Oracle
The new experience of ORACLE's virtual Private database
===============================================
Welcome everyone to exchange with me: small white enhydra_boy@tom.com
Welcome to reprint, please keep this statement, thank you!
================================================
Before beginning the introduction of virtual Private database for Oracle, I would like to say a few words about the concept of Row-rule control (row record-level access controls).
Row record level access control problem and its significance?
The enterprise's application system is inseparable from the database system, the database system's permission control is a very important link, the large-scale database system (ORACLE, DB2, SYBASE, MS SQL Server) all provides the perfect user management mechanism, thus may control the database object (table, view, function , stored procedures, packages, and so on. However, this is often object-level.
As business needs continue to be raised, there are requirements for line records control:
1 data query and report output data need to be able to effectively isolate, such as in a simple sales data statistics application, regional managers and sales staff to query the data is different.
2 ASP (Application Service Provider) system appears, in the system structure, there are many enterprise user data will be stored in the same database species, but the system needs to be able to effectively isolate.
In order to meet this demand, in the business data table needs to add some fields to control, the application development will often develop a lot of code to implement the line record control. However, as the business changes, we find it increasingly expensive to develop and maintain this management requirement.
We need to look for a new solution that makes the architecture of an application system simple, scalable, and inexpensive to manage and maintain.
A new feature of oracle8i virtual Private Database
ORACLE 8i provides a new feature to implement row-level rules, called Virtual Private Database. Make full use of the virtual Private database technology provided by 8i, you can realize that the data of a database schema is accessed by multiple database users at the same time, but it can isolate the data content well. Obviously, this is not the original object-level control concept.
The following is the author's experience, written down for your reference. Let me begin by using a simple example to illustrate the new feature of Oracle 8i (which requires Oracle 8i Enterprise Edition).
Environment: Windows Server + ORACLE 8.1.7 (Enterprise Edition)
Under Scott's user, there is a Customers table that records customer information and assigns an Oracle database login account to each client in the future, and customers can log in and inquire about their order. So, what we need to do is to be able to match each login account with the client code. This means that to implement a mapping relationship, of course, you can do this by building your own relational mapping table, writing code, but Oracle 8I makes it all very simple (my next introduction will revolve around Oracle 8i This technology is how our work is simpler and easier to control, remember, This is the author's purpose of writing this article.
--Create a SECUSR account for permissions control
Connect system/manager@oracle;
Create user secusr identified by SECUSR;
Grant CONNECT,RESOURCE,DBA to SECUSR;
--giving Secusr the right to inquire customers
Connect scott/tiger@oracle;
Grant SELECT on "Customers" to secusr;
--Connect to SECUSR user
Connect secusr/secusr@oracle;
--Create context
The Create context Customer_context USING secusr. Customer_security_context;
--Create Package Customer_security_context
Create or Replace Package
Secusr.customer_security_context is
Procedure Set_customerid;
End
Create or Replace package body
Secusr. Customer_security_context is
Procedure Set_customerid is
Begin
IF sys_context (' USERENV ', ' session_user ') = ' SCOTT ' THEN
Grant execute on SECUSR. Customer_security_context to public;
ORACLE 8i provides the concept of context (connection contexts), similar to the session in ASP, where you can set up multiple global variables for the current connection and record the information until the connection is released. The above code, is to use SCOTT account login connection, a client code mapping (SCOTT->ALFKI), and, at any time can sys_context to query.
However, I do not feel enough, to be able to do each connection when the establishment of the automatic completion of this mapping, it is gratifying that ORACLE 8i provides a system-level triggers, let me easily achieve.
--scott User Login Trigger
Connect system/manager@oracle
CREATE OR REPLACE TRIGGER scott.tg_set_usr_context
How do I use virtual Private database to achieve data Control access requirements on SQL DML?
Virtual Private Database technology can set the filtering policy for DML operations on a table record. Oracle8i provides the concept of policy and is equipped with a system package to complete the setup. Next, let me introduce:
Connect secusr/secusr@oracle
--do a function to return the corresponding filter condition
Create or Replace package secusr.customer_security is
function customer_sec
return VARCHAR2;
End
Create or replace package body secusr.customer_security
Is
function customer_sec (D1 varchar2,d2 varchar2)
return VARCHAR2
Is
Begin
IF sys_context (' USERENV ', ' Session_user ') in (' SYS ', ' SYSTEM ', ' secusr ') THEN
The Customer_sec function of the customer_security package is implemented, according to the contents of CustomerID in the previous context, to return a filtering strategy, the function of the parameter form is fixed. By dbms_rls the add_policy process of the package, the policy condition is bound to the table, and every select,update,delete will automatically apply this strategy.
Okay, now let's test it out.
--Log in with Scott and see only his own information.
Sql> Connect scott/tiger@oracle;
is connected.
Sql> Select customerid,city from "Customers";
CUSTOMERID City
---------- ------------------------------
ALFKI Berlin
--With System login, you can see all the
Sql> Connect system/manager@oracle;
is connected.
Sql> Select customerid,city from "SCOTT". " Customers ";
CUSTOMERID City
---------- ------------------------------
ALFKI Berlin
Anatr México D.F.
ANTON México D.F.
Arout London
Bergs Lule? D.F.
Blaus Mannheim
Blonp Strasbourg
Bolid Madrid
Bonap Marseille
Bottm Tsawassen
Bsbev London
Very good, completely satisfied with the requirements, now can be assured that Scott account to the customer (ALFKI), customers can inquire about their own orders, of course, can only be their own.
Sql> SELECT A.orderid,a.customerid,a.orderdate,
2 sum (c.unitprice*c.quantity* (1-c.discount)) as Totalmoney
3 from "Orders" A, "Customers" B, "Order Details" C
4 where A.customerid=b.customerid and A.orderid=c.orderid
Below, let me summarize the advantages of virtual Private database:
• Provides a workable, reliable, fully transparent user-controlled protocol
With your own set of user control permissions, Virtual Private database is transparent to users, your application does not have to consider this, your application needs to be more focused on the implementation of your business process, rather than let data isolation control, as a process of your business process. You can develop functional applications completely, then add data isolation control, which is based on the backend database system, which is completely compatible with existing applications and does not cause existing programs to run
L control more closely, not only for business systems
As a result of the background database technology, this control, all applications (in addition to business systems, database management tools, etc.) have played a controlling role. In contrast, the use of their own rights control applications, only in the application of the business system is effective, while the other (sqlplus,sqlplus worksheet, etc.) is completely ineffective. And most systems use a database account login to the system, in this case, the account for the business database generally operating permissions are very high, and this account once leaked, the attackers use sqlplus tools can be used to steal data.
L This technology is more flexible and easier to manage than the methods implemented by the application itself, while the cost of development is minimal.
The use of this logging control technology, do not need to implement through the application, greatly simplifies the application system complexity, but also make your system structure is very clear, and the possibility of error is lower. Of course, your own control system can also do Oracle 8i function, but will greatly increase the cost of development.
L for ASP (Application Service Provider) system, satisfies the requirement that the user data is stored together, but can be independently accessed separately. The author believes that this technology is particularly useful for building users of ASP applications, making full use of the new technologies provided by Oracle to make your system more secure and reliable.
In short, Virtual Private database is a powerful line-level rule control technology, is a powerful feature provided to us by oracle8i, fully applied, can greatly reduce the cost of software development.
The author believes that virtual Private database technology is a very useful technology, while in SQL Server 2000 and Sybase ASE 12.5, no similar technology is seen.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.