DB2 2 Security
-
8/6/2019 DB2 2 Security
1/45
IBM DB2 9
2008 IBM Corporation
Govind Sidhu
Computer Engineer
Section 2) Security
-
Section 2 - Security (11%)
Knowledge of restricting data access
Knowledge of different authorities and privileges available
Knowledge of encryption options available (data and network)
Given a DCL SQL statement, ability to identify results (GRANT, REVOKE, CONNECT statements)
-
Aspects of database security
A database security plan should define:
- Who is allowed access to the instance and/or database
- Where and how a user's password is verified
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter, and/or drop
-
Security - Authentication, Authorities and Privileges
DB2 authentication controls the following aspects:
- Who is allowed access to the instance and/or DB
- Where and how a user's password will be verified
DB2 authorities control the following aspects of a database security plan:
- What authority level a user is granted
- What commands a user is allowed to run
- What data a user is allowed to read and/or alter
- What database objects a user is allowed to create, alter and/or drop
A privilege is the right to create or access a database object.
- Database-level privileges span all objects within the database
- Object-level privileges are associated with a specific object
-
Basic Client-Gateway-Host configuration
[Diagram: DB2 clients (Windows, AIX, Linux) connect through a DB2 server or DB2 Connect Server (gateway) to DB2 on the host]
-
Security - Authentication
Verify the user's identity: DB2 passes all user IDs and passwords to the operating system or an external security facility for verification.
Set the authentication parameter at both the DB2 server and the client to control where authentication takes place:
- At the DB2 server, the authentication type is defined in the database manager configuration file (DBM CFG):
db2 "GET DBM CFG"
db2 "UPDATE DBM CFG USING AUTHENTICATION CLIENT"
- At the DB2 client, the authentication type is specified when cataloging a database:
db2 "CATALOG DATABASE sample AT NODE mynode AUTHENTICATION SERVER"
-
Authentication Types
Where does authentication take place?
1. SERVER: Authentication occurs at the server workstation, using the security facility provided by the server's operating system. By default, this is the authentication type used when an instance is first created.
2. SERVER_ENCRYPT: Same as SERVER, except that the user credentials are encrypted at the client workstation before they are sent to the server workstation for validation.
3. CLIENT: Authentication occurs at the client workstation, using the security facility provided by the client's operating system.
4. KERBEROS: Authentication occurs at the server workstation, using a security facility that supports the Kerberos security protocol. Supported only on clients and servers that are using the Windows 2000, Windows XP, or Windows .NET operating system.
5. KRB_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the KERBEROS or the SERVER_ENCRYPT authentication method. If the Kerberos authentication service is unavailable, the server acts as if SERVER_ENCRYPT was specified.
6. DATA_ENCRYPT: Same as the SERVER_ENCRYPT authentication method. In addition, all user data is encrypted before it is passed from client to server and from server to client.
7. DATA_ENCRYPT_CMP: Same as the DATA_ENCRYPT authentication method. In addition, this authentication type provides compatibility for down-level products that do not support the DATA_ENCRYPT authentication type.
8. GSSPLUGIN: Authentication occurs at the server workstation, using a Generic Security Service Application Program Interface (GSS-API) plug-in. If the client's authentication type is not specified, the server returns a list of server-supported plug-ins to the client. If the client supports none of them, the KERBEROS method is used.
9. GSS_SERVER_ENCRYPT: Authentication occurs at the server workstation, using either the GSSPLUGIN or the SERVER_ENCRYPT authentication method. If the client does not support any of the plug-ins found in the server-supported plug-in list, the client tries the KERBEROS method; if it does not support that either, it uses the SERVER_ENCRYPT method.
-
Trusted Clients versus Untrusted Clients
Clients that use an operating system that contains a tightly integrated security facility (for example, Windows NT, Windows 2000, all supported versions of UNIX, MVS, OS/390, VM, VSE, and AS/400) are classified as trusted clients.
Clients that use an operating system that does not provide an integrated security facility (for example, Windows 95, Windows 98, and Windows Millennium Edition) are treated as untrusted clients.
Whenever an untrusted client attempts to access an instance or a database, user authentication always takes place at the server. If the trust_allclnts configuration parameter is set to DRDAONLY, only MVS, OS/390, VM, VSE, and OS/400 clients will be treated as trusted clients.
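As an added example (not from the slides), a DB2 CLP script that replaces the AUTHENTICATION CLIENT setting shown earlier with server-side verification of encrypted credentials and limits client trust, then the matching client-side catalog entry; the node name MYNODE and database SAMPLE are assumptions. Run each part with db2 -tvf on the respective machine.

```sql
-- Server side (run as the instance owner: db2 -tvf harden_auth.db2)

-- Weak setting from the slide: with AUTHENTICATION CLIENT the server
-- believes whatever a trusted client OS says about the user, so the
-- password is never checked by the server itself.
-- UPDATE DBM CFG USING AUTHENTICATION CLIENT;

-- Hardened: verify the user ID and password at the server, and encrypt
-- both before they leave the client. DATA_ENCRYPT would additionally
-- encrypt the data stream in both directions.
UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT;

-- Limit how much a CLIENT setting would ever trust: untrusted clients,
-- and trusted clients that supply a user ID and password, authenticate
-- at the server.
UPDATE DBM CFG USING TRUST_ALLCLNTS NO;
UPDATE DBM CFG USING TRUST_CLNTAUTH SERVER;

-- Authentication parameters take effect only after an instance restart.
STOP DATABASE MANAGER;
START DATABASE MANAGER;

-- Verify: the output should contain
--   Database manager authentication (AUTHENTICATION) = SERVER_ENCRYPT
GET DBM CFG;

-- Client side (assumed node MYNODE, database SAMPLE). Catalog the database
-- with SERVER_ENCRYPT explicitly so the client encrypts the user ID and
-- password before sending them, rather than relying on negotiation.
UNCATALOG DATABASE SAMPLE;
CATALOG DATABASE SAMPLE AT NODE MYNODE AUTHENTICATION SERVER_ENCRYPT;
```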
-
Authorities
-
System Administrator (SYSADM) authority
Highest level of administrative authority available.
Only SYSADM is allowed to perform these tasks:
- Migrate a database from a previous version to DB2 Ver 9.
- Modify the parameter values of the DBM CFG file associated with an instance, including specifying which groups have SYSDBA, SYSCTRL, SYSMAINT, and SYSMON authority.
- Give (grant) / revoke DBADM and SECADM authority to individual users and/or groups.
Ex. Granting SYSADM authority to the group grp1:
db2 "UPDATE DBM CFG USING SYSADM_GROUP grp1"
-
System Control (SYSCTRL) authority
SYSCTRL users can perform all administrative and maintenance commands within the instance.
Some tasks that only SYSCTRL & SYSADM can do:
- Force users off the system.
- Create or destroy (drop) a database.
- Create, alter, or drop a table space.
SYSCTRL users cannot access any data within the databases unless they are granted the privileges.
A SYSADM user can assign SYSCTRL to a group by:
db2 "UPDATE DBM CFG USING SYSCTRL_GROUP grp2"
-
System Maintenance (SYSMAINT) authority
SYSMAINT users can issue the subset of commands allowed for SYSCTRL authority that are considered maintenance related, like:
- db2start/db2stop
- db2 backup/restore/rollforward database
- db2 runstats (against any table)
- db2 update db cfg for database dbname
Users with SYSMAINT cannot create or drop databases or tablespaces, and cannot access any data within the databases.
A SYSADM user can assign SYSMAINT to a group by:
db2 "UPDATE DBM CFG USING SYSMAINT_GROUP grp3"
-
Database Administrator (DBADM) authority
DBADM is a database-level authority and can be assigned by SYSADM to both users and groups.
- grant dbadm on database to user user1
- grant dbadm on database to group group1
DBADM users have almost complete control over the database but cannot perform maintenance or administrative tasks such as:
- drop database
- drop/create tablespace
- backup/restore database
- update db cfg for database
Can perform:
- create/drop table
- grant/revoke (any privilege)
-
Load (LOAD) authority
LOAD authority is also considered a database-level authority, and can therefore be granted to both users and groups.
LOAD authority allows users:
- To issue the LOAD command against a table. The LOAD command is typically used as a faster alternative to the insert or import commands when populating a table with large amounts of data.
- Specific privileges on the table may also be required.
Users with either SYSADM or DBADM authority can grant or revoke LOAD authority to users or groups.
-
System Monitoring (SYSMON) authority allows a user to take system monitor snapshots for an instance and/or for one or more databases that fall under that instance's control.
It is designed to allow special users to monitor the performance of a database that contains sensitive data that they most likely do not have the right to view or modify.
Security Administrator (SECADM) authority allows special users to configure various label-based access control (LBAC) elements (rules, labels and policies) to restrict access to one or more tables that contain data to which they most likely do not have access themselves.
No other authority provides a user with these abilities, including SYSADM.
-
Privileges
-
Database Privileges
CONNECT: Users can connect to the database.
QUIESCE_CONNECT: Users can access a database while it is in a quiesced state.
IMPLICIT_SCHEMA: Users can implicitly create schemas within the database without using the CREATE SCHEMA command.
CREATETAB: Users can create tables within the database.
BINDADD: Users can create packages in the database using the BIND command.
CREATE_EXTERNAL_ROUTINE: Users can create a procedure for use by applications and other users of the database.
CREATE_NOT_FENCED: Users can create unfenced user-defined functions (UDFs).
LOAD: Users can load data into a table.
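As an added example (not from the slides), a DB2 CLP script that audits who holds the database-level authorities and privileges listed above, using the SYSCAT.DBAUTH catalog view, and then moves the creation privileges that CREATE DATABASE gives PUBLIC by default to a named group; the database SAMPLE and the OS group DEVGRP are assumptions.

```sql
-- Added audit script (not from the slides): db2 -tvf audit_dbauth.db2
CONNECT TO SAMPLE;

-- 1) Holders of the powerful database-level authorities. DBADM and SECADM
--    should be a short, known list; LOAD writes data without firing triggers.
SELECT GRANTEE, GRANTEETYPE, DBADMAUTH, SECURITYADMAUTH, LOADAUTH
  FROM SYSCAT.DBAUTH
 WHERE DBADMAUTH = 'Y' OR SECURITYADMAUTH = 'Y' OR LOADAUTH = 'Y';

-- 2) What every connected user gets via PUBLIC. CREATE DATABASE grants
--    CONNECT, CREATETAB, BINDADD and IMPLICIT_SCHEMA to PUBLIC by default,
--    so anyone who can connect can also create tables, packages and schemas.
SELECT CONNECTAUTH, CREATETABAUTH, BINDADDAUTH, IMPLSCHEMAAUTH,
       NOFENCEAUTH, EXTERNALROUTINEAUTH, QUIESCECONNECTAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

-- 3) Remediate: move the creation privileges from PUBLIC to a named group
--    (DEVGRP is an assumed OS group). Requires SYSADM or DBADM.
REVOKE CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC;
GRANT CREATETAB, BINDADD, IMPLICIT_SCHEMA ON DATABASE TO GROUP DEVGRP;

-- 4) Re-check PUBLIC: every column except CONNECTAUTH should now be 'N'.
--    NOFENCEAUTH (CREATE_NOT_FENCED) deserves special attention: an
--    unfenced routine runs inside the engine process, so a bug in it can
--    crash or read the whole database manager.
SELECT GRANTEE, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH,
       IMPLSCHEMAAUTH, NOFENCEAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';

CONNECT RESET;
```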
-
USE allows a user to create tables and indexes in the table space. The owner of a table space automatically receives USE privilege for that table space. The USE privilege cannot be used for the SYSCATSPACE table space or any temporary table space that might exist.
CREATEIN allows users to create objects within the schema.
ALTERIN allows users to modify definitions of objects within the schema.
DROPIN allows users to drop objects within the schema.
-
Privileges - Tables & Views
-
Privileges on other objects
-
Some Examples
CONNECT TO sample USER Jane USING password
GRANT SELECT ON TABLE inventory TO john_doe WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE ON deptview TO USER user1, USER user2
GRANT REFERENCES (empid) ON TABLE employee TO USER user1, GROUP group1
GRANT ALL ON TABLE payroll.employee TO PUBLIC
GRANT UPDATE (address, home_phone) ON TABLE emp_info TO PUBLIC
REVOKE ALL ON TABLE department FROM user1, PUBLIC [Inaccessible views]
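The GRANT ALL ON TABLE payroll.employee TO PUBLIC statement above gives every user of the database read and write access to payroll data. As an added example (not from the slides), the following DB2 CLP script undoes it, exposes only the non-sensitive columns through a view, and checks the catalog afterwards; the column names, the database SAMPLE and the group HRGRP are assumptions.

```sql
-- Added remediation script (not from the slides): db2 -tvf payroll_view.db2
CONNECT TO SAMPLE;

-- Undo the broad grant. PUBLIC loses SELECT/INSERT/UPDATE/DELETE/ALTER/
-- INDEX/REFERENCES on the base table; CONTROL is not part of ALL and
-- stays with the table owner.
REVOKE ALL ON TABLE PAYROLL.EMPLOYEE FROM PUBLIC;

-- Expose only directory columns through a view (assumed column names).
-- Whoever creates the view needs SELECT on PAYROLL.EMPLOYEE, and to grant
-- SELECT on the view onwards needs that SELECT WITH GRANT OPTION or CONTROL.
CREATE VIEW PAYROLL.EMPLOYEE_DIR (EMPNO, LASTNAME, WORKDEPT) AS
  SELECT EMPNO, LASTNAME, WORKDEPT FROM PAYROLL.EMPLOYEE;
GRANT SELECT ON PAYROLL.EMPLOYEE_DIR TO PUBLIC;

-- Salary data: readable by HR only, and updatable only in the SALARY column.
-- No WITH GRANT OPTION, so HR cannot pass the privilege on.
GRANT SELECT, UPDATE (SALARY) ON TABLE PAYROLL.EMPLOYEE TO GROUP HRGRP;

-- Verify table-level privileges: 'Y' = held, 'G' = held with grant option.
-- A 'G' on the base table for anyone but the owner would need explaining.
SELECT GRANTEE, GRANTEETYPE, TABNAME,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, CONTROLAUTH
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'PAYROLL' AND TABNAME IN ('EMPLOYEE', 'EMPLOYEE_DIR');

-- Column-level privileges live in a separate catalog view
-- (PRIVTYPE 'U' = update, 'R' = references); expect one row: SALARY / HRGRP.
SELECT GRANTEE, GRANTEETYPE, COLNAME, PRIVTYPE, GRANTABLE
  FROM SYSCAT.COLAUTH
 WHERE TABSCHEMA = 'PAYROLL' AND TABNAME = 'EMPLOYEE';

CONNECT RESET;
```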
-
Label-Based Access Control (LBAC)
Provides the DBA with the ability to restrict read / write privileges at the row or column level of a table.
LBAC is set up by the security administrator by creating security policies. Each table may only be subscribed to one security policy, but the system may have as many security policies as you'd like.
To set up LBAC security to enable business rules:
- Define the security policies and labels and grant the security labels to the users
- Modify the table to include the security label column and attach the security policy to it
-
LBAC query
Sample EMP data (ID, SALARY):
ID   SALARY
255  60000
100  50000
50   70000
50   45000
60   30000
250  56000
102  82000
100  54000
75   33000
253  46000
90   83000
200  78000
105  45000
SELECT * FROM EMP WHERE SALARY >= 50000
User level = 100
With no LBAC user level imposed, users can view all rows that meet the SALARY >= 50000 qualifier (shown in red).
Users with user level 100 can view the rows with ID = 50000 (indicated in green).
-
Example implementation of LBAC
Steps overview:
1. Define the security policies and labels
a. Define the security label component
b. Define the security policy
c. Define the security labels
2. Create the protected SALES table by including a column
that holds the security label and attaching the security policy
to the table.
3. Grant the appropriate security labels to users.
Requires SECADM authority to execute commands for
creating security policies and labels.
-
Step 1. Create the security label component
CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
  'HR_EXECUTIVE' ROOT,
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'A00' UNDER 'HR_EXECUTIVE',
  'B01' UNDER 'HR_EXECUTIVE',
  'C01' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',
  'D21' UNDER 'HR_EXECUTIVE',
  'E01' UNDER 'HR_EXECUTIVE',
  'E11' UNDER 'HR_EXECUTIVE',
  'E21' UNDER 'MAN_D11_E21')
-
Step 4. Grant rights based on labels
db2 grant security label J_DEPT_POLICY.A00 to user Frank for read access
db2 grant security label J_DEPT_POLICY.MANAGE_D11_E21 to user Joe for all access
db2 grant security label J_DEPT_POLICY.EXECUTIVE to user Jane for all access
-
Step 5. Modify the EMP table
When modifying the EMP table, you must create an extra column to store the security label. This column is of type DB2SECURITYLABEL.
ALTER TABLE EMP ADD COLUMN DEPT_TAG DB2SECURITYLABEL ADD SECURITY POLICY J_DEPT_POLICY
After the alter, run by a user defined at the EXECUTIVE level, all the security tags will have been added as EXECUTIVE. To change this, you need to update them:
update emp set DEPT_TAG = (SECLABEL_BY_NAME('J_DEPT_POLICY','E11')) where WORKDEPT='E11'
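As an added example (not from the slides), the whole LBAC set-up for EMP as one DB2 CLP script, including the security policy and label definitions that the slides skip between step 1 and step 4. The DB2LBACRULES policy clause, the E11 label, the user names and the ordering (labels granted before the table is altered) are assumptions; the policy and label statements must be run by a user with SECADM authority, and the ALTER and UPDATE statements by JANE, who is assumed to own EMP.

```sql
-- Added example (not from the slides): db2 -tvf lbac_emp.db2
-- Step 1a. Tree component (as on the slide). Each element must name a parent
-- that is already defined, so MAN_D11_E21 comes before D11 and E21.
CREATE SECURITY LABEL COMPONENT J_DEPT TREE (
  'HR_EXECUTIVE' ROOT,
  'MAN_D11_E21' UNDER 'HR_EXECUTIVE',
  'A00' UNDER 'HR_EXECUTIVE',  'B01' UNDER 'HR_EXECUTIVE',
  'C01' UNDER 'HR_EXECUTIVE',  'D21' UNDER 'HR_EXECUTIVE',
  'E01' UNDER 'HR_EXECUTIVE',  'E11' UNDER 'HR_EXECUTIVE',
  'D11' UNDER 'MAN_D11_E21',   'E21' UNDER 'MAN_D11_E21');

-- Step 1b. Policy (assumed clause): the built-in DB2LBACRULES rule set, and
-- a write to a row the user may not write is rejected rather than relabelled.
CREATE SECURITY POLICY J_DEPT_POLICY COMPONENTS J_DEPT
  WITH DB2LBACRULES RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

-- Step 1c. Labels. For a TREE component a label covers its own element and
-- everything below it: EXECUTIVE reads every department, MANAGE_D11_E21
-- only D11 and E21, A00 only itself.
CREATE SECURITY LABEL J_DEPT_POLICY.EXECUTIVE      COMPONENT J_DEPT 'HR_EXECUTIVE';
CREATE SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21 COMPONENT J_DEPT 'MAN_D11_E21';
CREATE SECURITY LABEL J_DEPT_POLICY.A00            COMPONENT J_DEPT 'A00';
CREATE SECURITY LABEL J_DEPT_POLICY.E11            COMPONENT J_DEPT 'E11';

-- Step 2. Grant labels before protecting the table: the ALTER below stamps
-- every existing row with the write label of the user who runs it, so that
-- user (JANE here) must already hold EXECUTIVE for write access.
GRANT SECURITY LABEL J_DEPT_POLICY.EXECUTIVE      TO USER JANE  FOR ALL ACCESS;
GRANT SECURITY LABEL J_DEPT_POLICY.MANAGE_D11_E21 TO USER JOE   FOR ALL ACCESS;
GRANT SECURITY LABEL J_DEPT_POLICY.A00            TO USER FRANK FOR READ ACCESS;

-- Step 3 (as JANE). Protect the table: label column plus policy.
ALTER TABLE EMP ADD COLUMN DEPT_TAG DB2SECURITYLABEL
                ADD SECURITY POLICY J_DEPT_POLICY;

-- Step 4 (as JANE). Relabel rows by department; JANE may write all rows.
UPDATE EMP SET DEPT_TAG = SECLABEL_BY_NAME('J_DEPT_POLICY', 'E11')
 WHERE WORKDEPT = 'E11';
UPDATE EMP SET DEPT_TAG = SECLABEL_BY_NAME('J_DEPT_POLICY', 'A00')
 WHERE WORKDEPT = 'A00';

-- Check. Rows a user may not read are filtered silently, with no error, so
-- compare counts per user: FRANK sees only A00 rows, JOE sees nothing until
-- D11/E21 rows are relabelled, JANE sees every row.
SELECT WORKDEPT, COUNT(*) FROM EMP GROUP BY WORKDEPT;
```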
-
1) Which of the following is NOT a valid method of authentication that can be used by DB2 9?
A. SERVER
B. SERVER_ENCRYPT
C. CLIENT
D. DCS
-
2) In a client-server environment, which two of the following can be used to verify passwords?
A. System Catalog
B. User ID/password file
C. Client Operating System
D. Communications layer
E. Application Server
-
3) A table named DEPARTMENT has the following columns:
- DEPT_ID
- DEPT_NAME
- MANAGER
- AVG_SALARY
Which of the following is the best way to prevent most users from viewing AVG_SALARY data?
A. Encrypt the table's data
B. Create a view that does not contain the AVG_SALARY column
C. Revoke SELECT access for the AVG_SALARY column from users who should not see AVG_SALARY data
D. Store AVG_SALARY data in a separate table and grant SELECT privilege for that table to the appropriate users
-
4) Assuming USER1 has no authorities or privileges, which of the following will allow USER1 to create a view named VIEW1 that references two tables named TAB1 and TAB2?
A. CREATEIN privilege on the database
B. REFERENCES privilege on TAB1 and TAB2
C. CREATE_TAB privilege on the database
D. SELECT privilege on TAB1 and TAB2
-
5) On which two of the following database objects may the SELECT privilege be controlled?
A. Sequence
B. Nickname
C. Schema
D. View
E. Index
-
6) After the following SQL statement is executed:
GRANT ALL PRIVILEGES ON TABLE employee TO USER user1
Assuming user USER1 has no other authorities or privileges, which of the following actions is USER1 allowed to perform?
A. Drop an index on the EMPLOYEE table
B. Grant all privileges on the EMPLOYEE table to other users
C. Alter the table definition
D. Drop the EMPLOYEE table
-
7) A user wishing to invoke an SQL stored procedure that queries a table must have which of the following privileges?
A. CALL privilege on the procedure; SELECT privilege on the table
B. CALL privilege on the procedure; REFERENCES privilege on the table
C. EXECUTE privilege on the procedure; SELECT privilege on the table
D. EXECUTE privilege on the procedure; REFERENCES privilege on the table
-
8) User USER1 wants to utilize an alias to remove rows from a table. Assuming USER1 has no authorities or privileges, which of the following privileges are needed?
A. DELETE privilege on the table
B. DELETE privilege on the alias
C. DELETE privilege on the alias; REFERENCES privilege on the table
D. REFERENCES privilege on the alias; DELETE privilege on the table
-
9) Which of the following statements allows user USER1 to take the ability to create packages in a database named SAMPLE away from user USER2?
A. REVOKE CONNECT ON DATABASE FROM user2
B. REVOKE CREATETAB ON DATABASE FROM user2
C. REVOKE BIND ON DATABASE FROM user2
D. REVOKE BINDADD ON DATABASE FROM user2
-
10) Which of the following will allow user USER1 to change the comment associated with a table named TABLE1?
A. GRANT UPDATE ON TABLE table1 TO user1
B. GRANT CONTROL ON TABLE table1 TO user1
C. GRANT ALTER ON TABLE table1 TO user1
D. GRANT REFERENCES ON TABLE table1 TO user1
-
Thank You