CERN IT Department
CH-1211 Genève 23
Switzerland
www.cern.ch/it

Application security (behind Oracle roles and profiles)
Miguel Anjo
8th July 2008
Database Developers' Workshop

Abloy key

Floor plan

Floor plan - 2

3-Tier Application

Abloy + floor plan + 3-tier app

FTS abloy key
• FTS application access

Dashboard abloy key 1
• Dashboard Writer application access

Dashboard abloy key 2
• Dashboard Reader application access

Developer abloy master key
• Developer

Application deployment
• "I would like to put FTS Dashboard in production"
• "Here are 3 abloy keys, one master and two configurable"
  CREATE TABLE JOB;
  CREATE TABLE SUMMARY;
• "Let's configure the other keys"
  GRANT SELECT ON JOB TO DASHBOARD_W;
  GRANT INSERT ON SUMMARY TO DASHBOARD_W;
  GRANT SELECT ON SUMMARY TO DASHBOARD_R;

Application deployment
• Necessary to tell who is the room owner:
  SELECT * FROM JOB;
  – ORA-00942: table or view does not exist
  SELECT * FROM DASHBOARD.JOB;
• Possibility to create a mapping:
  CREATE SYNONYM JOB FOR DASHBOARD.JOB;
  SELECT * FROM JOB;   (= SELECT * FROM DASHBOARD.JOB)
• Oracle bugs: a synonym might go to a different house with the same room name…

Application deployment - summary
• Each application should use a different key configuration
• Each key should have only the minimum privileges
• Necessary to give the owner name (dashboard.job)
• The endings _R/_W are just proposals
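The deployment walked through on the three slides above, written out as one Oracle script. This is an added example, not code from the talk: the account and table names (DASHBOARD, DASHBOARD_W, DASHBOARD_R, JOB, SUMMARY) are the slides', while the CREATE USER statements, the USERS tablespace quota, the column definitions and the placeholder passwords are assumptions. The CONNECT lines are SQL*Plus session switches, shown as comments.

```sql
-- Added example (not from the slides): the FTS Dashboard deployment of
-- slides 11-13 as an Oracle script. Account and table names follow the
-- slides; CREATE USER, the quota, the columns and the passwords are assumed.

-- 1. The DBA hands out the three "keys": one owner account and two
--    application accounts that start with no object privileges at all.
CREATE USER DASHBOARD   IDENTIFIED BY "owner-pw-placeholder";
CREATE USER DASHBOARD_W IDENTIFIED BY "writer-pw-placeholder";
CREATE USER DASHBOARD_R IDENTIFIED BY "reader-pw-placeholder";
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO DASHBOARD;
ALTER USER DASHBOARD QUOTA UNLIMITED ON USERS;   -- tablespace assumed; needed to create tables
GRANT CREATE SESSION TO DASHBOARD_W, DASHBOARD_R;

-- 2. As the owner (master key): create the objects.
-- CONNECT DASHBOARD/owner-pw-placeholder
CREATE TABLE JOB (
  job_id     NUMBER        PRIMARY KEY,
  submitted  TIMESTAMP     NOT NULL,
  duration_s NUMBER(10,2)
);
CREATE TABLE SUMMARY (
  summary_day DATE         PRIMARY KEY,
  avg_dur_s   NUMBER(10,2)
);

-- 3. Still as the owner: configure the other two keys with exactly what
--    each application needs (slide 11), nothing more.
GRANT SELECT ON JOB     TO DASHBOARD_W;
GRANT INSERT ON SUMMARY TO DASHBOARD_W;
GRANT SELECT ON SUMMARY TO DASHBOARD_R;

-- 4. As the writer application: objects must be named with their owner
--    (slide 12); an unqualified name is looked up in DASHBOARD_W's own schema.
-- CONNECT DASHBOARD_W/writer-pw-placeholder
SELECT COUNT(*) FROM JOB;              -- ORA-00942: table or view does not exist
SELECT COUNT(*) FROM DASHBOARD.JOB;    -- works
INSERT INTO DASHBOARD.SUMMARY (summary_day, avg_dur_s)
  SELECT TRUNC(submitted), AVG(duration_s)
    FROM DASHBOARD.JOB
   GROUP BY TRUNC(submitted);          -- works: SELECT on JOB + INSERT on SUMMARY
COMMIT;
DELETE FROM DASHBOARD.SUMMARY;         -- ORA-01031: insufficient privileges (no DELETE was granted)

-- 5. As the reader application: read-only on SUMMARY, nothing on JOB.
-- CONNECT DASHBOARD_R/reader-pw-placeholder
SELECT * FROM DASHBOARD.SUMMARY;       -- works
SELECT * FROM DASHBOARD.JOB;           -- ORA-00942: without a grant the table is not even visible
```

The two error codes are worth recognising in application logs: ORA-00942 on an object that does exist means the connecting account has no privilege on it at all (or the name was not qualified with the owner), while ORA-01031 means the account can see the object but was not granted that particular operation.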

Updatable View

Updatable View - example
• A window is a filtered representation of a room
• Different VOs, different access rights
• Table structure all the same
• Build the window with the right filters:
  CREATE VIEW LHCB_ACL AS SELECT … FROM ACL
  WHERE VO='LHCB'
  WITH CHECK OPTION;
• Add the privilege to the application key (the application is LFC for LHCB – username VOMS_LHCB):
  GRANT SELECT, INSERT ON LHCB_ACL TO LFC_LHCB;

Updatable View - example
• INSERT INTO LHCB_ACL(access, vo) VALUES ('w', 'CMS');
  ORA-01402: view WITH CHECK OPTION where-clause violation
• INSERT INTO ACL(access, vo) VALUES ('w', 'CMS');
• COMMIT;
• SELECT * FROM LHCB_ACL;
  no rows selected
• SELECT * FROM LHCB_ACL;
  ORA-00942: table or view does not exist
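The per-VO "window" of the two slides above, carried through end to end, as an added example rather than the talk's own code. ACL, LHCB_ACL and LFC_LHCB are the slides' names; the owner schema LFC, the columns, the second view CMS_ACL and the account LFC_CMS are assumptions. The slides' column `access` is renamed ACCESS_MODE here because ACCESS is an Oracle reserved word and the CREATE TABLE would otherwise fail.

```sql
-- Added example (not from the slides): per-VO views WITH CHECK OPTION.
-- ACL, LHCB_ACL, LFC_LHCB are the slides' names; schema LFC, the columns,
-- CMS_ACL and LFC_CMS are assumed.

-- As the owner schema LFC:
CREATE TABLE ACL (
  path        VARCHAR2(255) NOT NULL,
  access_mode VARCHAR2(1)   NOT NULL CHECK (access_mode IN ('r', 'w')),
  vo          VARCHAR2(16)  NOT NULL
);

-- One window per VO. WITH CHECK OPTION makes Oracle reject any INSERT or
-- UPDATE through the view whose resulting row would not be visible
-- through the view's own WHERE clause.
CREATE VIEW LHCB_ACL AS
  SELECT path, access_mode, vo FROM ACL WHERE vo = 'LHCB'
  WITH CHECK OPTION;
CREATE VIEW CMS_ACL AS
  SELECT path, access_mode, vo FROM ACL WHERE vo = 'CMS'
  WITH CHECK OPTION;

-- Each application key gets its own window only; nobody but the owner
-- ever touches ACL directly.
GRANT SELECT, INSERT, UPDATE ON LHCB_ACL TO LFC_LHCB;
GRANT SELECT, INSERT, UPDATE ON CMS_ACL  TO LFC_CMS;

-- Still as the owner: a CMS row written to the base table is simply
-- invisible through the LHCB window (the slide's "no rows selected").
INSERT INTO ACL (path, access_mode, vo) VALUES ('/grid/cms/data', 'w', 'CMS');
COMMIT;
SELECT * FROM LHCB_ACL;                               -- no rows selected

-- Connected as LFC_LHCB:
INSERT INTO LFC.LHCB_ACL (path, access_mode, vo)
  VALUES ('/grid/lhcb/data', 'w', 'LHCB');            -- 1 row created
INSERT INTO LFC.LHCB_ACL (path, access_mode, vo)
  VALUES ('/grid/cms/other', 'w', 'CMS');             -- ORA-01402: view WITH CHECK OPTION where-clause violation
UPDATE LFC.LHCB_ACL SET vo = 'CMS'
 WHERE path = '/grid/lhcb/data';                      -- ORA-01402: an UPDATE cannot move a row out of the window either
SELECT * FROM LFC.CMS_ACL;                            -- ORA-00942: no grant on another VO's window
SELECT * FROM LFC.ACL;                                -- ORA-00942: the base table is never exposed
COMMIT;

-- Contrast, as the owner: the same view without the check option accepts
-- the CMS insert, and the row then quietly vanishes from the writer's own
-- view because the WHERE clause filters it out on the way back.
CREATE VIEW LHCB_ACL_NOCHECK AS
  SELECT path, access_mode, vo FROM ACL WHERE vo = 'LHCB';
```

The check option is what turns the view from a convenience filter into an enforced boundary: the application account can only ever read or write rows that carry its own VO, and an application bug or compromised credential cannot be used to write into another VO's rows through that account.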

Stored Procedures

Stored Procedures
• The robot does only the programmed operation
• Can perform complex operations
• Privileges set who can call it
• Based on the PL/SQL procedural language
• create procedure summarize is
  begin
    -- select some jobs
    -- if something do something else
    -- insert average on summarize just if something;
    null;  -- placeholder body: PL/SQL requires at least one statement
  end;
• grant execute on summarize to dashboard_w;
• exec dashboard.summarize;
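The SUMMARIZE "robot" of the slide above as a complete definer's-rights procedure, added here as an example and not taken from the talk. Schema DASHBOARD, tables JOB and SUMMARY and account DASHBOARD_W are the slides'; the columns, the date parameter and the business rule (write one summary row per day, only when that day has jobs and is not summarized yet) are assumptions.

```sql
-- Added example (not from the slides): a definer's-rights PL/SQL procedure
-- that lets DASHBOARD_W produce summaries without any table privileges.
-- Names follow slide 19; columns and the business rule are assumed.

-- As the owner DASHBOARD:
CREATE TABLE JOB (
  job_id     NUMBER PRIMARY KEY,
  submitted  TIMESTAMP NOT NULL,
  duration_s NUMBER(10,2)
);
CREATE TABLE SUMMARY (
  summary_day DATE PRIMARY KEY,
  job_count   NUMBER NOT NULL,
  avg_dur_s   NUMBER(10,2)
);

-- AUTHID DEFINER (the default, written out here for clarity) runs the body
-- with DASHBOARD's privileges. The caller needs EXECUTE on the procedure
-- and nothing on JOB or SUMMARY: the only thing it can do to those tables
-- is exactly what is programmed below.
CREATE OR REPLACE PROCEDURE summarize (p_day IN DATE)
AUTHID DEFINER
IS
  v_count NUMBER;
  v_avg   NUMBER;
BEGIN
  -- select some jobs: everything submitted on the requested day
  SELECT COUNT(*), AVG(duration_s)
    INTO v_count, v_avg
    FROM JOB
   WHERE submitted >= TRUNC(p_day)
     AND submitted <  TRUNC(p_day) + 1;

  -- if something, do something else: nothing to summarize, leave quietly
  IF v_count = 0 THEN
    RETURN;
  END IF;

  -- insert the average only if that day is not summarized yet
  MERGE INTO SUMMARY s
  USING (SELECT TRUNC(p_day) AS d FROM dual) src
     ON (s.summary_day = src.d)
   WHEN NOT MATCHED THEN
     INSERT (summary_day, job_count, avg_dur_s)
     VALUES (src.d, v_count, v_avg);
END summarize;
/

GRANT EXECUTE ON summarize TO DASHBOARD_W;

-- Connected as DASHBOARD_W. Compared with slide 11, the INSERT grant on
-- SUMMARY is no longer needed: the procedure is the only write path.
EXEC DASHBOARD.summarize(DATE '2008-07-07');
-- A direct write fails, since no table privilege was granted:
INSERT INTO DASHBOARD.SUMMARY (summary_day, job_count, avg_dur_s)
  VALUES (DATE '2008-07-07', 1, 0);                -- ORA-00942: table or view does not exist
```

Two design points a reviewer would look for: the parameter is used only as a bind value (no dynamic SQL built from it), and the procedure is idempotent (MERGE), so an application that retries after a failure cannot double-insert a summary row.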

Role based access

Role based access
• Hidden doors with 'open sesame'
• Special privileges password protected
• Allows grouping of privileges
• create role writer_role identified by x13y;
  grant insert on summary to writer_role;
  grant writer_role to dashboard_w;
• insert into summary values (…);
  ORA-00942: table or view does not exist
  set role writer_role identified by x13y;
  insert into summary values (…);
  1 row created.
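The password-protected WRITER_ROLE of the slide above, end to end, as an added example that is not the talk's own code. Role, table and account names are the slides'; the SUMMARY columns and the placeholder password are assumptions. It also spells out one step the slide leaves implicit: a role granted to a user is a default role and is enabled at login without any password, so it has to be taken out of the default set for the password to mean anything.

```sql
-- Added example (not from the slides): a password-protected role that the
-- writer application enables only for the session that needs it.
-- Names follow slide 21; the SUMMARY columns and the password are assumed.

-- As the owner DASHBOARD (table as on the deployment slides):
CREATE TABLE SUMMARY (
  summary_day DATE PRIMARY KEY,
  avg_dur_s   NUMBER(10,2)
);

-- As the DBA: create the role with a password and give it to the writer key.
CREATE ROLE writer_role IDENTIFIED BY rolepw_placeholder;
GRANT writer_role TO DASHBOARD_W;
-- Without this, WRITER_ROLE is a default role and is switched on at login
-- with no password asked, which would make the protection decorative.
ALTER USER DASHBOARD_W DEFAULT ROLE ALL EXCEPT writer_role;

-- As the owner DASHBOARD: the privilege goes to the role, not to the account.
GRANT INSERT ON SUMMARY TO writer_role;

-- Connected as DASHBOARD_W: the hidden door is closed until the password is given.
SELECT role FROM SESSION_ROLES;                      -- no rows selected
INSERT INTO DASHBOARD.SUMMARY (summary_day, avg_dur_s)
  VALUES (DATE '2008-07-07', 42.5);                  -- ORA-00942: table or view does not exist
SET ROLE writer_role IDENTIFIED BY rolepw_placeholder;
SELECT role FROM SESSION_ROLES;                      -- WRITER_ROLE
INSERT INTO DASHBOARD.SUMMARY (summary_day, avg_dur_s)
  VALUES (DATE '2008-07-07', 42.5);                  -- 1 row created
COMMIT;
SET ROLE NONE;                                       -- close the door again for the rest of the session
```

Two caveats: roles are disabled inside definer's-rights stored procedures, so a procedure like SUMMARIZE cannot rely on WRITER_ROLE for its own privileges and needs its owner's direct grants instead; and the role password travels in the SET ROLE statement, so it belongs in the application's configuration with the same care as the account password itself.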

Owner vs Application accounts
• The abloy keys are, in reality, Oracle accounts with different roles and profiles.
  – Owner – to be used by the developer
    • Master key
    • Can create objects (tables, views, sequences) and PL/SQL (functions, procedures, packages)
    • Responsible for configuring the application accounts
    • Maximum 10 simultaneous connections
    • Password expires after 1 year
  – Application accounts
    • No initial privileges (_W/_R are suggestions)
    • Max 400 sessions per DB instance (variable)
    • No password expiration (but recommended to change)
    • Can create synonyms (not recommended)
  – https://twiki.cern.ch/twiki/bin/view/PSSGroup/UserAccounts

Profile - Password
• Prevention of brute force attacks – 1 minute locking after 5 failed attempts
• Expiration after 1 year – no email warning
• Cannot reuse password
• Follows CERN security recommendations

Summary
• Separate applications = separate privileges
• Give only the minimum set of privileges
• Enhanced security with:
  – updatable views with check option
  – PL/SQL procedures
  – password protected roles
• Avoid the use of synonyms; use FQN (fully qualified names)
• Use different credentials in test/development
• Request the necessary application accounts from your DBA
• Check if you gave too many privileges
  – Use the USER_TAB_PRIVS view
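The "check if you gave too many privileges" step of the summary as queries to run from the owner account, added here as an example and not taken from the talk. USER_TAB_PRIVS and ROLE_TAB_PRIVS are standard Oracle data-dictionary views; the account naming convention (_R for read-only keys) and the role name WRITER_ROLE are the slides', and the idea of what counts as suspicious is an assumption for illustration.

```sql
-- Added example (not from the slides): auditing the grants an owner account
-- has handed out. Run connected as the owner (e.g. DASHBOARD). The _R naming
-- convention and WRITER_ROLE follow the slides; the "suspicious" rules are
-- assumed.

-- 1. Everything this owner has granted, one row per (grantee, object, privilege).
SELECT grantee, table_name, privilege, grantable
  FROM USER_TAB_PRIVS
 WHERE grantor = USER
 ORDER BY grantee, table_name, privilege;

-- 2. The ones that deserve a second look: anything other than SELECT given to
--    a read-only (_R) key, anything granted WITH GRANT OPTION (the grantee can
--    pass it on), and anything granted to PUBLIC (every account on the instance).
SELECT grantee, table_name, privilege, grantable
  FROM USER_TAB_PRIVS
 WHERE grantor = USER
   AND (   (grantee LIKE '%\_R' ESCAPE '\' AND privilege <> 'SELECT')
        OR grantable = 'YES'
        OR grantee = 'PUBLIC')
 ORDER BY grantee, table_name;

-- 3. Privileges that reach an application account through a role are listed
--    under the role, not under the account, so check the role as well.
SELECT role, owner, table_name, privilege
  FROM ROLE_TAB_PRIVS
 WHERE role = 'WRITER_ROLE'
 ORDER BY table_name, privilege;
```

Query 2 is the one worth scheduling: run it after every deployment and the output should be empty; any row it returns is either a deliberate exception that should be documented or a grant to revoke.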