Oracle's security tag is not a bug

Source: Internet
Author: User

ORACLE provides a security label feature, Oracle Label Security (OLS), also known as mandatory access control. Its model is built on the BLP (Bell-LaPadula) security model and extends it.

The BLP model has security levels and categories: you set the security level and categories of subjects and objects to control the flow of data, which gives the "read down, write up" rules. That is, a user can read data whose security level is lower than the user's own, and write data whose security level is higher than the user's own (there are also rules for the categories, which are not covered here).

ORACLE extends the BLP model: several security levels can be set for one user through the following interface:

  SA_USER_ADMIN.SET_LEVELS
  Syntax:
  PROCEDURE SET_LEVELS (
     policy_name   IN VARCHAR2,
     user_name     IN VARCHAR2,
     max_level     IN VARCHAR2,
     min_level     IN VARCHAR2 DEFAULT NULL,
     def_level     IN VARCHAR2 DEFAULT NULL,
     row_level     IN VARCHAR2 DEFAULT NULL);

  Parameter      Meaning
  policy_name    Specifies the policy
  user_name      Specifies the user name
  max_level      The highest level for read and write access
  min_level      The lowest level for write access
  def_level      Specifies the default level (equal to or greater than the minimum level, and equal to or less than the maximum level)
  row_level      Specifies the row level (equal to or greater than the minimum level, and equal to or

We can see that a user's labels specify the maximum, minimum, default, and row security levels, and that these levels are constrained as follows:

  min_level <= max_level
  min_level <= def_level <= max_level
  min_level <= row_level <= def_level

If these rules are violated, the procedure call fails. With that background, log on as LBACSYS and execute the following statements:

  -- Create policy P1 and add security levels to the policy. A greater number indicates a higher security level:
  -- L1 < L2 < L3 < L4
  EXEC sa_sysdba.create_policy ('p1', 'label_col');
  EXEC sa_components.create_level ('p1', 10, 'l1', 'l1');
  EXEC sa_components.create_level ('p1', 20, 'l2', 'l2');
  EXEC sa_components.create_level ('p1', 30, 'l3', 'l3');
  EXEC sa_components.create_level ('p1', 40, 'l4', 'l4');
  -- Set the user labels for user SYSMAN: max L2, min L1, default L2, row L2
  EXEC sa_user_admin.set_levels ('p1', 'sysman', 'l2', 'l1', 'l2', 'l2');

As described above, the four security levels set here satisfy the constraints. The user's labels can be viewed in the DBA_SA_USER_LABELS view:

  SQL> SELECT USER_NAME, LABELS FROM DBA_SA_USER_LABELS;
  USER_NAME
  --------------------------------------------------------------------------------
  LABELS
  --------------------------------------------------------------------------------
  SYSMAN
  MAX READ LABEL='L2',MAX WRITE LABEL='L2',MIN WRITE LABEL='L1',DEFAULT READ LABEL
  ='L2',DEFAULT WRITE LABEL='L2',DEFAULT ROW LABEL='L2'

You can see that MIN WRITE LABEL = L1.

ORACLE also provides a system procedure for changing the value of a label:

  Syntax:
  PROCEDURE ALTER_LABEL (
     policy_name       IN VARCHAR2,
     label_tag         IN INTEGER,
     new_label_value   IN VARCHAR2 DEFAULT NULL,
     new_data_label    IN BOOLEAN  DEFAULT NULL);
  PROCEDURE ALTER_LABEL (
     policy_name       IN VARCHAR2,
     label_value       IN VARCHAR2,
     new_label_value   IN VARCHAR2 DEFAULT NULL,
     new_data_label    IN BOOLEAN  DEFAULT NULL);

  Table 6-18 Parameters for SA_LABEL_ADMIN.ALTER_LABEL
  Parameter Name     Parameter Description
  policy_name        Specifies the name of an existing policy
  label_tag          Identifies the integer tag assigned to the label to be altered
  label_value        Identifies the existing character string representation of the label to be altered
  new_label_value    Specifies the new character string representation of the label value. If NULL, the existing value is not changed.

Now the L1 label is rewritten to L4:

  EXEC sa_label_admin.alter_label('P1', 'L1', 'L4', TRUE);

After the call succeeds, the user label view shows the following:

  SQL> SELECT USER_NAME, LABELS FROM DBA_SA_USER_LABELS;
  USER_NAME
  --------------------------------------------------------------------------------
  LABELS
  --------------------------------------------------------------------------------
  SYSMAN
  MAX READ LABEL='L2',MAX WRITE LABEL='L2',MIN WRITE LABEL='L4',DEFAULT READ LABEL
  ='L2',DEFAULT WRITE LABEL='L2',DEFAULT ROW LABEL='L2'

It can be seen that MIN WRITE LABEL has changed to L4 while the other labels are still L2. The user's labels are now invalid: because the user label always evaluates to false in the access check, many operations, such as updating a labelled table, are refused. The system does not crash, though (a little disappointing). The experiment above was run on version 11.1.0.6.0.
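As an added example (not Oracle's code and not part of the original post), the following Python script models the SET_LEVELS constraints listed above and runs the same check over the LABELS string of DBA_SA_USER_LABELS, so that a DBA can detect a user whose labels were broken by ALTER_LABEL, as happened to SYSMAN here. The level numbers are those of the page's policy P1; the function names, the two LABELS strings (copied from the query results above with the line wrap removed) and the assumption that only the level component of a label matters (anything after the first ':' is ignored) are mine.

```python
# Added example (not Oracle code): a model of the level constraints that
# SA_USER_ADMIN.SET_LEVELS enforces, plus a checker for the LABELS column of
# DBA_SA_USER_LABELS, so inconsistent user labels can be detected after the fact.
import re

# Levels of the page's policy P1, short name -> numeric value
# (higher number = higher sensitivity, as created with sa_components.create_level).
P1_LEVELS = {"L1": 10, "L2": 20, "L3": 30, "L4": 40}


def level_number(levels, label):
    """Resolve a label string to its numeric level.

    Assumption: only the level component is considered; an OLS label string may
    also carry compartments and groups ("LEVEL:COMPS:GROUPS"), which are ignored
    here by taking the part before the first ':'.
    """
    name = label.split(":")[0].strip().upper()
    if name not in levels:
        raise ValueError(f"unknown level {label!r} for this policy")
    return levels[name]


def level_violations(levels, max_level, min_level, def_level, row_level):
    """Return the documented SET_LEVELS constraints that these levels break.

    Constraints:  min_level <= max_level
                  min_level <= def_level <= max_level
                  min_level <= row_level <= def_level
    An empty list means the four levels are consistent.
    """
    mx, mn, df, rw = (level_number(levels, x)
                      for x in (max_level, min_level, def_level, row_level))
    problems = []
    if not mn <= mx:
        problems.append(f"min_level {min_level} is above max_level {max_level}")
    if not mn <= df <= mx:
        problems.append(f"def_level {def_level} is outside [{min_level}, {max_level}]")
    if not mn <= rw <= df:
        problems.append(f"row_level {row_level} is outside [{min_level}, {def_level}]")
    return problems


def set_levels(levels, user_name, max_level, min_level, def_level, row_level):
    """Model of SET_LEVELS: fail, as the Oracle call does, when a constraint is
    violated; otherwise return the labels keyed the way DBA_SA_USER_LABELS shows them."""
    problems = level_violations(levels, max_level, min_level, def_level, row_level)
    if problems:
        raise ValueError(f"SET_LEVELS for {user_name} rejected: " + "; ".join(problems))
    up = str.upper
    return {
        "MAX READ LABEL": up(max_level), "MAX WRITE LABEL": up(max_level),
        "MIN WRITE LABEL": up(min_level), "DEFAULT READ LABEL": up(def_level),
        "DEFAULT WRITE LABEL": up(def_level), "DEFAULT ROW LABEL": up(row_level),
    }


def parse_labels(labels_column):
    """Parse the LABELS string of DBA_SA_USER_LABELS into {label name: label value}."""
    return {key.strip(): value
            for key, value in re.findall(r"([A-Z ]+?)='([^']*)'", labels_column)}


def check_user_labels(levels, labels_column):
    """Apply the SET_LEVELS constraints to a LABELS string read from the view."""
    lab = parse_labels(labels_column)
    return level_violations(levels, lab["MAX WRITE LABEL"], lab["MIN WRITE LABEL"],
                            lab["DEFAULT WRITE LABEL"], lab["DEFAULT ROW LABEL"])


# LABELS values constructed from the two query results on the page
# (line wrap removed): before and after ALTER_LABEL renamed L1 to L4.
SYSMAN_BEFORE = ("MAX READ LABEL='L2',MAX WRITE LABEL='L2',MIN WRITE LABEL='L1',"
                 "DEFAULT READ LABEL='L2',DEFAULT WRITE LABEL='L2',DEFAULT ROW LABEL='L2'")
SYSMAN_AFTER = ("MAX READ LABEL='L2',MAX WRITE LABEL='L2',MIN WRITE LABEL='L4',"
                "DEFAULT READ LABEL='L2',DEFAULT WRITE LABEL='L2',DEFAULT ROW LABEL='L2'")

if __name__ == "__main__":
    # The page's SET_LEVELS call is accepted ...
    print(set_levels(P1_LEVELS, "sysman", "l2", "l1", "l2", "l2"))
    # ... but a call with min_level above max_level is rejected.
    try:
        set_levels(P1_LEVELS, "sysman", "l2", "l3", "l2", "l2")
    except ValueError as e:
        print(e)
    # The view output before ALTER_LABEL is consistent; after it, every rule fails.
    for name, col in (("before", SYSMAN_BEFORE), ("after", SYSMAN_AFTER)):
        print(name, check_user_labels(P1_LEVELS, col) or "consistent")
```

The point of the checker is that SET_LEVELS validates the four levels only at the moment they are set; renaming a label afterwards with ALTER_LABEL is not re-validated against existing user labels, so a periodic run of check_user_labels over every row of DBA_SA_USER_LABELS is the simplest way to notice that a user has silently lost access.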
