(19c)
-- 前提: パスワードファイル作成済
orapwd file=orapworcl password=oracle format=12
-- 1. インストール(CDB)
conn / as sysdba
@$ORACLE_HOME/rdbms/admin/catols.sql
@$ORACLE_HOME/rdbms/admin/catmac.sql SYSAUX TEMP
-- 2. 初期設定(CDB)
conn / as sysdba
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner IDENTIFIED BY oracle CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_backup IDENTIFIED BY oracle CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr IDENTIFIED BY oracle CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_backup IDENTIFIED BY oracle CONTAINER = ALL;
BEGIN
CONFIGURE_DV (
dvowner_uname => 'c##dbv_owner',
dvacctmgr_uname => 'c##dbv_acctmgr',
force_local_dvowner => FALSE);
END;
/
-- 無効化されたオブジェクトを再コンパイル
-- 関連するすべてのPDBがこのデータベースでDatabase Vaultを有効にする
conn c##dbv_owner/oracle
EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'y');
conn / as sysdba
SHUTDOWN IMMEDIATE
STARTUP
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
GRANT DV_OWNER TO c##dbv_owner_backup WITH ADMIN OPTION CONTAINER=ALL;
GRANT DV_ACCTMGR TO c##dbv_acctmgr_backup WITH ADMIN OPTION CONTAINER=ALL;
SELECT PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER in ( 'Oracle Label Security','Oracle Database Vault' );
-- 3. インストール(PDB)
CONNECT SYS@pdb1 AS SYSDBA
@$ORACLE_HOME/rdbms/admin/catols.sql
@$ORACLE_HOME/rdbms/admin/catmac.sql SYSAUX TEMP
-- 4. 初期設定(PDB)
CONNECT SYS@pdb1 AS SYSDBA
GRANT CREATE SESSION, SET CONTAINER,RESTRICTED SESSION TO dbv_owner IDENTIFIED BY oracle;
GRANT CREATE SESSION, SET CONTAINER,RESTRICTED SESSION TO dbv_owner_backup IDENTIFIED BY oracle;
GRANT CREATE SESSION, SET CONTAINER,RESTRICTED SESSION TO dbv_acctmgr IDENTIFIED BY oracle;
GRANT CREATE SESSION, SET CONTAINER,RESTRICTED SESSION TO dbv_acctmgr_backup IDENTIFIED BY oracle;
BEGIN
CONFIGURE_DV (
dvowner_uname => 'dbv_owner',
dvacctmgr_uname => 'dbv_acctmgr');
END;
/
-- 無効化されたオブジェクトを再コンパイル
conn dbv_owner/oracle@pdb1
EXEC DBMS_MACADM.ENABLE_DV;
conn / as sysdba
ALTER PLUGGABLE DATABASE pdb1 CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb1 OPEN;
CONNECT SYS@pdb1 AS SYSDBA
SELECT * FROM DBA_DV_STATUS;
conn dbv_owner/oracle@pdb1
GRANT DV_OWNER TO dbv_owner_backup WITH ADMIN OPTION;
conn dbv_acctmgr/oracle@pdb1
GRANT DV_ACCTMGR TO dbv_acctmgr_backup WITH ADMIN OPTION;
SELECT PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER in ( 'Oracle Label Security','Oracle Database Vault' );
-- 5. 動作確認
-- テスト用ユーザ作成
conn dbv_acctmgr/oracle@pdb1
create user user1 identified by user1;
create user user2 identified by user2;
create user user3 identified by user3;
CONNECT SYS@pdb1 AS SYSDBA
grant dba to user1;
grant dba to user2;
grant dba to user3;
conn user1/user1@pdb1
create table tab1(col1 int);
insert into tab1 values(1);
commit;
select * from tab1;
conn user2/user2@pdb1
create table tab2(col1 int);
insert into tab2 values(1);
commit;
select * from tab2;
-- レルムの作成
conn dbv_owner/oracle@pdb1
BEGIN
DBMS_MACADM.CREATE_REALM(
realm_name => 'realm1',
description => 'realm1',
enabled => DBMS_MACUTL.G_YES,
audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS,
realm_type => 1);
END;
/
BEGIN
DBMS_MACADM.ADD_OBJECT_TO_REALM(
realm_name => 'realm1',
object_owner => 'user1',
object_name => '%',
object_type => '%');
END;
/
BEGIN
DBMS_MACADM.ADD_AUTH_TO_REALM(
realm_name => 'realm1',
grantee => 'user1',
auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
BEGIN
DBMS_MACADM.ADD_AUTH_TO_REALM(
realm_name => 'realm1',
grantee => 'user2',
auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
select * from DVSYS.DBA_DV_REALM where NAME='realm1';
select * from DVSYS.DBA_DV_REALM_OBJECT where REALM_NAME='realm1';
select * from DVSYS.DBA_DV_REALM_AUTH where REALM_NAME='realm1';
-- 動作確認
user1,user2はuser1.tab1を参照できるが、user3は参照できない
conn user1/user1@pdb1
select * from user1.tab1;
conn user2/user2@pdb1
select * from user1.tab1;
conn user3/user3@pdb1
select * from user1.tab1;
-- レルムの削除
conn dbv_owner/oracle@pdb1
BEGIN
DBMS_MACADM.DELETE_REALM(
realm_name => 'realm1');
END;
/
select * from DVSYS.DBA_DV_REALM where NAME='realm1';
select * from DVSYS.DBA_DV_REALM_OBJECT where REALM_NAME='realm1';
select * from DVSYS.DBA_DV_REALM_AUTH where REALM_NAME='realm1';