Access policy
In Vastbase, the mandatory access control (MAC) check is performed only after the discretionary access control (DAC) check has passed; a statement that fails DAC never reaches MAC. The read/write rules for mandatory access control are as follows. In Bell-LaPadula terms, SELECT is a read that requires the subject's label to dominate the tuple's label, INSERT is a write that requires the table's label to dominate the subject's label, and UPDATE and DELETE require the two labels to be identical.
Table mandatory access control policy
INSERT policy
Insertion is allowed when the subject's hierarchical sensitivity mark is less than or equal to the table's hierarchical sensitivity mark, and the subject's non-hierarchical sensitivity marks are a subset of the table's non-hierarchical sensitivity marks.
UPDATE policy
Updating a tuple is allowed when the subject's sensitivity label is identical to the tuple's sensitivity label.
DELETE policy
Same as the UPDATE policy.
SELECT policy
Querying is allowed when the subject's hierarchical sensitivity mark is greater than or equal to the tuple's hierarchical sensitivity mark, and the subject's non-hierarchical sensitivity marks are a superset of the tuple's non-hierarchical sensitivity marks.
Example
1. Log in to the vastbase database and create the users and the table
create user user1 with password 'vastbase@123';
create user user2 with password 'vastbase@123';
create user user3 with password 'vastbase@123';
create user user4 with password 'vastbase@123';
create user user5 with password 'vastbase@123';
create user user6 with password 'vastbase@123';
create user user7 with password 'vastbase@123';
create user user8 with password 'vastbase@123';
create user user9 with password 'vastbase@123';
create table t1(c1 int,c2 varchar(50));
2. Grant privileges on the table to the users (this is the DAC part; without it the MAC rules are never consulted)
GRANT ALL ON TABLE t1 TO user1;
GRANT ALL ON TABLE t1 TO user2;
GRANT ALL ON TABLE t1 TO user3;
GRANT ALL ON TABLE t1 TO user4;
GRANT ALL ON TABLE t1 TO user5;
GRANT ALL ON TABLE t1 TO user6;
GRANT ALL ON TABLE t1 TO user7;
GRANT ALL ON TABLE t1 TO user8;
GRANT ALL ON TABLE t1 TO user9;
3. Create the security labels that will be assigned to the subjects (roles) and objects (table)
CREATE SECURITY LABEL label1 'L12:G7,G2,G32,G15.G20';
CREATE SECURITY LABEL label2 'L5:G7,G2,G15.G20';
CREATE SECURITY LABEL label3 'L10:G2,G7';
CREATE SECURITY LABEL label4 'L15:G1,G2,G4,G7.G10,G32,G15.G20';
CREATE SECURITY LABEL label5 'L12:G1,G2,G7.G10,G32,G15.G20';
CREATE SECURITY LABEL label6 'L1:G7,G2,G32,G15.G20';
CREATE SECURITY LABEL label7 'L13:G2,G32,G15.G20';
4. Set sensitivity marks on the database objects
SECURITY LABEL ON TABLE t1 IS 'label1';
SECURITY LABEL ON ROLE user1 IS 'label2';
SECURITY LABEL ON ROLE user2 IS 'label3';
SECURITY LABEL ON ROLE user3 IS 'label4';
SECURITY LABEL ON ROLE user4 IS 'label2';
SECURITY LABEL ON ROLE user5 IS 'label3';
SECURITY LABEL ON ROLE user6 IS 'label5';
SECURITY LABEL ON ROLE user7 IS 'label6';
SECURITY LABEL ON ROLE user8 IS 'label1';
5. Log in as user1 through user8 as appropriate and perform insert, delete, update and select operations on the records in table t1
1) When the subject's level is less than or equal to the object's level and the subject's non-hierarchical marks are a subset of the object's non-hierarchical marks, the subject (user) can insert data into the object (table)
vastbase=# \c - user1
-- The first time you switch to a new role (user1) you must change its password (the password must contain at least three kinds of characters).
-- Use the following command to change the password:
vastbase=> ALTER ROLE user1 identified by 'vastbase@12' replace 'vastbase@123';
vastbase=> insert into t1 values(1,'aaa');
insert into t1 values(2,'bbb');
insert into t1 values(3,'ccc');
insert into t1 values(4,'ddd');
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
2) When the subject's level is greater than or equal to the object's level and the subject's non-hierarchical marks are a superset of the object's non-hierarchical marks, the subject (user) can select from the object (table)
vastbase=# \c - user6
vastbase=> ALTER ROLE user6 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=> select * from t1;
c1 | c2
----+-----
1 | aaa
2 | bbb
3 | ccc
4 | ddd
(4 rows)
3) When the subject's level equals the object's level and the subject's non-hierarchical marks equal the object's non-hierarchical marks, the subject (user) can update the object (table)
vastbase=# \c - user7
vastbase=> ALTER ROLE user7 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=> update t1 set c2='mmm';
UPDATE 0
vastbase=> select * from t1;
c1 | c2
----+-----
1 | mmm
2 | mmm
3 | mmm
4 | mmm
(4 rows)
4) When the subject's level equals the object's level and the subject's non-hierarchical marks equal the object's non-hierarchical marks, the subject (user) can delete from the object (table)
vastbase=# \c - user8
vastbase=> ALTER ROLE user8 identified by 'vastbase@12' replace 'vastbase@123';
ALTER ROLE
vastbase=> delete from t1 where c1=4;
DELETE 1
vastbase=> select * from t1;
c1 | c2
----+-----
1 | mmm
2 | mmm
3 | mmm
(3 rows)
Stored procedure and trigger mandatory access control policy
Execution is allowed when the subject's hierarchical security mark equals the function's or stored procedure's hierarchical security mark, and the subject's non-hierarchical security marks are a superset of the function's or stored procedure's non-hierarchical security marks. Note that, unlike SELECT, the hierarchical mark must match exactly; a subject at a higher level is not allowed to execute.
Example
1. Create the stored procedure
CREATE OR REPLACE PROCEDURE prc_add
(
param1 IN INTEGER,
param2 IN OUT INTEGER
)
AS
BEGIN
param2:= param1 + param2;
dbms_output.put_line('result is: '||to_char(param2));
END;
/
2. Create the security label
CREATE SECURITY LABEL label_pro 'L5:G7,G2';
3. Set the security label on the procedure
SECURITY LABEL ON PROCEDURE prc_add IS 'label_pro';
1. Create the trigger (the source and destination tables, the trigger function, and the trigger itself)
CREATE TABLE test_trigger_src_tbl(id1 INT, id2 INT, id3 INT);
CREATE TABLE test_trigger_des_tbl(id1 INT, id2 INT, id3 INT);
CREATE OR REPLACE FUNCTION tri_insert_func() RETURNS TRIGGER AS
$$
DECLARE
BEGIN
INSERT INTO test_trigger_des_tbl VALUES(NEW.id1, NEW.id2, NEW.id3);
RETURN NEW;
END
$$ LANGUAGE PLPGSQL;
CREATE TRIGGER insert_trigger
BEFORE INSERT ON test_trigger_src_tbl
FOR EACH ROW
EXECUTE PROCEDURE tri_insert_func();
2. Create the security label
CREATE SECURITY LABEL label_tri 'L5:G7,G2,G15.G21';
3. Set the security label on the trigger
SECURITY LABEL ON TRIGGER insert_trigger OF test_trigger_src_tbl IS 'label_tri';
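The following Python model is an added example, not part of the Vastbase documentation or product. It parses the label strings used above and applies the table rules (INSERT, SELECT, UPDATE, DELETE) and the procedure/trigger EXECUTE rule to the page's own labels and role assignments, so any role/operation pair can be checked without a database, DAC first and MAC only when DAC passes. Two points are assumptions of this example and not statements of the page: that a dotted mark such as 'G7.G10' names a node below 'G7' in a group hierarchy and therefore satisfies a requirement for 'G7' (the reading under which the user6 SELECT in step 5.2 comes out allowed), and that every tuple in t1 carries the table's label1 (consistent with user8's DELETE in step 5.4). The names parse_label, decide and evaluate are this example's own.

```python
import re
from dataclasses import dataclass

# Parses Vastbase-style security labels such as 'L12:G7,G2,G32,G15.G20' and
# evaluates the MAC rules as the page states them. Added example, not Vastbase code.

_LABEL_RE = re.compile(r"^L(\d+):(.*)$")


@dataclass(frozen=True)
class Label:
    level: int          # hierarchical sensitivity mark (the L<n> part)
    groups: frozenset   # non-hierarchical sensitivity marks (the G... part)


def parse_label(text: str) -> Label:
    """Parse 'L<level>:<group>[,<group>...]' into a Label."""
    m = _LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed security label: {text!r}")
    groups = set()
    for item in m.group(2).split(","):
        item = item.strip()
        if not item:
            continue
        # ASSUMPTION: a dotted mark such as 'G7.G10' is a node below 'G7' in a
        # group hierarchy, and holding the child mark also satisfies a requirement
        # for each ancestor prefix. The page does not define the dot notation.
        parts = item.split(".")
        for i in range(1, len(parts) + 1):
            groups.add(".".join(parts[:i]))
    return Label(int(m.group(1)), frozenset(groups))


# The four table rules and the procedure/trigger rule, exactly as stated on the page.
def can_insert(subject: Label, table: Label) -> bool:
    return subject.level <= table.level and subject.groups <= table.groups


def can_select(subject: Label, tup: Label) -> bool:
    return subject.level >= tup.level and subject.groups >= tup.groups


def can_update(subject: Label, tup: Label) -> bool:
    return subject == tup


def can_delete(subject: Label, tup: Label) -> bool:
    return can_update(subject, tup)


def can_execute(subject: Label, proc: Label) -> bool:
    return subject.level == proc.level and subject.groups >= proc.groups


_RULES = {"INSERT": can_insert, "SELECT": can_select, "UPDATE": can_update,
          "DELETE": can_delete, "EXECUTE": can_execute}


def decide(op: str, subject: Label, obj: Label, dac_granted: bool) -> str:
    """DAC is checked first; the MAC rule is consulted only when DAC passes."""
    if not dac_granted:
        return "denied (DAC)"
    return "allowed" if _RULES[op](subject, obj) else "denied (MAC)"


# Labels and assignments copied from the page's example (steps 3 and 4, and label_pro).
LABELS = {
    "label1": "L12:G7,G2,G32,G15.G20",
    "label2": "L5:G7,G2,G15.G20",
    "label3": "L10:G2,G7",
    "label4": "L15:G1,G2,G4,G7.G10,G32,G15.G20",
    "label5": "L12:G1,G2,G7.G10,G32,G15.G20",
    "label6": "L1:G7,G2,G32,G15.G20",
    "label_pro": "L5:G7,G2",
}
ROLE_LABELS = {"user1": "label2", "user2": "label3", "user3": "label4",
               "user6": "label5", "user7": "label6", "user8": "label1"}
TABLE_LABEL = "label1"   # SECURITY LABEL ON TABLE t1 IS 'label1'


def evaluate(user: str, op: str, target_label: str = TABLE_LABEL) -> str:
    """Decision for `user` performing `op` on an object carrying `target_label`.

    ASSUMPTION: every tuple in t1 carries the table's label, so the tuple-level
    SELECT/UPDATE/DELETE rules are evaluated against label1. Every user in the
    page's example holds GRANT ALL on t1, so DAC is taken as granted here.
    """
    subject = parse_label(LABELS[ROLE_LABELS[user]])
    target = parse_label(LABELS[target_label])
    return decide(op, subject, target, dac_granted=True)


if __name__ == "__main__":
    for user, op in [("user1", "INSERT"), ("user1", "SELECT"), ("user3", "INSERT"),
                     ("user3", "SELECT"), ("user6", "SELECT"), ("user6", "INSERT"),
                     ("user7", "UPDATE"), ("user8", "UPDATE"), ("user8", "DELETE")]:
        print(f"{user:6} {op:7} on t1: {evaluate(user, op)}")
    for user in ("user1", "user2"):
        print(f"{user:6} EXECUTE prc_add: {evaluate(user, 'EXECUTE', 'label_pro')}")
```

Running the model reproduces the allowed cases shown in steps 5.1, 5.2 and 5.4 and also shows the denials the transcript does not: user1 and user2 may insert but not select (no read up), user3 may select but not insert (no write down), and user2 cannot execute prc_add because its level L10 is not equal to the procedure's L5. Under the equality rule as stated, user7 (label6, level L1) is denied UPDATE on a tuple labelled label1, which does not match the transcript in step 5.3; before relying on that step, confirm in your own deployment which label an inserted tuple actually carries.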