68d53dc5a9
ADB-centered row-level access control across heterogeneous DB sources
(AWS RDS Postgres + MySQL) using Oracle VPD + Data Redaction +
Secure Application Context, packaged as a one-click demo.
Mechanism:
- LOGON trigger calls ctx_pkg.init once per session to load the user's
allowed regions from the permission mapping tables into a Secure App
Context (VPD_CTX, USING ctx_pkg).
- VPD policy function vpd_region_filter reads SYS_CONTEXT and returns
an IN-list predicate (or '1=0' for fail-closed, NULL for '*'),
which Oracle injects into every SELECT on the protected views.
- Data Redaction reuses the same context to mask PII (email, full_name)
when the allowed-regions value is not '*'.
- 5 documented bypass attempts (direct DB link SELECT, SET_CONTEXT
spoof, DBMS_RLS drop, mapping table SELECT) all blocked by GRANT
scoping + DEFINER rights on ctx_pkg.
One-click entrypoint:
- ./run.sh {prereq|source|adb|tests|audit|all|teardown}
- Source DDL (Postgres + MySQL customers + 12-row seed each) is
applied via local psql/mysql; ADB-side setup via sqlplus with .env
values injected as SQL*Plus DEFINE substitutions.
Verified E2E on ADB 26ai + AWS RDS PG + RDS MySQL (mysql_community
gateway) on 2026-05-26: VPDUSER_A sees only APAC rows (PG 2 / MySQL 6,
PII masked), VPDUSER_B sees all (PG 12 / MySQL 17, PII unmasked).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
71 lines
2.6 KiB
MySQL
71 lines
2.6 KiB
MySQL
-- ============================================================
|
|
-- 03_secure_ctx.sql
|
|
-- Secure application context. ONLY ctx_pkg can SET vpd_ctx.*
|
|
-- End-users cannot spoof their identity / region list.
|
|
--
|
|
-- The package is AUTHID DEFINER so it can read permission tables
|
|
-- without granting end-users direct SELECT on those tables.
|
|
-- It uses SYS_CONTEXT('USERENV','SESSION_USER') to identify the
|
|
-- *invoker*, so even if an end-user calls it directly they only
|
|
-- ever load their OWN permissions.
|
|
-- ============================================================
|
|
SET ECHO OFF
|
|
SET FEEDBACK ON
|
|
|
|
PROMPT === Creating context package spec ===
|
|
CREATE OR REPLACE PACKAGE ctx_pkg AUTHID DEFINER AS
|
|
-- Called from the LOGON trigger (or manually).
|
|
-- Loads the connecting user's allowed regions per object into vpd_ctx.
|
|
PROCEDURE init;
|
|
END ctx_pkg;
|
|
/
|
|
|
|
PROMPT === Creating context package body ===
|
|
CREATE OR REPLACE PACKAGE BODY ctx_pkg AS
|
|
PROCEDURE init IS
|
|
v_user app_user.db_username%TYPE := SYS_CONTEXT('USERENV','SESSION_USER');
|
|
v_uid app_user.user_id%TYPE;
|
|
BEGIN
|
|
-- Look up app_user by Oracle session username (always uppercased).
|
|
BEGIN
|
|
SELECT user_id INTO v_uid
|
|
FROM app_user
|
|
WHERE db_username = v_user
|
|
AND active = 'Y';
|
|
EXCEPTION WHEN NO_DATA_FOUND THEN
|
|
-- Not an app user; leave context empty -> policy will return impossible predicate.
|
|
RETURN;
|
|
END;
|
|
|
|
-- For each object the user has permission on, aggregate allowed_regions
|
|
-- across all groups the user belongs to.
|
|
-- '*' wins over any specific list.
|
|
FOR r IN (
|
|
SELECT p.object_name,
|
|
CASE WHEN MAX(CASE WHEN p.allowed_regions='*' THEN 1 ELSE 0 END) = 1
|
|
THEN '*'
|
|
ELSE LISTAGG(p.allowed_regions, ',') WITHIN GROUP (ORDER BY p.allowed_regions)
|
|
END AS regions
|
|
FROM permission p
|
|
JOIN user_group ug ON ug.group_id = p.group_id
|
|
WHERE ug.user_id = v_uid
|
|
GROUP BY p.object_name
|
|
) LOOP
|
|
-- Attribute name = object name (e.g. V_CUSTOMERS_PG), value = CSV of regions.
|
|
DBMS_SESSION.SET_CONTEXT('VPD_CTX', r.object_name, r.regions);
|
|
END LOOP;
|
|
|
|
-- Also store the user_id for auditing / future use.
|
|
DBMS_SESSION.SET_CONTEXT('VPD_CTX', 'USER_ID', TO_CHAR(v_uid));
|
|
END init;
|
|
END ctx_pkg;
|
|
/
|
|
|
|
PROMPT === Binding secure context to ctx_pkg ===
|
|
-- This is the critical line: only code running INSIDE admin.ctx_pkg
|
|
-- can call DBMS_SESSION.SET_CONTEXT on the VPD_CTX namespace.
|
|
CREATE OR REPLACE CONTEXT vpd_ctx USING ctx_pkg;
|
|
|
|
PROMPT === Secure context ready ===
|
|
EXIT;
|