Oracle 12c New Feature: Pluggable Database Lockdown Profiles Enhancements

2017-08-08 16:37 | 1914 views | 0 comments | Original | Oracle 12C
Author: Expect-乐

1 Overview

1.1 About PDB Lockdown Profiles

A PDB lockdown profile is a named set of rules that restricts which operations can be performed in a PDB. The restrictions apply to every user of the PDB, not to one particular account.

For example, a profile can stop users from executing statements such as ALTER SYSTEM, which limits what an over-privileged or compromised PDB account can do and so hardens the database to some degree.

Four areas of operation can be restricted:

1.  Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to share network identity.

2.  Common user or object access. These are operations in which a local user in the PDB can proxy through common user accounts or access objects in a common schema. These kinds of operations include adding or replacing objects in a common schema, granting privileges to common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating a user proxy to a common user.

3.  Operating System access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.

4.  Connections. For example, you can restrict common users from connecting to the PDB or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.
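As an added example (not part of the original post), the script below builds one profile that touches all four areas at once and then reads its rules back. The profile name cndba_net_prof is an assumption; the bundle names NETWORK_ACCESS, OS_ACCESS, COMMON_USER_CONNECT and COMMON_SCHEMA_ACCESS and the single feature UTL_HTTP are the names used in the 12.2 documentation, so confirm every ALTER against DBA_LOCKDOWN_PROFILES on your own release. Run it in the CDB root as a common user who can CREATE and ALTER LOCKDOWN PROFILE.

```sql
-- Added example, not from the original post. Profile name cndba_net_prof is
-- an assumption; feature/bundle names follow the 12.2 docs and should be
-- checked in DBA_LOCKDOWN_PROFILES after each statement.
CREATE LOCKDOWN PROFILE cndba_net_prof;

-- 1. Network access: disable the whole bundle (UTL_TCP, UTL_HTTP, UTL_MAIL,
--    UTL_SNMP, UTL_INADDR, DBMS_DEBUG_JDWP ...), then re-enable UTL_HTTP only,
--    so an application that needs outbound HTTP keeps working while the rest
--    of the network surface stays closed.
ALTER LOCKDOWN PROFILE cndba_net_prof DISABLE FEATURE = ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE cndba_net_prof ENABLE  FEATURE = ('UTL_HTTP');

-- 2. Common user / object access: local users may no longer reach objects in
--    common schemas or proxy through common users.
ALTER LOCKDOWN PROFILE cndba_net_prof DISABLE FEATURE = ('COMMON_SCHEMA_ACCESS');

-- 3. Operating system access: UTL_FILE, DBMS_FILE_TRANSFER and the other
--    members of the OS_ACCESS bundle.
ALTER LOCKDOWN PROFILE cndba_net_prof DISABLE FEATURE = ('OS_ACCESS');

-- 4. Connections: common users can no longer connect to a PDB that uses this
--    profile; only local users can.
ALTER LOCKDOWN PROFILE cndba_net_prof DISABLE FEATURE = ('COMMON_USER_CONNECT');

-- Statement-level rule on top: ALTER SYSTEM SET stays allowed except for one
-- parameter (statement -> clause -> option granularity).
ALTER LOCKDOWN PROFILE cndba_net_prof
  DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') OPTION = ('CURSOR_SHARING');

-- Review what the profile now contains before pointing PDB_LOCKDOWN at it.
-- Profile names are stored upper-case.
SELECT profile_name, rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'CNDBA_NET_PROF'
 ORDER BY rule_type, rule, clause, clause_option;
```

The DISABLE-bundle-then-ENABLE-one pattern is the one to prefer: start from everything closed and open only what the application demonstrably needs, and keep the SELECT at the end as the check you run after every change, since a typo in a feature name is not something you want to discover in production.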

2 Experiment

2.1 Create a PDB Lockdown Profile

-- Log in to the CDB root and create the lockdown profile (profiles are created and altered in the root, not inside a PDB)

SQL> create lockdown profile cndba_prof;
Lockdown Profile created.

-- Alter the lockdown profile: disallow flushing the shared pool (ALTER SYSTEM FLUSH SHARED_POOL)

SQL> ALTER LOCKDOWN PROFILE cndba_prof DISABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');

Lockdown Profile altered.

Note: a lockdown profile can be altered while it is in use; the change takes effect immediately in every PDB that uses it.

2.2 Enable the PDB Lockdown Profile

-- Set in the CDB root, the profile becomes the default for every PDB in the CDB that does not set PDB_LOCKDOWN itself

SQL> alter system set pdb_lockdown=cndba_prof;
System altered.

-- Set while connected to a PDB (ALTER SESSION SET CONTAINER = <pdb>), the profile applies only to that PDB and overrides the root value there

SQL> alter system set pdb_lockdown=cndba_prof;
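The two scopes interact: the root value is only a default, and a PDB that sets PDB_LOCKDOWN itself replaces it rather than adding to it. As an added example that is not from the original post, the script below creates a second profile for one PDB, sets the CDB-wide default, overrides it inside that PDB, and verifies what is in effect in each container. The PDB name PDB1 and the profile name cndba_pdb1_prof are assumptions, and the fallback behaviour of ALTER SYSTEM RESET versus SET pdb_lockdown = '' is my reading of 12.2 that the final query is there to confirm.

```sql
-- Added example, not from the original post. Assumes a PDB named PDB1 and a
-- second profile cndba_pdb1_prof; cndba_prof is the profile created in 2.1.
-- Run as a common user with SYSDBA, starting in the CDB root.

-- Lockdown profiles are created and altered only in the CDB root.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE LOCKDOWN PROFILE cndba_pdb1_prof;
ALTER LOCKDOWN PROFILE cndba_pdb1_prof
  DISABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') OPTION = ('OPEN_CURSORS');

-- CDB-wide default: in effect in every PDB that has no PDB_LOCKDOWN of its own.
ALTER SYSTEM SET pdb_lockdown = cndba_prof;

-- Inside PDB1, override the default. Only the PDB's own value governs PDB1;
-- it replaces the root value, the two profiles are not merged.
ALTER SESSION SET CONTAINER = PDB1;
ALTER SYSTEM SET pdb_lockdown = cndba_pdb1_prof;

-- Which profile governs the current container. Run this in each container
-- after every change; the rules themselves are listed in DBA_LOCKDOWN_PROFILES.
SELECT sys_context('USERENV', 'CON_NAME') AS container, value
  FROM v$parameter
 WHERE name = 'pdb_lockdown';
-- expected: PDB1 -> CNDBA_PDB1_PROF (and CDB$ROOT -> CNDBA_PROF when run there)

-- Effect in PDB1: the root profile's rule no longer applies here, only the
-- PDB profile's rule does.
ALTER SYSTEM FLUSH SHARED_POOL;        -- succeeds: not restricted by cndba_pdb1_prof
ALTER SYSTEM SET open_cursors = 500;   -- ORA-01031: restricted by cndba_pdb1_prof

-- Return PDB1 to the CDB-wide default. RESET removes the PDB-level value so
-- the root value applies again (assumption to confirm below); SET
-- pdb_lockdown = '' would instead store an explicit empty value and switch
-- the lockdown off in this PDB entirely.
ALTER SYSTEM RESET pdb_lockdown;
SELECT sys_context('USERENV', 'CON_NAME') AS container, value
  FROM v$parameter
 WHERE name = 'pdb_lockdown';
-- expected: PDB1 -> CNDBA_PROF
```

The practical point is that a PDB administrator who can run ALTER SYSTEM SET pdb_lockdown inside the PDB can swap the root's profile for a weaker one or clear it, so if the profile is meant to contain the PDB rather than to help its administrator, the profile itself should also block ALTER SYSTEM SET for the PDB_LOCKDOWN option, and the v$parameter check above belongs in your routine configuration audit.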

2.3 Log in to the PDB and test whether the profile is effective

Connected to the PDB, try the operation the lockdown profile restricts: flushing the shared pool.

SQL> alter system flush shared_pool;
alter system flush shared_pool
*
ERROR at line 1:
ORA-01031: insufficient privileges

The statement is rejected with ORA-01031 (insufficient privileges), while ALTER SYSTEM operations not listed in the profile still work, for example:

SQL>  alter system set sessions=400;
System altered.

2.4 Disable the PDB Lockdown Profile

As with enabling, this is done either in the CDB root or in the PDB; clearing the parameter removes the lockdown at that level:

SQL> alter system set pdb_lockdown='';

2.5 Drop the PDB Lockdown Profile

SQL> DROP LOCKDOWN PROFILE cndba_prof;
Lockdown Profile dropped.

For more on PDB lockdown profiles, see the official documentation:

http://docs.oracle.com/database/122/DBSEG/configuring-privilege-and-role-authorization.htm#DBSEG-GUID-0D525203-A1A7-46BB-B9DB-03F2D1A3803F

Copyright notice: this is an original article by the author; it may not be reproduced without the author's permission.
