Fine-grained access control for data manipulation language (DML) operations on relational data

    Publication No.: US10303894B2

    Publication date: 2019-05-28

    Application No.: US15253608

    Application date: 2016-08-31

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    Capturing And Restoring Database Session State
    3.
    Invention application (status: in force)

    Publication No.: US20130232113A1

    Publication date: 2013-09-05

    Application No.: US13852986

    Application date: 2013-03-28

    Abstract: Techniques are described herein for capturing and restoring database session state. Production database server components save the session state of each of a plurality of database sessions. The components store workload units that are processed in these sessions. The components store updated session states in response to certain events. Thus, the components may capture multiple session states, pertaining to various different points in time, for each session. The captured session states and the captured workload are moved to a test database server. A user selects, from among the time points represented by the session states, a point in time at which the user would like workload replay to begin. Sessions are re-created on the test database server. Session states of these sessions are set to reflect the session states as they existed at the user-selected time point. Workload units are replayed in the sessions relative to the test database server.

    Capturing and restoring database session state
    4.
    Granted invention patent (status: in force)

    Publication No.: US09104739B2

    Publication date: 2015-08-11

    Application No.: US13852986

    Application date: 2013-03-28

    Abstract: Techniques are described herein for capturing and restoring database session state. Production database server components save the session state of each of a plurality of database sessions. The components store workload units that are processed in these sessions. The components store updated session states in response to certain events. Thus, the components may capture multiple session states, pertaining to various different points in time, for each session. The captured session states and the captured workload are moved to a test database server. A user selects, from among the time points represented by the session states, a point in time at which the user would like workload replay to begin. Sessions are re-created on the test database server. Session states of these sessions are set to reflect the session states as they existed at the user-selected time point. Workload units are replayed in the sessions relative to the test database server.

    INTEGRATING A USER'S SECURITY CONTEXT IN A DATABASE FOR ACCESS CONTROL
    5.
    Invention application (status: in force)

    Publication No.: US20150379293A1

    Publication date: 2015-12-31

    Application No.: US14315280

    Application date: 2014-06-25

    Abstract: Techniques are provided for integrating application-level user security context with a database. A session manager, in a middle tier that includes an application, obtains the security context of a user and establishes, in the database, a light-weight session (LWS) that reflects the security context. The security context is synchronized between the middle tier and database before application code execution. The database maintains an isolated copy of the LWS for the unit of application code executed as the security context. The database sends to the session manager the identifier of the copy of LWS. Before allowing a request from an application to be sent to the database, the session manager, transparent to the application, inserts an identifier that identifies the LWS. In this way, the database processes an application request in the context of the corresponding user's security context that is the same as the security context in the middle tier.

    Optimized enforcement of fine grained access control on data

    Publication No.: US10102355B2

    Publication date: 2018-10-16

    Application No.: US14313872

    Application date: 2014-06-24

    Abstract: Techniques for efficient cursor sharing to enforce fine-grained access control are provided. In one technique, the authorization context of a database statement is stored in (or in association with) a corresponding cursor. The authorization context indicates multiple authorization results, each of which indicates whether a user (or role) associated with the database statement is allowed to access a different data set of multiple data sets that the database statement targets. An authorization context of an incoming database statement may be compared to the authorization context of a cursor in a single comparison to determine whether the authorization contexts match. If so, then the cursor may be shared. In another technique, one or more normalizations are applied to a cursor predicate that is generated based on the authorization context of a database statement. The one or more normalizations may result in removing one or more predicates from the cursor predicate.

    FINE-GRAINED ACCESS CONTROL FOR DATA MANIPULATION LANGUAGE (DML) OPERATIONS ON RELATIONAL DATA

    Publication No.: US20180060603A1

    Publication date: 2018-03-01

    Application No.: US15253608

    Application date: 2016-08-31

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    OPTIMIZED ENFORCEMENT OF FINE GRAINED ACCESS CONTROL ON DATA
    8.
    Invention application (status: under examination, published)

    Publication No.: US20150371018A1

    Publication date: 2015-12-24

    Application No.: US14313872

    Application date: 2014-06-24

    Abstract: Techniques for efficient cursor sharing to enforce fine-grained access control are provided. In one technique, the authorization context of a database statement is stored in (or in association with) a corresponding cursor. The authorization context indicates multiple authorization results, each of which indicates whether a user (or role) associated with the database statement is allowed to access a different data set of multiple data sets that the database statement targets. An authorization context of an incoming database statement may be compared to the authorization context of a cursor in a single comparison to determine whether the authorization contexts match. If so, then the cursor may be shared. In another technique, one or more normalizations are applied to a cursor predicate that is generated based on the authorization context of a database statement. The one or more normalizations may result in removing one or more predicates from the cursor predicate.

    Fine-grained access control for data manipulation language (DML) operations on relational data

    Publication No.: US11386221B2

    Publication date: 2022-07-12

    Application No.: US16384283

    Application date: 2019-04-15

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    FINE-GRAINED ACCESS CONTROL FOR DATA MANIPULATION LANGUAGE (DML) OPERATIONS ON RELATIONAL DATA

    Publication No.: US20190243987A1

    Publication date: 2019-08-08

    Application No.: US16384283

    Application date: 2019-04-15

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.
