-01031.
    Example:
    SQL> alter system set statistics_level=all ;
    
    ERROR at line 1:
    ORA-01031: insufficient privileges
    A LOCKDOWN PROFILE can restrict privileges at a very fine granularity. For example, the following rule re-enables ALTER SYSTEM but keeps only the ARCHIVE LOG and CHECKPOINT clauses blocked for the user.

    
    
    SQL> connect / as sysdba
    Connected.
    SQL> alter lockdown profile woqutech enable statement = ('ALTER SYSTEM') clause all except = ('ARCHIVE LOG','CHECKPOINT');
    Lockdown Profile altered.
    Block every ALTER SYSTEM statement in the current PDB:
    ALTER LOCKDOWN PROFILE woqutech DISABLE STATEMENT = ('ALTER SYSTEM');
    Block every ALTER SYSTEM statement except ALTER SYSTEM FLUSH SHARED_POOL:
    ALTER LOCKDOWN PROFILE woqutech ENABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');
    Block the use of the XDB protocols (FTP, HTTP, HTTPS) in the PDB:
    ALTER LOCKDOWN PROFILE woqutech DISABLE FEATURE = ('XDB_PROTOCOLS');

    Beyond individual privileges, certain database features can also be restricted:

    For example, calling and executing the UTL_HTTP and UTL_TCP packages may be high risk, so the following profile setting disables these features:
     
    alter lockdown profile woqutech disable feature = ('UTL_HTTP', 'UTL_TCP');
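    Because the clause rules and the feature rules above accumulate in one profile, it is worth reviewing the net result before relying on it. The following verification script is an added example and is not part of the original post; it assumes the profile woqutech and the PDB WXH from the post, the state after the "flush shared_pool only" rule, and the DBA_LOCKDOWN_PROFILES column names as documented for 12.2.

```sql
-- Added verification example (not from the original post).
-- Assumptions: profile WOQUTECH exists, PDB WXH has PDB_LOCKDOWN = woqutech,
-- and the last ALTER SYSTEM rule applied was ENABLE ... CLAUSE = ('flush shared_pool').

-- 1. From the CDB root, list every rule the profile carries. Reviewing
--    RULE_TYPE / RULE / CLAUSE / STATUS together shows the net effect of the
--    DISABLE and ENABLE sequence, including the UTL_HTTP / UTL_TCP feature rules.
CONNECT / AS SYSDBA
SELECT rule_type, rule, clause, clause_option, status
FROM   dba_lockdown_profiles
WHERE  profile_name = 'WOQUTECH'
ORDER  BY rule_type, rule, clause;

-- 2. Inside the PDB, confirm which profile is actually in force.
ALTER SESSION SET CONTAINER = wxh;
SHOW PARAMETER pdb_lockdown

-- 3. Exercise the restriction from within the PDB:
--    a clause the profile still disables (CHECKPOINT) should be refused,
--    while the clause that was explicitly enabled (FLUSH SHARED_POOL) should run.
ALTER SYSTEM CHECKPOINT;
ALTER SYSTEM FLUSH SHARED_POOL;
```

    Run step 1 again after every ALTER LOCKDOWN PROFILE change; a rule that was meant to be blocked but shows STATUS = ENABLE is the usual sign that a later ENABLE rule overrode an earlier DISABLE.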

    Dropping a PDB Lockdown Profile

    DROP LOCKDOWN PROFILE woqutech;
Original article: https://www.cnblogs.com/cqdba/p/b3f09be4c2d8f333e38012141acc602e.html
Copyright © 2020-2023  润新知