怎么进行OracleDataRedaction数据加密

今天就跟大家聊聊有关怎么进行Oracle Data Redaction数据加密,可能很多人都不太了解,为了让大家更加了解,小编给大家总结了以下内容,希望大家根据这篇文章可以有所收获。

站在用户的角度思考问题,与客户深入沟通,找到临河网站设计与临河网站推广的解决方案,凭借多年的经验,让设计与互联网技术结合,创造个性化、用户体验好的作品,建站类型包括:成都做网站、网站制作、企业官网、英文网站、手机端网站、网站推广、空间域名、网络空间、企业邮箱。业务覆盖临河地区。

1.Oracle Redaction概述

Oracle Data Redaction是Oracle安全加密类的高级功能,可用于对于敏感数据的加密处理,加密配置处理均在Oracle层面实现。这是一项和安全相关的技术类别,对于指定的用户可以限制某些表的某些列显示被加密改过的值。对于Redaction之前,可能需要自定义加密函数、创建特定的视图,或者在存储到数据库的时候就用加密算法进行加密。而Redaction可以直接对数据进行加密,不会影响到数据真实的存储,对应用透明,不需要改动。

对于权限,Redaction不能对sys和system用户进行数据的加密。因为他们都有EXP_FULL_DATABASE这个角色, 而这个角色又包含了EXEMPT REDACTION POLICY系统权限。同时,也不能直接赋予用户dba权限,dba自动包含EXP_FULL_DATABASE角色。测试过程中发现,对于拥有dba权限的用户来说,表的数据可以加密操作,但没有实际加密效果。

对于常用的加密类型说明如下:

1.Full redaction:对某字段数据全部加密,number类型的列将全部返回为0,character类型的列将全部返回为空格,日期类型返回为yyyy-mm-dd;

2.Partial redaction:对列中的一部分数据进行redact,比如,可以对身份证号或手机号的中间几位设置返回为*,剩下的几位保持不变,这种场景适用于固定长度;

3.Regular expressions:对于非固定长度的character类型数据进行部分加密;

4.Random redaction:随机加密,每次展现的加密结果是不一定一样;

本次加密测试环境介绍信息如下:

OS版本

Oracle版本

是否RAC

RHEL6.5

11.2.0.4.170418

 


2. Oracle Redaction加密测试

2.1环境测试准备

本次只模拟几种常用加密场景,创建用户、表,并赋予相应权限;若无特殊说明时,调用DBMS_REDACT所使用的均为zhangxg用户。

SQL> create user zhangxg identified by zhangxg;

User created.

SQL> grant connect,resource to zhangxg;

Grant succeeded.

SQL> grant select on sys.redaction_policies TO zhangxg;

Grant succeeded.

SQL> grant select on sys.redaction_columns TO zhangxg;

Grant succeeded.

SQL> grant execute on dbms_redact TO zhangxg;

Grant succeeded.

SQL> create user nosee identified by zhangxg;

User created.

SQL> grant connect,resource to nosee;

Grant succeeded.

SQL> CREATE TABLE ZHANGXG.TAB1 (

  2  "EMPLOYEE_ID" NUMBER(6,0),

  3  "FIRST_NAME" VARCHAR2(20),

  4  "LAST_NAME" VARCHAR2(25),

  5  "SOCIAL_SECURITY" VARCHAR2(11),

  6  "SALARY" NUMBER(4,0)

  7  );

Table created.

SQL> insert into tab1 values (100,'steven','king','247-85-9056',7000);

1 row created.

SQL> insert into tab1  values (101,'neena','kochhar','334-08-6578',5000);

1 row created.

SQL> commit;

commit complete.

SQL> grant select on zhangxg.tab1 to nosee;

grant succeeded.

SQL> select * from tab1;

EMPLOYEE_ID FIRST_NAME     LAST_NAME       SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      247-85-9056       7000

        101 Neena                Kochhar                   334-08-6578       5000

2.2对表的某些字段加密

调用DBMS_REDACT包创建policy策略

SQL> BEGIN

  2    DBMS_REDACT.ADD_POLICY (

  3       object_schema          => 'ZHANGXG',

  4       object_name            => 'TAB1',

  5       policy_name            => 'REDACT_1',

  6       column_name            => 'SOCIAL_SECURITY',

  7       function_type          => DBMS_REDACT.PARTIAL,

  8       EXPRESSION             =>'1=1',

  9       function_parameters    => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5'

 10    );

 11    END;

 12    /

PL/SQL procedure successfully completed.

SQL>

SQL>  select * from tab1;

EMPLOYEE_ID FIRST_NAME        LAST_NAME       SOCIAL_SECURITY               SALARY

----------- -------------------- -------------------- ------------------ ----------

        100 Steven         King               ***-**-9056                 7000

        101 Neena           Kochhar           ***-**-6578                 5000

SQL> SQL> conn nosee/zhangxg

Connected.

SQL>

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      ***-**-9056       7000

        101 Neena                Kochhar                   ***-**-6578       5000

基于某列加密的基础上,再增加一个乱码显示的列,即多列加密显示

SQL> BEGIN

  2  DBMS_REDACT.ALTER_POLICY(

  3    object_schema       => 'ZHANGXG',

  4    object_name         => 'TAB1',

  5    policy_name         => 'REDACT_1',

  6    action              => DBMS_REDACT.ADD_COLUMN,

  7    column_name         => 'LAST_NAME',

  8    function_type       => DBMS_REDACT.RANDOM);

  9  END;

 10  /

PL/SQL procedure successfully completed.

SQL> select * from tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               K5r.                      ***-**-9056       7000

        101 Neena                ymP'@Ea                   ***-**-6578       5000

SQL> conn nosee/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               YZ$z                      ***-**-9056       7000

        101 Neena                HSTk}5l                   ***-**-6578       5000

2.3Redaction的权限控制

对于权限的控制,我们可以直接选择用户去过滤,但用户过多时可以使用role来进行权限的控制。

nosee用户看到的结果也是加密的

SQL> show user

USER is "ZHANGXG"

SQL>

SQL> select * from tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               NPnj                      ***-**-9056       7000

        101 Neena                ~<'`utz                   ***-**-6578       5000

SQL> conn nosee/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               @a8H                      ***-**-9056       7000

        101 Neena                `&&3P--                   ***-**-6578       5000

更改策略,除zhangxg本身用户外,其他用户访问均为加密

SQL> BEGIN

  2  DBMS_REDACT.ALTER_POLICY (

  3     object_schema          =>'ZHANGXG',

  4     object_name            =>'TAB1',

  5     policy_name            =>'REDACT_1',

  6     column_name            =>'SOCIAL_SECURITY',

  7     action                 => DBMS_REDACT.MODIFY_EXPRESSION,

  8     expression      =>'SYS_CONTEXT ( ''USERENV'',''SESSION_USER'' ) !=''ZHANGXG'''

  9  );

 10  END;

 11  /

PL/SQL procedure successfully completed.

SQL> select * from tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      247-85-9056       7000

        101 Neena                Kochhar                   334-08-6578       5000

SQL> conn nosee/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               5}2g                      ***-**-9056       7000

        101 Neena                $b=Z%,W                   ***-**-6578       5000

创建角色和用户用于模拟

SQL> create user cansee identified by zhangxg;

User created.

SQL> grant connect,resource to cansee;

Grant succeeded.

SQL> grant select on zhangxg.tab1 to cansee;

Grant succeeded.

SQL> create role redac_role;

Role created.

SQL> grant redac_role to cansee;

Grant succeeded.

下面,我们尝试去掉一个列的加密效果,即去掉LAST_NAME字段的全加密策略

 

SQL> BEGIN

  2   DBMS_REDACT.ALTER_POLICY(

  3    object_schema       => 'ZHANGXG',

  4    object_name         => 'TAB1',

  5    policy_name         => 'REDACT_1',

  6    action              => DBMS_REDACT.DROP_COLUMN,

  7    column_name         => 'LAST_NAME',

  8  expression             =>'1=1');

  9  END;

 10  /

PL/SQL procedure successfully completed.

SQL>

SQL> conn nosee/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID     FIRST_NAME      LAST_NAME      SOCIAL_SECU     SALARY

----------- -------------------- -------------- ----------- ----------

        100 Steven      King                      ***-**-9056       7000

        101 Neena      Kochhar                   ***-**-6578       5000

 

再次更改策略,只让zhangxg和cansee用户查看,其他用户为加密结果;这里我们新建了REDAC_ROLE角色去控制,拥有该角色的用户可正常查看,没有该角色的用户查看结果为加密;

 

SQL> BEGIN

  2  DBMS_REDACT.ALTER_POLICY (

  3     object_schema          =>'ZHANGXG',

  4     object_name            =>'TAB1',

  5     policy_name            =>'REDACT_1',

  6     column_name            =>'SOCIAL_SECURITY',

  7     action                 => DBMS_REDACT.MODIFY_EXPRESSION,

  8     expression     => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''REDAC_ROLE'') = ''FALSE'''

  9  );

 10  END;

 11  /

PL/SQL procedure successfully completed.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      ***-**-9056       7000

        101 Neena                Kochhar                   ***-**-6578       5000

SQL>

SQL> conn / as sysdba

Connected.

SQL>

SQL> grant redac_role to zhangxg;

Grant succeeded.

SQL> conn zhangxg/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      247-85-9056       7000

        101 Neena                Kochhar                   334-08-6578       5000

SQL> conn cansee/zhangxg

Connected.

SQL>

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      247-85-9056       7000

        101 Neena                Kochhar                   334-08-6578       5000

SQL> conn nosee/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME           LAST_NAME                 SOCIAL_SECU     SALARY

----------- -------------------- ------------------------- ----------- ----------

        100 Steven               King                      ***-**-9056       7000

        101 Neena                Kochhar                   ***-**-6578       5000

2.4Redaction的使用限制

通过测试可以得出以下结论:

1.对加密的列不能同时使用distinct和order by,如果使用,必须加一层select,无论对于使用的用户是否是加密可见;

2.加密的结果优先级高于函数,比如distinct;

3.对于group by不影响结果的准确性,与未加密结果一致;

4.加密后的表无法进行CTAS(create table as select)操作;

对于加密后剩余字符不一样时,distinct结果是不影响的

SQL> show user

USER is "NOSEE"

SQL> col SOCIAL_SECURITY for a25

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME   LAST_NAME   SOCIAL_SECURITY     SALARY

----------- ------------ ----------- ------------------ -------

        100 Steven       King        ***-**-9056           7000

        101 Neena        Kochhar     ***-**-6578           5000

SQL> select distinct SOCIAL_SECURITY from zhangxg.tab1;

SOCIAL_SECURITY

-------------------------

***-**-9056

***-**-6578

SQL> conn zhangxg/zhangxg

Connected.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME   LAST_NAME    SOCIAL_SECURITY      SALARY

----------- ------------ ------------ ---------------- ----------

        100 Steven       King         247-85-9056            7000

        101 Neena        Kochhar      334-08-6578            5000

手动update,将SOCIAL_SECURITY后4位改成一致

SQL> update tab1 set SOCIAL_SECURITY='334-08-9056' where EMPLOYEE_ID=101;

1 row updated.

SQL> commit;

Commit complete.

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME   LAST_NAME   SOCIAL_SECURITY        SALARY

----------- ------------ ----------- ------------------ ----------

        100 Steven       King        247-85-9056              7000

        101 Neena        Kochhar     334-08-9056              5000

此时,对于加密不限制用户来说,distinct结果是2行

SQL> select distinct SOCIAL_SECURITY from zhangxg.tab1;

SOCIAL_SECURITY

-------------------------

334-08-9056

247-85-9056

对于加密用户来说,distinct结果是1行,说明是先进行的加密,后进行distinct

SQL> conn nosee/zhangxg

Connected.

SQL> select distinct SOCIAL_SECURITY from zhangxg.tab1;

SOCIAL_SECURITY

-------------------------

***-**-9056

当对加密列同时使用distinct和order by,报语法错误,该问题已确认为bug,而且没有补丁,Bug 19558306 ;

SQL> select distinct SOCIAL_SECURITY from zhangxg.tab1 order by SOCIAL_SECURITY;

select distinct SOCIAL_SECURITY from zhangxg.tab1 order by SOCIAL_SECURITY

                *

ERROR at line 1:

ORA-01791: not a SELECTed expression

做为workaround,可以将SQL改写为子查询

SQL> select * from (select distinct SOCIAL_SECURITY from zhangxg.tab1 order by SOCIAL_SECURITY);

SOCIAL_SECURITY

-------------------------

***-**-9056

***-**-9056

SQL> conn zhangxg/zhangxg

Connected.

SQL> select distinct SOCIAL_SECURITY from zhangxg.tab1 order by SOCIAL_SECURITY;

select distinct SOCIAL_SECURITY from zhangxg.tab1 order by SOCIAL_SECURITY

                *

ERROR at line 1:

ORA-01791: not a SELECTed expression

SQL> select * from  zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME     LAST_NAME   SOCIAL_SECURITY        SALARY

----------- -------------- ----------- ------------------ ----------

        100 Steven         King        247-85-9056              7000

        101 Neena          Kochhar     334-08-9056              5000

对于group by,加密后的效果是不影响分组判断

SQL>  conn zhangxg/zhangxg

Connected.

SQL> select SOCIAL_SECURITY,count(*) from zhangxg.tab1 group by SOCIAL_SECURITY;

SOCIAL_SECURITY             COUNT(*)

------------------------- ----------

334-08-9056                        1

247-85-9056                        1

SQL>  conn nosee/zhangxg

Connected.

SQL>

SQL>  select SOCIAL_SECURITY,count(*) from zhangxg.tab1 group by SOCIAL_SECURITY;

SOCIAL_SECURITY             COUNT(*)

------------------------- ----------

***-**-9056                        1

***-**-9056                        1

对于加密后的表无法进行CTAS操作,其实逻辑上是对的,既然加密了,如果能ctas成功那么加密就是去了意义

SQL> show user

USER is "NOSEE"

SQL> select * from  zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME   LAST_NAME  SOCIAL_SECURITY   SALARY

----------- ------------ ---------- ----------------- ------

        100 Steven       King       ***-**-9056         7000

        101 Neena        Kochhar    ***-**-9056         5000

SQL> create table ctastab as select * from zhangxg.tab1;

create table ctastab as select * from zhangxg.tab1

                               *

ERROR at line 1:

ORA-28081: Insufficient privileges - the command references a redacted object.

SQL> conn / as sysdba

Connected.

SQL> grant exempt redaction policy to NOSEE;

Grant succeeded.

SQL>  conn nosee/zhangxg

Connected.

SQL> create table ctastab as select * from zhangxg.tab1;

Table created.

SQL> select * from ctastab;

EMPLOYEE_ID FIRST_NAME   LAST_NAME   SOCIAL_SECURITY    SALARY

----------- ------------ ----------- ----------------- -------

        100 Steven       King        247-85-9056          7000

        101 Neena        Kochhar     334-08-9056          5000

同时,有了该权限后加密也是去了意义

SQL> select * from zhangxg.tab1;

EMPLOYEE_ID FIRST_NAME   LAST_NAME   SOCIAL_SECURITY    SALARY

----------- ------------ ----------- ----------------- -------

        100 Steven       King        247-85-9056          7000

        101 Neena        Kochhar     334-08-9056          5000

3.附录

    1.对于已添加的策略,可通过下面视图进行查询

select * from redaction_policies;

selectobject_owner,object_name,column_name,function_type,function_parameters from redaction_columns;

   2.删除加密策略

BEGIN

  DBMS_REDACT.DROP_POLICY(

    object_schema  => 'ZHANGXG',

    object_name    => 'TAB1',

    policy_name    => 'REDACT_1');

END;

看完上述内容,你们对怎么进行Oracle Data Redaction数据加密有进一步的了解吗?如果还想了解更多知识或者相关内容,请关注创新互联行业资讯频道,感谢大家的支持。


分享标题:怎么进行OracleDataRedaction数据加密
转载源于:http://scyanting.com/article/gdoepg.html