logo - 跳到首页

VastbaseG100

基于openGauss内核开发的企业级关系型数据库。

Menu

访问策略

Vastbase中只有自主访问控制(DAC)校验通过的情况下才能进行强制访问控制(MAC)校验,强制访问控制的读写规则如下。

表强制访问控制策略

  • 插入(INSERT)策略

    主体敏感等级标记小于等于表敏感等级标记,且主体敏感非等级标记是表敏感非等级标记子集则允许插入。

  • 修改(UPDATE)策略

    主体敏感标记与元组的敏感标记一致则允许修改元组。

  • 删除(DELETE)策略

    同修改(UPDATE)策略。

  • 查询(SELECT)策略

    主体敏感等级标记大于等于元组敏感等级标记,且主体敏感非等级标记是元组敏感非等级标记超集则允许查询。

示例

1. 登陆进入vastbase数据库,创建用户
create user user1 with password 'vastbase@123';
create user user2 with password 'vastbase@123';
create user user3 with password 'vastbase@123';
create user user4 with password 'vastbase@123';
create user user5 with password 'vastbase@123';
create user user6 with password 'vastbase@123';
create user user7 with password 'vastbase@123';
create user user8 with password 'vastbase@123';
create user user9 with password 'vastbase@123';
create table t1(c1 int,c2 varchar(50));
2. 给用户授权
GRANT ALL ON TABLE t1 TO user1;
GRANT ALL ON TABLE t1 TO user2;
GRANT ALL ON TABLE t1 TO user3;
GRANT ALL ON TABLE t1 TO user4;
GRANT ALL ON TABLE t1 TO user5;
GRANT ALL ON TABLE t1 TO user6;
GRANT ALL ON TABLE t1 TO user7;
GRANT ALL ON TABLE t1 TO user8;
GRANT ALL ON TABLE t1 TO user9;
3.创建标签并为主体和客体授予标签
CREATE SECURITY LABEL label1 'L12:G7,G2,G32,G15.G20';
CREATE SECURITY LABEL label2 'L5:G7,G2,G15.G20';
CREATE SECURITY LABEL label3 'L10:G2,G7';
CREATE SECURITY LABEL label4 'L15:G1,G2,G4,G7.G10,G32,G15.G20';
CREATE SECURITY LABEL label5 'L12:G1,G2,G7.G10,G32,G15.G20';
CREATE SECURITY LABEL label6 'L1:G7,G2,G32,G15.G20';
CREATE SECURITY LABEL label7 'L13:G2,G32,G15.G20';
4.对数据库对象设置敏感标记
SECURITY LABEL ON TABLE t1 IS 'label1';
SECURITY LABEL ON role user1 IS 'label2';
SECURITY LABEL ON role user2 IS 'label3';
SECURITY LABEL ON role user3 IS 'label4';
SECURITY LABEL ON role user4 IS 'label2';
SECURITY LABEL ON role user5 IS 'label3';
SECURITY LABEL ON role user6 IS 'label5';
SECURITY LABEL ON role user7 IS 'label6';
SECURITY LABEL ON role user8 IS 'label1';
5. 根据情况分别用user1,user2,user3,user4,user5,user6,user7,user8用户登数据库,对表t1中的记录进行增删改查操作

1)主体等级小于等于客体的等级,主体非等级是客体的非等级的子集时,主体(用户)对客体(表)insert数据
vastbase=# \c - user1
--首次切换至新角色(user1)需要更新密码(密码至少需要包含三种字符)。
--使用如下命令来更改密码:
vastbase=>ALTER ROLE user1 identified by 'vastbase@12' replace 'vastbase@123';
vastbase=> insert into t1 values(1,'aaa');
insert into t1 values(2,'bbb');
insert into t1 values(3,'ccc');
insert into t1 values(4,'ddd');
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1

2)主体等级大于等于客体的等级,主体非等级是客体的非等级的超集时,主体(用户)对客体(表)进行select
vastbase=#\c - user6 
vastbase=>ALTER ROLE user6 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=> select * from t1;
 c1 | c2  
----+-----
  1 | aaa
  2 | bbb
  3 | ccc
  4 | ddd
(4 rows)

3)主体等级等于客体的等级,主体非等级等于客体的非等级时,主体(用户)对客体(表)进行update操作
vastbase=#\c - user7
vastbase=> ALTER ROLE user7 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=> update t1 set c2='mmm';
UPDATE 0
vastbase=> select * from t1;
 c1 | c2  
----+-----
  1 | mmm
  2 | mmm
  3 | mmm
  4 | mmm
(4 rows)

4)主体等级等于客体的等级,主体非等级等于客体的非等级时,主体(用户)对客体(表)进行delete操作
vastbase=#\c - user8
vastbase=> ALTER ROLE user8 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=>delete from t1 where c1=4;
DELETE 1
vastbase=>select * from t1;
 c1 | c2  
----+-----
  1 | mmm
  2 | mmm
  3 | mmm
(3 rows)

存储过程和触发器强制访问控制策略

当主体安全等级标记等于函数/存储过程安全等级标记,且主体安全非等级标记是函数/存储过程安全非等级标记超集则允许执行。

示例

1.创建存储过程
CREATE OR REPLACE PROCEDURE prc_add
(
param1 IN INTEGER,
param2 IN OUT INTEGER
)
AS
BEGIN
param2:= param1 + param2;
dbms_output.put_line('result is: '||to_char(param2));
END;
/
2.创建安全标签
CREATE SECURITY LABEL label_pro 'L5:G7,G2';
3.设置安全标签
SECURITY LABEL ON PROCEDURE prc_add IS 'label_pro';

1.创建触发器
CREATE TABLE test_trigger_src_tbl(id1 INT, id2 INT, id3 INT);
CREATE TABLE test_trigger_des_tbl(id1 INT, id2 INT, id3 INT);

CREATE OR REPLACE FUNCTION tri_insert_func() RETURNS TRIGGER AS
$$
DECLARE
BEGIN
INSERT INTO test_trigger_des_tbl VALUES(NEW.id1, NEW.id2, NEW.id3);
RETURN NEW;
END
$$ LANGUAGE PLPGSQL;

CREATE TRIGGER insert_trigger
BEFORE INSERT ON test_trigger_src_tbl
FOR EACH ROW
EXECUTE PROCEDURE tri_insert_func();
2.创建安全标签
CREATE SECURITY LABEL label_tri 'L5:G7,G2,G15.G21';
3.设置安全标签
SECURITY LABEL ON TRIGGER insert_trigger OF test_trigger_src_tbl IS 'label_tri';