CREATE MASKING POLICY¶
说明¶
创建脱敏策略
参数¶
policy_name
脱敏策略名称,需要唯一,不可重复。
label_name
资源标签名称。
masking_clause
指出使用何种脱敏函数对被 label_name 标签标记的数据库资源进行脱敏。
masking_function
指的是预置的八种脱敏方式(MASKALL、RANDOMMASKING、CREDITCARDMASKING、BASICEMAILMASKING、FULLEMAILMASKING、SHUFFLEMASKING、ALLDIGITSMASKING、REGEXPMASKING)。
policy_filter
指出该脱敏策略对何种身份的用户生效,若为空表示对所用用户生效。
filter_value
指具体过滤信息内容(具体的用户名)。
ENABLE | DISABLE
可以打开或关闭脱敏策略。若不指定时默认为 ENABLE。
示例¶
示例1: 创建脱敏策略(不指定过滤器)
-- 清理环境
DROP TABLE tab_mask1 CASCADE;
CREATE TABLE tab_mask1(col1 TEXT, col2 TEXT);
CONNECT syssecure/szoscar55;
-- 清理环境
DROP MASKING POLICY policy_mask1;
DROP MASKING POLICY policy_mask2;
DROP MASKING POLICY policy_mask3;
DROP RESOURCE LABEL label_mask1;
DROP RESOURCE LABEL label_mask2;
-- 创建资源标签
CREATE RESOURCE LABEL label_mask1 ADD COLUMN(sysdba.tab_mask1.col1);
CREATE RESOURCE LABEL label_mask2 ADD COLUMN(sysdba.tab_mask1.col2);
-- 创建脱敏策略,多个标签使用同一脱敏方式
CREATE MASKING POLICY policy_mask1 MASKALL ON LABEL(label_mask1, label_mask2);
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK1' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK1 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK1' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK1 |LABEL_MASK1 |MASKALL | |
-------------------------------------------------------------------------------------------------
POLICY_MASK1 |LABEL_MASK2 |MASKALL | |
总数目:2
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK1' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
总数目:0
-- 删除脱敏策略
DROP MASKING POLICY policy_mask1;
-- 创建脱敏策略,多个标签使用不同脱敏方式
CREATE MASKING POLICY policy_mask2 MASKALL ON LABEL(label_mask1), RANDOMMASKING ON LABEL(label_mask2);
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK2' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK2 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK2' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK2 |LABEL_MASK1 |MASKALL | |
-------------------------------------------------------------------------------------------------
POLICY_MASK2 |LABEL_MASK2 |RANDOMMASKING | |
总数目:2
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK2' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
总数目:0
-- 删除脱敏策略
DROP MASKING POLICY policy_mask2;
-- 创建脱敏策略,指定为不启动
CREATE MASKING POLICY policy_mask3 MASKALL ON LABEL(label_mask1) DISABLE;
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK3' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK3 | |false |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK3' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK3 |LABEL_MASK1 |MASKALL | |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK3' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
总数目:0
-- 删除脱敏策略
DROP MASKING POLICY policy_mask3;
-- 删除资源标签
DROP RESOURCE LABEL label_mask1;
DROP RESOURCE LABEL label_mask2;
CONNECT sysdba/szoscar55;
DROP TABLE tab_mask1 CASCADE;
示例2: 创建脱敏策略(指定过滤器)
-- 清理环境
DROP TABLE tab_mask2 CASCADE;
CREATE TABLE tab_mask2(col3 TEXT, col4 TEXT);
CONNECT syssecure/szoscar55;
-- 清理环境
DROP MASKING POLICY policy_mask4;
DROP MASKING POLICY policy_mask5;
DROP MASKING POLICY policy_mask6;
DROP RESOURCE LABEL label_mask3;
-- 创建资源标签
CREATE RESOURCE LABEL label_mask3 ADD COLUMN(sysdba.tab_mask2.col3);
-- 创建脱敏策略,指定单一过滤器
CREATE MASKING POLICY policy_mask4 MASKALL ON LABEL(label_mask3) FILTER ON USER('SYSDBA');
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK4' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK4 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK4' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK4 |LABEL_MASK3 |MASKALL | |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK4' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
------------------------------------------------------
POLICY_MASK4 |user[1] |
总数目:1
-- 删除脱敏策略
DROP MASKING POLICY policy_mask4;
-- 创建脱敏策略,指定多过滤器
CREATE MASKING POLICY policy_mask5 MASKALL ON LABEL(label_mask3) FILTER ON USER('SYSDBA', 'SYSSECURE'), USER('SYSAUDIT');
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK5' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK5 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK5' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK5 |LABEL_MASK3 |MASKALL | |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK5' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
------------------------------------------------------
POLICY_MASK5 |*user[1,2]user[4] |
总数目:1
-- 删除脱敏策略
DROP MASKING POLICY policy_mask5;
-- 创建脱敏策略,指定多过滤器
CREATE MASKING POLICY policy_mask6 MASKALL ON LABEL(label_mask3) FILTER ON USER('SYSDBA') AND USER('SYSSECURE') OR USER('SYSAUDIT');
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK6' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK6 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK6' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK6 |LABEL_MASK3 |MASKALL | |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK6' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
------------------------------------------------------
POLICY_MASK6 |+*user[1]user[2]user[4] |
总数目:1
-- 删除脱敏策略
DROP MASKING POLICY policy_mask6;
-- 创建脱敏策略,指定APP过滤器
CREATE MASKING POLICY policy_mask7 MASKALL ON LABEL(label_mask3) FILTER ON APP('isql');
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK7' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK7 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK7' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK7 |LABEL_MASK3 |MASKALL | |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK7' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
------------------------------------------------------
POLICY_MASK7 |app[isql] |
总数目:1
-- 删除脱敏策略
DROP MASKING POLICY policy_mask7;
-- 创建脱敏策略,指定IP过滤器
-- 单一 IP
CREATE MASKING POLICY policy_ip_single MASKALL ON LABEL(label_mask3) FILTER ON IP('192.168.1.72');
-- 范围 IP
CREATE MASKING POLICY policy_ip_range MASKALL ON LABEL(label_mask3) FILTER ON IP('192.168.1.1-192.168.1.10');
-- 网段 IP
CREATE MASKING POLICY policy_ip_cidr MASKALL ON LABEL(label_mask3) FILTER ON IP('192.168.1.128/25');
-- 掩码 IP
CREATE MASKING POLICY policy_ip_mask MASKALL ON LABEL(label_mask3) FILTER ON IP('192.168.2.128/255.255.255.128');
-- 存在冲突
CREATE MASKING POLICY policy_ip_conflict MASKALL ON LABEL(label_mask3) FILTER ON IP('192.168.1.128/255.255.255.0');
ERROR, 当前策略与现有策略冲突: POLICY_IP_SINGLE
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_IP_SINGLE' OR MASKPOLNAME = 'POLICY_IP_RANGE' OR MASKPOLNAME = 'POLICY_IP_CIDR' OR MASKPOLNAME = 'POLICY_IP_MASK' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_IP_CIDR | |true |
-------------------------------------------------------------------------------
POLICY_IP_MASK | |true |
-------------------------------------------------------------------------------
POLICY_IP_RANGE | |true |
-------------------------------------------------------------------------------
POLICY_IP_SINGLE | |true |
总数目:4
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND (MASKPOLNAME = 'POLICY_IP_SINGLE' OR MASKPOLNAME = 'POLICY_IP_RANGE' OR MASKPOLNAME = 'POLICY_IP_CIDR' OR MASKPOLNAME = 'POLICY_IP_MASK') ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_IP_CIDR |LABEL_MASK3 |MASKALL | |
-------------------------------------------------------------------------------------------------
POLICY_IP_MASK |LABEL_MASK3 |MASKALL | |
-------------------------------------------------------------------------------------------------
POLICY_IP_RANGE |LABEL_MASK3 |MASKALL | |
-------------------------------------------------------------------------------------------------
POLICY_IP_SINGLE |LABEL_MASK3 |MASKALL | |
总数目:4
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND (MASKPOLNAME = 'POLICY_IP_SINGLE' OR MASKPOLNAME = 'POLICY_IP_RANGE' OR MASKPOLNAME = 'POLICY_IP_CIDR' OR MASKPOLNAME = 'POLICY_IP_MASK') ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
------------------------------------------------------
POLICY_IP_CIDR |ip[192.168.1.128/25] |
------------------------------------------------------
POLICY_IP_MASK |ip[192.168.2.128/255.255.255.12|
|8] |
------------------------------------------------------
POLICY_IP_RANGE |ip[192.168.1.1-192.168.1.10] |
------------------------------------------------------
POLICY_IP_SINGLE |ip[192.168.1.72] |
总数目:4
-- 删除脱敏策略
DROP MASKING POLICY policy_ip_mask;
DROP MASKING POLICY policy_ip_cidr;
DROP MASKING POLICY policy_ip_range;
DROP MASKING POLICY policy_ip_single;
-- 删除资源标签
DROP RESOURCE LABEL label_mask3;
CONNECT sysdba/szoscar55;
DROP TABLE tab_mask2 CASCADE;
示例3: 创建脱敏策略(使用用户自定义函数)
-- 清理环境
DROP TABLE tab_mask3 CASCADE;
drop function f1;
CREATE TABLE tab_mask3(col5 TEXT, col6 TEXT);
create or replace function f1(a text,b text) return text is
r text;
begin
r := a || b;
return r;
end;
/
CONNECT syssecure/szoscar55;
-- 清理环境
DROP MASKING POLICY policy_mask9;
DROP RESOURCE LABEL label_mask4;
-- 创建资源标签
CREATE RESOURCE LABEL label_mask4 ADD COLUMN(sysdba.tab_mask3.col5);
-- 创建脱敏策略 (使用自定义函数)
create masking policy policy_mask9 sysdba.f1('qwe') on label(label_mask4);
SELECT MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED FROM SYS_MASK_POLICY WHERE MASKPOLNAME = 'POLICY_MASK9' ORDER BY MASKPOLNAME, MASKPOLCOMMENTS, MASKPOLENABLED;
MASKPOLNAME(name) |MASKPOLCOMMENTS(name) |MASKPOLENABLED(boolean) |
-------------------------------------------------------------------------------
POLICY_MASK9 | |true |
总数目:1
SELECT MASKPOLNAME, MASKLABELNAME, MASKFUNCTION, MASKACTPARAMS FROM SYS_MASK_POLICY_LABEL, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_LABEL.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK9' ORDER BY MASKLABELNAME, MASKPOLNAME, MASKFUNCTION, MASKACTPARAMS;
MASKPOLNAME(name) |MASKLABELNAME(name) |MASKFUNCTION(name) |MASKACTPARAMS(name) |
-------------------------------------------------------------------------------------------------
POLICY_MASK9 |LABEL_MASK4 |SYSDBA.F1 |s:qwe |
总数目:1
SELECT MASKPOLNAME, MASKLOGICALOPERATOR FROM SYS_MASK_POLICY_FILTERS, SYS_MASK_POLICY WHERE SYS_MASK_POLICY_FILTERS.MASKPOLOID = SYS_MASK_POLICY.MASKPOLOID AND MASKPOLNAME = 'POLICY_MASK9' ORDER BY MASKPOLNAME, MASKLOGICALOPERATOR;
MASKPOLNAME(name) |MASKLOGICALOPERATOR(text) |
总数目:0
-- 删除脱敏策略
DROP MASKING POLICY policy_mask9;
-- 删除资源标签
DROP RESOURCE LABEL label_mask4;
CONNECT sysdba/szoscar55;
drop function f1;
DROP TABLE tab_mask3 CASCADE;