68d53dc5a9
ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.
Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
allowed regions from the permission mapping tables into a Secure App
Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
scoping + DEFINER rights on ctx_pkg.
One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
applied via local psql/mysql; ADB-side setup via sqlplus with .env
values injected as SQL*Plus DEFINE substitutions.
Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
47 lines
2.3 KiB
Plaintext
47 lines
2.3 KiB
Plaintext
# ============================================================
|
|
# .env.example → cp .env.example .env 후 값 채워서 사용
|
|
# 모든 run.sh / scripts 가 이 파일을 source 합니다.
|
|
# 절대 .env 자체를 git 에 올리지 마세요 (.gitignore 등록됨).
|
|
# ============================================================
|
|
|
|
# --- (1) 클라이언트 도구 경로 ---
|
|
# Oracle Instant Client (sqlplus) 가 PATH 에 있어야 함.
|
|
# macOS 예: /Users/<you>/devkit/instantclient
|
|
# Linux 예: /opt/oracle/instantclient_21_12
|
|
export PATH="${HOME}/devkit/instantclient:${PATH}"
|
|
|
|
# Oracle wallet 디렉토리 (cwallet.sso, tnsnames.ora 포함된 풀린 경로)
|
|
export TNS_ADMIN="" # 예: /Users/you/devkit/Wallet_D8AUKRO81636MON0
|
|
|
|
# --- (2) ADB 접속 ---
|
|
export ADB_TNS="" # tnsnames.ora alias (예: d8aukro81636mon0_tp)
|
|
export ADB_USER="admin"
|
|
export ADB_PASSWORD="" # 비워두면 run.sh 가 read -s 로 프롬프트
|
|
# 편의: sqlplus 한 줄 connect 문자열 (자동 합성됨; 직접 안 건드려도 됨)
|
|
# export ADB_CONN="${ADB_USER}/${ADB_PASSWORD}@${ADB_TNS}"
|
|
|
|
# --- (3) 데모용 ADB 엔드유저 비밀번호 (sql/adb/07_end_users.sql 에서 사용) ---
|
|
# ADB 비번 정책: 12자 이상, 대/소/숫자/특수 조합.
|
|
export VPDUSER_A_PASSWORD="RowFilter#A2026"
|
|
export VPDUSER_B_PASSWORD="RowFilter#B2026"
|
|
|
|
# --- (4) 원격 Postgres (AWS RDS, Cloud SQL, ...) ---
|
|
# sql/source/postgres_setup.sql 가 여기로 customers 테이블/seed 생성.
|
|
# ADB 의 RDS_POSTGRES_LINK 가 이 인스턴스를 가리킴.
|
|
export PG_HOST="" # 예: vpd-poc.xxxxx.ap-northeast-2.rds.amazonaws.com
|
|
export PG_PORT="5432"
|
|
export PG_DB="vpdpoc" # CREATE DATABASE 미리 되어 있어야 함
|
|
export PG_USER="postgres"
|
|
export PG_PASSWORD=""
|
|
|
|
# --- (5) 원격 MySQL ---
|
|
export MY_HOST=""
|
|
export MY_PORT="3306"
|
|
export MY_DB="ecommerce_poc" # CREATE DATABASE 미리 되어 있어야 함
|
|
export MY_USER="admin"
|
|
export MY_PASSWORD=""
|
|
|
|
# --- (6) ADB → 원격 DB Link 이름 (관례적으로 고정 — 굳이 안 바꿔도 됨) ---
|
|
export DBLINK_PG_NAME="RDS_POSTGRES_LINK"
|
|
export DBLINK_MY_NAME="RDS_LINK"
|