表进行加密(redact)实验
redact对具有dba权限的账号不起作用,可以看到未加密前所有的数据,下面每个policy_name都命名为p1,实际情况需要区分不同的命名。
1. 加密准备工作:
sqlplus /nolog
连接pdb
connect sys/oracle@ora12cpdb1 as sysdba
REVOKE dba FROM ZHANGSAN;
GRANT CONNECT, resource, unlimited tablespace TO ZHANGSAN;
GRANT SELECT ON sys.redaction_policies TO ZHANGSAN;
GRANT SELECT ON sys.redaction_columns TO ZHANGSAN;
GRANT EXECUTE ON dbms_redact TO ZHANGSAN;
Grant Select On dba_tables To zhangsan;
查询约束和加密策略
SQL> select policy_name from redaction_policies;
no rows selected
2. ZHANGSAN用户下创建测试表
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
create table hxl_redact_test as select * from dba_tables where rownum<10;
2、策略验证:
2.1 full redaction的验证(number)
创建策略前查询:
SQL> select sample_size from hxl_redact_test;
SAMPLE_SIZE
-----------
2919
6944
10
21
8658
0
0
7105
4876
9 rows selected.
创建策略
begin dbms_redact.add_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'sample_size',
function_type=>dbms_redact.full,
enable=>true,
expression=>'1=1');
end;
查询全部显示0
SQL> select sample_size from hxl_redact_test;
SAMPLE_SIZE
-----------
0
0
0
0
0
0
0
0
0
9 rows selected.
SQL> grant select on hxl_redact_test to alice;
使用alice登陆查询
sqlplus /nolog
connect alice/oracle@ora12cpdb1
SQL> select sample_size from zhangsan.hxl_redact_test;
SAMPLE_SIZE
-----------
0
0
0
0
0
0
0
0
0
9 rows selected.
2.2 full redaction的验证(char)
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
begin dbms_redact.alter_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'table_name',
action=>dbms_redact.add_column,
function_type=>dbms_redact.full,
expression=>'1=1');
end;
SQL> set linesize 1000;
SQL> column table_name format a32;
SQL> column owner format a10;
SQL> select owner,table_name,sample_size from hxl_redact_test;
OWNER TABLE_NAME SAMPLE_SIZE
---------- -------------------------------- -----------
SYS 0
SYS 0
SYS 0
SYS 0
SYS 0
SYS 0
SYS 0
SYS 0
SYS 0
9 rows selected.
可以看到table_name全部显示为空
2.3 full redaction的验证(date)
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
begin dbms_redact.alter_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'last_analyzed',
action=>dbms_redact.add_column,
function_type=>dbms_redact.full,
expression=>'1=1');
end;
SQL> set linesize 1000;
SQL> column table_name format a32;
SQL> column owner format a10;
SQL> select owner,table_name,sample_size,last_analyzed from zhangsan.hxl_redact_test;
OWNER TABLE_NAME SAMPLE_SIZE LAST_ANAL
---------- -------------------------------- ----------- ---------
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
9 rows selected.
日期全部显示为'01-JAN-01'
2.4 partial redaction的验证(char)
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
begin
dbms_redact.alter_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'owner',
action=>dbms_redact.add_column,
function_type=>dbms_redact.partial,
expression=>'1=1',
function_parameters=>'VVVFVVVVFVVVV,VVV-VVVV-VVVV,*,1,3');
end;
SQL> set linesize 1000;
SQL> column table_name format a32;
SQL> column owner format a10;
SQL> select owner,table_name,sample_size,last_analyzed from hxl_redact_test;
OWNER TABLE_NAME SAMPLE_SIZE LAST_ANAL
---------- -------------------------------- ----------- ---------
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
*** 0 01-JAN-01
9 rows selected.
可以看到owner字段全部使用*代替
3.drop 策略验证
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
begin
dbms_redact.alter_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'owner',
action=>dbms_redact.drop_column,
expression=>'1=1');
end;
再次查看owner列,看到已经不是*了
SQL> select owner,table_name,sample_size,last_analyzed from hxl_redact_test;
OWNER TABLE_NAME SAMPLE_SIZE LAST_ANAL
---------- -------------------------------- ----------- ---------
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
SYS 0 01-JAN-01
9 rows selected.
4.有编写策略的表不允许ctas操作
用户可以对xiaoxu_v1表进行dml操作,但是不能基于xiaoxu_v1表进行ctas操作。如下:
SQL> create table hxl_redact_test_copy as select * from hxl_redact_test;
create table hxl_redact_test_copy as select * from hxl_redact_test
*
ERROR at line 1:
ORA-28081: Insufficient privileges - the command references a redacted object.
5.修改policy使得其他用户可以访问到真实数据
sqlplus /nolog
connect zhangsan/oracle@ora12cpdb1
begin
dbms_redact.alter_policy(
object_schema=>'zhangsan',
object_name=>'hxl_redact_test',
policy_name=>'p1',
column_name=>'last_analyzed',
action=>dbms_redact.modify_expression,
expression=>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''ALICE''');
end;
sqlplus /nolog
connect alice/oracle@ora12cpdb1;
SQL> set linesize 1000;
SQL> column table_name format a32;
SQL> column owner format a10;
SQL> select owner,table_name,sample_size,last_analyzed from zhangsan.hxl_redact_test;
OWNER TABLE_NAME SAMPLE_SIZE LAST_ANAL
---------- -------------------------------- ----------- ---------
SYS IND$ 2919 02-DEC-19
SYS CDEF$ 6944 02-DEC-19
SYS CLU$ 10 03-DEC-19
SYS UNDO$ 21 03-DEC-19
SYS CCOL$ 8658 02-DEC-19
SYS PROXY_ROLE_DATA$ 0 26-JAN-17
SYS FET$ 0 26-JAN-17
SYS CON$ 7105 02-DEC-19
SYS ICOL$ 4876 20-NOV-19
9 rows selected.
可以看到last_analyzed字段的值全部显示出来了.
6、其他操作
---禁用编写策略
BEGIN
DBMS_REDACT.DISABLE_POLICY (
object_schema => 'zhangsan',
object_name => 'hxl_redact_test',
policy_name => 'p1');
END;
---启用编写策略
BEGIN
DBMS_REDACT.ENABLE_POLICY (
object_schema => 'zhangsan',
object_name => 'hxl_redact_test',
policy_name => 'p1');
END;
---删除编写策略
BEGIN
DBMS_REDACT.DROP_POLICY (
object_schema => 'zhangsan',
object_name => 'hxl_redact_test',
policy_name => 'p1');
END;
