一个简单的Oracle Redaction实验

本实验包含了:

  • 简单的Oracle Redaction演示
  • 针对指定用户的Redaction

实验环境

假设有一个19c多租户数据库,PDB名为orclpdb1。

我们将在orclpdb1中建立2个用户:

  • redact_user: redact管理员
  • schema_user: schema用户

基础实验

首先进入数据库orclpdb1,创建用户redact_user:

sql 复制代码
alter session set container=orclpdb1;
create user redact_user identified by oracle;
grant connect, resource, unlimited tablespace to redact_user;
grant select on Sys.redaction_policies to redact_user;
grant select on Sys.redaction_columns to redact_user;
grant execute on dbms_redact to redact_user;

然后再创建一个普通用户schema_user:

sql 复制代码
alter session set container=orclpdb1;
create user schema_user identified by oracle;
grant connect, resource, unlimited tablespace to schema_user;

以schema_user用户登录,并创建表和插入数据:

sql 复制代码
connect schema_user/oracle@orclpdb1
CREATE TABLE "EMPLOYEES" ("EMPLOYEE_ID" NUMBER(6,0), "FIRST_NAME" VARCHAR2(20), "LAST_NAME" VARCHAR2(25), "SOCIAL_SECURITY" VARCHAR2(11), "SALARY" NUMBER(4,0));
insert into EMPLOYEES (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SOCIAL_SECURITY,SALARY) values (100,'Steven','King','247-85-9056',7000);
insert into EMPLOYEES (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SOCIAL_SECURITY,SALARY) values (101,'Neena','Kochhar','334-08-6578',5000);
commit;

以redact_user登入,定义redact策略:

sql 复制代码
connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.ADD_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy',
   column_name            => 'SOCIAL_SECURITY',
   function_type          => DBMS_REDACT.RANDOM,
   expression             => '1=1',
   enable                 => TRUE
   );
END;
/

注意,此时redact_user对于schema_user中的表是没有读取权限的:

sql 复制代码
SQL> show user
USER is "REDACT_USER"
SQL> select * from schema_user.employees;
select * from schema_user.employees
                          *
ERROR at line 1:
ORA-00942: table or view does not exist

此时schema_user查看SOCIAL_SECURITY列,策略生效:

sql 复制代码
SQL> connect schema_user/oracle@orclpdb1
Connected.
SQL> select social_security from employees;

SOCIAL_SECU
-----------
z8e.SQ<Y#@m
qP/uDj(&yX7

赋予redact_user对表的读取权限:

sql 复制代码
grant select on employees to redact_user;
connect redact_user/oracle@orclpdb1

SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
Q*NCEmtLY2V
E,8FG0#gM4@

可以看到,目前redact策略对redact_user也是生效的。

扩展实验

在此实验中,我们将实现选择性的redaction。即redact policy仅对schema_user生效。

这时通过redact expresion实现的。

查看DBMS_REDACT的帮助。其语法为:

sql 复制代码
DBMS_REDACT.ADD_POLICY (
   object_schema                IN    VARCHAR2 := NULL,
   object_name                  IN    VARCHAR2,
   policy_name                  IN    VARCHAR2,
   column_name                  IN    VARCHAR2 := NULL,
   function_type                IN    BINARY_INTEGER := DBMS_REDACT.FULL,
   function_parameters          IN    VARCHAR2 := NULL,
   expression                   IN    VARCHAR2,
   enable                       IN    BOOLEAN := TRUE,
   regexp_pattern               IN    VARCHAR2 := NULL,
   regexp_replace_string        IN    VARCHAR2 := NULL,
   regexp_position              IN    BINARY_INTEGER := 1,
   regexp_occurrence            IN    BINARY_INTEGER := 0,
   regexp_match_parameter       IN    VARCHAR2 := NULL,
   policy_description           IN    VARCHAR2 := NULL,
   column_description           IN    VARCHAR2 := NULL);

其expression参数的作用为:

Default boolean expression for the table or view. If this expression is used, then redaction takes place only if this policy expression evaluates to TRUE.

现在要做的就是修改策略:

sql 复制代码
connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.ALTER_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy',
   column_name            => 'SOCIAL_SECURITY',
   action                 => DBMS_REDACT.MODIFY_EXPRESSION,
   expression             => 'SYS_CONTEXT ( ''USERENV'',''SESSION_USER'' ) =''SCHEMA_USER'''
);
END;
/

现在不同的用户查看的结果就不一样了:

sql 复制代码
SQL> connect redact_user/oracle@orclpdb1
Connected.
SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
247-85-9056
334-08-6578

SQL> connect schema_user/oracle@orclpdb1
Connected.
SQL> select social_security from schema_user.employees;

SOCIAL_SECU
-----------
9NbODS\?AVj
PAOj4FtYXIW

清理:

sql 复制代码
connect redact_user/oracle@orclpdb1

BEGIN
DBMS_REDACT.DROP_POLICY (
   object_schema          => 'SCHEMA_USER',
   object_name            => 'EMPLOYEES',
   policy_name            => 'redact_policy'
   );
END;
/

alter session set container=orclpdb1;
drop user schema_user cascade;
drop user redact_user cascade;

参考

相关推荐
ClouGence9 天前
Oracle 数据同步为什么会出现数据不一致?长事务是常被忽略的原因
数据库·后端·oracle
ClouGence15 天前
Oracle CDC 架构优化:从主库直连到 DataGuard 备库同步
数据库·后端·oracle
曹牧16 天前
Oracle EXPLAIN PLAN
数据库·oracle
贤时间16 天前
codex 助力oracle ebs 开发
数据库·oracle
秉承初心16 天前
PostgreSQL 数据性能瓶颈突破实战
数据库·postgresql·oracle
Curvatureflight16 天前
MySQL 深分页越来越慢?从 LIMIT OFFSET 改成游标分页
数据库·oracle
XZ-07000116 天前
MySQL事务
数据库·mysql·oracle
tiancaijiben16 天前
阿里云函数计算FC如何实现网站的定时任务与自动化
数据库·oracle·dba
xfhuangfu16 天前
Oracle 19c 多租户体系架构介绍
数据库·oracle·架构
杨云龙UP16 天前
Spotlight 接入 Oracle 数据库监控操作指南 2026-06-16
数据库·oracle·性能监控·预警·阈值·spotlight·瓶颈分析