Oracle® Cloud Using Oracle Database Cloud Service
Part Number E27038-03
The Oracle Database Cloud is a multi-tenant environment, based on schema isolation. To ensure the security of each tenant's data, as well as the overall performance integrity of the entire Oracle Database Cloud environment, some aspects of the Oracle Database, Enterprise Edition, have to be curtailed or completely eliminated.
The limitations required to protect security and performance integrity are detailed in this section. None of the limitations listed in this section were put in place as an attempt to limit the functionality of the Oracle Database Cloud. Virtually all standard SQL and PL/SQL syntax and constructs used with the Oracle Database work in the Oracle Database Cloud.
A Database Cloud Service is an individual Service within the Oracle Database Cloud. Data within an individual Database Cloud Service is completely separated from data in all other Services in the Oracle Database Cloud, as described in more detail below.
Database Cloud Service administrators can define users for the Services that they administer. Database Cloud Service users can be defined with the Cloud Identity Manager or within the Administration area of the development platform for the Database Cloud Service itself. If a user is defined with the Cloud Identity Manager, they must use the same tool to manage their profile; if a user is defined through the Administration area of the development platform, they must manage their profile through that platform. Administrators and developers for a Database Cloud Service must be defined with the Cloud Identity Manager and given the appropriate security role, as described below.
There are several types of threats that could be used to compromise the Oracle Database Cloud, and some specific areas that are potential security weaknesses.
Any interaction with the operating system or file system.
This includes the use of BFILEs or external LOBs, operating system ACLs, database DIRECTORY capabilities and any option, feature or supplied PL/SQL package that allows file handling (UTL_FILE, DBFS, XDB, etc.).
Any native interaction with the network.
This includes any database capability that provides access to TCP sockets, HTTP or SMTP requests, hostname or IP address lookup, Oracle Streams or Advanced Queues, database links, replication operations, network ACLs, or any other option, feature or supplied PL/SQL that has network access or permissions. Inbound and outbound Web Service requests are allowed through the use of inbound RESTful Web Services or using the APEX Web Services APIs for calling external services. Sending email is also allowed using the APEX Mail API, within limits described below.
Database operations that might allow one tenant user to access another tenant's data or code.
This includes any GRANTs on anything to anyone, and any option, feature or supplied PL/SQL that provides granted access to PUBLIC, ANONYMOUS or APEX_PUBLIC_USER.
Tenant users with objects with "coded identifiers" that could allow cross-schema access.
Any database view that may allow a tenant user to access any information about another tenant (for example, all DBA_% or V$% data dictionary views and some ALL_% data dictionary views).
Database operations that might impact the integrity of the service or another user.
This is the control of a tenant's use of any shared system resources, where the tenant could reduce the availability of these resources either accidentally or maliciously. These shared resources include CPU, I/O, memory or any internal objects or handles that use CPU, I/O and memory. This also includes anything stored in the SYSTEM tablespace, TEMP or UNDO tablespaces.
Database operations that might be used to launch a denial of service (DoS) attack on the database service itself or on some other system.
This consists of many of the threats already mentioned, but specifically includes code that can easily create an attack, like job scheduling.
This section outlines the Oracle Database Cloud Service specifications.
The current version of the Oracle Database Cloud Service is based on Oracle Database 11g Release 2, Enterprise Edition with each quarterly security patch set applied. The only option included in the Oracle Database Cloud Service is the Partitioning Option.
The following features and components are not part of the current version of the Oracle Database Cloud Service:
Oracle Database Extensions for .NET
Oracle Database Vault
Oracle Java VM
Oracle Label Security
Oracle Warehouse Builder
The following schemas and data are not accessible in the Oracle Database Cloud:
Local Enterprise Manager repository
Oracle Data Mining RDBMS APIs for file access
The following sections describe various SQL syntax in the Oracle Database Cloud Service.
CREATE statements have a broad range of syntax and options. The appendices for this paper list all allowed statements, but this list includes the most common allowed CREATE statements in an Oracle Database Cloud Service:
The following SQL statements cannot be used in an Oracle Database Cloud Service:
CREATE JOB (Background jobs can be created through the CLOUD_SCHEDULER package)
CREATE MATERIALIZED VIEW
CREATE DATABASE LINK
Some ALTER SESSION options, although most session level changes for NLS or character sets are still allowed
Additionally, parallel operations are not supported on the Oracle Database Cloud, so any SQL DDL clauses that allow for parallel operations are not supported.
Oracle Database 11g Release 2 includes many PL/SQL packages to deliver extended functionality. The following sections list the PL/SQL packages that are part of the Oracle Database Cloud Service and some prominent packages which are not included.
The following PL/SQL packages and types are included in the Oracle Database Cloud Service:
All DBMS_XML% packages and types
All DBMS_XQUERY% packages and types
All ODCI% packages and types
All OWA% packages and types
All UTL_NLA% packages and types
All XQ% packages and types
All packages not listed here are not available in the Oracle Database Cloud Service.
By default, all Application Express applications and RESTful Web Services execute with the privileges of the schema owner. You can create users within the Application Express environment and use authentication schemes to limit access to application objects at all levels in your application through Application Express.
You cannot use a GRANT command to assign access to another user, since other schema owners are not allowed to access your schema objects in the schema-isolation multi-tenant environment of the Oracle Database Cloud.
You can also assign security across multiple dimensions, including origin, application and users, for any RESTful Web Services. Please refer to the white paper on Oracle Database Cloud security for more details on these topics.
The following limitations apply to DDL (Data Definition Language) syntax:
You cannot use any PARALLEL syntax in defining tables.
You cannot use quoted identifiers with special characters.
You cannot define BFILEs or external LOBs.
You cannot use external tables.
You cannot specify any caching for database objects.
By default, you can use all Oracle SQL syntax for SQL statements used against your Oracle Database Cloud Service. The following limitations apply to SQL queries:
No PARALLEL hints allowed
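As an added example (not part of Oracle's documentation or tooling), the following Python check scans a SQL script for the restricted statements and DDL/SQL constructs listed above before it is loaded into a Database Cloud Service. The function name check_script, the regular expressions and the sample script are assumptions made for this illustration; splitting on semicolons is a simplification that suits plain DDL scripts, not PL/SQL blocks.

```python
import re

# Restricted constructs named on this page; each regex is this example's own
# approximation of the rule, not Oracle's enforcement logic.
RULES = [
    ("CREATE JOB", r"\bCREATE\s+JOB\b"),
    ("CREATE MATERIALIZED VIEW", r"\bCREATE\s+MATERIALIZED\s+VIEW\b"),
    ("CREATE DATABASE LINK",
     r"\bCREATE\s+(?:SHARED\s+)?(?:PUBLIC\s+)?DATABASE\s+LINK\b"),
    ("GRANT", r"\A\s*GRANT\b"),
    ("PARALLEL clause or hint", r"\bPARALLEL\b"),
    ("BFILE / external LOB", r"\bBFILE\b"),
    ("external table", r"\bORGANIZATION\s+EXTERNAL\b"),
]
SPECIAL_IDENT = "quoted identifier with special characters"

# Text that must not trigger keyword rules. Optimizer hints (/*+ ... */ and
# --+ ...) are deliberately kept so that PARALLEL hints are still seen.
NOISE = re.compile(
    r'("[^"]*")'            # quoted identifier: kept as-is for the check below
    r"|'(?:[^']|'')*'"      # string literal: dropped
    r"|--(?!\+)[^\n]*"      # line comment that is not a hint: dropped
    r"|/\*(?!\+).*?\*/",    # block comment that is not a hint: dropped
    re.S)

def check_script(sql):
    """Return (statement_number, rule_label) for each restricted construct."""
    cleaned = NOISE.sub(lambda m: m.group(1) or " ", sql)
    statements = [s for s in cleaned.split(";") if s.strip()]
    findings = []
    for number, stmt in enumerate(statements, start=1):
        for label, pattern in RULES:
            if re.search(pattern, stmt, re.I):
                findings.append((number, label))
        for name in re.findall(r'"([^"]*)"', stmt):
            if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_$#]*", name):
                findings.append((number, SPECIAL_IDENT))
    return findings

# Constructed sample script (not from the page).
SAMPLE = """
-- nightly load, previously run in PARALLEL on premises
CREATE TABLE orders (id NUMBER, note VARCHAR2(40) DEFAULT 'parallel; later');
CREATE TABLE big_orders (id NUMBER) PARALLEL 4;
CREATE TABLE "order-lines" (id NUMBER, doc BFILE);
SELECT /*+ PARALLEL(o 4) */ COUNT(*) FROM orders o;
GRANT SELECT ON orders TO other_tenant;
CREATE DATABASE LINK remote_db CONNECT TO u IDENTIFIED BY p USING 'remote';
"""

if __name__ == "__main__":
    for number, label in check_script(SAMPLE):
        print(f"statement {number}: {label}")
```

Statement 1 of the sample produces no finding: the word "parallel" appears there only in a comment and a string literal, both of which are discarded before the rules run.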
The core of the Oracle Database Cloud development environment is Application Express, which is also a no-cost option for all versions of the Oracle Database since Oracle Database 10g Release 2. There are three areas of functionality which are limited when used for applications within the Oracle Database Cloud environment:
Background Jobs - An Oracle Database Cloud Service will be able to submit jobs, but is limited to a maximum of 10 defined jobs and 5 jobs running or scheduled at any one time. Jobs will be subject to resource limitations imposed by Database Resource Manager, similar to the way overall resources are limited and described below. These limits and conditions will be implemented through a PL/SQL package called CLOUD_SCHEDULER.
E-mails - An Oracle Database Cloud Service will be limited to 5,000 emails in a 24 hour period.
Outbound Web Service calls - An Oracle Database Cloud Service application can make outbound Web Service calls through the APEX_WEB_SERVICE PL/SQL package. These calls can only use HTTPS or SSL and will use a proxy server from within the Oracle Database Cloud.
Access to standard data dictionary objects in the Oracle Database is limited, since the security requirements of schema isolation prevent any user from seeing or knowing the existence of other schemas.
The following data dictionary views and synonyms are accessible from an Oracle Database Cloud Service:
All USER_% views
You can also view schema objects in both SQL Developer and the SQL section of the Application Express development environment.
The Oracle Database excels at managing shared resources among thousands of database users. The Oracle Database Cloud Service uses this proven ability to distribute machine resources among tenants.
The Oracle Database Cloud uses Database Resource Manager consumer groups to prevent any tenant from impacting the performance of other tenants. All tenant operations are initially placed in a consumer group with maximum access to resources. If a user exceeds the resource limitations of this initial consumer group, their user process is pushed to a lower priority user group, with a much longer limit on resource consumption, but a lower priority. If a user process exceeds this limit, it is pushed to a lower priority group with a much higher resource limit.
If a user process should exceed this last limit, the process may be terminated. Please be aware that this lowest consumer group allows for the consumption of up to 30 seconds of dedicated CPU time, a threshold which is normally only crossed by runaway processes.