
Cover page

Oracle Virtual Private Database Solution Document

Table of contents

1. Application Context
2. Oracle Virtual Private Database
2.1 Definition of Oracle Virtual Private Database (VPD)
2.2 Main components of VPD
2.2.1 Application Context
2.2.2 PL/SQL Functions
2.2.3 Security Policy
2.3 Creating the functions that implement VPD security policies
2.4 Implementing row-level VPD
2.5 Implementing column-level VPD
2.6 Security policy groups
2.7 Advantages and limitations of applying VPD
3. Applying the Oracle Private Database solution to the V-Tracking project
4. References


1. Application Context
USERENV Application Context

Oracle provides a default application context, USERENV, that gives access to a set of predefined attributes. These are the basic attributes that the database management system records automatically whenever a connection is made, for example the IP address from which the connection to the database originates. These predefined attributes are used heavily in managing access rights to objects; one important example is the CLIENT_IDENTIFIER field, which identifies the user (the end user). To read information from this application context, use SYS_CONTEXT('userenv', 'attribute').

List of attributes of the default USERENV application context

The application context has the main attributes shown in the following table:

AUDITED_CURSORID, AUTHENTICATED_IDENTITY, AUTHENTICATION_DATA, AUTHENTICATION_METHOD, BG_JOB_ID, CLIENT_IDENTIFIER, CLIENT_INFO, CURRENT_BIND, CURRENT_SCHEMA, CURRENT_SCHEMAID, CURRENT_SQL, CURRENT_SQL1 to CURRENT_SQL7, CURRENT_SQL_LENGTH, DB_DOMAIN, DB_NAME, ENTRYID, ENTERPRISE_IDENTITY, FG_JOB_ID, GLOBAL_CONTEXT_MEMORY, GLOBAL_UID, HOST, IDENTIFICATION_TYPE, INSTANCE, INSTANCE_NAME, IP_ADDRESS, ISDBA, LANG, LANGUAGE, NETWORK_PROTOCOL, NLS_TERRITORY, NLS_CURRENCY, NLS_CALENDAR, NLS_DATE_FORMAT, NLS_DATE_LANGUAGE, NLS_SORT, OS_USER, POLICY_INVOKER, PROXY_USER, PROXY_USERID, SERVER_HOST, SESSION_USER, SESSION_USERID, SESSIONID, SID, STATEMENTID, TERMINAL

Changing information in the default context

2. Oracle Virtual Private Database


2.1 Definition of Oracle Virtual Private Database (VPD)
Oracle Virtual Private Database (abbreviated Oracle VPD) is a tool that combines the access control mechanism (FGAC, Fine-Grain Access Control) with Application Context, allowing administrators to define and apply access management policies down to the row or column level for each session. Oracle Virtual Private Database is sometimes also called Oracle Row-Level Security (RLS) or Fine Grained Access Control (FGAC).

Oracle VPD allows security policies to be defined for each object (Table, View, Synonym) and for each operation (SELECT, INSERT, UPDATE, DELETE). When a user directly or indirectly accesses an object that has a security policy, the database management system automatically modifies the user's SQL statement by appending a WHERE clause, also called a predicate, returned by the policy function for that object. This modification of the SQL statement is transparent to the end user (the one issuing the statement). The policy function can call another function, or call embedded C or Java code, to generate the predicate from an operating system file or from a central store of security policies. The policy function can also return different predicates depending on the user, the user group or the application by using the application context.

2.2 Main components of VPD


Physically, applying Oracle VPD requires the following components:

- Application Context: where the context information for the application is stored.
- PL/SQL Functions: the functions that implement the security policies.
- Security Policy: the security policies applied to the objects.

2.2.1 Application Context


Application Context was covered in detail in section 1, so this section only looks at how the application context is applied in Oracle VPD. The application context can be used in one of the following ways:

- As a secure data cache: reusable application data (which may have to be queried from several tables) is stored in an application context so that the policy functions can reuse it throughout the session without querying the tables again. This is especially useful when the policy functions depend on several attributes. For example, suppose the security policy for access to the ORDERS_TAB table is based on the customer number. Instead of querying for the customer number every time it is needed, we can query it once and set the value in the application context. The customer number is kept for the whole session and can be read at any time, which speeds up the policy functions.

- To apply security policies for each type of participant: here the application context is used to tell the types of participant apart. For example, in an ordering application a customer can see only their own orders while a sales employee can see all orders, so there are two different security policies for the two types. We can create an application context with a position attribute; the policy function reads this attribute to tell whether the session belongs to a customer or an employee and returns the corresponding predicate. In this case the policy function can be written so that, when a customer is logged in, the query is transformed from:

    SELECT * FROM Orders_tab

  into:

    SELECT * FROM Orders_tab WHERE Custno = SYS_CONTEXT ('order_entry', 'cust_num');

- To supply the variables used in the WHERE clause: as in the example above, but here the application context serves as a variable that distinguishes each customer through the SYS_CONTEXT(namespace,attribute) function.

2.2.2 PL/SQL Functions


PL/SQL functions are used to generate the WHERE conditions, also called predicates, that are appended to queries, which is what makes row-level access control possible. These functions must be invoked under the correct conditions so that the security policies can call them. Each function returns a string containing the conditions to append to the query, for example Custno = 5

2.2.3 Security Policy


Security policies are attached to individual objects and correspond to specific access methods. They are managed through the procedures of the DBMS_RLS package, including:

- ADD_POLICY: adds a new security policy
- ENABLE_POLICY: enables or disables security policies
- REFRESH_POLICY: refreshes the function for the security policies
- DROP_POLICY: drops a security policy

When adding a new security policy, we can specify its type as one of the following:

- Static: the policy function is executed exactly once and the result is reused for subsequent queries; the returned predicate is stored in the Shared Global Area (SGA).
- SHARED_STATIC: the same as Static, but the predicate can be shared when several objects use the same policy function.
- CONTEXT_SENSITIVE: the policy function is always called when the statement is parsed; it is called again only when the context changes. This suits connection pooling, where connections to the database share one schema and the application context is used to switch the identity of the application user.
- SHARED_CONTEXT_SENSITIVE: the same as CONTEXT_SENSITIVE, except that it can be shared when several objects use the same policy function.
- Dynamic (default): the type used when none is specified. Nothing is kept after the policy function has been called; the function is called every time the query is parsed or executed.

2.2.4 How it works
When Oracle VPD is active, every query goes through the following main steps:

1. The user accesses an object that has a security policy attached.
2. The database server calls the object's policy function for the type of statement.
3. The function returns a predicate (a WHERE clause).
4. The database server appends this clause to the query.
5. The database server executes the modified statement.

2.2.5 User models


Oracle lets an application control access for every user, whether that user is an application user or a database user. When the application's users are also users of the database management system, applying Oracle VPD is relatively simple: the user connects to the database and the application sets the application context for each session. When the application connects to the database as a single database user, the Oracle VPD solution can still be applied to control each user's access. For example, web applications usually have very many users and connect to the database as a single user; the connections are even pooled to make data retrieval more efficient, and therefore each connection to the database. So in this case, to apply VPD, the application is responsible for changing the information in the application context (the identity of the current user). Oracle supports distinguishing different application users (all sharing a single database user) through the CLIENT_IDENTIFIER and CLIENT_INFO fields in the default USERENV application context.
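The single-database-user model described above, as an added example that is not part of the original document. The SEC_ADMIN and APP schemas, the DOCS_TAB table with its OWNER_LOGIN column, and the policy and function names are hypothetical; DBMS_RLS.ADD_POLICY, DBMS_SESSION.SET_IDENTIFIER and DBMS_SESSION.CLEAR_IDENTIFIER are the standard Oracle calls.

```sql
-- Policy function for a pooled-connection application: every end user shares
-- one database account, so rows are filtered on USERENV.CLIENT_IDENTIFIER.
CREATE OR REPLACE FUNCTION sec_admin.docs_by_client_id (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- If no identifier is set, SYS_CONTEXT returns NULL, the comparison is
  -- never true, and the session sees no rows.
  RETURN 'owner_login = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END docs_by_client_id;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',            -- hypothetical schema
    object_name     => 'DOCS_TAB',       -- hypothetical table
    policy_name     => 'DOCS_BY_END_USER',
    function_schema => 'SEC_ADMIN',
    policy_function => 'DOCS_BY_CLIENT_ID',
    statement_types => 'SELECT');
END;
/
-- Issued by the application after it borrows a connection from the pool and
-- has authenticated the end user itself ('alice' is a constructed value):
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice');
END;
/
SELECT doc_id, title FROM app.docs_tab;  -- predicate appended transparently

-- Issued before the connection is returned to the pool, so the next borrower
-- does not inherit the previous end user's identity:
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```

Any session can set its own client identifier, so this model is only as strong as the control over who can log in with the shared database account.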

2.2.6 Steps to apply VPD
Applying Oracle VPD takes the following main steps:

- Step 1: Define the application context and the information the application needs in it.
- Step 2: Create the functions that implement the security policies for the objects and the types of operation to be controlled.
- Step 3: Create the security policies and attach them to the objects so that access control is enforced.

The following sections go into steps 2 and 3 in detail.
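The three steps above, together with the order_entry context, the position attribute and the ORDERS_TAB predicate from section 2.2.1, as an added example that is not part of the original document. The SEC_ADMIN and APP schemas, the APP_USERS_TAB lookup table and all package, function and policy names are hypothetical.

```sql
-- Step 1: application context; only the package named in USING may set it.
CREATE OR REPLACE CONTEXT order_entry USING sec_admin.order_entry_ctx;

CREATE OR REPLACE PACKAGE sec_admin.order_entry_ctx AS
  PROCEDURE init;
END order_entry_ctx;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.order_entry_ctx AS
  PROCEDURE init IS
    v_custno   NUMBER;
    v_position VARCHAR2(20);
  BEGIN
    -- APP_USERS_TAB (login, custno, job_position): hypothetical lookup table.
    SELECT custno, job_position INTO v_custno, v_position
      FROM sec_admin.app_users_tab
     WHERE login = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('order_entry', 'cust_num', v_custno);
    DBMS_SESSION.SET_CONTEXT('order_entry', 'position', v_position);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unknown login: attributes stay unset
  END init;
END order_entry_ctx;
/
-- Step 2: policy function; the server passes the schema and object name.
CREATE OR REPLACE FUNCTION sec_admin.orders_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  CASE SYS_CONTEXT('order_entry', 'position')
    WHEN 'SALES'    THEN RETURN NULL;   -- no predicate: staff see every order
    WHEN 'CUSTOMER' THEN
      RETURN 'custno = SYS_CONTEXT(''order_entry'', ''cust_num'')';
    ELSE RETURN '1 = 0';                -- context not initialised: no rows
  END CASE;
END orders_predicate;
/
-- Step 3: attach the function to the table as a security policy.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS_TAB',
    policy_name     => 'ORDERS_BY_CUSTOMER',
    function_schema => 'SEC_ADMIN',
    policy_function => 'ORDERS_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE,  -- also check rows written by INSERT and UPDATE
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
```

Something has to call sec_admin.order_entry_ctx.init at the start of each session, for example a logon trigger or the application's connect routine; until it runs, the ELSE branch keeps the table empty for that session.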

2.3 Creating the functions that implement VPD security policies

2.4 Implementing row-level VPD

2.5 Implementing column-level VPD

2.6 Security policy groups

2.7 Advantages and limitations of applying VPD


2.7.1 Advantages

2.7.2 Disadvantages

- Requires user identification: VPD requires every user who connects to the database to have a unique identity (even when a single database user is shared, the application is responsible for determining the user's identity and changing it within the session), which adds to the complexity of the application.
- Hard to compile statistics: because the identity of each individual user has to be determined, compiling statistics on each user's queries becomes complicated when the application is responsible for identifying the user.


3. Applying the Oracle Private Database solution to the V-Tracking project

4. References
