Multitenant New Security Features

Infrastructure at your Service.

12.2 Multitenant New Security Features: Clarify DevOps and DBA role separation

Upload: hoangnhu

Post on 15-Apr-2018

15.11.2016

About me

Franck Pachot

Principal consultant

Oracle Technology Leader

Mobile +41 79 963 27 22

www.dbi-services.com

dbi services: Who we are

Experts At Your Service

> 50 specialists in IT infrastructure

> Certified, experienced, passionate

Based In Switzerland

> 100% self-financed Swiss company

> Over CHF6 mio. turnover

Leading In Infrastructure Services

> More than 120 customers in CH, D, & F

> Over 40 SLAs dbi FlexService contracted

Agenda

1. DevOps

2. Common and local users

3. Lockdown profiles and PDB isolation

4. Resource manager and PDB parameters

5. Conclusion

DevOps: What is DevOps, What is Agile, What is Cloud?

At operations our goal is stability

> Run same old things for years

> Don't touch anything when it works

> We keep the keys of the system so that nobody breaks it

At development our goal is evolution

> What is ok today will be obsolete tomorrow

> When it works we need to do better

> We need to do it fast: agile

> We can't depend on Ops: fast provisioning, fast refresh, Cloud

DevOps: Roundtrips between Dev and Ops are too long

Each operation requires

> several manual steps

> from multiple teams

Today we need

> More automation

> Faster provisioning

> Fewer roundtrips between Dev and Ops

> Ops provision an isolated database

> Then give all rights on it to Dev

> And automation to clone, refresh,…

DevOps: Roundtrips between Dev and Ops are too long

Need to create databases faster?

> CREATE PLUGGABLE DATABASE

Need to refresh databases faster?

> Snapshots, Thin Clones, refreshable PDBs …

Dev and Ops must communicate

> Set the rules before arguing each request

> Define clearly the Dev privileges:

> Full power on his PDB only

> No side effect on other PDBs

[Diagram labels: Multitenant, Thin Clones, DevOps, Lockdown profiles, Resource manager, Agile. For whatever reason this is called "CLOUD"]

DevOps: Exadata Express Cloud Service

The first Oracle Cloud Service

> Was: Schema as a Service

> Focused on developers (goal was APEX)

At OOW16 Oracle has released a new service for developers:

> PDB as a Service rather than Schema as a Service

> A PDB is a database (public objects, multiple schemas)

> Provisioned in minutes - focused on developers: they are granted DBA

> The CDB is managed by Oracle

So can we give DBA rights to a developer on his PDB without compromising the system?

> Yes, with multitenant architecture, in Oracle Database 12c Release 2

DevOps: Exadata Express lockdown & restrictions

Admin privileges on the PDB, but no access to the system

DevOps: Exadata Express lockdown & restrictions

Admin privileges on the PDB, but using only allocated resources

Agenda

1. DevOps

2. Common and local users

3. Lockdown profiles and PDB isolation

4. Resource manager and PDB parameters

5. Other features

6. Conclusion

Users and privileges: Common and local users

Local users are created in the PDB

> Are known in local container only

> Created in one container with container=current

Common users are created in the CDB

> Are known in all containers

> Created in CDB$ROOT with container=all

> Can change current container with alter session

[Diagram labels: CDB1 (CDB$ROOT, PDB$SEED, PDB_APP1), Local user, Common user]

Users and privileges: Common and local users

Local users are for Dev

> Application schemas

> Application users

> Application admins

Common users are for Ops

> system administrator

> Oracle maintained

> Monitoring,…

Multitenant architecture vs. non-CDB: separation of roles

[Diagram labels: CDB1 (CDB$ROOT, PDB$SEED, PDB_APP1), SYSTEM, APPLICATION]

Users and privileges: Common and local roles and privileges

Local roles and privileges

> Granted to local or common user on local container

Common roles and privileges

> From CDB$ROOT with container=common

> Granted to common users on all containers

So you can grant DBA locally to the PDB local admin

SQL> alter session set container=PDB;
SQL> grant DBA to MY_DEVELOPER container=current;

> But are you sure that his rights are limited to the PDB?

Users and privileges: Demo

Common user: CDB administrator

Local user: PDB administrator

SQL> alter session set container=PDB1;
Session altered.
SQL> create user PDBDBA identified by dev container=current;
User created.
SQL> grant DBA to PDBDBA identified by dev container=current;
Grant succeeded.
SQL> show parameter prefix
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
common_user_prefix                   string      C##
SQL> create user C##CDBDBA identified by ops container=all;
User created.

Lockdown profiles

You want to delegate some DBA roles to a PDB owner

> You need a finer level than system privileges

With lockdown profiles you can lock down local users

> disable database options, features, access to system files, network

> control what can be done by some powerful commands:

> ALTER SYSTEM, ALTER SESSION, ALTER [PLUGGABLE] DATABASE

SQL> create lockdown profile X20;
Lockdown Profile created.
SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------ ---------- ---------- ------
APPDBA_PROF                                                       DISABLE
SQL> alter session set container=PDB1;
Session altered.
SQL> alter system set pdb_lockdown=X20;
System altered.

Lockdown profiles: Demo - disable option

CDB disables some options

SQL> alter lockdown profile DEMO_LOCKDOWN DISABLE option = ('Partitioning');
Lockdown Profile altered.
SQL> select * from dba_lockdown_profiles;
PROFILE_NAME  RULE_TYPE RULE                      CLAUSE       CLAUSE_OPTION  STATUS
------------- --------- ------------------------- ------------ -------------- -------
DEMO_LOCKDOWN OPTION    PARTITIONING                                          DISABLE

Local user: PDB administrator

SQL> create table TEST(c char) partition by hash(c) partitions 2;
create table TEST(c char) partition by hash(c) partitions 2
*
ERROR at line 1:
ORA-00439: feature not enabled: Partitioning
SQL> select banner from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

Lockdown profiles: disable option

You want to disable options (cf. V$OPTION):

> Database queuing (also known as Advanced Queuing)

> Oracle Data Guard

> Partitioning

> Real Application Clusters

for a PDB

SQL> alter lockdown profile APPDBA_PROF disable option = ('Partitioning');
Lockdown Profile altered.
SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------ ---------- ---------- ------
APPDBA_PROF   OPTION    PARTITIONING                              DISABLE

> … disable option all;

> … disable option all except=(…);

Lockdown profiles: disable alter system

Did you ever

SQL> grant ALTER SYSTEM to MY_DEVELOPER;

> so that they can kill their sessions?

> That’s quite a powerful privilege

Alternative:

SQL> create procedure kill_session (…) as begin
       if … /* check if session USERNAME */
       execute immediate 'alter system kill session …'
SQL> grant EXECUTE on kill_session to MY_DEVELOPER;

> Great encapsulation, but how does it work with TOAD ‘kill’ button?

In 12cR2 Multitenant, there is a solution: lockdown profiles

> available in Multitenant, also in Single-Tenant, but not in non-CDB

> to control PDB local users beyond privileges

Lockdown profiles: disable alter system

You want to disable:

> Some ALTER SYSTEM commands

> But not revoke whole ALTER SYSTEM privilege

for a PDB

SQL> alter lockdown profile APPDBA_PROF disable statement = ('ALTER SYSTEM')
     clause all except = ('KILL SESSION');

> Any user will get an ‘ORA-01031: insufficient privileges’ for any ALTER SYSTEM command, except an ALTER SYSTEM KILL SESSION

SQL> select * from DBA_LOCKDOWN_PROFILES;
PROFILE_NAME  RULE_TYPE RULE         CLAUSE       CLAUSE_OPT OPTION_VAL STATUS
------------- --------- ------------ ------------ ---------- ---------- -------
APPDBA_PROF   STATEMENT ALTER SYSTEM                                    DISABLE
APPDBA_PROF   STATEMENT ALTER SYSTEM KILL SESSION                       ENABLE

Lockdown profiles: disable alter system

You want to disable:

> Some ALTER SYSTEM commands

> Allow ALTER SYSTEM SET, but for some parameters only

SQL> alter lockdown profile APPDBA_PROF disable statement = ('ALTER SYSTEM')
     clause = ('SET');
Lockdown Profile altered.
SQL> alter lockdown profile APPDBA_PROF enable statement = ('ALTER SYSTEM') clause =
     ('SET') option = ('undo_retention', 'temp_undo_enabled', 'resumable_timeout',
     'cursor_sharing', 'session_cached_cursors', 'heat_map', 'resource_manager_plan',
     'optimizer_dynamic_sampling');
Lockdown Profile altered.
SQL> select * from DBA_LOCKDOWN_PROFILES where profile_name='APPDBA_PROF';
PROFILE_NAME  RULE_TYPE RULE         CLAUSE  CLAUSE_OPTION             STATUS
------------- --------- ------------ ------- ------------------------- -------
APPDBA_PROF   STATEMENT ALTER SYSTEM SET                               DISABLE
APPDBA_PROF   STATEMENT ALTER SYSTEM SET     CURSOR_SHARING            ENABLE

Lockdown profiles: Demo - alter system

CDB administrator disables ALTER SYSTEM

SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable statement = ('ALTER SYSTEM');

PDB administrator cannot do any ALTER SYSTEM

SQL> alter system kill session '395,37488'
alter system kill session '395,37488'
*
ERROR at line 1:
ORA-01031: insufficient privileges

CDB administrator makes an exception for KILL SESSION

SQL> alter lockdown profile DEMO_LOCKDOWN
  2  enable statement = ('ALTER SYSTEM') clause = ('KILL SESSION');

PDB administrator can use ALTER SYSTEM only to kill sessions

SQL> alter system kill session '395,37488'
System altered.

Lockdown profiles: disable alter system

Example:

SQL> alter system set optimizer_dynamic_sampling=4;
System altered.
SQL> alter system set optimizer_index_cost_adj=1;
alter system set optimizer_index_cost_adj=1
*
ERROR at line 1:
ORA-01031: insufficient privileges

When disabling, we can set the value, a list of values, or a min/max value:

alter lockdown profile APPDBA_PROF disable statement=('ALTER SYSTEM') clause=('SET')
  option=('cursor_sharing') value=('EXACT');

> Sets the value to in spfile

> (re)start the PDB after setting the lockdown profile

Lockdown profiles: disable alter system

ALTER SYSTEM SET PDB_LOCKDOWN can be set only by a common user

18:39:35 SQL> show parameter lockdown
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
pdb_lockdown                         string      DEMO_LOCKDOWN
18:39:43 SQL> alter session set pdb_lockdown='';
ERROR:
ORA-02097: parameter cannot be modified because specified value is invalid
ORA-01031: insufficient privileges

ALTER SYSTEM RESET

> is also disabled by clause=('SET')

Other statements:

> ALTER SESSION (same clause/option as ALTER SYSTEM)

> ALTER DATABASE

> ALTER PLUGGABLE DATABASE
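
The ALTER SYSTEM rules from the preceding slides, as an added example that is not part of the original deck: a Python model that takes rows shaped like DBA_LOCKDOWN_PROFILES and reports which rule decides a given ALTER SYSTEM statement, which helps the CDB administrator explain an ORA-01031 seen in the PDB. The rows are constructed from the slide output; the names Rule, parse_alter_system and evaluate, and the "most specific matching rule wins" ordering, are assumptions of this example, and value=(...) restrictions are not modelled.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    rule: str                     # RULE column, e.g. 'ALTER SYSTEM'
    clause: Optional[str]         # CLAUSE column; None = whole statement
    clause_option: Optional[str]  # CLAUSE_OPTION column; None = whole clause
    status: str                   # 'ENABLE' or 'DISABLE'


# Parameters re-enabled on the slide that disables clause=('SET').
SET_ALLOWLIST = ["undo_retention", "temp_undo_enabled", "resumable_timeout",
                 "cursor_sharing", "session_cached_cursors", "heat_map",
                 "resource_manager_plan", "optimizer_dynamic_sampling"]

# Constructed rows, shaped like the DBA_LOCKDOWN_PROFILES output for APPDBA_PROF.
APPDBA_PROF: List[Rule] = [
    Rule("ALTER SYSTEM", None, None, "DISABLE"),
    Rule("ALTER SYSTEM", "KILL SESSION", None, "ENABLE"),
    Rule("ALTER SYSTEM", "SET", None, "DISABLE"),
] + [Rule("ALTER SYSTEM", "SET", p.upper(), "ENABLE") for p in SET_ALLOWLIST]


def parse_alter_system(sql: str) -> Tuple[str, Optional[str]]:
    """Return (text after ALTER SYSTEM, parameter name or None), upper-cased."""
    m = re.match(r"\s*alter\s+system\s+(.*?);?\s*$", sql, re.I | re.S)
    if not m:
        raise ValueError("not an ALTER SYSTEM statement")
    rest = " ".join(m.group(1).upper().split())
    words = rest.split(" ", 1)
    if words[0] in ("SET", "RESET"):
        # The slides state that RESET is also covered by clause=('SET').
        param = re.match(r"[A-Z0-9_$#]+", words[1] if len(words) > 1 else "")
        return "SET", param.group(0) if param else None
    return rest, None


def evaluate(profile: List[Rule], sql: str) -> Tuple[bool, Optional[Rule]]:
    """Return (allowed, deciding rule). Assumption: the most specific rule wins."""
    rest, option = parse_alter_system(sql)
    best, best_score = None, -1
    for r in profile:
        if r.rule != "ALTER SYSTEM":
            continue
        if r.clause is None:
            score = 0                      # rule on the whole statement
        elif rest == r.clause or rest.startswith(r.clause + " "):
            if r.clause_option is None:
                score = 1                  # rule on the clause
            elif r.clause_option == option:
                score = 2                  # rule on one parameter of the clause
            else:
                continue
        else:
            continue
        if score > best_score:
            best, best_score = r, score
    # No matching rule: the lockdown profile does not restrict the statement,
    # so only the user's privileges apply.
    return (best is None or best.status == "ENABLE"), best


if __name__ == "__main__":
    for stmt in ("alter system kill session '395,37488'",
                 "alter system set optimizer_dynamic_sampling=4;",
                 "alter system set optimizer_index_cost_adj=1;",
                 "alter system flush shared_pool"):
        allowed, rule = evaluate(APPDBA_PROF, stmt)
        print("allowed   " if allowed else "ORA-01031 ", stmt, "<-", rule)
```
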

Lockdown profiles: disable features

You want to disable:

> Network access

> DBMS_DEBUG_JDWP, UTL_HTTP, UTL_INADDR, UTL_SMTP, UTL_TCP

> XDB (the native XML storage in database)

> COMMON_SCHEMA_ACCESS through proxy users

> Such as connect LOCALUSER[C##COMMONUSER]/oracle@//localhost/PDB1

for a PDB

SQL> alter lockdown profile APPDBA_PROF disable feature =
     ('UTL_HTTP','UTL_SMTP','UTL_TCP');

> ‘NETWORK_ACCESS’ disables all networking packages

> ‘OS_ACCESS’ disables all file manipulation

> DROP_TABLESPACE_KEEP_DATAFILES needed to drop a tablespace without 'including datafiles' with non-OMF datafile

> 'AWR_ACCESS' needed to create snapshot…

Lockdown profiles: disable features

Not all documented:

strings $ORACLE_HOME/bin/oracle

NETWORK_ACCESS
COMMON_SCHEMA_ACCESS
UTL_TCP
UTL_HTTP
UTL_SMTP
UTL_INADDR
XDB_PROTOCOLS
CTX_PROTOCOLS
CTX_LOGGING
OS_ACCESS
UTL_FILE
EXTERNAL_PROCEDURES
JAVA_OS_ACCESS
JAVA_RUNTIME
TRACE_VIEW_ACCESS
AQ_PROTOCOLS
EXTERNAL_AND_GLOBAL_AUTHENTICATION
CONNECTIONS
LOCAL_SYSOPER_RESTRICTED_MODE_CONNECT
COMMON_USER_CONNECT
FILE_TRANSFER
AWR_ACCESS
COMMON_USER_LOCAL_SCHEMA_ACCESS
LOCAL_USER_COMMON_SCHEMA_ACCESS
EXTERNAL_FILE_ACCESS
DROP_TABLESPACE_KEEP_DATAFILES
LOB_FILE_ACCESS
ADR_ACCESS

Lockdown profiles: Demo - disable features

CDB administrator disables some features

SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable feature = ('DROP_TABLESPACE_KEEP_DATAFILES');
Lockdown Profile altered.
SQL> alter lockdown profile DEMO_LOCKDOWN
  2  disable feature = ('AWR_ACCESS');
Lockdown Profile altered.

PDB user has insufficient privileges even when having DBA role

SQL> drop tablespace USERS
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> drop tablespace USERS including contents and datafiles;
Tablespace dropped.

> "ORA-01031: insufficient privileges" is the only info. Lockdown rules are not exposed

PDB isolation on OS: PATH_PREFIX and CREATE_FILE_DEST

We want to limit the access to filesystems by a PDB

In 12.1

> PATH_PREFIX for directories

In 12.2

> CREATE_FILE_DEST for directories

SQL> create pluggable database PDB1
     admin user admin identified by password
     create_file_dest='/u02/app/oracle/oradata/CDB2/PDB1';
Pluggable database created.
SQL> create tablespace APPDATA datafile '/tmp/appdata.dbf' size 5M;
create tablespace APPDATA datafile '/tmp/appdata.dbf' size 5M
*
ERROR at line 1:
ORA-65250: invalid path specified for file - /tmp/appdata.dbf

PDB isolation on OS: PDB_OS_CREDENTIALS

A user can run a program on the host through

> dbms_scheduler

> external procedure

You don’t want it to run as the oracle user

You create the credential for another OS user

And limit a PDB to use this user:

exec dbms_credential.create_credential(credential_name=>'PDB1_OS_USER', username=>'limitedUser', password=>'secret');
alter session set container=PDB1;
-- reference the credential created above
alter system set pdb_os_credential=PDB1_OS_USER scope=spfile;

Resource Manager: Controls PDB usage of CDB resources

Which resources?

> CPU, Parallel servers, Exadata I/O

Define SHARES to guarantee a minimum

> Ensures that all PDBs get their part

> When all CDB resources are used

> PDBs that use more than their share will wait

Define UTILIZATION_LIMIT to throttle usage

> In percentage of CDB resources

> PDBs that use more than a percentage of CDB resources wait

> Parallel_utilization_limit is a % of parallel_servers_target

Resource Manager: New in 12.2: memory usage

Which resources?

> Memory (PGA, Buffer Cache and Shared Pool)

Define MEMORY_MIN for minimum allocation

> Percentage scaled to 100% -> similar to shares

> PDB using more is preferred for releasing memory

> PDB using less is preferred for memory allocation

Define MEMORY_LIMIT for maximum allocation

> In percentage of CDB memory

> PDBs that use more than a percentage need to release before allocating

Resource Manager: New in 12.2: Performance categories

For rapid provisioning (cloud)

> A CDB can define multiple profiles

A CDB plan defines the profile

DBMS_RESOURCE_MANAGER.create_cdb_profile_directive(
  plan => 'PDBAAS_CDB_PLAN',
  profile=> 'X20', shares=> 2, utilization_limit=> 20, memory_limit=> 20);

Each PDB sets its performance profile

alter lockdown profile &&prof_name
  disable statement=('ALTER SYSTEM') clause=('SET')
  option=('db_performance_profile') value=('X20');

Resource Manager: PDB memory parameters

Fixed minimum and maximum size at PDB level

> Only if you use ASMM for CDB, not AMM

PGA_AGGREGATE_TARGET

> Soft limit for PGA tunable size (workarea, goes to TEMP when reached)

PGA_AGGREGATE_LIMIT

> Hard limit for PGA. Aborts calls or session when limit is reached

SGA_MIN_SIZE

> Minimum SGA size for the PDB

SGA_TARGET

> Maximum SGA size for the PDB

DB_CACHE_SIZE, SHARED_POOL_SIZE

> Minimums at PDB levels

Resource Manager: PDB I/O and CPU parameters

Throttles I/O done to PDB datafile (non-Exadata only)

> Wait event "I/O rate limit"

> At CDB level they act as a default for all PDBs

CPU_COUNT

> Instance caging at PDB level: sets maximum threads

> Replaces UTILIZATION_LIMIT for CPU

SQL> select * from v$parameter where name like 'max_____' or name='cpu_count';
NAME         DESCRIPTION                                          ISPDB
------------ ---------------------------------------------------- -----
max_iops     MAX IO per second                                    TRUE
max_mbps     MAX MB per second                                    TRUE
cpu_count    number of CPUs for this instance                     TRUE

12c Multitenant: How to learn it?

Authors

> Anton Els

> Vít Špinka

> Franck Pachot

Reviewers

> Deiby Gómez

> Arup Nanda

> Mike Donovan

When?

> Pre-order now on Amazon

> Delivered 2 weeks after 12.2

12c Multitenant: Core Message

Agility is not only fast and automated provisioning

> You must give more privileges to avoid roundtrips between Dev and Ops

> But you must establish detailed rules to control and isolate what Dev can do

Lockdown options and features, control resource usage

> In addition to fast provisioning:

> Consolidate safely and keep agility

> Provide only options/features required

Any questions? Please do ask.

Let’s meet at booth 242