Oracle Vault是Oracle推出的一套比较完整的运维安全体系框架。在很多运维机构中,Vault是非常好的可选择方案。Oracle Vault的原则
Oracle Vault是Oracle推出的一套比较完整的运维安全体系框架。在很多运维机构中,Vault是非常好的可选择方案。
Oracle Vault的原则是安全职责的拆分保护。从原来数据库管理员sys承担安全职责这个假设,转变为单独安全人员dbvowner和dbvaccount manager为安全配置中心。之后,从行为、领域等多个层面设定了很多安全区,对安全区采用额外的保护策略,将管理员屏蔽住。
注意:Vault的出发点是我们进行选型的一个重要考虑。安全威胁是多种类、多层次的。Oracle Vault是针对运维机构对“自己人”的一种约束设置,形成管理员和安全员相互牵制的结构。
数据库管理员虽然可以进行管理工作,但是却不能访问特定敏感区域。而安全员虽然有安全授权能力,但是没有管理员数据授权(系统权限和数据权限),安全员也不能访问敏感数据。
这个过程中是有一些漏洞的,比如管理员存在修改安全员密码,夺取安全员权限的可能,所以Oracle Vault在安装之后,有一些默认的领域和命令规则,将管理员严格的进行束缚。
此外,管理员有一些日常操作,如使用DB Control、Datapump和Recovery Manager,都有触动安全领域规则的风险。这样的情况Oracle是如何处理呢?本篇从Data Pump操作入手,进行简单讨论。
1、Data Pump与Vault
Oracle Data Pump(数据泵)是Oracle10g以后推出的数据备份管理工具。作为Exp/Imp的进化版,Data Pump对于各种Oracle新特性、功能支持力度是比较好的,在海量数据操作的时候,Data Pump也是有独特的优势。
如果我们仔细研究过Data Pump操作过程,就可以得知,Oracle Data Pump进行数据导入的过程并不是一个整体,而是一系列动作的集合。比如:当进行数据导入Schema模式的时候,如果目标数据库没有这个用户,Data Pump时会创建出这个用户。这个过程其实就是一般的create user xxx语句执行。
所以,进行export和import数据的过程,是一个多种权限(系统权限)综合的过程。这也就是为什么Oracle中导入导出数据库的权限是两个角色权限(Import/Export Full Database)。
那么,,如果管理员(备份操作员)需要进行数据导入导出敏感数据的时候,是要触动到敏感信息的。Oracle Vault环境下我们是怎么配置呢?
2、默认行为配置
当前我们实验选择Oracle 11gR2版本,数据库已经配置Vault组件。对scott数据进行保护,即使sys管理员也是无法访问的。
SQL> show user;
User is "SYS"
SQL> select count(*) from scott.emp;
select count(*) from scott.emp
ORA-01031: 权限不足
创建directory对象,导出数据。
[oracle@SimpleLinux ~]$ cd /dumps/
[oracle@SimpleLinux dumps]$ ls -l
total 0
Oracle中创建directory对象dumps。尝试进行导出。
[oracle@SimpleLinux dumps]$ expdp \"/ as sysdba\" directory=dumps schemas=scott dumpfile=scottvault.dmp
Export: Release 11.2.0.4.0 - Production on Fri Apr 4 15:21:30 2014
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - Production
(篇幅原因,有省略……)
Processing object type SCHEMA_EXPORT/TABLE/CONSTRAINT/REF_CONSTRAINT
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_NOTIFY_QTABLE_S','SYSMAN',1,1,'11.02.00.04.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9876
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_LOADER_QTABLE_S','SYSMAN',1,1,'11.02.00.04.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9876
Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
ORA-31693: Table data object "SCOTT"."DEPT" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "SCOTT"."EMP" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
ORA-31693: Table data object "SCOTT"."SALGRADE" failed to load/unload and is being skipped due to error:
ORA-02354: error in exporting/importing data
ORA-28116: insufficient privileges to do direct path access
. . exported "SCOTT"."BONUS" 0 KB 0 rows
Master table "SYS"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYS.SYS_EXPORT_SCHEMA_01 is:
/dumps/scottvault.dmp
Job "SYS"."SYS_EXPORT_SCHEMA_01" completed with 5 error(s) at Fri Apr 4 15:22:22 2014 elapsed 0 00:00:41
从报错信息中,我们看到Data Pump本质就是调用一系列的包方法,来将数据导出。Sys用户是有导出数据权限的,但是默认情况如果碰触敏感信息,也是报错失败。
更多详情见请继续阅读下一页的精彩内容:
What are stored procedures in MySQL?May 01, 2025 am 12:27 AMStored procedures are precompiled SQL statements in MySQL for improving performance and simplifying complex operations. 1. Improve performance: After the first compilation, subsequent calls do not need to be recompiled. 2. Improve security: Restrict data table access through permission control. 3. Simplify complex operations: combine multiple SQL statements to simplify application layer logic.
How does query caching work in MySQL?May 01, 2025 am 12:26 AMThe working principle of MySQL query cache is to store the results of SELECT query, and when the same query is executed again, the cached results are directly returned. 1) Query cache improves database reading performance and finds cached results through hash values. 2) Simple configuration, set query_cache_type and query_cache_size in MySQL configuration file. 3) Use the SQL_NO_CACHE keyword to disable the cache of specific queries. 4) In high-frequency update environments, query cache may cause performance bottlenecks and needs to be optimized for use through monitoring and adjustment of parameters.
What are the advantages of using MySQL over other relational databases?May 01, 2025 am 12:18 AMThe reasons why MySQL is widely used in various projects include: 1. High performance and scalability, supporting multiple storage engines; 2. Easy to use and maintain, simple configuration and rich tools; 3. Rich ecosystem, attracting a large number of community and third-party tool support; 4. Cross-platform support, suitable for multiple operating systems.
How do you handle database upgrades in MySQL?Apr 30, 2025 am 12:28 AMThe steps for upgrading MySQL database include: 1. Backup the database, 2. Stop the current MySQL service, 3. Install the new version of MySQL, 4. Start the new version of MySQL service, 5. Recover the database. Compatibility issues are required during the upgrade process, and advanced tools such as PerconaToolkit can be used for testing and optimization.
What are the different backup strategies you can use for MySQL?Apr 30, 2025 am 12:28 AMMySQL backup policies include logical backup, physical backup, incremental backup, replication-based backup, and cloud backup. 1. Logical backup uses mysqldump to export database structure and data, which is suitable for small databases and version migrations. 2. Physical backups are fast and comprehensive by copying data files, but require database consistency. 3. Incremental backup uses binary logging to record changes, which is suitable for large databases. 4. Replication-based backup reduces the impact on the production system by backing up from the server. 5. Cloud backups such as AmazonRDS provide automation solutions, but costs and control need to be considered. When selecting a policy, database size, downtime tolerance, recovery time, and recovery point goals should be considered.
What is MySQL clustering?Apr 30, 2025 am 12:28 AMMySQLclusteringenhancesdatabaserobustnessandscalabilitybydistributingdataacrossmultiplenodes.ItusestheNDBenginefordatareplicationandfaulttolerance,ensuringhighavailability.Setupinvolvesconfiguringmanagement,data,andSQLnodes,withcarefulmonitoringandpe
How do you optimize database schema design for performance in MySQL?Apr 30, 2025 am 12:27 AMOptimizing database schema design in MySQL can improve performance through the following steps: 1. Index optimization: Create indexes on common query columns, balancing the overhead of query and inserting updates. 2. Table structure optimization: Reduce data redundancy through normalization or anti-normalization and improve access efficiency. 3. Data type selection: Use appropriate data types, such as INT instead of VARCHAR, to reduce storage space. 4. Partitioning and sub-table: For large data volumes, use partitioning and sub-table to disperse data to improve query and maintenance efficiency.
How can you optimize MySQL performance?Apr 30, 2025 am 12:26 AMTooptimizeMySQLperformance,followthesesteps:1)Implementproperindexingtospeedupqueries,2)UseEXPLAINtoanalyzeandoptimizequeryperformance,3)Adjustserverconfigurationsettingslikeinnodb_buffer_pool_sizeandmax_connections,4)Usepartitioningforlargetablestoi
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
