Oracle LiveLabs实验:Oracle Label Security (OLS)
Posted dingdingfish
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Oracle LiveLabs实验:Oracle Label Security (OLS)相关的知识,希望对你有一定的参考价值。
概述
此实验申请地址在这里,时间为30分钟。
本实验也是DB Security Advanced研讨会的的第7个实验,即Lab 7。
实验帮助在这里。
本实验使用的数据库为19.13。
Introduction
本研讨会介绍了 Oracle Label Security (OLS) 的各种特性和功能。 它使用户有机会学习如何配置这些功能以保护其敏感数据,帮助跟踪允诺,并根据《通用数据保护条例》等法规要求强制限制处理。
Task 1: Simple CRM Application
不同的应用有不同的用途:
- 用户应用
- 应用程序:用户设置其偏好以同意营销、处理数据或要求被遗忘
- 用户标签:NCNST::DP ;数据库用户:APPPREFERENCE
- 电子邮件营销
- 应用程序:只能访问已同意处理其数据且专门用于电子邮件营销的用户
- 用户标签:CONS::EMAIL;数据库用户:APPMKT
- 商业智能
- 应用程序:可以访问所有同意处理其数据的用户
- 用户标签:CONS::DP;数据库用户:APPBI
- 匿名者
- 批处理匿名用户记录并将数据标签设置为 ANON::
- 用户标签:FORGET::;数据库用户:APPFORGET
虽然我们提供脚本以自动化方式从头到尾执行整个实验室,但强烈建议您一个一个打开并一个一个复制/执行代码块。这样,您将更好地理解本练习的构建块。如果您决定逐个执行脚本,您可以随时查看日志文件 (.out) 以了解详细信息
进入实验目录:
sudo su - oracle
cd $DBSEC_LABS/label-security
首先设置标签安全环境,输出为ols_setup_env.out:
./ols_setup_env.sh
以上脚本:
- 创建 C##OSCAR_OLS 用户(CDB中)、创建表、加载数据、创建将用于展示不同场景的用户(PDB中),它还配置和启用 OLS
- 调用 load_crm_customer_data.sql 脚本以在 APPCRM 模式中创建表 CRM_CUSTOMER 并插入 391 行
接下来,您将创建标签安全策略。 策略由级别、组和/或分区组成。 政策的唯一强制性组成部分是至少有一个级别:
./ols_create_policy.sh
输出为:
==============================================================================
Create the Label Security policy "OLS_DEMO_GDPR"...
==============================================================================
CON_NAME
------------------------------
PDB1
USER is "C##OSCAR_OLS"
-------------------------------------------
. STEP 1: CREATE OLS POLICY (OLS_DEMO_GDPR)
-------------------------------------------
PL/SQL procedure successfully completed.
-------------------------------------------
. STEP 2: CREATE LEVELS
10 - CONSENT (CNST)
20 - ANONYMIZED (ANON)
30 - FORGET (FRGT)
40 - NOCONSENT (NCNST)
-------------------------------------------
... Create CONSENT level
PL/SQL procedure successfully completed.
... Create ANONYMIZED level
PL/SQL procedure successfully completed.
... Create FORGET level
PL/SQL procedure successfully completed.
... Create NOCONSENT level
PL/SQL procedure successfully completed.
---------------------------------------------------------
. STEP 3: CREATE GROUPS
Here we used a hierarchy of groups to control
which data can be processed (based on given consent):
1000 - DATA_PROCESSING (DT_PROD)
1100 - CAMPAIGN_MGMT (CAMP_MGMT)
1110 - EMAIL
1120 - POST_MAIL
1130 - WEB_ADS
1200 - ANALYTICS
1210 - RECOMMENDATION_ENGINE (REC_ENGINE)
1300 - THIRDPARTY
1310 - CONTACT_DETAILS (CONTACT_DET)
1320 - PREFERENCE_DETAILS (PREF_DETAILS)
1330 - PURCHASE_HIST (PURCH_HIST)
---------------------------------------------------------
... Create DATA_PROCESSING group
PL/SQL procedure successfully completed.
... ... Create CAMPAIGN_MGMT group
PL/SQL procedure successfully completed.
... ... ... Create EMAIL group
PL/SQL procedure successfully completed.
... ... ... Create POST_MAIL group
PL/SQL procedure successfully completed.
... ... ... Create ONLINE_ADS group
PL/SQL procedure successfully completed.
... ... Create ANALYTICS group
PL/SQL procedure successfully completed.
... ... ... Create REC_ENGINE group
PL/SQL procedure successfully completed.
... ... Create THIRDPARTY group
PL/SQL procedure successfully completed.
... ... ... Create CONTACT_DETAILS group
PL/SQL procedure successfully completed.
... ... ... Create PREFERENCE_DETAILS group
PL/SQL procedure successfully completed.
... ... ... Create PURCHASE_HIST group
PL/SQL procedure successfully completed.
------------------------------------------------------------
. STEP 4: CREATE LABELS
The label is automatically designated as a valid data label
This functionality limits the labels that can be assigned to data
If a user widthraws consent the row label will have that compartment removed
Allowed Labels (Trim down/add to suite the use cases):
CNST:: 500
FORGET:: 700
ANON:: 800
NOCONSENT:: 999
---------
CNST::DT_PROC 1000
CNST::CAMP_MGMT 1100
CNST::EMAIL 1110
CNST::POST_MAIL 1120
CNST::WEB_ADS 1130
CNST::EMAIL,POST_MAIL 1140
CNST::EMAIL,ANALYTICS 1145
CNST::EMAIL,WEB_ADS 1150
CNST::CAMP_MGMT,ANALYTICS,THIRDPARTY 1160
CNST::CAMP_MGMT,ANALYTICS 1170
CNST::CAMP_MGMT,THIRDPARTY 1180
CNST::ANALYTICS,THIRDPARTY 1190
CNST::POST_MAIL,WEB_ADS 1195
---------
CNST::ANALYTICS 1200
CNST::REC_ENGINE 1210
---------
CNST::THIRDPARTY 1300
CNST::CONTACT_DETAILS 1310
CNST::PREF_DETAILS 1320
CNST::PURCH_HIST 1330
CNST::CONTACT_DETAILS,PREF_DETAILS 1340
CNST::CONTACT_DETAILS,PURCH_HIST 1350
CNST::PREF_DETAILS,PURCH_HIST 1360
------------------------------------------------------------
...
. STEP 5: ASSING LEVELS TO USERS
Users | Levels
---------------------|------------------------------------------------
APPPREFERENCE | Can process all data
| . Level Min (CNST) and Level Max (NCNST)
| . Group (DT_PROC)
---------------------|------------------------------------------------
APPFORGET | Can process data marked as to be forgotten
| . Level Min (ANON) and Level Max (FRGT)
---------------------|------------------------------------------------
APPMKT | Can process data belonging to group EMAIL only
| . Level Min (CNST) and Level Max (CNST)
| . Group (EMAIL)
---------------------|------------------------------------------------
APPBI | Can process data belonging to group ANALYTICS
| . Level Min (ANON) and Level Max (ANON)
| . Group (ANALYTICS)
---------------------|------------------------------------------------
APP3RD | Can process data belonging to group THIRDPARTY
| . Level Min (CNST) and Level Max (CNST)
| . Group (THIRDPARTY)
------------------------------------------------------------------------
... Set Levels for APPPREFERENCE
PL/SQL procedure successfully completed.
... ... prompt Set Group for APPPREFERENCE
PL/SQL procedure successfully completed.
... Set Level for APPFORGET
PL/SQL procedure successfully completed.
... Set Level for APPMKT
PL/SQL procedure successfully completed.
... ... Set Group for APPMKT
PL/SQL procedure successfully completed.
... Set Level for APPBI
PL/SQL procedure successfully completed.
... ... Set Group for APPBI
PL/SQL procedure successfully completed.
... Set Level for APP3RD
PL/SQL procedure successfully completed.
... ... Set Group for APP3RD
PL/SQL procedure successfully completed.
----------------------------------------------------
. STEP 6: APPLY THE OLS POLICY
----------------------------------------------------
PL/SQL procedure successfully completed.
此脚本将创建策略(级别、组和标签),为用户设置级别和组,并将策略应用于 APPCRM.CRM_CUSTOMER 表。对于每个步骤,您可以查看您执行的脚本的输出(例如“more ols_create_policy.out”)。
然后,我们必须标记数据……我们使用我们创建的策略并应用一个级别,一个或多个分区(可选),一个或多个组(可选)。
输出如下:
==============================================================================
Label the data...
==============================================================================
CON_NAME
------------------------------
PDB1
USER is "SYS"
-- . ANON - Already anonymized: 10 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','ANON')
where customerid between 51 and 60;
10 rows updated.
-- . CNST::ANALYTICS - Consented to be processed for analytics: 200 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::ANALYTICS')
where customerid between 66 and 265;
200 rows updated.
. CNST::EMAIL - Consented to be processed for email: 123 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL')
where customerid between 266 and 388;
123 rows updated.
. CNST::EMAIL,ANALYTICS - Consented to be processed for email and bi: 3 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','CNST::EMAIL,ANALYTICS')
where customerid >= 389;
3 rows updated.
-- . FRGT - Asked to be forgotten: 5 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET gdpr_col = CHAR_TO_LABEL('OLS_DEMO_GDPR','FRGT')
where customerid between 61 and 65;
5 rows updated.
-- . NCNST - Did not consent or revoked consent: 50 records
SQL>
UPDATE APPCRM.CRM_CUSTOMER
SET GDPR_COL = CHAR_TO_LABEL('OLS_DEMO_GDPR','NCNST')
where customerid between 1 and 50;
50 rows updated.
Commit complete.
. Show the count per Label
SQL>
SELECT LABEL_TO_CHAR (GDPR_COL) label, count(*) count
FROM APPCRM.CRM_CUSTOMER
GROUP BY GDPR_COL
ORDER BY label;
LABEL COUNT
-------------------------------------------------- --------
ANON 10
CNST::ANALYTICS 200
CNST::EMAIL 123
CNST::EMAIL,ANALYTICS 3
FRGT 5
NCNST 50
6 rows selected.
其中,CHAR_TO_LABEL的第1个参数为policy name,第二个参数为label。
此脚本更新数据标签以创建将在场景中使用的各种标签。在现实世界的场景中,建议创建一个标签函数,该函数将根据其他现有表数据(其他列)分配标签。对于每个步骤,您可以查看您执行的脚本的输出(例如“more ols_label_data.out”)
然后我们将看到标签安全性的作用,用不同的用户查看同一张表:
$ $ ./ols_label_sec_in_action.sh
==============================================================================
Connects as different apps would be connecting to see records that they would be able to process...
==============================================================================
. Marketing App would only show 126 records
(Can process data labeled: CNST::EMAIL and CNST::ANALYTICS, EMAIL)
COUNT(*)
----------
126
. BI App would only show 213 records
(Can process data labeled: ANON, CNST::ANALYTICS, CNST::ANALYTICS, EMAIL)
COUNT(*)
----------
213
. FORGET App would only show 15 records
(Can process data labeled: FRGT and ANON)
COUNT(*)
----------
15
. APPPREFERENCE App can be used to set consent
(Can process ALL records - 391)
COUNT(*)
----------
391
. What labels are currently in session?
LABEL
------------------------------------------------------------------------------------------------------------------------------------------------------------------
NCNST::DT_PROC,CAMP_MGMT,EMAIL,POST_MAIL,WEB_ADS,ANALYTICS,REC_ENGINE,THIRDPARTY,CONTACT_DET,PREF_DETAILS,PURCH_HIST
. What is the session row label?
SA_SESSION.ROW_LABEL('OLS_DEMO_GDPR')
------------------------------------------------------------------------------------------------------------------------------------------------------------------
CNST::DT_PROC
每个应用程序只会看到他们能够处理的记录。例如。 AppMKT(用于向客户发送电子邮件的应用程序)只能查看标记为 CNST::EMAIL 的记录; AppBI 将能够查看标记为 ANON 和 CNST::ANALYTICS 的记录(标记为 CNST 级别的行,以及 Group Analytics 的一部分——也适用于 CNST::ANALYTICS、EMAIL)。
现在,我们将 UserID(100) 的状态更改为被遗忘。
$ ./ols_to_be_forgotten.sh
=====================================以上是关于Oracle LiveLabs实验:Oracle Label Security (OLS)的主要内容,如果未能解决你的问题,请参考以下文章
Oracle LiveLabs实验:Oracle RAC Fundamentals
Oracle LiveLabs实验:Install Oracle Database 21c
Oracle LiveLabs实验:DB Security - Oracle Label Security (OLS)
Oracle LiveLabs实验:Oracle Label Security (OLS)