
IBM DB2 has a good LBAC (Label-Based Access Control) policy mechanism. I have had no problems creating or using these policies from the query browser. However, my requirement is a bit different. Suppose I have created the required security labels using LBAC and assigned them to columns and rows of a database table. Now, given a user's access control, I want to know whether that user can access a particular label.

DB2 resolves this internally and produces the required result, but I need some solution that tells me whether a user can access a particular column/row, given the user's access level and the security label of each column/row. I need some way to do the following:

  1. Find out the security label of a column [I can do this]
  2. Find out the access control granted to the user [I can do this]
  3. Tell whether the user can access those security labels [I don't know how to achieve this]

Consider this example:

My sample component:

/*Create the component*/ 
CREATE SECURITY LABEL COMPONENT ORG_DIVISIONS
TREE ('ORGANIZATION_ADMIN' ROOT, --The admin will have the complete access
      'SALES' UNDER 'ORGANIZATION_ADMIN', --The sales department will have access to the financial information for each unit
      'RESEARCH' UNDER 'ORGANIZATION_ADMIN', --The research division will have access to technical specs and design along with certain financial information
      'RSM1' UNDER 'RESEARCH', --The research manager 1 will have access to certain design and technical specs and certain financial information (depending on the project he is undertaking)
      'RS_ENGG1' UNDER 'RSM1', --The research engineer 1 will have access to certain technical specs (depending on the project he is undertaking)
      'MANUFACTURING' UNDER 'ORGANIZATION_ADMIN', --The manufacturing unit will have access to design along with certain financial information
      'MFM1' UNDER 'MANUFACTURING', --The manufacturing division manager 1 will have access to certain designs along with certain financial information (depending on the project he is undertaking)
      'MF_ENGG1' UNDER 'MFM1' --The manufacturing division engineer 1 will have access to certain designs (depending on the project he is undertaking)
);

My sample policy over the component:

/*Create the policy*/ 
CREATE SECURITY POLICY ORGANIZATION_POLICY
COMPONENTS ORG_DIVISIONS
WITH DB2LBACRULES
RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

My sample set of labels:

/*Create the labels from the policy components*/ 
CREATE SECURITY LABEL ORGANIZATION_POLICY.ORGANIZATION_ADMIN
COMPONENT ORG_DIVISIONS 'ORGANIZATION_ADMIN';

CREATE SECURITY LABEL ORGANIZATION_POLICY.SALES
COMPONENT ORG_DIVISIONS 'SALES';

CREATE SECURITY LABEL ORGANIZATION_POLICY.RESEARCH
COMPONENT ORG_DIVISIONS 'RESEARCH';

CREATE SECURITY LABEL ORGANIZATION_POLICY.RSM1
COMPONENT ORG_DIVISIONS 'RSM1';

CREATE SECURITY LABEL ORGANIZATION_POLICY.RS_ENGG1
COMPONENT ORG_DIVISIONS 'RS_ENGG1';

CREATE SECURITY LABEL ORGANIZATION_POLICY.MFM1
COMPONENT ORG_DIVISIONS 'MFM1';

CREATE SECURITY LABEL ORGANIZATION_POLICY.MF_ENGG1
COMPONENT ORG_DIVISIONS 'MF_ENGG1';

My sample user:

/*Use the defined policies and grant accesses to the users*/ 
GRANT SECURITY LABEL ORGANIZATION_POLICY.RSM1
TO USER someone FOR ALL ACCESS;

Now, since I have defined a component, user someone will have access to entities labelled RSM1 or its child labels (RS_ENGG1 in this case). DB2 knows this, and if I log in as user someone and fire a query, it will show me the relevant results. But the question is: how do I (as an administrator) know which columns/rows user someone can access? Is it possible to retrieve this information from some security table, or to find it out in some other way?

Regards,

Salil Joshi


1 Answer


I could not find any solution to this problem. What I ended up doing was finding the security components of type "tree" and "array", listing their component elements, and rebuilding the equivalent tree in Java.

1) Find out the labels granted to the user

SELECT 
   A.grantee
  ,B.secpolicyname
  ,c.seclabelname 
FROM 
   syscat.securitylabelaccess A
  ,syscat.securitypolicies B
  ,syscat.securitylabels C 
WHERE 
   A.seclabelid = C.seclabelid 
   AND A.secpolicyid = B.secpolicyid 
   AND B.secpolicyid = C.secpolicyid

2) Find out the array and tree component elements:

For trees:

SELECT 
   D.secpolicyname
  ,B.elementvalue
  ,B.parentelementvalue 
FROM 
   syscat.securitylabelcomponents A
  ,syscat.securitylabelcomponentelements B
  ,syscat.securitypolicycomponentrules C
  ,syscat.securitypolicies D 
WHERE 
   A.compid = B.compid 
   AND A.comptype = 'T' 
   AND A.compid = C.compid -- the component joins to the policy through its rules row, not by policy id
   AND C.secpolicyid = D.secpolicyid

For arrays (note: I could not find the order in which the elements were inserted into the array, but found that a selection (select *) rather than a projection (select A.a, B.b, ...) helps here. Any better solution is welcome):

SELECT * 
FROM 
   syscat.securitylabelcomponents A
  ,syscat.securitylabelcomponentelements B
  ,syscat.securitypolicycomponentrules C
  ,syscat.securitypolicies D 
WHERE 
   A.compid = B.compid 
   AND A.comptype = 'A' 
   AND A.compid = C.compid 
   AND C.secpolicyid = D.secpolicyid

3) Use the above structures to generate the list of labels allowed for the user.

A small problem here is that the component elements and the labels created from them may not have the same names, and I could not find any mapping between them. I have posted that question here.

Answered 2013-03-30T03:58:36.690
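The following is an added example, not code from the question or the answer above. It implements step 3 of the question (deciding which labels a holder of a given label can reach) over the rows the answer's catalog queries return, instead of rebuilding the tree in Java. The tree rows are constructed here to mirror the ORG_DIVISIONS component from the question; the CLEARANCE array component is hypothetical and goes beyond the page's tree-only policy to show the array rule as well. The rules coded are the DB2LBACRULES tree and array rules as I read the DB2 documentation (a user label must hold an element equal to, or an ancestor of, one of the protected label's elements; for arrays the user's element must rank at or above the data's element to read and be equal to write); check them against the documentation for your DB2 version. The label-to-element mapping is also constructed; on a live database it can be read with SECLABEL_TO_CHAR over the SECLABEL column of SYSCAT.SECURITYLABELS rather than assumed from matching names. The example ignores SET components and rule exemptions granted with GRANT EXEMPTION ON RULE, which bypass the checks shown.

```python
"""Offline evaluation of DB2 LBAC access decisions from catalog rows.

Added example, not code from the original question or answer. All sample
rows below are constructed to mirror what the catalog queries return.
"""

# Constructed sample: (elementvalue, parentelementvalue) rows as the tree query
# over SYSCAT.SECURITYLABELCOMPONENTELEMENTS returns them for ORG_DIVISIONS.
TREE_ROWS = [
    ("ORGANIZATION_ADMIN", None),  # ROOT element has no parent
    ("SALES", "ORGANIZATION_ADMIN"),
    ("RESEARCH", "ORGANIZATION_ADMIN"),
    ("RSM1", "RESEARCH"),
    ("RS_ENGG1", "RSM1"),
    ("MANUFACTURING", "ORGANIZATION_ADMIN"),
    ("MFM1", "MANUFACTURING"),
    ("MF_ENGG1", "MFM1"),
]

# Hypothetical ARRAY component, not in the original post, listed highest to
# lowest as in CREATE SECURITY LABEL COMPONENT ... ARRAY (...).
ARRAY_ROWS = ["TOP_SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED"]

# policy -> {component name: (COMPTYPE, rows)}; 'T' = tree, 'A' = array
ORGANIZATION_POLICY = {"ORG_DIVISIONS": ("T", TREE_ROWS)}
TWO_COMPONENT_POLICY = {"ORG_DIVISIONS": ("T", TREE_ROWS),
                        "CLEARANCE": ("A", ARRAY_ROWS)}  # hypothetical

# Constructed label -> element mapping for the question's labels. On a live
# database read it with SECLABEL_TO_CHAR(policy, SECLABEL) over
# SYSCAT.SECURITYLABELS instead of assuming label and element names match.
LABEL_ELEMENTS = {
    "ORGANIZATION_POLICY." + e: {"ORG_DIVISIONS": {e}}
    for e in ["ORGANIZATION_ADMIN", "SALES", "RESEARCH", "RSM1",
              "RS_ENGG1", "MFM1", "MF_ENGG1"]
}


def tree_parent_map(rows):
    """child element -> parent element (None for the root)."""
    return {child: parent for child, parent in rows}


def ancestors_or_self(parent_of, element):
    """The element itself plus every ancestor up to the root."""
    chain, cur = set(), element
    while cur is not None:
        if cur in chain:
            raise ValueError(f"cycle in tree component at {cur!r}")
        chain.add(cur)
        cur = parent_of[cur]  # KeyError flags an element unknown to the component
    return chain


def tree_allows(parent_of, user_elems, data_elems):
    """DB2LBACREADTREE / DB2LBACWRITETREE (same test for both): the user's
    label must hold at least one element equal to, or an ancestor of, one
    of the elements in the protected label."""
    return any(ancestors_or_self(parent_of, d) & set(user_elems) for d in data_elems)


def array_allows(order, user_elem, data_elem, write):
    """DB2LBACREADARRAY: the user's element must rank at or above the data
    element (index 0 is the highest). DB2LBACWRITEARRAY: they must be equal."""
    u, d = order.index(user_elem), order.index(data_elem)
    return u == d if write else u <= d


def label_allows(policy, user_label, data_label, write=False):
    """True when every component of the policy passes its rule.
    Labels are {component: set(elements)}; an array label holds one element.
    Assumes every label supplies a value for every component and ignores
    exemptions granted with GRANT EXEMPTION ON RULE."""
    for comp, (ctype, rows) in policy.items():
        u, d = user_label[comp], data_label[comp]
        if ctype == "T":
            ok = tree_allows(tree_parent_map(rows), u, d)
        elif ctype == "A":
            (user_elem,) = u
            (data_elem,) = d
            ok = array_allows(rows, user_elem, data_elem, write)
        else:
            raise NotImplementedError(f"component type {ctype!r} not handled here")
        if not ok:
            return False
    return True


def readable_tree_elements(parent_of, user_elems):
    """Step 3 of the question for a tree: every element whose ancestor chain
    meets the user's elements, i.e. the user's elements and their descendants."""
    return {e for e in parent_of if ancestors_or_self(parent_of, e) & set(user_elems)}


def accessible_labels(policy, label_elements, user_label, write=False):
    """Sorted names of the labels a holder of user_label may read (or write)."""
    return sorted(name for name, elems in label_elements.items()
                  if label_allows(policy, user_label, elems, write))


if __name__ == "__main__":
    rsm1 = LABEL_ELEMENTS["ORGANIZATION_POLICY.RSM1"]
    print(accessible_labels(ORGANIZATION_POLICY, LABEL_ELEMENTS, rsm1))
```

For the question's GRANT to user someone, feed `LABEL_ELEMENTS["ORGANIZATION_POLICY.RSM1"]` as the user label and the script reports RSM1 and RS_ENGG1 as reachable, matching what DB2 itself would return for that user. The rows for the user label come from the answer's first query; element sets for protected columns and rows come from the labels attached to them, resolved through the same label-to-element mapping.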