10.5 Database Security in a Multitenant Environment
Oracle Multitenant Isolation is a set of security principles implemented by the Oracle Multitenant Architecture. It is designed to guard each tenant's data, and the overall performance integrity of all aspects of Oracle Database, both on-premises and on Oracle Cloud Infrastructure.
Oracle Multitenant Isolation is supported with PDB lockdown profiles and PDB initialization options, such as PATH_PREFIX and PDB_OS_CREDENTIAL. Oracle JVM has supported Multitenant Isolation since Oracle Database Release 12c. This section describes the PDB lockdown profile features and PDB initialization parameters that Oracle JVM currently supports.
Supported PDB Lockdown Profile Features
Feature or Bundle Name | Description |
---|---|
JAVA | Disables or enables Java in the Database as a whole. |
OS_ACCESS (Bundle) | Disables or enables all kinds of OS access from Java. |
JAVA_RUNTIME | Disables or enables Java operations that require java.lang.RuntimePermission. It disables risky operations such as creating or retrieving class loaders, replacing the security manager, and so on. |
JAVA_OS_ACCESS | Disables or enables JVM file operations as well as the ability to grant Java permissions of type java.io.FilePermission, which effectively disables the ability to access files using Java. It is a feature under the OS_ACCESS bundle. (See footnote 1.) |
NETWORK_ACCESS (Bundle) | Disables or enables all networking to and from Java. |
JAVA_TCP | Disables or enables Java TCP operations. It is a feature under the NETWORK_ACCESS bundle. Refer to the following section for more information. |
JAVA_HTTP | Disables or enables Java HTTP operations. It is a feature under the NETWORK_ACCESS bundle. Refer to the following section for more information. |
Footnote 1: The name of the feature is historical and may be confusing. This feature is related only to file access and not to all Java OS operations. Refer to the following section for details about enabling Java file operations while disabling other kinds of OS operations.
Supported PDB Initialization Parameters and Clauses
Name | Description |
---|---|
PATH_PREFIX (Clause of the CREATE PLUGGABLE DATABASE statement) | Confines OS file access to paths within the PATH_PREFIX directory, regardless of the file access permission grants that are in effect. |
PDB_OS_CREDENTIAL (Initialization Parameter) | Forces Oracle JVM to use the specified OS user identity, and not the Oracle user identity, when forking OS processes through Runtime.exec(). |
Starting from the current release, Oracle JVM enhances the support for PDB lockdown profiles, providing more flexibility as described in the following sections.
Note: The enhancements described in the following sections are also available in Oracle Database Release 19c and 21c through backports.
Additional Flexibility in Specifying Oracle JVM OS Access Restrictions
The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM Operating System (OS) Access Restrictions in PDB lockdown profiles:
New Role of the JAVA_OS_ACCESS Lockdown Profile Feature
The existing JAVA_OS_ACCESS lockdown profile feature, which controls the java.io.FilePermission Java permission, is assigned a new, closely related role. It now also controls the file-access checks in the Oracle JVM run time. This new role blends well with its existing role of controlling the file permissions.
The OS_ACCESS Lockdown Feature Bundle
You can still use the existing OS_ACCESS lockdown profile feature bundle to disable file access in the Oracle JVM run time, as long as its constituent feature JAVA_OS_ACCESS is not configured to enable the file-access checks of Oracle JVM.
Examples of Enhanced Oracle JVM OS Access Restrictions
This section describes how to take advantage of the enhanced Oracle JVM OS access restrictions:
Earlier, you used the following command to disable all OS access from Java:
ALTER LOCKDOWN PROFILE my_profile1 DISABLE FEATURE ('OS_ACCESS');
Now, you can use the following commands to disable all OS access from Java, except file access:
ALTER LOCKDOWN PROFILE my_profile2 DISABLE FEATURE ('OS_ACCESS');
ALTER LOCKDOWN PROFILE my_profile2 ENABLE FEATURE ('JAVA_OS_ACCESS');
Complete Example
This is a complete example that demonstrates the following:
- Creating a new PDB with the PATH_PREFIX clause value set
- Creating a new lockdown profile that disables all types of OS access, except for Java file operations
- Linking the new lockdown profile to the PDB
- Administering the users in the new PDB with the ability to read and write files inside the PATH_PREFIX
Example 10-6 Complete Example Demonstrating Oracle JVM OS Access Restrictions
- Create a PDB named cdb1_pdb5 while connected as the root SYS user, where cdb1_pdb0 is the CDB root:
create pluggable database cdb1_pdb5 admin user admin identified by manager file_name_convert = ('cdb1_pdb0','cdb1_pdb5') path_prefix='/d1/pdbs/pdb5/';
- Create a lockdown profile and set it to disable the OS_ACCESS and NETWORK_ACCESS features, and enable the JAVA_OS_ACCESS feature:
create lockdown profile java_profile;
alter lockdown profile java_profile disable feature=('OS_ACCESS');
alter lockdown profile java_profile disable feature=('NETWORK_ACCESS');
alter lockdown profile java_profile enable feature=('JAVA_OS_ACCESS');
- Associate the JAVA_PROFILE lockdown profile with the cdb1_pdb5 PDB:
alter session set container = cdb1_pdb5;
alter system set pdb_lockdown = java_profile;
- Restart the database after altering the system:
alter session set container = cdb1_pdb0; -- this is the root
shutdown abort
startup pfile = t_initvm1.ora
alter pluggable database all open;
alter session set container = cdb1_pdb5;
grant create session, create procedure, create public synonym to admin;
grant create table to admin;
-- add other grants to the local PDB admin as required
- Grant permissions to user ADMIN for file access operations:
call dbms_java.grant_permission('ADMIN', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/-', 'read,write,delete');
- Create a regular user in cdb1_pdb5:
create user juser identified by juser;
grant create session to juser;
- Grant juser the permissions for file access operations:
call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/file1.txt', 'read');
call dbms_java.grant_permission('JUSER', 'SYS:java.io.FilePermission', '/d1/pdbs/pdb5/file2.txt', 'read,write');
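After a lockdown like Example 10-6 is in place, an administrator normally wants to confirm that the profile rules, the Java permission grants and the run-time checks actually behave as intended. The following verification script is an added example and is not part of the Oracle documentation; it assumes the objects created in Example 10-6 (lockdown profile JAVA_PROFILE bound to PDB cdb1_pdb5 with PATH_PREFIX '/d1/pdbs/pdb5/', users ADMIN and JUSER). The Java class name FileProbe, the function name file_probe and the two file paths probed at the end are chosen for this example, and the files are assumed to exist on the database host.

```sql
-- Added verification example (not from the Oracle documentation).
-- Assumes the objects from Example 10-6: PDB cdb1_pdb5 with PATH_PREFIX
-- '/d1/pdbs/pdb5/', lockdown profile JAVA_PROFILE, users ADMIN and JUSER.

-- 1. As SYS in the CDB root: confirm the effective feature rules of the
--    profile. Expected rows: OS_ACCESS DISABLE, NETWORK_ACCESS DISABLE,
--    JAVA_OS_ACCESS ENABLE.
SELECT profile_name, rule_type, rule, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'JAVA_PROFILE'
   AND rule_type = 'FEATURE'
 ORDER BY rule;

-- 2. As SYS inside the PDB: confirm the profile is bound to cdb1_pdb5
--    (SHOW PARAMETER is a SQL*Plus command).
ALTER SESSION SET CONTAINER = cdb1_pdb5;
SHOW PARAMETER pdb_lockdown

-- 3. Still inside the PDB: list the Java file permissions that were
--    granted. Every granted path should lie under the PATH_PREFIX directory;
--    anything else is a grant that PATH_PREFIX will silently neutralize.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND grantee IN ('ADMIN', 'JUSER')
 ORDER BY grantee, name;

-- 4. Connected as ADMIN in cdb1_pdb5 (ADMIN holds CREATE PROCEDURE from
--    Example 10-6): probe the run-time checks with a small Java stored
--    function. Class and function names are chosen for this example.
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "FileProbe" AS
public class FileProbe {
    // Try to open the given path for reading and report the outcome
    // as a string instead of raising, so one SELECT can show several paths.
    public static String probe(String path) {
        try (java.io.FileInputStream in = new java.io.FileInputStream(path)) {
            return "READABLE";
        } catch (SecurityException e) {
            // Raised when the FilePermission or PATH_PREFIX check denies access
            return "DENIED: " + e.getMessage();
        } catch (java.io.IOException e) {
            return "IO ERROR: " + e.getMessage();
        }
    }
}
/

CREATE OR REPLACE FUNCTION file_probe(p_path VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA NAME 'FileProbe.probe(java.lang.String) return java.lang.String';
/

-- The file under PATH_PREFIX that ADMIN holds a permission for should be
-- READABLE. The file outside PATH_PREFIX should be DENIED even though the
-- profile enables JAVA_OS_ACCESS, because PATH_PREFIX applies regardless
-- of the permission grants in effect. Both paths are constructed for this
-- example and must exist on the database host.
SELECT file_probe('/d1/pdbs/pdb5/file1.txt') AS inside_prefix,
       file_probe('/tmp/outside.txt')        AS outside_prefix
  FROM dual;
```

Step 1 is the quickest way to catch the common mistake the text warns about: a profile that disables OS_ACCESS but was never given the explicit ENABLE for JAVA_OS_ACCESS will show no JAVA_OS_ACCESS row at all, and Java file operations then stay blocked. Step 4 is the check that matters for isolation: if the second column ever reports READABLE, the PDB was created without the PATH_PREFIX clause and should be corrected before file access is granted to tenant users.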
Additional Flexibility in the Oracle JVM Networking Access Restrictions
The enhancements to the PDB isolation feature provide the following additional flexibility in specifying the Oracle JVM Networking Access Restrictions in PDB lockdown profiles:
New Lockdown Profile Feature JAVA_TCP
The existing NETWORK_ACCESS lockdown profile feature bundle receives a new feature, JAVA_TCP, that controls the TCP operations in the Oracle JVM run time. It is analogous to the existing UTL_TCP lockdown profile feature that controls the PL/SQL TCP functionality.
New Lockdown Profile Feature JAVA_HTTP
The existing NETWORK_ACCESS lockdown profile feature bundle receives a new feature, JAVA_HTTP, that controls the HTTP operations in the Oracle JVM run time. It is analogous to the existing UTL_HTTP lockdown profile feature that controls the PL/SQL HTTP functionality.
The NETWORK_ACCESS Lockdown Profile Feature Bundle
You can still use the existing NETWORK_ACCESS lockdown profile feature bundle to disable networking in the Oracle JVM run time as a whole.
Important Notes for Database Administrators
This release further enhances the ability of CDB Database Administrators to configure safe lockdowns for PDBs that allow file access from Oracle JVM. For security and isolation, always use the PATH_PREFIX clause when any form of file access is allowed for PDBs.
This section summarizes the important enhancements made to the PDB isolation feature for CDB administrators:
- Earlier, disabling the OS_ACCESS feature in a lockdown profile meant disabling all OS access from Java, including file operations. Now, a lockdown profile can enable only the Java file operations, while other types of OS access from Java remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('OS_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_OS_ACCESS');
- Earlier, disabling the NETWORK_ACCESS feature in a lockdown profile meant disabling all network access from Java. Now, a lockdown profile can selectively enable HTTP connectivity for Oracle JVM, while other types of networking remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_HTTP');
- Earlier, disabling the NETWORK_ACCESS feature in a lockdown profile meant disabling all network access from Java. Now, a lockdown profile can selectively enable TCP connectivity for Oracle JVM, while other types of networking remain disabled:
ALTER LOCKDOWN PROFILE my_profile DISABLE FEATURE ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE my_profile ENABLE FEATURE ('JAVA_TCP');
See Also:
- Oracle Multitenant Isolation White Paper
- ALTER LOCKDOWN PROFILE for a description of PDB lockdown profile features
- CREATE PLUGGABLE DATABASE for more information about the PATH_PREFIX clause
- PDB_OS_CREDENTIAL for more information about the PDB_OS_CREDENTIAL initialization parameter