KingbaseES之列级强访问控制
上周一直在项目搞数据迁移,没发文章.但在现场测试强访问控制的时候遇到了一个问题,今天尝试复现下.
KingbaseES版本:V009R001C002B0014(Oracle模式)
测试验证范围:"KingbaseES安全指南"--"第8章 标记和强访问控制"--列级强访问控制
1.加载插件
[V9R1C2B14@192-168-218-217 bin]$ vi ~/ES/V8/data/kingbase.conf
[V9R1C2B14@192-168-218-217 bin]$ grep -r "shared_preload_libraries" ~/ES/V8/data/kingbase.conf
shared_preload_libraries = 'sysmac'2.重启数据库后,并开启强访问控制
[V9R1C2B14@192-168-218-217 bin]$ sys_ctl -D /home/V9R1C2B14/ES/V8/data/ restart
...
...
...
server started
[V9R1C2B14@192-168-218-217 bin]$ ksql test system
Password for user system:
Type "help" for help.
test=# show sysmac.enable_mac;
ERROR: must be sso to examine "sysmac.enable_mac"
test=# \c - sso
Password for user sso:
You are now connected to database "test" as userName "sso".
test=> show sysmac.enable_mac;
sysmac.enable_mac
-------------------
off
(1 row)
test=> alter system set sysmac.enable_mac to on;
ALTER SYSTEM
test=> show sysmac.enable_col_mac;
sysmac.enable_col_mac
-----------------------
off
(1 row)
test=> alter system set sysmac.enable_col_mac to on;
ALTER SYSTEM
test=> select sys_reload_conf();
sys_reload_conf
-----------------
t
(1 row)
test=> show sysmac.enable_col_mac;
sysmac.enable_col_mac
-----------------------
on
(1 row)
test=> show sysmac.enable_mac;
sysmac.enable_mac
-------------------
on
(1 row)
注意:需要使用SSO(安全)用户开启强访问控制,SSO用户默认密码为12345678ab
行级和对象级强访问控制,参考"KingbaseES安全指南"官文操作即可.此文特别复现下列级强访问控制的配置,看是否还会失败.
--sso登录创建策略、等级、范围、标记
test=> call sysmac.create_policy('p1','p1_column',false);
test=> call sysmac.create_level('p1','l1',10);
test=> call sysmac.create_level('p1','l2',20);
test=> call sysmac.create_level('p1','l3',30);
test=> call sysmac.create_compartment('p1','c1',100);
test=> call sysmac.create_compartment('p1','c2',200);
test=> call sysmac.create_compartment('p1','c3',300);
test=> call sysmac.create_label('p1','l1:c1',50);
test=> call sysmac.create_label('p1','l2:c1',60);
test=> call sysmac.create_label('p1','l3:c1',70);
--system登录创建用户, sso登录设置用户标记
test=> \c - system
test=# create user u_mac1 with password '12345678ab';
test=# create user u_mac2 with password '12345678ab';
test=# \c - sso
test=> call sysmac.set_user_labels('p1','u_mac1','l3:c1','l3:c1','l2:c1','l2:c1','l2:c1');
test=> call sysmac.set_user_labels('p1','u_mac2','l1:c1','l1:c1','l1:c1','l1:c1','l1:c1');
--system登录创建表并授权, sso登录设置列级强防策略
test=> \c - system
test=# create table t_mac2(a int,b varchar(10));
test=# grant all on t_mac2 to u_mac1;
test=# grant all on t_mac2 to u_mac2;
test=# \c - sso
test=> call sysmac.set_column_label('p1', 'public','t_mac2','b','l2:c1');
--u_mac1登录执行成功; u_mac2登录访问b列失败,只访问a列成功
test=> \c - u_mac1
test=> insert into t_mac2 values(1,'1111');
test=> insert into t_mac2 values(2,'22222');
test=> update t_mac2 set b='3333' where a=2;
test=> delete from t_mac2 where a=1;
test=> select * from t_mac2;
test=> \c - u_mac2
test=> select a from t_mac2;
test=> delete from t_mac2 where a=1;
test=> update t_mac2 set b='3333' where a=2;
test=> insert into t_mac2 values(2,'22222');
test=> select a from t_mac2;
test=> insert into t_mac2(a) values(4);
test=> update t_mac2 set a=5;
test=> select a from t_mac2;
实操表明,在"正常模式"的版本中,是可以实现列级强访问控制的,但是在特殊模式的版本中是存在问题的,如:当前最新的
版本中,就存在列级强访问控制的bug.
总结:非特殊需求不要使用特殊模式的KingbaseES数据库版本,如若非要使用,建议"从简化"使用,避免为不负责任的测试岗位和文档编辑岗位的XX买单填坑.