合 如何限定特定IP访问Oracle数据库
👉 本文共约7375个字,系统预计阅读时间或需28分钟。
目录
前言部分
导读和注意事项
各位技术爱好者,看完本文后,你可以掌握如下的技能,也可以学到一些其它你所不知道的知识,\~O(∩_∩)O\~:
① 限定IP访问Oracle数据库的3种方法(重点)
② 如何将信息写入到Oracle的告警日志中
③ RAISE_APPLICATION_ERROR不能抛出错误到客户端环境
④ 系统触发器
⑤ 隐含参数:_system_trig_enabled
本文简介
本文详细介绍了3种限制IP地址登录Oracle数据库的办法。
本文实验环境介绍
| 项目 | source db |
|---|---|
| db 类型 | RAC |
| db version | 11.2.0.3.0 |
| db 存储 | ASM |
| OS版本及kernel版本 | RHEL 6.5 |
| 数据库服务器IP地址 | 192.168.59.130 |
| 客户端IP地址 | 192.168.59.1或192.168.59.129 |
限定IP访问Oracle数据库的3种办法
利用登录触发器
简单版
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | SYS@orclasm > CREATE OR REPLACE TRIGGER CHK_IP_LHR 2 AFTER LOGON ON DATABASE 3 DECLARE 4 V_IPADDR VARCHAR2(30); 5 V_LOGONUSER VARCHAR2(60); 6 BEGIN 7 SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 8 SYS_CONTEXT('USERENV', 'SESSION_USER') 9 INTO V_IPADDR, V_LOGONUSER 10 FROM DUAL; 11 IF V_IPADDR LIKE ('192.168.59.%') THEN 12 RAISE_APPLICATION_ERROR('-20001', 'User '||V_LOGONUSER||' is not allowed to connect from '||V_IPADDR); 13 END IF; 14 END; 15 / Trigger created. SYS@orclasm > create user lhr8 identified by lhr; User created. SYS@orclasm > grant resource,connect to lhr8; Grant succeeded. |
客户端登录:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | D:\Users\xiaomaimiao>ipconfig 以太网适配器 VMware Network Adapter VMnet8: 连接特定的 DNS 后缀 . . . . . . . : 本地链接 IPv6 地址. . . . . . . . : fe80::850a:3293:c7fb:75e1%24 IPv4 地址 . . . . . . . . . . . . : 192.168.59.1 子网掩码 . . . . . . . . . . . . : 255.255.255.0 D:\Users\xiaomaimiao>sqlplus lhr8/lhr@orclasm SQL*Plus: Release 11.2.0.1.0 Production on Sat Mar 18 17:29:27 2017 Copyright (c) 1982, 2010, Oracle. All rights reserved. ERROR: ORA-00604: error occurred at recursive SQL level 1 ORA-20001: User LHR8 is not allowed to connect from 192.168.59.1 ORA-06512: at line 10 Enter user-name: |
告警日志无输出。
复杂版
复杂版就是需要记录登录日志,并把报错信息输出到告警日志中。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 | CREATE TABLE XB_AUDIT_LOGON_LHR( ID NUMBER PRIMARY KEY, INST_ID NUMBER, OPER_DATE DATE, OS_USER VARCHAR2(255), CLIENT_IP VARCHAR2(20), CLIENT_HOSTNAME VARCHAR2(30), DB_SCHEMA VARCHAR2(30), SID NUMBER, SERIAL# NUMBER, SPID NUMBER, SESSION_TYPE VARCHAR2(1000), DATABASE_NAME VARCHAR2(255) ) NOLOGGING PARTITION BY RANGE(OPER_DATE) INTERVAL(NUMTOYMINTERVAL(1,'MONTH')) SUBPARTITION BY HASH(INST_ID) SUBPARTITION TEMPLATE ( SUBPARTITION SP1 , SUBPARTITION SP2 ) (PARTITION P201610 VALUES LESS THAN(TO_DATE('201610','YYYYMM'))); CREATE SEQUENCE S_XB_AUDIT_DDL_LHR START WITH 1 INCREMENT BY 1 CACHE 2000; SELECT S_XB_AUDIT_DDL_LHR.NEXTVAL FROM DUAL; CREATE INDEX IND_AUDIT_DDL_OS_USER ON XB_AUDIT_LOGON_LHR(OS_USER) LOCAL NOLOGGING; CREATE INDEX IND_AUDIT_DDL_SID ON XB_AUDIT_LOGON_LHR(SID,SERIAL#) LOCAL NOLOGGING; GRANT SELECT ON XB_AUDIT_LOGON_LHR TO PUBLIC; CREATE OR REPLACE PROCEDURE PRO_TRI_DDL_INSET_LHR AUTHID CURRENT_USER AS SP_XB_AUDIT_DDL_LHR XB_AUDIT_LOGON_LHR%ROWTYPE; V_COUNT NUMBER; V_TMP VARCHAR2(255); V_MODULE VARCHAR2(4000); V_ACTION VARCHAR2(4000); V_MESSAGE VARCHAR2(4000); BEGIN BEGIN SELECT A.SID, A.SERIAL#, (SELECT B.SPID FROM GV$PROCESS B WHERE B.ADDR = A.PADDR AND B.INST_ID = USERENV('INSTANCE')) SPID, UPPER(A.OSUSER) OSUSER, A.MACHINE || '--' || A.PROGRAM || '--' || A.MODULE || '--' || A.ACTION SESSION_TYPE, A.USERNAME, A.INST_ID INTO SP_XB_AUDIT_DDL_LHR.SID, SP_XB_AUDIT_DDL_LHR.SERIAL#, SP_XB_AUDIT_DDL_LHR.SPID, SP_XB_AUDIT_DDL_LHR.OS_USER, SP_XB_AUDIT_DDL_LHR.SESSION_TYPE, SP_XB_AUDIT_DDL_LHR.DB_SCHEMA, SP_XB_AUDIT_DDL_LHR.INST_ID FROM GV$SESSION A WHERE A.AUDSID = USERENV('SESSIONID') AND A.INST_ID = USERENV('INSTANCE'); --job 信息 不同的数据库这里的os_user需要修改 IF UPPER(SYS_CONTEXT('USERENV', 'OS_USER')) = 'ORACLE' THEN SELECT COUNT(1) INTO V_COUNT FROM DBA_JOBS_RUNNING A, DBA_JOBS B WHERE A.JOB = B.JOB AND A.SID = SP_XB_AUDIT_DDL_LHR.SID AND A.INSTANCE = USERENV('INSTANCE'); IF V_COUNT > 0 THEN SELECT '【DBA_JOBS:' || B.JOB || '--' || B.WHAT || '】' INTO V_TMP FROM DBA_JOBS_RUNNING A, DBA_JOBS B WHERE A.JOB = B.JOB AND A.SID = SP_XB_AUDIT_DDL_LHR.SID AND A.INSTANCE = USERENV('INSTANCE'); ELSE SELECT '--' || B.JOB_TYPE || '--' || B.JOB_ACTION INTO V_TMP FROM DBA_SCHEDULER_RUNNING_JOBS A, DBA_SCHEDULER_JOBS B WHERE A.JOB_NAME = B.JOB_NAME AND A.SESSION_ID = SP_XB_AUDIT_DDL_LHR.SID AND A.RUNNING_INSTANCE = USERENV('INSTANCE'); END IF; END IF; EXCEPTION WHEN OTHERS THEN NULL; END; BEGIN --v_module is much useful, "plsqldev.exe" DBMS_APPLICATION_INFO.READ_MODULE(V_MODULE, V_ACTION); V_MESSAGE := TO_CHAR(SYSDATE, 'yyyy-mm-dd hh24:mi:ss') || ' (User ' || SYS.LOGIN_USER || ' logon denied from [IP:' || ORA_CLIENT_IP_ADDRESS || ', ' || UPPER(SYS_CONTEXT('USERENV', 'OS_USER')) || '] with ' || V_MODULE || ' ' || V_ACTION || ')'; --write alert.log SYS.DBMS_SYSTEM.KSDWRT(2, V_MESSAGE); EXCEPTION WHEN OTHERS THEN NULL; END; INSERT INTO XB_AUDIT_LOGON_LHR (ID, INST_ID, OPER_DATE, OS_USER, CLIENT_IP, CLIENT_HOSTNAME, DB_SCHEMA, SID, SERIAL#, SPID, SESSION_TYPE, DATABASE_NAME) VALUES (S_XB_AUDIT_DDL_LHR.NEXTVAL, USERENV('INSTANCE'), -- sp_xb_audit_ddl_lhr.INST_ID ora_instance_num SYSDATE, UPPER(SYS_CONTEXT('USERENV', 'OS_USER')), -- sp_xb_audit_ddl_lhr.os_user SYS_CONTEXT('userenv', 'ip_address'), --ora_client_ip_address SYS_CONTEXT('userenv', 'terminal'), --sys_context('userenv', 'host') NVL2(ORA_LOGIN_USER, SYS_CONTEXT('USERENV', 'SESSION_USER'), SP_XB_AUDIT_DDL_LHR.DB_SCHEMA), -- SYS_CONTEXT('USERENV', 'SESSION_USER') sys.login_user SP_XB_AUDIT_DDL_LHR.SID, ---- SYS_CONTEXT('USERENV', 'SID'), SP_XB_AUDIT_DDL_LHR.SERIAL#, SP_XB_AUDIT_DDL_LHR.SPID, SP_XB_AUDIT_DDL_LHR.SESSION_TYPE || V_TMP, ORA_DATABASE_NAME --sys_context('USERENV', 'DB_NAME') ); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END PRO_TRI_DDL_INSET_LHR; / CREATE OR REPLACE TRIGGER CHK_IP_LHR AFTER LOGON ON DATABASE DECLARE V_IPADDR VARCHAR2(30); V_LOGONUSER VARCHAR2(60); V_MODULE VARCHAR2(4000); V_ACTION VARCHAR2(4000); V_MESSAGE VARCHAR2(4000); BEGIN SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS'), SYS_CONTEXT('USERENV', 'SESSION_USER') INTO V_IPADDR, V_LOGONUSER FROM DUAL; V_MESSAGE := TO_CHAR(SYSDATE, 'yyyy-mm-dd hh24:mi:ss') || ' (User ' || SYS.LOGIN_USER || ' logon denied from [IP:' || ORA_CLIENT_IP_ADDRESS || ', ' || UPPER(SYS_CONTEXT('USERENV', 'OS_USER')) || '] with ' || V_MODULE || ' ' || V_ACTION || ')'; IF V_IPADDR LIKE ('192.168.59.%') THEN PRO_TRI_DDL_INSET_LHR; RAISE_APPLICATION_ERROR('-20001', V_MESSAGE); END IF; END; / |
客户端登录:
告警日志:
查询日志表:
SELECT * FROM XB_AUDIT_LOGON_LHR;
注意事项
需要注意的问题:
- 触发的对象类型可以为DATABASE,也可以为“用户名.SCHEMA”,如:
AFTER LOGON ON DATABASE
AFTER LOGON ON SCOTT.SCHEMA
- 当触发的对象类型为DATABASE的时候,登录用户不能拥有“ADMINISTER DATABASE TRIGGER”的系统权限;当触发的对象类型为“用户名.SCHEMA”的时候,登录用户不能拥有“ALTER ANY TRIGGER”的系统权限。否则,这些用户还是会正常登录到数据库,只是将相应的报错信息写入到告警日志中。所以,拥有IMP_FULL_DATABASE和DBA角色的用户以及SYS和EXFSYS用户将不能通过这种方式限制登录。
- 隐含参数“_SYSTEM_TRIG_ENABLED”的默认值是TRUE,即允许DDL和系统触发器。当设置隐含参数“_SYSTEM_TRIG_ENABLED”为FALSE的时候,将禁用DDL和系统触发器。所以,当该值设置为FALSE的时候将不能通过这种方式限制登录。
测试第二点
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | 第二点测试如下: SYS@orclasm > grant ADMINISTER DATABASE TRIGGER to lhr8; Grant succeeded. 客户端登录: D:\Users\xiaomaimiao>sqlplus lhr8/lhr@orclasm SQL*Plus: Release 11.2.0.1.0 Production on Sat Mar 18 18:33:13 2017 Copyright (c) 1982, 2010, Oracle. All rights reserved. Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, Automatic Storage Management, OLAP, Data Mining and Real Application Testing options LHR8@orclasm> 告警日志: Sat Mar 18 18:33:13 2017 2017-03-18 18:33:13 (User LHR8 logon denied from [IP:192.168.59.1, XIAOMAIMIAO] with sqlplus.exe ) Errors in file /u01/app/oracle/diag/rdbms/orclasm/orclasm/trace/orclasm_ora_33505.trc: ORA-00604: error occurred at recursive SQL level 1 ORA-20001: 2017-03-18 18:33:13 (User LHR8 logon denied from [IP:192.168.59.1, XIAOMAIMIAO] with ) ORA-06512: at line 21 继续测试: SYS@orclasm > revoke ADMINISTER DATABASE TRIGGER from lhr8; Revoke succeeded. SYS@orclasm > GRANT ALTER ANY TRIGGER TO LHR8; Grant succeeded. SYS@orclasm > |
客户端继续登录,发现不能正常登录。将触发器中的AFTER LOGON ON DATABASE修改为AFTER LOGON ON LHR8.SCHEMA,其他不变,继续测试:
发现可以正常登录了,告警日志:
测试第三点
将触发器中的AFTER LOGON ON LHR8.SCHEMA修改为AFTER LOGON ON DATABASE,其他不变,继续测试:
不能正常登录,下面禁用系统触发器:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | SYS@orclasm > set pagesize 9999 SYS@orclasm > set line 9999 SYS@orclasm > col NAME format a40 SYS@orclasm > col KSPPDESC format a50 SYS@orclasm > col KSPPSTVL format a20 SYS@orclasm > SELECT a.INDX, 2 a.KSPPINM NAME, 3 a.KSPPDESC, 4 b.KSPPSTVL 5 FROM x$ksppi a, 6 x$ksppcv b 7 WHERE a.INDX = b.INDX 8 and lower(a.KSPPINM) like lower('%¶meter%'); Enter value for parameter: _system_trig_enabled old 8: and lower(a.KSPPINM) like lower('%¶meter%') new 8: and lower(a.KSPPINM) like lower('%_system_trig_enabled%') INDX NAME KSPPDESC KSPPSTVL ---------- ---------------------------------------- -------------------------------------------------- -------------------- 1750 _system_trig_enabled are system triggers enabled TRUE SYS@orclasm > alter system set "_system_trig_enabled"=false; System altered. SYS@orclasm > |
进行登录:
发现可以正常登录了。将参数"_system_trig_enabled"修改回原值。
1 2 3 4 5 6 7 8 9 10 | SYS@orclasm > alter system set "_system_trig_enabled"=true; System altered. SYS@orclasm > alter system reset "_system_trig_enabled" scope=spfile sid='*'; System altered. SYS@orclasm > |
利用登录触发器实现时间段登录
Use Event Triggers
------------------
If you allow the users to log in the database only from Monday to Friday included,
and from 8AM to 6PM, create an event trigger that checks after logon on
database for each user (except the DBA users) that the connection occurs only
within this timeframe.
Example 1
-------
1. No check set up yet: any ordinary user can log into the database:
SQL> connect test_trigger/test_trigger
Connected.
2. The DBA creates an event trigger that checks if the connection occurs
between Monday and Friday , and within working hours: 8AM to 6PM.
1 2 3 4 5 6 7 8 9 10 11 12 | SQL> connect system/manager Connected. SQL> create or replace trigger logon_trg after logon on database begin if (to_char(sysdate,'D') not between '2' and '6') or (to_char(sysdate, 'HH24') not between '08' and '18') then RAISE_APPLICATION_ERROR(-20001, 'You are not allowed to log into database now.'); end if; end; / |
Trigger created.
3. It is Friday 5PM : an ordinary user can log into the database:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | SQL> connect test_trigger/test_trigger Connected. It is Monday 7AM : an ordinary user cannot log into the database It is Saturday 9AM : an ordinary user cannot log into the database: SQL> connect test_trigger/test_trigger ERROR: ORA-00604: error occurred at recursive SQL level 1 ORA-20001: You are not allowed to log into database now. ORA-06512: at line 3 Warning: You are no longer connected to ORACLE. SQL> |
Example 2
本人提供Oracle(OCP、OCM)、MySQL(OCP)、PostgreSQL(PGCA、PGCE、PGCM)等数据库的培训和考证业务,私聊QQ646634621或微信db_bao,谢谢!
