db2 introduction - 04 database security.ppt


Page 1: DB2 Introduction - 04 Database Security.ppt

8/9/2019 DB2 Introduction - 04 Database Security.ppt

http://slidepdf.com/reader/full/db2-introduction-04-database-securityppt 1/41

IBM Software Group

Olaf Depper ([email protected]) October 2004 © 2004 IBM Corporation

Introduction To IBM Universal Database for Linux, UNIX And Windows

4. Database Security

Page 2: DB2 Introduction - 04 Database Security.ppt


Agenda

Database Security
– Authentication
– Authorities
– Privileges

Page 3: DB2 Introduction - 04 Database Security.ppt


DB2 Security Mechanisms

There are three main mechanisms within DB2 that allow a DBA to implement a database security plan:

– Authentication
  DB2 authentication works closely with the security features of the underlying operating system to verify user IDs and passwords

– Authorization
  Authorization involves determining the operations that users and/or groups can perform, and the data objects that they may access

– Privileges
  Privileges help define the objects that a user can create or drop. They also define the commands that a user can use to access objects

Page 4: DB2 Introduction - 04 Database Security.ppt


DB2 Authentication

Page 5: DB2 Introduction - 04 Database Security.ppt


DB2 uses a combination of:
– External security service
– Internal access control information

Authentication
– Identify the user
  Check entered username and password
– Done by a security facility outside DB2 (part of the OS, DCE, Kerberos, ...)

Authorization
– Check if the authenticated user may perform the requested operation
– Done by DB2 facilities
  Information stored in the DB2 catalog and the DBM configuration file

DB2 Authentication Vs. Authorization

db2 connect to mydb user linda using pwd
db2 "select * from mytable"

Authentication: Is pwd the correct password for linda?
Authorization: Does linda have an authorization to perform SELECT on mytable?

Page 6: DB2 Introduction - 04 Database Security.ppt


DB2 Authentication

DB2 authentication controls the following aspects of a database security plan:
– Who is allowed access to the instance and/or database
– Where and how a user's password will be verified

It does this with the help of the underlying operating system security features whenever an attach or connect command is issued
– An attach command is used to connect to the DB2 instance
– A connect command is used to connect to a database within a DB2 instance

Page 7: DB2 Introduction - 04 Database Security.ppt


DB2 Authentication Types

Authentication types are used by DB2 to determine where authentication is to take place. The following table summarizes the available DB2 authentication types:

Type                  Description
SERVER                Authentication takes place on the server
SERVER_ENCRYPT        Authentication takes place on the server. Passwords are encrypted on the client before being sent to the server
CLIENT                Authentication takes place on the client machine
KERBEROS              Authentication is performed by the Kerberos security software
KRB_SERVER_ENCRYPT    Authentication is performed by the Kerberos security software if the client setting is KERBEROS. Otherwise, SERVER_ENCRYPT is used

Default for SAP

Page 8: DB2 Introduction - 04 Database Security.ppt


Setting Authentication On The Server

Authentication is set on the database server within the Database Manager Configuration (DBM CFG) file using the AUTHENTICATION parameter

Example:
– To view the authentication parameter in the configuration file:
  db2 get dbm cfg
– To alter the authentication parameter to SERVER_ENCRYPT (the instance must be restarted for the change to take effect):
  db2 update dbm cfg using authentication SERVER_ENCRYPT
  db2stop
  db2start

Page 9: DB2 Introduction - 04 Database Security.ppt


Setting Authentication On The Client

The client authentication setting must match that of the database server to which the client is connecting
– (with the exception of KRB_SERVER_ENCRYPT)

Client authentication is set using the catalog database command

Example:
– Let's assume the server authentication type is set to SERVER. The following command would then be issued to catalog the server database named sample:
  db2 catalog database sample at node nd1 authentication server
– If the authentication type is not specified, the client will try to use SERVER_ENCRYPT by default

Page 10: DB2 Introduction - 04 Database Security.ppt


Dealing With Untrusted Clients

If the server or gateway machine has authentication set to CLIENT, this implies that the client is expected to authenticate a user's ID and password

However, some client machines may not have operating systems with native security features
– Such untrusted clients include DB2 clients running on Windows 9x

There are two additional parameters in the DBM CFG file used to determine where authentication should take place when the server or gateway authentication method is set to CLIENT and untrusted clients are attempting to connect to the database or attach to the DB2 instance
– TRUST_ALLCLNTS
– TRUST_CLNTAUTH

Page 11: DB2 Introduction - 04 Database Security.ppt


Dealing With Untrusted Clients (Cont'd)

TRUST_ALLCLNTS
– Decide whether to trust all clients
  YES: All clients, whether or not they are trusted, are forced to authenticate at the client
  NO: All untrusted clients will be authenticated at the server (meaning that a user ID and password must be provided) – all trusted clients will be authenticated at the client machine
  DRDAONLY: Trust only clients that are running on iSeries or zSeries platforms (i.e., DRDA clients) – any other clients must provide user ID and password

Page 12: DB2 Introduction - 04 Database Security.ppt


Dealing With Untrusted Clients (Cont'd)

TRUST_CLNTAUTH
– Where will the authentication take place when a user ID and password are supplied and the authentication type is CLIENT
  CLIENT: Authentication is done at the client; a user ID and password are not required
  SERVER: Authentication is done at the server if a user ID and password are supplied. If no user ID and password are supplied, the authentication will take place at the client

Page 13: DB2 Introduction - 04 Database Security.ppt


Database Authentication – Example

UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT
– db2 connect to sample
  Only possible on the database server
– All clients will be authenticated at the server – no connect possible without supplying user ID and password from a client machine. Connection data is sent encrypted from the client to the server

UPDATE DBM CFG USING AUTHENTICATION CLIENT TRUST_ALLCLNTS NO
– db2 connect to sample user john using pass
  Authentication on the trusted client
– All untrusted clients will be authenticated at the server

Page 14: DB2 Introduction - 04 Database Security.ppt


Database Authentication – Example

UPDATE DBM CFG USING AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH CLIENT
– db2 connect to sample user john using pass
  Authentication on client
– db2 connect to sample
  Authentication on client

UPDATE DBM CFG USING AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH SERVER
– db2 connect to sample user john using pass
  Authentication on server
– db2 connect to sample
  Authentication on client
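The rules of the last few slides (the AUTHENTICATION type, TRUST_ALLCLNTS and TRUST_CLNTAUTH) combine into one small decision procedure for where a connect is authenticated. The following Python model is an added example, not IBM code and not part of the slides: the client_kind labels 'trusted', 'untrusted' and 'drda', the 'refused' result and the slide_scenarios() helper are this example's own, and slide_scenarios() replays the connect attempts of the two example slides above.

```python
"""Where does DB2 check the user ID and password for a connect?

Added example (not IBM code, not from the slides): a model of the rules for
AUTHENTICATION, TRUST_ALLCLNTS and TRUST_CLNTAUTH. The client_kind labels
'trusted', 'untrusted' and 'drda' and the 'refused' result are this example's own.
"""

SERVER_SIDE = ("SERVER", "SERVER_ENCRYPT")


def authentication_location(server_auth, trust_allclnts="YES", trust_clntauth="CLIENT",
                            client_kind="trusted", credentials_supplied=False,
                            local_connection=False, client_auth=None):
    """Return 'server', 'client', 'kerberos' or 'refused' for one connect attempt.

    client_kind: 'trusted' (OS with native security), 'untrusted' (e.g. Windows 9x)
    or 'drda' (iSeries/zSeries client). client_auth is the authentication type the
    client cataloged; it only matters for KRB_SERVER_ENCRYPT.
    """
    server_auth = server_auth.upper()
    if server_auth == "KERBEROS":
        return "kerberos"
    if server_auth == "KRB_SERVER_ENCRYPT":
        # Kerberos when the client asks for it, SERVER_ENCRYPT behaviour otherwise
        if (client_auth or "").upper() == "KERBEROS":
            return "kerberos"
        server_auth = "SERVER_ENCRYPT"
    if server_auth in SERVER_SIDE:
        # Every client is checked at the server; an implicit "db2 connect to sample"
        # without credentials only works when issued on the server itself
        if credentials_supplied or local_connection:
            return "server"
        return "refused"
    if server_auth != "CLIENT":
        raise ValueError("unknown authentication type: " + server_auth)

    # AUTHENTICATION CLIENT: TRUST_ALLCLNTS decides whether this client is trusted
    trust_allclnts = trust_allclnts.upper()
    if trust_allclnts == "YES":
        trusted = True
    elif trust_allclnts == "NO":
        trusted = client_kind in ("trusted", "drda")
    elif trust_allclnts == "DRDAONLY":
        trusted = client_kind == "drda"
    else:
        raise ValueError("unknown TRUST_ALLCLNTS value: " + trust_allclnts)

    if not trusted:
        # Untrusted clients are authenticated at the server and must send credentials
        return "server" if credentials_supplied else "refused"

    # Trusted client: TRUST_CLNTAUTH SERVER moves the check to the server, but only
    # when a user ID and password were actually supplied
    if trust_clntauth.upper() == "SERVER" and credentials_supplied:
        return "server"
    return "client"


def slide_scenarios():
    """The connect attempts of the two example slides, as (DBM CFG setting, command, location).

    The first attempt is issued from a client machine, which is why it is refused.
    """
    cases = [
        ("AUTHENTICATION SERVER_ENCRYPT", "db2 connect to sample", False),
        ("AUTHENTICATION SERVER_ENCRYPT", "db2 connect to sample user john using pass", True),
        ("AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH CLIENT",
         "db2 connect to sample user john using pass", True),
        ("AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH CLIENT",
         "db2 connect to sample", False),
        ("AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH SERVER",
         "db2 connect to sample user john using pass", True),
        ("AUTHENTICATION CLIENT TRUST_ALLCLNTS NO TRUST_CLNTAUTH SERVER",
         "db2 connect to sample", False),
    ]
    results = []
    for setting, command, with_credentials in cases:
        words = setting.split()                      # "AUTHENTICATION X TRUST_ALLCLNTS NO ..."
        opts = dict(zip(words[0::2], words[1::2]))
        location = authentication_location(opts["AUTHENTICATION"],
                                           opts.get("TRUST_ALLCLNTS", "YES"),
                                           opts.get("TRUST_CLNTAUTH", "CLIENT"),
                                           credentials_supplied=with_credentials)
        results.append((setting, command, location))
    return results


if __name__ == "__main__":
    for setting, command, location in slide_scenarios():
        print("%-62s %-44s -> %s" % (setting, command, location))
```

The model makes the practical point of the slides explicit: with AUTHENTICATION CLIENT the server only enforces a password check for clients it has decided not to trust, so TRUST_ALLCLNTS and TRUST_CLNTAUTH deserve the same review as the authentication type itself.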

Page 15: DB2 Introduction - 04 Database Security.ppt


Database Authentication – Windows

DB2 for Windows exploits the native Windows security system to authenticate users

DB2 uses Windows to attempt to authenticate a user in the following order of user information:
1. Local Security Accounts Manager (SAM)
2. Domain Controller
3. Trusted Domain Controller

– Example:
  If the authentication type is SERVER, the DB2 server attempts to authenticate the user at the server machine
  If the user is not defined in the server machine's SAM, the authentication will be attempted on the domain controller
  If the user is not defined on the domain controller, the domain controller of the trusted domains is used
  If the user is not defined in the trusted domain, the authentication will fail

Page 16: DB2 Introduction - 04 Database Security.ppt

8/9/2019 DB2 Introduction - 04 Database Security.ppt

http://slidepdf.com/reader/full/db2-introduction-04-database-securityppt 16/41

IBM Software Group

© 200* IBM CorporationIntroduction to DB2 + 4( Database ,ctober 2004

Authentication In A SAP Environment

[Diagram: the SAP work process disp+work.exe connects to the Database Server with "Connect to <SID> user SAP<SID> using PASSWORD"; the password is read from the DSCDB.CONF file, which is maintained by DSCDBUP running as user <SID>ADM using the OS-API Encrypt/Decrypt Algorithm]

Page 17: DB2 Introduction - 04 Database Security.ppt


Authentication In A SAP Environment (Cont'd)

In a SAP environment, the disp+work processes are connected to the database as user sapr3 / sap<sid>
– Some database operations are also performed by user <sid>adm

Because an interactive logon is not possible, an encrypted password file is used to allow users access to the database

The password file is called dscdb.conf and is located in the global directory of the /usr/sap file system
– The db2<sid> user needs read access to the password file

The password file is created by using the dscdbup tool
– Please remember: once you change the password of sapr3/sap<sid> and/or <sid>adm on the operating system level you must also update the dscdb.conf file

Page 18: DB2 Introduction - 04 Database Security.ppt


DB2 Authorities

Page 19: DB2 Introduction - 04 Database Security.ppt


Page 20: DB2 Introduction - 04 Database Security.ppt


DB2 Authorities – Overview (Cont'd)

Authorities are made up of groups of privileges and higher-level database manager (instance-level) maintenance and utility operations
– SYSADM, SYSCTRL and SYSMAINT are instance-level authorities
  These authorities can only be assigned to an (operating system) group; you can do so through the DBM CFG file
– The DBADM and LOAD authorities are assigned to a user or group for a particular database
  This can be done explicitly using the GRANT command

Page 21: DB2 Introduction - 04 Database Security.ppt


DB2 Authorities

[Diagram: the instance-level authorities SYSADM, SYSCTRL and SYSMAINT cannot access data; the database-level authorities DBADM and LOAD can access data; below the authorities sit the privileges, which are held through ownership (Control), individually, or implicitly]

Page 22: DB2 Introduction - 04 Database Security.ppt


Obtaining Database Authorities

Instance-level authorities
– The authorities SYSADM, SYSCTRL, and SYSMAINT are associated with groups and are specified at the instance level
  • UPDATE DBM CFG USING SYSADM_GROUP <GROUP1>
    every user ID that is a member of group1 will have SYSADM authority on this instance
  • UPDATE DBM CFG USING SYSCTRL_GROUP <GROUP2>
  • UPDATE DBM CFG USING SYSMAINT_GROUP <GROUP3>

Page 23: DB2 Introduction - 04 Database Security.ppt


Obtaining Database Authorities (Cont'd)

DBADM Authority
– The creator of a database will automatically have DBADM authority for the new database. Other users may be granted the DBADM authority by a SYSADM user:
  • GRANT DBADM ON DATABASE TO USER <USER1>

LOAD Authority
– Only users with either SYSADM or DBADM authority are permitted to grant or revoke LOAD authority to users or groups
  • GRANT LOAD ON DATABASE TO USER <USER1>

Page 24: DB2 Introduction - 04 Database Security.ppt


Page 25: DB2 Introduction - 04 Database Security.ppt


Database Authority – Windows Considerations

In a Windows domain environment, a group list for the authenticated user is enumerated at the machine where the authentication is done

The DB2_GRP_LOOKUP registry variable allows you to specify where the list of groups a user belongs to should be enumerated:
– LOCAL: At the DB2 server the list of groups is enumerated using the local SAM at the DB2 server
  By setting this value, the database administrator does not need to have administrative authority for Windows domains
– DOMAIN: DB2 will always enumerate groups and validate user accounts on the user account's Windows domain

Page 26: DB2 Introduction - 04 Database Security.ppt


DB2 Privileges

Page 27: DB2 Introduction - 04 Database Security.ppt


Authorities And Privileges

[Diagram: the instance authorities SYSADM, SYSCTRL and SYSMAINT sit above the database authority DBADM; below the authorities the privileges are grouped by object:
– Database: IMPLICIT_SCHEMA, CREATETAB, BINDADD, CONNECT, LOAD
– Table space: USE (table space owner)
– Schema: CREATEIN, ALTERIN, DROPIN (schema owner)
– Tables: CONTROL, ALL, ALTER, DELETE, INDEX, INSERT, REFERENCES, SELECT, UPDATE
– Views: CONTROL, ALL, DELETE, INSERT, SELECT, UPDATE
– Indexes: CONTROL]

Page 28: DB2 Introduction - 04 Database Security.ppt


Resources: Privileges Required

Resource             Needed to create                         Needed to control   Other privileges
Database             SYSADM, SYSCTRL                          DBADM               CONNECT, BINDADD, CREATETAB, CREATE_NOT_FENCED, IMPLICIT_SCHEMA
Table (T) / View (V) CREATETAB (T); CONTROL or SELECT (V)     CONTROL             SELECT (T/V), INSERT (T/V), DELETE (T/V), UPDATE (T/V), ALTER (T), INDEX (T), REFERENCES (T)
Package              BINDADD                                  CONTROL             BIND, EXECUTE
Index                INDEX                                    CONTROL             none
Alias                If schema differs from current authid,   CONTROL             none
                     requires DBADM, SYSADM
Schemas              SYSADM, DBADM, IMPLICIT_SCHEMA           Schema owner        CREATEIN, ALTERIN, DROPIN

Page 29: DB2 Introduction - 04 Database Security.ppt


Grant Command – Table, View Privileges Support

GRANT { ALL PRIVILEGES
      | { ALTER | CONTROL | DELETE | INDEX | INSERT
        | REFERENCES [( column-name, ... )] | SELECT | UPDATE [( column-name, ... )] } , ... }
  ON [TABLE] { table-name | view-name }
  TO { [USER | GROUP] authorization-name | PUBLIC } , ...
  [WITH GRANT OPTION]

Page 30: DB2 Introduction - 04 Database Security.ppt


Grant Explicit Privileges

Granting a privilege with grant option allows the authorization ID to extend the specified privilege to others
– This option is only available for package, routine, schema, table, table space, and view privileges

Although the grant privilege is extended, the revoke privilege is not. If privileges are received through the with grant option, a user will not be able to revoke the privileges from others

Example
– This statement allows john to perform select, update, or delete operations on the table employee and to grant any of these privileges to others:
  db2 grant select, update, delete on table employee to user john with grant option

Page 31: DB2 Introduction - 04 Database Security.ppt


Example – Controlling Use Of Schemas

Schemas are named collections of objects
– The schema forms the high-order part of an object's two-part name

A user with DBADM authority creates schema PAY for user MEL
– CREATE SCHEMA PAY AUTHORIZATION MEL

Mel can create objects in schema PAY
– CREATE TABLE PAY.T1 (COL1 INT)

Mel can grant privileges to other users:
– GRANT CREATEIN ON SCHEMA PAY TO USER CAL
– GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA PAY TO GROUP G1 WITH GRANT OPTION

Achieving greater schema control:
– REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
– GRANT IMPLICIT_SCHEMA ON DATABASE TO USER JON

Page 32: DB2 Introduction - 04 Database Security.ppt


Individual IDs, Group IDs And Public

[Diagram: individual IDs ivo, bill and melanie; group IDs usr (melanie) and staff (bill, ivo); PUBLIC = all users; the privileges held by each are recorded in the system catalogs SYSCAT.DBAUTH, SYSCAT.INDEXAUTH, SYSCAT.PACKAGEAUTH, SYSCAT.TABAUTH, SYSCAT.COLAUTH and SYSCAT.SCHEMAAUTH]

PUBLIC is a special DB2 group that includes all users of a particular database. PUBLIC does not have to be defined at the O/S level

Page 33: DB2 Introduction - 04 Database Security.ppt


Group And User Support

Statement                                     Permitted on   Does the system know about?         Result
1  GRANT SELECT ON TABLE EMPLOYEE TO CAL        U or G         User = cal only                     granted to user cal
2  GRANT SELECT ON TABLE EMPLOYEE TO CAL        U or G         Group = cal only                    granted to group cal
3  GRANT SELECT ON TABLE EMPLOYEE TO CAL        U or G         User = cal and Group = cal          SQLCODE -569 (authorization ID is ambiguous)
                                                               (UNIX or Windows NT)
4  GRANT SELECT ON TABLE EMPLOYEE TO USER CAL   U              N/A                                 granted to user cal
5  GRANT SELECT ON TABLE EMPLOYEE TO GROUP CAL  G              N/A                                 granted to group cal

Page 34: DB2 Introduction - 04 Database Security.ppt


Implicit Privileges

CREATE DATABASE
– Internal GRANT of DBADM authority with CONNECT, CREATETAB, BINDADD, CREATE_NOT_FENCED, LOAD and IMPLICIT_SCHEMA privileges to the creator (SYSADM or SYSCTRL)
– Internal GRANT of BINDADD, CREATETAB, CONNECT and IMPLICIT_SCHEMA to PUBLIC
– BIND and EXECUTE privilege on each successfully bound utility to PUBLIC
– SELECT on system catalog tables and views to PUBLIC
– USE privilege on the USERSPACE1 table space to PUBLIC

GRANT DBADM
– Internal GRANT of BINDADD, CREATETAB, CONNECT, CREATE_NOT_FENCED, LOAD and IMPLICIT_SCHEMA

Create object (table, index, package)
– Internal GRANT of CONTROL to the object creator

Create view
– Internal GRANT of the intersection of the creator's privileges on the base tables to the view creator

Page 35: DB2 Introduction - 04 Database Security.ppt


Indirect Privileges

Privileges can be obtained indirectly when packages are executed by the database manager
– A package contains one or more SQL statements in an executable format
– If all the statements in the package are static, a user would only require EXECUTE privilege on the package to successfully execute the statements in the package

Example: Assume 'package1' executes the following static SQL statements:
  db2 select * from org
  db2 insert into test values (1, 2, 3)

– In this case, a user with EXECUTE privilege on 'package1' would indirectly be granted SELECT privilege on the table org and INSERT privilege on the table test

Page 36: DB2 Introduction - 04 Database Security.ppt


Query Privileges Granted To Current ID

db2 "SELECT * FROM SYSCAT.TABAUTH WHERE GRANTEE IN (USER, 'PUBLIC')"
db2 get authorizations

"Rounding up Privileges"

Page 37: DB2 Introduction - 04 Database Security.ppt


Grant/Revoke Scenarios 1/4

GRANT DBADM ON DATABASE TO USER SIDADM
Get Authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = YES
Direct CREATETAB authority = YES
Direct BINDADD authority = YES
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = YES
Direct IMPLICIT_SCHEMA authority = YES
Direct LOAD authority = YES

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = YES
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = NO
Indirect CONNECT authority = NO
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = YES
Indirect LOAD authority = NO

Page 38: DB2 Introduction - 04 Database Security.ppt


Grant/Revoke Scenarios 2/4

REVOKE DBADM ON DATABASE FROM USER SIDADM
Get Authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = YES
Direct BINDADD authority = YES
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = YES
Direct IMPLICIT_SCHEMA authority = YES
Direct LOAD authority = YES

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = YES
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = NO
Indirect CONNECT authority = NO
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = YES
Indirect LOAD authority = NO

Page 39: DB2 Introduction - 04 Database Security.ppt


Grant/Revoke Scenarios 3/4

REVOKE BINDADD ON DATABASE FROM USER SIDADM
Get Authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = NO
Direct CREATETAB authority = YES
Direct BINDADD authority = NO
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = YES
Direct IMPLICIT_SCHEMA authority = YES
Direct LOAD authority = YES

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = YES
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = NO
Indirect CONNECT authority = NO
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = YES
Indirect LOAD authority = NO

Page 40: DB2 Introduction - 04 Database Security.ppt


Grant/Revoke Scenarios 4/4

GRANT DBADM ON DATABASE TO USER SIDADM
Get Authorizations

Administrative Authorizations for Current User

Direct SYSADM authority = NO
Direct SYSCTRL authority = NO
Direct SYSMAINT authority = NO
Direct DBADM authority = YES
Direct CREATETAB authority = YES
Direct BINDADD authority = YES
Direct CONNECT authority = YES
Direct CREATE_NOT_FENC authority = YES
Direct IMPLICIT_SCHEMA authority = YES
Direct LOAD authority = YES

Indirect SYSADM authority = NO
Indirect SYSCTRL authority = YES
Indirect SYSMAINT authority = NO
Indirect DBADM authority = NO
Indirect CREATETAB authority = NO
Indirect BINDADD authority = NO
Indirect CONNECT authority = NO
Indirect CREATE_NOT_FENC authority = NO
Indirect IMPLICIT_SCHEMA authority = YES
Indirect LOAD authority = NO
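The four scenarios show the point that matters for an audit: REVOKE DBADM takes back DBADM itself, but the privileges that were granted implicitly along with it (CREATETAB, BINDADD, CONNECT, CREATE_NOT_FENC, IMPLICIT_SCHEMA, LOAD) stay until they are revoked one by one. The following Python code is an added example, not IBM tooling and not part of the slides: it renders listings in the shape of the "get authorizations" output shown above (values constructed to match the scenarios), parses them back, and reports which direct privileges survived a revoke.

```python
"""Check 'db2 get authorizations' listings for privileges that survive a REVOKE.

Added example, not IBM tooling and not from the slides. The listings are
rendered here in the format of the scenario slides; the parser and the residual
check are the part an auditor would run against real output.
"""
import re

AUTHORITIES = ["SYSADM", "SYSCTRL", "SYSMAINT", "DBADM", "CREATETAB", "BINDADD",
               "CONNECT", "CREATE_NOT_FENC", "IMPLICIT_SCHEMA", "LOAD"]
# Privileges that GRANT DBADM hands out implicitly (Implicit Privileges slide)
DBADM_IMPLICIT = {"CREATETAB", "BINDADD", "CONNECT", "CREATE_NOT_FENC",
                  "IMPLICIT_SCHEMA", "LOAD"}
LINE_RE = re.compile(r"^\s*(Direct|Indirect)\s+(\S+)\s+authority\s*=\s*(YES|NO)\s*$")


def render_listing(direct_yes, indirect_yes):
    """Constructed listing in the shape of 'db2 get authorizations' output."""
    lines = [" Administrative Authorizations for Current User", ""]
    for kind, held in (("Direct", direct_yes), ("Indirect", indirect_yes)):
        for name in AUTHORITIES:
            lines.append(" %s %s authority = %s" % (kind, name, "YES" if name in held else "NO"))
        lines.append("")
    return "\n".join(lines)


def parse_listing(text):
    """Map (kind, name) -> held, e.g. ('Direct', 'DBADM') -> True."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, name, value = m.groups()
            result[(kind, name)] = value == "YES"
    return result


def direct_changes(before, after):
    """Direct authorities whose value flipped between two listings: name -> (old, new)."""
    b, a = parse_listing(before), parse_listing(after)
    return {name: (b.get((kind, name)), held)
            for (kind, name), held in a.items()
            if kind == "Direct" and b.get((kind, name)) != held}


def residual_after_revoke(after, revoked):
    """Direct privileges still held after `revoked` was revoked.

    REVOKE DBADM removes only DBADM; everything granted along with it remains,
    so the list returned here is what still has to be revoked explicitly.
    """
    a = parse_listing(after)
    if a[("Direct", revoked)]:
        raise ValueError(revoked + " is still held directly: the REVOKE did not take effect")
    return [name for name in AUTHORITIES if a[("Direct", name)] and name != revoked]


# Listings matching the values on the scenario slides (constructed)
INDIRECT = {"SYSCTRL", "IMPLICIT_SCHEMA"}
AFTER_GRANT_DBADM = render_listing({"DBADM"} | DBADM_IMPLICIT, INDIRECT)
AFTER_REVOKE_DBADM = render_listing(DBADM_IMPLICIT, INDIRECT)
AFTER_REVOKE_BINDADD = render_listing(DBADM_IMPLICIT - {"BINDADD"}, INDIRECT)

if __name__ == "__main__":
    print("flipped by REVOKE DBADM:", direct_changes(AFTER_GRANT_DBADM, AFTER_REVOKE_DBADM))
    print("still held directly:", residual_after_revoke(AFTER_REVOKE_DBADM, "DBADM"))
```

Against real output, feed the text of "db2 get authorizations" captured before and after the REVOKE into direct_changes() and residual_after_revoke(); a non-empty residual list means the user keeps database privileges that the DBADM revoke did not touch.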

Page 41: DB2 Introduction - 04 Database Security.ppt


Query Who Has Which Privileges

Most of the information on authorizations is maintained in seven system catalog tables:
– SYSCAT.DBAUTH        Database privileges
– SYSCAT.COLAUTH       Table and view column privileges
– SYSCAT.INDEXAUTH     Index privileges
– SYSCAT.PACKAGEAUTH   Package privileges
– SYSCAT.SCHEMAAUTH    Schema privileges
– SYSCAT.TABAUTH       Table and view privileges
– SYSCAT.TBSPACEAUTH   Table space privileges

– SYSADM, SYSCTRL and SYSMAINT authority and group membership are defined outside the Database Manager and are therefore not reflected in the system catalogs
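Answering "who can read this table?" from the catalog means combining the rows granted to the user, to each of the user's operating-system groups and to PUBLIC, and then folding in CONTROL and DBADM, which carry every table privilege. The following Python code is an added example, not from the slides or IBM: the rows are constructed in the layout of SYSCAT.TABAUTH and SYSCAT.DBAUTH (column names as in the DB2 catalog; GRANTEETYPE 'U' user / 'G' group; privilege columns 'Y' held, 'G' held WITH GRANT OPTION, 'N' not held), and the group membership table is supplied separately because, as the slide says, it lives in the operating system and not in the catalog. The user and group names are the ones used across this deck.

```python
"""Who effectively holds a table privilege, resolved from catalog-style rows.

Added example, not from the slides or IBM. Rows are constructed in the layout of
SYSCAT.TABAUTH / SYSCAT.DBAUTH; group membership is constructed separately
because it is defined in the operating system, not in the catalog.
"""

PRIV_COLUMNS = {"SELECTAUTH": "SELECT", "INSERTAUTH": "INSERT", "UPDATEAUTH": "UPDATE",
                "DELETEAUTH": "DELETE", "ALTERAUTH": "ALTER", "INDEXAUTH": "INDEX",
                "REFAUTH": "REFERENCES"}
TABLE_PRIVILEGES = set(PRIV_COLUMNS.values())


def tabauth_row(grantee, gtype, schema, table, control="N", **flags):
    """Build one constructed SYSCAT.TABAUTH-style row; privileges not named are 'N'."""
    row = {"GRANTEE": grantee, "GRANTEETYPE": gtype, "TABSCHEMA": schema,
           "TABNAME": table, "CONTROLAUTH": control}
    for col in PRIV_COLUMNS:
        row[col] = flags.get(col, "N")
    return row


TABAUTH = [
    tabauth_row("CAL", "U", "PAY", "EMPLOYEE", SELECTAUTH="Y"),
    tabauth_row("STAFF", "G", "PAY", "EMPLOYEE", SELECTAUTH="Y", INSERTAUTH="Y"),
    # john received select, update, delete WITH GRANT OPTION (Grant Explicit Privileges slide)
    tabauth_row("JOHN", "U", "PAY", "EMPLOYEE", SELECTAUTH="G", UPDATEAUTH="G", DELETEAUTH="G"),
    tabauth_row("MEL", "U", "PAY", "EMPLOYEE", control="Y"),          # creator holds CONTROL
    tabauth_row("PUBLIC", "G", "SYSCAT", "TABAUTH", SELECTAUTH="Y"),  # catalog readable by PUBLIC
]
# Constructed SYSCAT.DBAUTH-style rows; only the DBADM flag is used here
DBAUTH = [{"GRANTEE": "IVO", "GRANTEETYPE": "U", "DBADMAUTH": "Y"}]
# Group membership as the operating system defines it (constructed)
GROUP_MEMBERS = {"STAFF": {"BILL", "IVO"}, "USR": {"MELANIE"}}
ALL_USERS = {"CAL", "JOHN", "MEL", "BILL", "IVO", "MELANIE"}


def grantee_keys(user):
    """Catalog grantees that apply to a user: the user itself, its OS groups and PUBLIC."""
    keys = {("U", user), ("G", "PUBLIC")}
    keys |= {("G", g) for g, members in GROUP_MEMBERS.items() if user in members}
    return keys


def effective_privileges(user, schema, table, tabauth=TABAUTH, dbauth=DBAUTH):
    """Return {privilege: grantable} that `user` holds on schema.table by any path."""
    keys = grantee_keys(user)
    # DBADM can access all data in the database (DB2 Authorities slide)
    if any((r["GRANTEETYPE"], r["GRANTEE"]) in keys and r["DBADMAUTH"] == "Y" for r in dbauth):
        return {p: True for p in TABLE_PRIVILEGES}
    privs = {}
    for r in tabauth:
        if (r["GRANTEETYPE"], r["GRANTEE"]) not in keys:
            continue
        if (r["TABSCHEMA"], r["TABNAME"]) != (schema, table):
            continue
        if r["CONTROLAUTH"] == "Y":          # CONTROL carries every privilege, grantable
            return {p: True for p in TABLE_PRIVILEGES}
        for col, name in PRIV_COLUMNS.items():
            if r[col] in ("Y", "G"):
                privs[name] = privs.get(name, False) or r[col] == "G"
    return privs


def who_can(privilege, schema, table, users=ALL_USERS):
    """Sorted list of users holding `privilege` on schema.table directly, via a group, PUBLIC, CONTROL or DBADM."""
    return sorted(u for u in users if privilege in effective_privileges(u, schema, table))


if __name__ == "__main__":
    for user in sorted(ALL_USERS):
        print(user, effective_privileges(user, "PAY", "EMPLOYEE"))
    print("can SELECT PAY.EMPLOYEE:", who_can("SELECT", "PAY", "EMPLOYEE"))
```

The who_can() result is the list a reviewer actually needs: a grant to the group STAFF reaches BILL and IVO although neither name appears in SYSCAT.TABAUTH, and IVO reaches the table through DBADM without any row for that table at all.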