Besides I/O, memory and CPU, a PDB can be restricted in other ways, for example by limiting which commands may be run inside it. A lockdown profile restricts what can be done in the current PDB and hardens certain operations.
About PDB Lockdown Profiles
The simple test below shows the basic behaviour of this feature. The profile is first created in CDB$ROOT: it is then visible CDB-wide, but it only takes effect in a PDB whose PDB_LOCKDOWN parameter points at it, which is the second step.
Create the PDB Lockdown Profile
SQL> connect / as sysdba
Connected.
SQL> CREATE LOCKDOWN PROFILE woqutech;
Lockdown Profile created.
SQL> ALTER LOCKDOWN PROFILE woqutech DISABLE STATEMENT = ('ALTER SYSTEM'); -- disable the ALTER SYSTEM statement
Lockdown Profile altered.
Switch to PDB WXH and activate the lockdown profile at the PDB level:
Activate the PDB Lockdown Profile
SQL> alter session set container = wxh;
Session altered.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN = woqutech;
System altered.
From now on any ALTER SYSTEM executed in this PDB fails with ORA-01031.
Example:
SQL> alter system set statistics_level=all ;
ERROR at line 1:
ORA-01031: insufficient privileges
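Before trusting a profile, check what it actually contains and which container enforces it. The following is an added example, not code from the original post; it uses the profile and PDB names from the test above (woqutech, wxh) and the DBA_LOCKDOWN_PROFILES dictionary view that Oracle provides for inspecting profile rules. Run it as SYSDBA.

```sql
-- 1. In CDB$ROOT: list every rule recorded for the profile.
--    Profile names are stored upper-case, so match on 'WOQUTECH'.
ALTER SESSION SET CONTAINER = CDB$ROOT;
COLUMN profile_name  FORMAT A12
COLUMN rule_type     FORMAT A10
COLUMN rule          FORMAT A14
COLUMN clause        FORMAT A18
COLUMN clause_option FORMAT A14
SELECT profile_name, rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'WOQUTECH'
 ORDER BY rule_type, rule, clause;
-- Expected for the profile built above: one row with
-- RULE_TYPE = STATEMENT, RULE = ALTER SYSTEM, CLAUSE empty, STATUS = DISABLE.

-- 2. In the PDB: confirm PDB_LOCKDOWN really points at the profile.
--    A profile that exists in the root but is not referenced here
--    restricts nothing.
ALTER SESSION SET CONTAINER = wxh;
SHOW PARAMETER pdb_lockdown

-- 3. Exercise the rule with a harmless ALTER SYSTEM that would otherwise
--    succeed; the expected outcome is ORA-01031, not "System altered".
ALTER SYSTEM FLUSH SHARED_POOL;
```

Step 1 is the one to repeat after every ALTER LOCKDOWN PROFILE: ENABLE and DISABLE rules accumulate as separate rows, so the view is the only reliable record of the effective rule set. Rules are always edited from CDB$ROOT, so a mistaken rule can be corrected there even when ALTER SYSTEM is blocked inside the PDB.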
A lockdown profile can restrict privileges at a very fine granularity. For example, the rule below blocks only the ARCHIVE LOG and CHECKPOINT clauses of ALTER SYSTEM and leaves every other ALTER SYSTEM clause allowed.
SQL> connect / as sysdba
Connected.
SQL> alter lockdown profile woqutech enable statement = ('ALTER SYSTEM') clause all except = ('ARCHIVE LOG','CHECKPOINT');
Lockdown Profile altered.
Disable all ALTER SYSTEM statements in the current PDB:
ALTER LOCKDOWN PROFILE woqutech DISABLE STATEMENT = ('ALTER SYSTEM');
Disable every ALTER SYSTEM statement except ALTER SYSTEM FLUSH SHARED_POOL. This ENABLE rule is an exception layered on top of the DISABLE STATEMENT rule above; on its own it does not block anything.
ALTER LOCKDOWN PROFILE woqutech ENABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');
Disable the XDB protocols (FTP, HTTP, HTTPS) in the PDB:
ALTER LOCKDOWN PROFILE woqutech DISABLE FEATURE = ('XDB_PROTOCOLS');
Beyond individual statements, certain database features can be restricted as well. For example, calling the UTL_HTTP and UTL_TCP packages from inside a PDB can be high risk because they give PL/SQL code outbound network access; the following profile setting disables those features:
alter lockdown profile woqutech disable feature = ('UTL_HTTP', 'UTL_TCP');
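The clause-level rules and the feature rules above can be combined into a single least-privilege profile. The block below is an added example, not code from the original post; it builds on the same pattern (disable the whole statement, then re-enable only what is needed) and goes one step further than the post in two places: a rule scoped to a single parameter value (CLAUSE/OPTION/VALUE), and the NETWORK_ACCESS feature bundle, which disables UTL_HTTP and UTL_TCP together with the other outbound-network packages. The profile name woqutech_net is assumed; the PDB name wxh is the one used above. Run as SYSDBA.

```sql
-- Added example; woqutech_net is a hypothetical profile name.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE LOCKDOWN PROFILE woqutech_net;

-- Start from "nothing allowed" for ALTER SYSTEM ...
ALTER LOCKDOWN PROFILE woqutech_net DISABLE STATEMENT = ('ALTER SYSTEM');

-- ... then re-open only the clause the PDB admin legitimately needs.
ALTER LOCKDOWN PROFILE woqutech_net ENABLE STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('FLUSH SHARED_POOL');

-- Value-level rule: ALTER SYSTEM SET is allowed for exactly one parameter
-- and exactly one value. Any other SET (statistics_level, cursor_sharing
-- = FORCE, ...) stays blocked by the statement-level DISABLE.
ALTER LOCKDOWN PROFILE woqutech_net ENABLE STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('SET') OPTION = ('CURSOR_SHARING') VALUE = ('EXACT');

-- Feature rules: the whole outbound-network bundle instead of naming
-- UTL_HTTP and UTL_TCP one by one, plus the XDB listeners.
ALTER LOCKDOWN PROFILE woqutech_net DISABLE FEATURE = ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE woqutech_net DISABLE FEATURE = ('XDB_PROTOCOLS');

-- Review the accumulated rows in DBA_LOCKDOWN_PROFILES before activating,
-- then switch to the PDB and walk the boundary from both sides.
ALTER SESSION SET CONTAINER = wxh;
ALTER SYSTEM SET PDB_LOCKDOWN = woqutech_net;

ALTER SYSTEM FLUSH SHARED_POOL;            -- allowed: CLAUSE rule
ALTER SYSTEM SET cursor_sharing = EXACT;   -- allowed: OPTION/VALUE rule
ALTER SYSTEM SET cursor_sharing = FORCE;   -- ORA-01031: value not enabled
ALTER SYSTEM SET statistics_level = ALL;   -- ORA-01031: option not enabled
ALTER SYSTEM CHECKPOINT;                   -- ORA-01031: clause not enabled

-- Feature rules are enforced at call time inside the PDB:
BEGIN
  DBMS_OUTPUT.PUT_LINE(UTL_HTTP.REQUEST('http://127.0.0.1/')); -- blocked by NETWORK_ACCESS
END;
/
```

The order of the rules matters for readability, not for enforcement: Oracle evaluates the stored rule set, so the broad DISABLE and the narrow ENABLE rows can be added in either order. What does matter is that every ENABLE is an explicit exception, so the profile documents exactly which operations a PDB administrator retains.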
Drop the PDB Lockdown Profile
DROP LOCKDOWN PROFILE woqutech;