10.5 Database Security in Multitenant Environment
Oracle Multitenant Isolation is a set of security principles implemented by the Oracle Multitenant architecture. It is designed to guard each tenant's data and the performance integrity of every aspect of Oracle Database, both for on-premises databases and on Oracle Cloud Infrastructure.
PDB isolation is the part of Oracle Multitenant Isolation that defines what an individual PDB is allowed to do. This release enhances Oracle JVM support for PDB isolation in the following ways:
Additional Flexibility in Specifying Oracle JVM OS Access Restrictions
The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM operating system (OS) access restrictions in PDB lockdown profiles:
New Role of the JAVA_OS_ACCESS Lockdown Profile Feature
The existing JAVA_OS_ACCESS lockdown profile feature, which controls the java.io.FilePermission Java permission, is assigned a new, closely related role: it now also controls the file-access checks in the Oracle JVM run time. The two roles work together. For Java code in a PDB to read or write a file, the lockdown profile in force must permit Java file access, and the schema running the code must hold a java.io.FilePermission for that path granted through DBMS_JAVA.GRANT_PERMISSION. Either gate alone is enough to refuse the operation.
The OS_ACCESS Lockdown Profile Feature Bundle
You can still use the existing OS_ACCESS lockdown profile feature bundle to disable file access in the Oracle JVM run time, as long as its constituent feature JAVA_OS_ACCESS is not separately enabled. Disabling OS_ACCESS and then enabling JAVA_OS_ACCESS re-opens Java file access only; the other kinds of OS access in the bundle stay disabled.
Examples of Enhanced Oracle JVM OS Access Restrictions
This section describes how to take advantage of the enhanced Oracle JVM OS access restrictions:
Earlier, you used the following command to disable all OS access from Java:
ALTER LOCKDOWN PROFILE my_profile1 DISABLE FEATURE ('OS_ACCESS');
Now, you can use the following commands to disable all OS access from Java, except file access:
ALTER LOCKDOWN PROFILE my_profile2 DISABLE FEATURE ('OS_ACCESS');
ALTER LOCKDOWN PROFILE my_profile2 ENABLE FEATURE ('JAVA_OS_ACCESS');
Complete Example
This is a complete example that demonstrates the following:
- Creating a new PDB with the PATH_PREFIX clause value set
- Creating a new lockdown profile that disables all types of OS access, except for Java file operations
- Linking the new lockdown profile to the PDB
- Administering the users in the new PDB with the ability to read and write files inside the PATH_PREFIX
Example 10-6 Complete Example Demonstrating Oracle JVM OS Access Restrictions
- Create a PDB named cdb1_pdb5 while connected to the CDB root (cdb1_pdb0) as the SYS user. The PATH_PREFIX clause confines all file access from this PDB to the /d1/pdbs/pdb5/ directory tree:
create pluggable database cdb1_pdb5 admin user admin identified by manager
  file_name_convert = ('cdb1_pdb0','cdb1_pdb5')
  path_prefix = '/d1/pdbs/pdb5/';
- Create a lockdown profile that disables the OS_ACCESS and NETWORK_ACCESS feature bundles, then enable the JAVA_OS_ACCESS feature so that Java file operations are the only form of OS access left open:
create lockdown profile java_profile;
alter lockdown profile java_profile disable feature=('OS_ACCESS');
alter lockdown profile java_profile disable feature=('NETWORK_ACCESS');
alter lockdown profile java_profile enable feature=('JAVA_OS_ACCESS');
- Associate the JAVA_PROFILE lockdown profile with the cdb1_pdb5 PDB:
alter session set container = cdb1_pdb5;
alter system set pdb_lockdown = java_profile;
- Restart the database after altering the system, reopen the PDBs, and grant the local PDB administrator the privileges it needs:
alter session set container = cdb1_pdb0;   -- this is the root
shutdown abort
startup pfile = t_initvm1.ora
alter pluggable database all open;
alter session set container = cdb1_pdb5;
grant create session, create procedure, create public synonym to admin;
grant create table to admin;
-- add other grants to the local PDB admin as required
- Grant the ADMIN user the Java permission for file access operations. The trailing /- in the path makes the permission recursive over the whole PATH_PREFIX tree, so keep this grant limited to administrators:
call dbms_java.grant_permission('ADMIN', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/-', 'read,write,delete');
- Create a regular user in cdb1_pdb5:
create user juser identified by juser;
grant create session to juser;
- Grant juser narrower permissions for file access operations, one file at a time and only for paths inside the PATH_PREFIX:
call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/file1.txt', 'read');
call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/file2.txt', 'read,write');
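The following script is added here as an illustration; it is not part of Oracle's Example 10-6. It verifies the configuration that the example produces and then exercises it from a Java stored procedure, so that a denied file access shows up as a value in a SELECT rather than as an unhandled error. It assumes the names from the example (cdb1_pdb5, java_profile, ADMIN, /d1/pdbs/pdb5/) and that /d1/pdbs/pdb5/file1.txt exists on the database host. The Java class PdbFileCheck and the PL/SQL function read_first_line are hypothetical names chosen for this example. Run the verification queries as a user with SELECT_CATALOG_ROLE (for example SYS in the PDB) and the Java part as ADMIN.

```sql
-- Part 1: verify the lockdown configuration (SYS or a user with
-- SELECT_CATALOG_ROLE, connected to cdb1_pdb5).
alter session set container = cdb1_pdb5;

-- Which lockdown profile is in force for this PDB?
select name, value
  from v$system_parameter
 where name = 'pdb_lockdown';

-- What the profile enables and disables. Each rule is listed as it was
-- specified in ALTER LOCKDOWN PROFILE; the JAVA_OS_ACCESS row with
-- STATUS = 'ENABLE' is the exception that re-opens Java file access.
select rule_type, rule, status
  from dba_lockdown_profiles
 where profile_name = 'JAVA_PROFILE'
 order by rule;

-- Java permissions granted in this PDB. Every file path here should sit
-- under the PATH_PREFIX /d1/pdbs/pdb5/; anything else is a review finding.
select grantee, permission_type, permission_name, permission_action, enabled
  from dba_java_policy
 where permission_type = 'java.io.FilePermission'
   and grantee in ('ADMIN', 'JUSER')
 order by grantee, permission_name;

-- Part 2: exercise file access from Java (run as ADMIN in cdb1_pdb5).
-- Hypothetical class: reads the first line of a file and returns either the
-- line or the exception that stopped it, so a denial is visible from SQL.
create or replace and compile java source named "PdbFileCheck" as
import java.io.BufferedReader;
import java.io.FileReader;

public class PdbFileCheck {
    public static String readFirstLine(String path) {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            String line = in.readLine();
            return "OK: " + (line == null ? "<empty file>" : line);
        } catch (Exception e) {   // AccessControlException, IOException, ...
            return "DENIED: " + e.getClass().getName() + ": " + e.getMessage();
        }
    }
}
/

create or replace function read_first_line(p_path in varchar2) return varchar2
as language java
name 'PdbFileCheck.readFirstLine(java.lang.String) return java.lang.String';
/

-- Inside the PATH_PREFIX and covered by ADMIN's recursive FilePermission:
-- permitted while JAVA_OS_ACCESS is enabled in java_profile.
select read_first_line('/d1/pdbs/pdb5/file1.txt') as inside_prefix from dual;

-- Outside the PATH_PREFIX: no FilePermission was granted for this path and
-- the PDB's PATH_PREFIX confines file access to /d1/pdbs/pdb5/, so this is
-- refused even though ADMIN owns the procedure.
select read_first_line('/etc/hosts') as outside_prefix from dual;

-- Control test for the profile gate: disable JAVA_OS_ACCESS again from the
-- CDB root and re-run the inside_prefix query. It is now refused as well,
-- showing that the lockdown feature and the Java permission are two
-- independent gates and both must be open.
-- alter session set container = cdb1_pdb0;
-- alter lockdown profile java_profile disable feature=('JAVA_OS_ACCESS');
```

The DBA_JAVA_POLICY query is the check worth keeping in a periodic review: a FilePermission whose PERMISSION_NAME lies outside the PDB's PATH_PREFIX cannot be exercised, but its presence usually means the grant was written against the wrong container or before PATH_PREFIX was set.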
Additional Flexibility in the Oracle JVM Networking Access Restrictions
The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM networking access restrictions in PDB lockdown profiles:
New Role of the UTL_TCP Lockdown Profile Feature
The existing UTL_TCP lockdown profile feature, which controls the PL/SQL TCP functionality, is assigned a new, closely related role: it now also controls TCP operations in the Oracle JVM run time. A single feature therefore governs raw TCP connectivity whether it is requested from PL/SQL or from Java.
New Role of the UTL_HTTP Lockdown Profile Feature
The existing UTL_HTTP lockdown profile feature, which controls the PL/SQL HTTP functionality, is assigned a new, closely related role: it now also controls HTTP connectivity in the Oracle JVM run time. A single feature therefore governs HTTP connectivity whether it is requested from PL/SQL or from Java.
The NETWORK_ACCESS Lockdown Profile Feature Bundle
You can still use the existing NETWORK_ACCESS lockdown profile feature bundle to disable networking in the Oracle JVM run time as a whole. As with OS_ACCESS, disabling the bundle and then enabling one constituent feature (UTL_HTTP or UTL_TCP) re-opens only that kind of connectivity, for both PL/SQL and Java.
Important Notes for Database Administrators
This release further enhances the ability of CDB database administrators to configure safe lockdowns for PDBs that allow file access from Oracle JVM. For security and isolation, always use the PATH_PREFIX clause when any form of file access is allowed for a PDB; without it, the PDB's Java file access is bounded only by the java.io.FilePermission grants its schemas hold.
This section summarizes the important enhancements made to the PDB isolation feature for CDB administrators:
- Earlier, disabling the OS_ACCESS feature in a lockdown profile meant disabling all OS access from Java, including file operations. Now, a lockdown profile can enable only the Java file operations, while other types of OS access from Java remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('OS_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_OS_ACCESS');
- Earlier, disabling the NETWORK_ACCESS feature in a lockdown profile meant disabling all network access from Java. Now, a lockdown profile can selectively enable HTTP connectivity (PL/SQL and Oracle JVM), while other types of networking remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('UTL_HTTP');
- Likewise, a lockdown profile can selectively enable TCP connectivity (PL/SQL and Oracle JVM), while other types of networking remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('UTL_TCP');
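As an added example, not from the original page, the following script builds the HTTP-only variant of the profile described above and gives a Java stored procedure the means to exercise it. The profile name http_only_profile, the class NetCheck, the functions http_probe and tcp_probe, and the target host www.example.com are hypothetical choices for this example; the PDB cdb1_pdb5 and user ADMIN are taken from Example 10-6. The java.net.SocketPermission grant is the standard Oracle JVM permission for outbound connections and is needed in addition to the lockdown feature, for the same two-gate reason as with file access. Run the profile statements from the CDB root, the grant as SYS in the PDB, and the rest as ADMIN.

```sql
-- In the CDB root: an HTTP-only networking profile. NETWORK_ACCESS disables
-- every kind of network access (PL/SQL and Oracle JVM); re-enabling UTL_HTTP
-- re-opens HTTP connectivity only, for both PL/SQL and Java, while raw TCP
-- (governed by UTL_TCP) stays disabled.
create lockdown profile http_only_profile;
alter lockdown profile http_only_profile disable feature=('NETWORK_ACCESS');
alter lockdown profile http_only_profile enable feature=('UTL_HTTP');

alter session set container = cdb1_pdb5;
alter system set pdb_lockdown = http_only_profile;

-- Java permission gate (SYS in cdb1_pdb5): even with UTL_HTTP enabled, a
-- schema needs a java.net.SocketPermission for the target host and port
-- before the JVM lets it connect.
call dbms_java.grant_permission('ADMIN', 'SYS:java.net.SocketPermission',
                                'www.example.com:80', 'connect,resolve');

-- As ADMIN in cdb1_pdb5: probes that report the outcome instead of raising,
-- so the effect of the profile can be read from a SELECT.
create or replace and compile java source named "NetCheck" as
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.URL;

public class NetCheck {
    // HTTP request through the JDK HTTP client.
    public static String httpProbe(String url) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setRequestMethod("HEAD");
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            return "OK: HTTP " + c.getResponseCode();
        } catch (Exception e) {
            return "DENIED: " + e.getClass().getName() + ": " + e.getMessage();
        }
    }

    // Raw TCP connect to the same host and port, no HTTP involved.
    public static String tcpProbe(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 5000);
            return "OK: TCP connected";
        } catch (Exception e) {
            return "DENIED: " + e.getClass().getName() + ": " + e.getMessage();
        }
    }
}
/

create or replace function http_probe(p_url in varchar2) return varchar2
as language java
name 'NetCheck.httpProbe(java.lang.String) return java.lang.String';
/

create or replace function tcp_probe(p_host in varchar2, p_port in number) return varchar2
as language java
name 'NetCheck.tcpProbe(java.lang.String, int) return java.lang.String';
/

-- Per the description above, http_only_profile lets the HTTP probe through
-- and refuses the raw TCP probe. Swapping UTL_HTTP for UTL_TCP in the profile
-- inverts the two results; disabling NETWORK_ACCESS alone refuses both.
select http_probe('http://www.example.com/') as http_result,
       tcp_probe('www.example.com', 80)      as tcp_result
  from dual;
```

Keeping the two probes as separate functions is deliberate: when an application reports that "networking is broken" in a locked-down PDB, running both tells you immediately whether the profile is blocking all networking, blocking only the transport the application uses, or whether the missing piece is a SocketPermission grant rather than the profile at all.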
See Also:
- Oracle Multitenant Isolation White Paper
- ALTER LOCKDOWN PROFILE for a description of PDB lockdown profile features
- CREATE PLUGGABLE DATABASE for more information about the PATH_PREFIX clause
- PDB_OS_CREDENTIAL for more information about the PDB_OS_CREDENTIAL initialization parameter