12.2 Multitenant New Security Features
Clarify DevOps and DBA role separation
Infrastructure at your Service.
15.11.2016

About me
Franck Pachot
Principal consultant
Oracle Technology Leader
Mobile +41 79 963 27 22
www.dbi-services.com

dbi services: Who we are
Experts At Your Service
> 50 specialists in IT infrastructure
> Certified, experienced, passionate
Based In Switzerland
> 100% self-financed Swiss company
> Over CHF 6 million turnover
Leading In Infrastructure Services
> More than 120 customers in CH, D, & F
> Over 40 SLAs dbi FlexService contracted

Agenda
1. DevOps
2. Common and local users
3. Lockdown profiles and PDB isolation
4. Resource manager and PDB parameters
5. Conclusion

DevOps - What is DevOps, What is Agile, What is Cloud?
At operations our goal is stability
> Run the same old things for years
> Don't touch anything when it works
> We keep the keys of the system so that nobody breaks it
At development our goal is evolution
> What is ok today will be obsolete tomorrow
> When it works we need to do better
> We need to do it fast: agile
> We can't depend on Ops: fast provisioning, fast refresh, Cloud

DevOps - Roundtrips between Dev and Ops are too long
Each operation requires
> several manual steps
> from multiple teams
Today we need
> More automation
> Faster provisioning
> Fewer roundtrips between Dev and Ops
> Ops provision an isolated database
> Then give all rights on it to Dev
> And automation to clone, refresh, …

DevOps - Roundtrips between Dev and Ops are too long
Need to create databases faster?
> CREATE PLUGGABLE DATABASE
Need to refresh databases faster?
> Snapshots, Thin Clones, refreshable PDBs …
Dev and Ops must communicate
> Set the rules before arguing about each request
> Define clearly the Dev privileges:
> Full power on his PDB only
> No side effect on other PDBs

DevOps - Diagram: Multitenant, Thin Clones, Lockdown profiles, Resource manager, Agile
For whatever reason this is called "CLOUD"

DevOps - Exadata Express Cloud Service
The first Oracle Cloud Service
> Was: Schema as a Service
> Focused on developers (the goal was APEX)
At OOW16 Oracle released a new service for developers:
> PDB as a Service rather than Schema as a Service
> A PDB is a database (public objects, multiple schemas)
> Provisioned in minutes - focused on developers: they are granted DBA
> The CDB is managed by Oracle
So can we give DBA rights to a developer on his PDB without compromising the system?
> Yes, with the multitenant architecture, in Oracle Database 12c Release 2

DevOps - Exadata Express lockdown & restrictions
Screenshot: admin privileges on the PDB, but no access to the system

DevOps - Exadata Express lockdown & restrictions
Screenshot: admin privileges on the PDB, but using only allocated resources

Agenda
1. DevOps
2. Common and local users
3. Lockdown profiles and PDB isolation
4. Resource manager and PDB parameters
5. Other features
6. Conclusion

Users and privileges - Common and local users
Local users are created in the PDB
> Are known in the local container only
> Created in one container with container=current
Common users are created in the CDB
> Are known in all containers
> Created in CDB$ROOT with container=all
> Can change the current container with alter session
Diagram: CDB1 with CDB$ROOT, PDB$SEED and PDB_APP1; a local user belongs to one PDB, a common user spans all containers

Users and privileges - Common and local users
Multitenant architecture vs. non-CDB: separation of roles
Local users are for Dev
> Application schemas
> Application users
> Application admins
Common users are for Ops
> System administrator
> Oracle maintained
> Monitoring, …
Diagram: CDB1 with CDB$ROOT, PDB$SEED and PDB_APP1; SYSTEM (common) vs. APPLICATION (local)

Users and privileges - Common and local roles and privileges
Local roles and privileges
> Granted to a local or common user on a local container
Common roles and privileges
> From CDB$ROOT with container=common
> Granted to common users on all containers
So you can grant DBA locally to the PDB local admin
> But are you sure that his rights are limited to the PDB?
SQL> alter session set container=PDB;
SQL> grant DBA to MY_DEVELOPER container=current;

Users and privileges - Demo
Common user: CDB administrator
Local user: PDB administrator
SQL> alter session set container=PDB1;
Session altered.
SQL> create user PDBDBA identified by dev container=current;
User created.
SQL> grant DBA to PDBDBA identified by dev container=current;
Grant succeeded.
SQL> show parameter prefix
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
common_user_prefix                   string      C##
SQL> create user C##CDBDBA identified by ops container=all;
User created.
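An audit query to answer the question on the previous slide (is the PDB admin's DBA grant really local?), added here as an example and not part of the original slides. It runs from CDB$ROOT over the standard CDB_USERS, CDB_ROLE_PRIVS and V$CONTAINERS views, which only list open PDBs; the names PDBDBA, C##CDBDBA and PDB1 are the ones used in the demo.

```sql
-- Added example, not from the slides: list, from CDB$ROOT, which users are common and
-- which are local, and in which container (and how) the DBA role was granted.
-- Assumes the demo above: local user PDBDBA in PDB1, common user C##CDBDBA.
alter session set container=CDB$ROOT;

-- Every non-Oracle-maintained user with the container it lives in. A common user
-- (COMMON=YES) shows one row per open container; a local user (COMMON=NO) one row only.
select c.name as container, u.username, u.common
from   cdb_users u join v$containers c on c.con_id = u.con_id
where  u.oracle_maintained = 'N'
order  by c.con_id, u.username;

-- Where DBA is granted, and whether the grant itself is local or common.
-- For the PDB admin the only expected row is PDB1 / PDBDBA / COMMON=NO: the role
-- exists in every container, but his grant of it does not.
select c.name as container, r.grantee, r.granted_role, r.common
from   cdb_role_privs r join v$containers c on c.con_id = r.con_id
where  r.granted_role = 'DBA' and r.grantee not in ('SYS', 'SYSTEM')
order  by c.con_id, r.grantee;
```

A local DBA grant still gives full power inside that PDB; the next section shows how lockdown profiles restrict what that power can do.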

Agenda: 3. Lockdown profiles and PDB isolation

Lockdown profiles
You want to delegate some DBA roles to a PDB owner
> You need a finer level than system privileges
With lockdown profiles you can lock down local users
> disable database options, features, access to system files, network
> control what can be done by some powerful commands:
> ALTER SYSTEM, ALTER SESSION, ALTER [PLUGGABLE] DATABASE
SQL> create lockdown profile X20;
Lockdown Profile created.
SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------ ---------- ---------- ------
APPDBA_PROF                                                       DISABLE
SQL> alter session set container=PDB1;
Session altered.
SQL> alter system set pdb_lockdown=X20;
System altered.

Lockdown profiles - Demo: disable option
CDB administrator disables some options:
SQL> alter lockdown profile DEMO_LOCKDOWN DISABLE option = ('Partitioning');
Lockdown Profile altered.
SQL> select * from dba_lockdown_profiles;
PROFILE_NAME  RULE_TYPE RULE          CLAUSE CLAUSE_OPTION STATUS
------------- --------- ------------- ------ ------------- -------
DEMO_LOCKDOWN OPTION    PARTITIONING                       DISABLE
Local user (PDB administrator):
SQL> select banner from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL> create table TEST(c char) partition by hash(c) partitions 2;
create table TEST(c char) partition by hash(c) partitions 2
*
ERROR at line 1:
ORA-00439: feature not enabled: Partitioning

Lockdown profiles - disable option
You want to disable options (cf. V$OPTION) for a PDB:
> Database queuing (also known as Advanced Queuing)
> Oracle Data Guard
> Partitioning
> Real Application Clusters
> … disable option all;
> … disable option all except=(…);
SQL> alter lockdown profile APPDBA_PROF disable option = ('Partitioning');
Lockdown Profile altered.
SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------ ---------- ---------- -------
APPDBA_PROF   OPTION    PARTITIONING                              DISABLE

Lockdown profiles - disable alter system
Did you ever grant ALTER SYSTEM to developers so that they can kill their sessions?
> That's a quite powerful privilege
SQL> grant ALTER SYSTEM to MY_DEVELOPER;
Alternative: a wrapper procedure that checks the session before killing it
> Great encapsulation, but how does it work with the TOAD 'kill' button?
SQL> create procedure kill_session (…) as begin
       if … /* check if session USERNAME */
       execute immediate 'alter system kill session …'
       …
SQL> grant EXECUTE on kill_session to MY_DEVELOPER;
In 12cR2 Multitenant, there is a solution: lockdown profiles
> available in Multitenant, also in Single-Tenant, but not in non-CDB
> to control PDB local users beyond privileges

Lockdown profiles - disable alter system
You want to disable, for a PDB:
> Some ALTER SYSTEM commands
> But not revoke the whole ALTER SYSTEM privilege
> Any user will get an 'ORA-01031: insufficient privileges' for any ALTER SYSTEM command, except ALTER SYSTEM KILL SESSION
SQL> alter lockdown profile APPDBA_PROF disable statement = ('ALTER SYSTEM')
     clause = all except = ('KILL SESSION');
SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE       CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------------ ---------- ---------- -------
APPDBA_PROF   STATEMENT ALTER SYSTEM                                    DISABLE
APPDBA_PROF   STATEMENT ALTER SYSTEM KILL SESSION                       ENABLE

Lockdown profiles - disable alter system
You want to disable, for a PDB:
> Some ALTER SYSTEM commands
> Allow ALTER SYSTEM SET, but for some parameters only
SQL> alter lockdown profile APPDBA_PROF disable statement = ('ALTER SYSTEM')
     clause = ('SET');
Lockdown Profile altered.
SQL> alter lockdown profile APPDBA_PROF enable statement = ('ALTER SYSTEM') clause =
     ('SET') option = ('undo_retention', 'temp_undo_enabled', 'resumable_timeout',
     'cursor_sharing', 'session_cached_cursors', 'heat_map', 'resource_manager_plan',
     'optimizer_dynamic_sampling');
Lockdown Profile altered.
SQL> select * from DBA_LOCKDOWN_PROFILES where profile_name='APPDBA_PROF';
PROFILE_NAME  RULE_TYPE RULE         CLAUSE  CLAUSE_OPTION             STATUS
------------- --------- ------------ ------- ------------------------- -------
APPDBA_PROF   STATEMENT ALTER SYSTEM SET                               DISABLE
APPDBA_PROF   STATEMENT ALTER SYSTEM SET     CURSOR_SHARING            ENABLE
…

Lockdown profiles - Demo: alter system
CDB administrator disables ALTER SYSTEM:
SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable statement = ('ALTER SYSTEM');
PDB administrator cannot do any ALTER SYSTEM:
SQL> alter system kill session '395,37488'
alter system kill session '395,37488'
*
ERROR at line 1:
ORA-01031: insufficient privileges
CDB administrator makes an exception for KILL SESSION:
SQL> alter lockdown profile DEMO_LOCKDOWN
  2  enable statement = ('ALTER SYSTEM') clause = ('KILL SESSION');
PDB administrator can use ALTER SYSTEM only to kill sessions:
SQL> alter system kill session '395,37488'
System altered.

Lockdown profiles - disable alter system
Example: only the whitelisted parameters can be set, any other raises ORA-01031:
SQL> alter system set optimizer_dynamic_sampling=4;
System altered.
SQL> alter system set optimizer_index_cost_adj=1;
alter system set optimizer_index_cost_adj=1
*
ERROR at line 1:
ORA-01031: insufficient privileges
When disabling, we can set the value, a list of values, or a min/max value:
alter lockdown profile APPDBA_PROF disable statement=('ALTER SYSTEM') clause=('SET')
  option=('cursor_sharing') value=('EXACT');
> Sets the value to in spfile
> (re)start the PDB after setting the lockdown profile

Lockdown profiles - disable alter system
ALTER SYSTEM SET PDB_LOCKDOWN can be set only by a common user
ALTER SYSTEM RESET
> is also disabled by clause=('SET')
Other statements:
> ALTER SESSION (same clause/option syntax as ALTER SYSTEM)
> ALTER DATABASE
> ALTER PLUGGABLE DATABASE
18:39:35 SQL> show parameter lockdown
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown                         string      DEMO_LOCKDOWN
18:39:43 SQL> alter session set pdb_lockdown='';
ERROR:
ORA-02097: parameter cannot be modified because specified value is invalid
ORA-01031: insufficient privileges

Lockdown profiles - disable features
You want to disable, for a PDB:
> Network access
> DBMS_DEBUG_JDWP, UTL_HTTP, UTL_INADDR, UTL_SMTP, UTL_TCP
> XDB (the native XML storage in the database)
> COMMON_SCHEMA_ACCESS through proxy users
> Such as connect LOCALUSER[C##COMMONUSER]/oracle@//localhost/PDB1
> 'NETWORK_ACCESS' disables all networking packages
> 'OS_ACCESS' disables all file manipulation
> DROP_TABLESPACE_KEEP_DATAFILES is needed to drop a tablespace without 'including datafiles' when it has a non-OMF datafile
> 'AWR_ACCESS' is needed to create snapshots…
SQL> alter lockdown profile APPDBA_PROF disable feature =
     ('UTL_HTTP','UTL_SMTP','UTL_TCP');

Lockdown profiles - disable features
Not all features are documented; the feature names can be listed from the binary:
strings $ORACLE_HOME/bin/oracle
NETWORK_ACCESS
COMMON_SCHEMA_ACCESS
UTL_TCP
UTL_HTTP
UTL_SMTP
UTL_INADDR
XDB_PROTOCOLS
CTX_PROTOCOLS
CTX_LOGGING
OS_ACCESS
UTL_FILE
EXTERNAL_PROCEDURES
JAVA_OS_ACCESS
JAVA_RUNTIME
TRACE_VIEW_ACCESS
AQ_PROTOCOLS
EXTERNAL_AND_GLOBAL_AUTHENTICATION
CONNECTIONS
LOCAL_SYSOPER_RESTRICTED_MODE_CONNECT
COMMON_USER_CONNECT
FILE_TRANSFER
AWR_ACCESS
COMMON_USER_LOCAL_SCHEMA_ACCESS
LOCAL_USER_COMMON_SCHEMA_ACCESS
EXTERNAL_FILE_ACCESS
DROP_TABLESPACE_KEEP_DATAFILES
LOB_FILE_ACCESS
ADR_ACCESS

Lockdown profiles - Demo: disable features
CDB administrator disables some features:
SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable feature = ('DROP_TABLESPACE_KEEP_DATAFILES');
Lockdown Profile altered.
SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable feature = ('AWR_ACCESS');
Lockdown Profile altered.
PDB user has insufficient privileges even when having the DBA role:
> "ORA-01031: insufficient privileges" is the only info. Lockdown rules are not exposed
SQL> drop tablespace USERS
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> drop tablespace USERS including contents and datafiles;
Tablespace dropped.
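The rules shown one by one on the previous slides (options, ALTER SYSTEM clauses and parameter whitelists, features) combined into one profile for a PDB-as-a-Service developer, added here as an example and not code from the original slides. It uses the slides' names APPDBA_PROF and PDB1, is run as a common user, and the MINVALUE/MAXVALUE range on one parameter is the documented ALTER LOCKDOWN PROFILE syntax, not something the slides show.

```sql
-- Added example, not from the slides: one lockdown profile combining the rules above.
-- Run as a common user (SYS or C##CDBDBA); names APPDBA_PROF and PDB1 are assumed.
alter session set container=CDB$ROOT;
create lockdown profile APPDBA_PROF;

-- 1. Options: the CDB decides which database options the PDB may use (cf. V$OPTION)
alter lockdown profile APPDBA_PROF disable option = ('Partitioning');

-- 2. ALTER SYSTEM: deny everything, then re-enable only KILL SESSION and a whitelist
--    of SET parameters; a MINVALUE/MAXVALUE range bounds an allowed parameter
alter lockdown profile APPDBA_PROF disable statement = ('ALTER SYSTEM');
alter lockdown profile APPDBA_PROF enable statement = ('ALTER SYSTEM')
  clause = ('KILL SESSION');
alter lockdown profile APPDBA_PROF enable statement = ('ALTER SYSTEM') clause = ('SET')
  option = ('cursor_sharing', 'session_cached_cursors', 'undo_retention');
alter lockdown profile APPDBA_PROF enable statement = ('ALTER SYSTEM') clause = ('SET')
  option = ('optimizer_dynamic_sampling') minvalue = '0' maxvalue = '4';

-- 3. Features: no network or OS access from inside the PDB, no AWR snapshots, and no
--    dropping a tablespace while leaving its datafile behind on the host
alter lockdown profile APPDBA_PROF disable feature =
  ('NETWORK_ACCESS', 'OS_ACCESS', 'AWR_ACCESS', 'DROP_TABLESPACE_KEEP_DATAFILES');

-- 4. Attach the profile to the PDB. PDB_LOCKDOWN is settable only by a common user,
--    so the PDB's local DBA cannot remove it (he gets ORA-01031, as on the slide above)
alter session set container=PDB1;
alter system set pdb_lockdown = 'APPDBA_PROF';

-- 5. Verify from CDB$ROOT: this is where the rules are readable; the locked-down local
--    user only ever sees ORA-01031 when a statement hits one of them
alter session set container=CDB$ROOT;
select rule_type, rule, clause, clause_option, status
from   dba_lockdown_profiles
where  profile_name = 'APPDBA_PROF'
order  by rule_type, rule, clause, clause_option;
```

Because a more specific ENABLE rule overrides the broader DISABLE, the order of the ALTER LOCKDOWN PROFILE statements does not matter; what matters is that the final set of rows in DBA_LOCKDOWN_PROFILES is what you intended.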

PDB isolation on OS - PATH_PREFIX and CREATE_FILE_DEST
We want to limit the access to filesystems by a PDB
In 12.1
> PATH_PREFIX for directories
In 12.2
> CREATE_FILE_DEST for directories
SQL> create pluggable database PDB1
     admin user admin identified by password
     create_file_dest='/u02/app/oracle/oradata/CDB2/PDB1';
Pluggable database created.
…
SQL> create tablespace APPDATA datafile '/tmp/appdata.dbf' size 5M;
create tablespace APPDATA datafile '/tmp/appdata.dbf' size 5M
*
ERROR at line 1:
ORA-65250: invalid path specified for file - /tmp/appdata.dbf

PDB isolation on OS - PDB_OS_CREDENTIAL
A user can run a program on the host through
> dbms_scheduler
> external procedures
You don't want it to run as the oracle OS user
You create the credential for another OS user
And limit the PDB to using this user:
-- credential created in CDB$ROOT by a common user; the same name is then
-- referenced by PDB_OS_CREDENTIAL in the PDB
begin
  dbms_credential.create_credential(
    credential_name => 'PDB1_OS_USER', username => 'limitedUser', password => 'secret');
end;
/
alter session set container=PDB1;
alter system set pdb_os_credential=PDB1_OS_USER scope=spfile;

Agenda: 4. Resource manager and PDB parameters

Resource Manager - Controls PDB usage of CDB resources
Which resources?
> CPU, Parallel servers, Exadata I/O
Define SHARES to guarantee a minimum
> Ensures that all PDBs get their part
> When all CDB resources are used
> PDBs that use more than their share will wait
Define UTILIZATION_LIMIT to throttle usage
> In percentage of CDB resources
> PDBs that use more than the percentage of CDB resources wait
> Parallel_utilization_limit is a % of parallel_servers_target

Resource Manager - New in 12.2: memory usage
Which resources?
> Memory (PGA, Buffer Cache and Shared Pool)
Define MEMORY_MIN for minimum allocation
> Percentage scaled to 100% -> similar to shares
> A PDB using more is preferred for releasing memory
> A PDB using less is preferred for memory allocation
Define MEMORY_LIMIT for maximum allocation
> In percentage of CDB memory
> PDBs that use more than the percentage need to release before allocating

Resource Manager - New in 12.2: Performance categories
For rapid provisioning (cloud)
> A CDB can define multiple profiles
> A CDB plan defines the directives of each profile
> Each PDB sets its performance profile
DBMS_RESOURCE_MANAGER.create_cdb_profile_directive(
  plan => 'PDBAAS_CDB_PLAN',
  profile=> 'X20', shares=> 2, utilization_limit=> 20, memory_limit=> 20);
alter lockdown profile &&prof_name
  disable statement=('ALTER SYSTEM') clause=('SET')
  option=('db_performance_profile') value=('X20');

Resource Manager - PDB memory parameters
Fixed minimum and maximum sizes at PDB level
> Only if you use ASMM for the CDB, not AMM
PGA_AGGREGATE_TARGET
> Soft limit for the PGA tunable size (work areas spill to TEMP when reached)
PGA_AGGREGATE_LIMIT
> Hard limit for PGA. Aborts calls or sessions when the limit is reached
SGA_MIN_SIZE
> Minimum SGA size for the PDB
SGA_TARGET
> Maximum SGA size for the PDB
DB_CACHE_SIZE, SHARED_POOL_SIZE
> Minimums at PDB level

Resource Manager - PDB I/O and CPU parameters
MAX_IOPS, MAX_MBPS
> Throttle I/O done to PDB datafiles (non-Exadata only)
> Wait event "I/O rate limit"
> At CDB level they act as a default for all PDBs
CPU_COUNT
> Instance caging at PDB level: sets the maximum number of threads
> Replaces UTILIZATION_LIMIT for CPU
SQL> select * from v$parameter where name like 'max_____' or name='cpu_count';
NAME         DESCRIPTION                                          ISPDB
------------ ---------------------------------------------------- -----
max_iops     MAX IO per second                                    TRUE
max_mbps     MAX MB per second                                    TRUE
cpu_count    number of CPUs for this instance                     TRUE
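The CDB plan behind the X20 performance profile from the slide above, the PDB pinned to that profile, and the 12.2 per-PDB caps from this slide, written out end to end as an added example (not the slides' code). The plan, profile and PDB names (PDBAAS_CDB_PLAN, X20, PDB1) are the slides'; the shares, percentages and caps are constructed values, and the whole script runs as a common user with ALTER SYSTEM.

```sql
-- Added example, not from the slides: CDB plan with a profile directive, default
-- directive, the PDB's DB_PERFORMANCE_PROFILE, and per-PDB CPU and I/O caps.
-- Names PDBAAS_CDB_PLAN / X20 / PDB1 come from the slides; numbers are constructed.
alter session set container=CDB$ROOT;
begin
  dbms_resource_manager.create_pending_area;
  dbms_resource_manager.create_cdb_plan(
    plan    => 'PDBAAS_CDB_PLAN',
    comment => 'PDB as a Service: shares and limits per performance profile');
  -- every PDB whose DB_PERFORMANCE_PROFILE is X20 gets 2 shares, at most 20% of CPU
  -- and parallel servers, and between 10% and 20% of CDB memory
  dbms_resource_manager.create_cdb_profile_directive(
    plan                  => 'PDBAAS_CDB_PLAN',
    profile               => 'X20',
    shares                => 2,
    utilization_limit     => 20,
    parallel_server_limit => 20,
    memory_min            => 10,
    memory_limit          => 20);
  -- PDBs with no profile fall under the default directive: 1 share, 10% limits
  dbms_resource_manager.update_cdb_default_directive(
    plan                      => 'PDBAAS_CDB_PLAN',
    new_shares                => 1,
    new_utilization_limit     => 10,
    new_parallel_server_limit => 10);
  dbms_resource_manager.validate_pending_area;
  dbms_resource_manager.submit_pending_area;
end;
/
alter system set resource_manager_plan = 'PDBAAS_CDB_PLAN';

-- Pin PDB1 to the profile (DB_PERFORMANCE_PROFILE is static: spfile + reopen) and
-- add the 12.2 hard caps: instance caging and I/O rate limits (non-Exadata)
alter session set container=PDB1;
alter system set db_performance_profile = 'X20' scope=spfile;
alter system set cpu_count = 2;
alter system set max_iops = 5000;
alter system set max_mbps = 200;
alter session set container=CDB$ROOT;
alter pluggable database PDB1 close immediate;
alter pluggable database PDB1 open;

-- Check the directives the plan will apply, per PDB or per profile
select pluggable_database, profile, shares, utilization_limit,
       parallel_server_limit, memory_min, memory_limit
from   dba_cdb_rsrc_plan_directives
where  plan = 'PDBAAS_CDB_PLAN';
```

Pair this with the lockdown rule on the previous slide so that the PDB's local DBA cannot change DB_PERFORMANCE_PROFILE, CPU_COUNT or the MAX_* caps himself; otherwise the caps are only a default he can raise.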

Agenda: 5. Conclusion

How to learn it? The book "12c Multitenant"
Authors
> Anton Els
> Vít Špinka
> Franck Pachot
Reviewers
> Deiby Gómez
> Arup Nanda
> Mike Donovan
When?
> Pre-order now on Amazon
> Delivered 2 weeks after 12.2

Core Message
Agility is not only fast and automated provisioning
> You must give more privileges to avoid roundtrips between Dev and Ops
> But you must establish detailed rules to control and isolate what Dev can do
Lock down options and features, control resource usage
> In addition to fast provisioning:
> Consolidate safely and keep agility
> Provide only the options/features required

Any questions? Please do ask.
Let's meet at booth 242