Should Invoker Rights be used?
DESCRIPTION
How can you ensure users use only their data and not someone else's? How can you do this with minimal effort? How can you get rid of multiple codebases? How can you (partially) protect yourself against SQL Injection? In this session we explore the use of the different authentication models in the Oracle database. When do you use the Definer Rights model and when could, or should, you use the Invoker Rights model?
TRANSCRIPT
![Page 2: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/2.jpg)
About me…
• Patrick Barel
• Working with Oracle since 1997
• Working with PL/SQL since 1999
• Playing with APEX since 2003 (mod_plsql)
• ACE since 2011
• OCA since December 20th 2012
![Page 3: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/3.jpg)
Read me…
http://blog.bar-solutions.com
http://technology.amis.nl
http://allthingsoracle.com
![Page 4: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/4.jpg)
Download me…
Plugins for PL/SQL Developer
http://bar-solutions.com
Plugins for Apex
http://apex-plugin.com
![Page 5: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/5.jpg)
Watch me…
![Page 7: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/7.jpg)
Steven Feuerstein Masterclass
Anti-Pattern PL/SQL Programming +
Oracle Database 12c New PL/SQL Features
12/13 December. AMIS, Nieuwegein
• Steven will present examples of "bad code" (anti-patterns) and features of PL/SQL that address them.
• Students working in pairs then use their laptops to fix the anti-patterns.
• Steven then walks entire class through optimal solutions.
![Page 8: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/8.jpg)
![Page 9: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/9.jpg)
Definer Rights vs Invoker Rights
Definer Rights Model
• Prior to Oracle8i, whenever you executed a stored program, it ran under the privileges of the account in which the program was defined.
• This is called the … Definer Rights Model
Invoker Rights Model
• With Oracle8i, you can now decide at compilation time whether your program or package will execute in the definer's schema (the default) or the schema of the invoker of the code.
• This is called the … Invoker Rights Model
![Page 10: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/10.jpg)
Definer Rights
[Diagram: schemas Patrick and Mitchell, with the labels Code, Invoke, Ref and Relations]
![Page 11: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/11.jpg)
Invoker Rights
[Diagram: schemas Patrick and Mitchell, with the labels Code, Invoke and Relations]
![Page 12: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/12.jpg)
Invoker Rights
• Allows you to centralize access to and control of underlying data structures.
• Uses roles and doesn’t rely on directly-granted privileges.
• But it can be a source of confusion and architectural problems.
Note: Oracle built-in packages have long had the capability of running under the invoker's authority.
![Page 13: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/13.jpg)
What’s wrong with Definer Rights
• Deployment & maintenance
– Must install module in all schemas where needed
– In some databases, each user has own copy of table(s), requiring copy of stored module
• Security
– No declarative way to restrict privileges on certain modules in a package -- it's all or nothing, unless you write code in the package to essentially recreate roles programmatically.
– Difficult to audit privileges
• Sure would be nice to have a choice...and now you do!
![Page 15: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/15.jpg)
Invoker Rights
• For top level modules:
    CREATE [ OR REPLACE ] <module type>
      [ AUTHID { DEFINER | CURRENT_USER } ]
    AS ...
• For modules with separate spec and body, AUTHID goes only in spec, and must be at the package level.
– Holds true for packages and object types.
![Page 16: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/16.jpg)
Overview of Definer Rights
[Diagram: an anonymous block (begin x.foo; end;), packages x, y and z (all authid definer), and Emp tables]
![Page 17: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/17.jpg)
Overview of Invoker Rights
[Diagram: an anonymous block (begin x.foo; end;), package x (authid current_user), package y (authid definer), package z (authid current_user), and Emp tables]
![Page 18: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/18.jpg)
Overview of Invoker Rights
[Diagram, next build step: two anonymous blocks (begin x.foo; end;), package x (authid current_user), package y (authid definer), package z (authid current_user), and Emp tables]
![Page 19: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/19.jpg)
Mock objects
To compile code you still need the structure of the objects.
![Page 20: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/20.jpg)
Mock objects
[Diagram: two anonymous blocks (begin x.foo; end;) each Execute package x (authid current_user). Three tables with columns Col1, Col2, Col3, Col4: one with no rows, one holding A.val1 to A.val16, and one holding B.val1 to B.val16]
![Page 21: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/21.jpg)
![Page 22: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/22.jpg)
Definer Rights
Definer rights
Single codebase
SQL Injection
![Page 23: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/23.jpg)
Definer Rights
• Use a single codebase for multiple users
• (a bit of) Protection from SQL Injection
![Page 24: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/24.jpg)
Single codebase
User1 User2
App
![Page 25: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/25.jpg)
User1 User2
App
Mock objects
Single codebase
![Page 26: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/26.jpg)
User1 User2
App
Code
Single codebase
![Page 27: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/27.jpg)
User1 User2
App
Single codebase
![Page 28: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/28.jpg)
User1 User2
App
Application code in a central schema (with mock objects)
Single codebase
![Page 29: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/29.jpg)
User1 User2
App
Each user has its own set of tables, views and sequences
Single codebase
![Page 30: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/30.jpg)
User1 User2
App
Columns can be different in each schema
Single codebase
demo_ir.sql
![Page 31: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/31.jpg)
Advantages
• One time development
• Specific code in user schema
• (partial) Protection from SQL Injection
![Page 32: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/32.jpg)
Drawbacks
• Debugging can be hard
• Support can be hard
![Page 33: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/33.jpg)
SQL Injection
• Dynamic SQL
• Modification (drop) of objects
– You cannot drop what is not there
• Modification of records
– Will only affect current user's data
• You should always use binding instead of concatenating in Dynamic SQL Statements
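An added example, not taken from the slides or from demo_ir.sql, showing the concatenated form of a dynamic statement beside the bound form inside an invoker rights package. The central schema APP, the package EMP_API, the users USER1 and USER2 and the table EMP(ENAME, SAL) are assumptions made for illustration.

```sql
-- Added example. APP, EMP_API, USER1, USER2 and EMP(ENAME, SAL) are
-- assumed names, not objects from the original presentation.

-- Installed once, in the central schema APP.
CREATE OR REPLACE PACKAGE emp_api
  AUTHID CURRENT_USER            -- AUTHID goes in the spec only
AS
  PROCEDURE raise_sal_concat (p_ename IN VARCHAR2, p_pct IN NUMBER);
  PROCEDURE raise_sal_bound  (p_ename IN VARCHAR2, p_pct IN NUMBER);
END emp_api;
/

CREATE OR REPLACE PACKAGE BODY emp_api
AS
  -- Weak form: the caller's input becomes part of the statement text,
  -- so its content can change what the statement does.
  -- Invoker rights limits the damage (the statement runs with the caller's
  -- privileges and EMP resolves to the caller's own table) but does not
  -- remove the flaw.
  PROCEDURE raise_sal_concat (p_ename IN VARCHAR2, p_pct IN NUMBER) IS
  BEGIN
    EXECUTE IMMEDIATE
         'UPDATE emp SET sal = sal * (1 + ' || p_pct || ' / 100)'
      || ' WHERE ename = ''' || p_ename || '''';
  END raise_sal_concat;

  -- Corrected form: the statement text is a constant and the input is
  -- passed as bind values, so it is only ever treated as data.
  PROCEDURE raise_sal_bound (p_ename IN VARCHAR2, p_pct IN NUMBER) IS
  BEGIN
    EXECUTE IMMEDIATE
      'UPDATE emp SET sal = sal * (1 + :pct / 100) WHERE ename = :ename'
      USING p_pct, p_ename;
  END raise_sal_bound;
END emp_api;
/

GRANT EXECUTE ON emp_api TO user1, user2;

-- Connected as USER1, who owns a table EMP of its own:
--   BEGIN app.emp_api.raise_sal_bound('SCOTT', 10); END;
-- The unqualified name EMP in the dynamic statement is resolved at run
-- time in the invoker's schema, so only USER1.EMP is updated.
```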
![Page 34: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/34.jpg)
Rules and Restrictions
Definer Rights Model
• AUTHID DEFINER
– Uses directly granted privileges
– Default, so no need to change current code
Invoker Rights Model
• AUTHID CURRENT_USER
– Uses ROLEs
– On entire objects
– Need for ‘mock’ objects
– (at compile time it’s Definer Rights)
![Page 35: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/35.jpg)
![Page 36: Should Invoker Rights be used?](https://reader034.vdocuments.net/reader034/viewer/2022051816/546f9eefb4af9f1c0b8b460b/html5/thumbnails/36.jpg)