MINI MINI MANI MO
Rem
Rem $Header: sdo/admin/sdordfsa.sql /main/17 2017/07/10 11:24:16 sravada Exp $
Rem
Rem sdordfsa.sql
Rem
Rem Copyright (c) 2008, 2017, Oracle and/or its affiliates.
Rem All rights reserved.
Rem
Rem NAME
Rem sdordfsa.sql - <one-line expansion of the name>
Rem
Rem DESCRIPTION
Rem <short description of component this file declares/defines>
Rem
Rem NOTES
Rem <other useful comments, qualifications, etc.>
Rem
Rem BEGIN SQL_FILE_METADATA
Rem SQL_SOURCE_FILE: sdo/admin/sdordfsa.sql
Rem SQL_SHIPPED_FILE: md/admin/sdordfsa.sql
Rem SQL_PHASE: SDORDFSA
Rem SQL_STARTUP_MODE: NORMAL
Rem SQL_IGNORABLE_ERRORS: NONE
Rem SQL_CALLING_FILE: sdo/admin/semrelod.sql
Rem END SQL_FILE_METADATA
Rem
Rem MODIFIED (MM/DD/YY)
Rem sravada 07/06/17 - move privs to mdprivs
Rem rjanders 03/23/17 - #25437999: Remove 'when others then NULL'
Rem handlers
Rem rjanders 03/09/17 - Add missing SQL_FILE_METADATA information
Rem sravada 01/11/17 - bug 25370681
Rem matperry 01/11/16 - do not set RDFVPD to installed in RDF_PARAMETER
Rem rjanders 03/15/13 - #16473696: Start/End _ORACLE_SCRIPT
Rem initialization
Rem matperry 06/27/12 - refactor: eliminate duplicate creation of
Rem rdfsa_resource and rdfsa_labelgen types,
Rem keeping the definition in sdordfty.sql
Rem matperry 06/22/12 - wrap type creation with execute immediate to be
Rem more upgrade friendly
Rem alwu 05/29/12 - add a wrapper function for sa_session.privs
Rem sdas 02/01/11 - SDO version check should look for 11 or higher
Rem sdas 11/22/10 - XbranchMerge sdas_ng_11.2.0.2.0_11.2.0.3.0 from
Rem st_sdo_11.2.0
Rem sdas 11/22/10 - XbranchMerge sdas_ng_11.2.0.2.0 from
Rem vkolovsk 08/19/10 - refactoring
Rem vkolovsk 08/16/10 - add VPD support in triple level OLS
Rem vkolovsk 07/29/10 - XbranchMerge
Rem vkolovsk_rdf_ols_set_triple_label_11.2.0.2.0 from
Rem st_sdo_11.2.0
Rem vkolovsk 06/03/10 - zhe code review
Rem vkolovsk 05/26/10 - add MIN_LABEL query option
Rem vkolovsk 05/24/10 - added sem_ols packages (triple level security)
Rem vkolovsk 05/12/10 - add an option for TRIPLE_LEVEL_ONLY
Rem vkolovsk 05/04/10 - XbranchMerge vkolovsk_rdf_ols_set_triple_label
Rem from main
Rem matperry 05/26/09 - remove WHENEVER SQLERROR EXIT
Rem ayalaman 01/28/09 - dml with rdf vpd
Rem ayalaman 01/05/09 - capture install status in parameter table
Rem ayalaman 12/21/08 - move rdf_resource to sdordfty.sql
Rem ayalaman 09/17/08 - vpd for rdf data
Rem sdas 07/28/08 - RDF OLS
Rem sdas 07/28/08 - Created
Rem
Rem ********************************************************************
Rem #16473696: Indicate Oracle-Supplied object
@@?/rdbms/admin/sqlsessstart.sql
Rem ********************************************************************
--
-- Best practices:
-- - The meta tags should have sensitivity labels that can only
-- be read/written by an Application developer.
--
--WHENEVER SQLERROR EXIT;
declare
rc NUMBER;
version VARCHAR2(100);
ver_num NUMBER;
begin
select count(*) into rc from SYS.all_objects where owner = 'MDSYS' and
object_name = 'SDO_RDF';
version := dbms_registry.version('SDO');
ver_num := to_number(substr(version,1,instr(version,'.')-1));
if (ver_num < 11 or rc = 0) then
raise_application_error(-20000, 'RDF Component not installed:'||
'RDF Component for 11.1 or above must be installed.');
end if;
end;
/
-- additional privileges to MDSYS --
-- to gather information about policies associated with MDSYS tables --
-- Let the RDFSA package installation go through even if OLS is not
-- installed. --
create or replace procedure mdsys.rdf$grant_ols_privs authid current_user is
begin
execute immediate 'grant select on lbacsys.DBA_SA_TABLE_POLICIES to mdsys';
execute immediate 'grant select on lbacsys.DBA_SA_LABELS to mdsys';
execute immediate 'grant select on lbacsys.DBA_SA_GROUPS to mdsys';
execute immediate 'grant select on lbacsys.DBA_SA_LEVELS to mdsys';
execute immediate 'grant select on lbacsys.DBA_SA_COMPARTMENTS to mdsys';
execute immediate 'grant execute on lbacsys.NUMERIC_DOMINATES to mdsys';
end;
/
begin
if (dbms_registry.version('OLS') = 'VALID') then
mdsys.rdf$grant_ols_privs;
end if;
end;
/
alter session set current_schema = MDSYS;
--alter session set Plsql_CCFlags = ' Tracing:true';
WHENEVER SQLERROR CONTINUE;
grant execute on mdsys.rdfsa_resource to public;
create or replace public synonym rdfsa_resource for mdsys.rdfsa_resource;
grant execute on mdsys.int_array to public;
--grant execute on mdsys.rdfsa_labelgen to public;
--grant under on mdsys.rdfsa_labelgen to public;
create or replace package sem_rdfsa_const authid current_user is
--- secure options passed to APPLY_OLS_POLICY API --
--
SECURE_SUBJECT CONSTANT SIMPLE_INTEGER := 1;
SECURE_PREDICATE CONSTANT SIMPLE_INTEGER := 2;
SECURE_OBJECT CONSTANT SIMPLE_INTEGER := 4;
--
--- Additional options for OLS enable RDF data --
--
-- DEFINE_BEFORE_USE: subject or predicate, when secured should be
-- pre-defined with a label (set_resource_label/set_predicate_label)
-- before they can be used in a triple -
OPT_DEFINE_BEFORE_USE CONSTANT SIMPLE_INTEGER := 16;
-- RELAX_TRIPLE_LABEL: The default behavior is that the Triple's label
-- dominates the labels associated with each of its components.
-- With this option, a triple label is set to user's initial row
-- label and the only check performed at the time of triple insertion
-- is that the user has READ access to its components.
OPT_RELAX_TRIPLE_LABEL CONSTANT SIMPLE_INTEGER := 32;
--Added by Vlad
TRIPLE_LEVEL_ONLY CONSTANT SIMPLE_INTEGER := 64;
--
--- Resource options for Inference Label Generators
--
USE_SUBJECT_LABEL CONSTANT SIMPLE_INTEGER := 128;
USE_PREDICATE_LABEL CONSTANT SIMPLE_INTEGER := 512;
USE_OBJECT_LABEL CONSTANT SIMPLE_INTEGER := 1024;
USE_RULE_LABEL CONSTANT SIMPLE_INTEGER := 2048;
USE_DOMINATING_LABEL CONSTANT SIMPLE_INTEGER := 4096;
USE_ANTECED_LABELS CONSTANT SIMPLE_INTEGER := 8192;
CUSTOM_LABELGEN CONSTANT SIMPLE_INTEGER := 16384;
--
--- Predefined label generators for inference. To be used with
--- create_entailment API.
--
LABELGEN_SUBJECT CONSTANT mdsys.rdfsa_labelgen :=
mdsys.rdfsa_labelgen(USE_SUBJECT_LABEL);
LABELGEN_PREDICATE CONSTANT mdsys.rdfsa_labelgen :=
mdsys.rdfsa_labelgen(USE_PREDICATE_LABEL);
LABELGEN_OBJECT CONSTANT mdsys.rdfsa_labelgen :=
mdsys.rdfsa_labelgen(USE_OBJECT_LABEL);
LABELGEN_RULE CONSTANT mdsys.rdfsa_labelgen :=
mdsys.rdfsa_labelgen(USE_RULE_LABEL);
LABELGEN_DOMINATING CONSTANT mdsys.rdfsa_labelgen :=
mdsys.rdfsa_labelgen(USE_DOMINATING_LABEL);
VPD_FULL_ACCESS CONSTANT VARCHAR2(32) := 'RDFVPD$FULLACCESS';
end sem_rdfsa_const;
/
show errors;
/*****************************************************************************/
/*** DBMS_RDFSA : Package for enabling fine-grained security for RDF ***/
/*****************************************************************************/
create or replace package sem_rdfsa authid current_user is
--
--- secure options passed to APPLY_OLS_POLICY API --
--
SECURE_SUBJECT CONSTANT SIMPLE_INTEGER := sem_rdfsa_const.SECURE_SUBJECT;
SECURE_PREDICATE CONSTANT SIMPLE_INTEGER := sem_rdfsa_const.SECURE_PREDICATE;
SECURE_OBJECT CONSTANT SIMPLE_INTEGER := sem_rdfsa_const.SECURE_OBJECT;
--
--- Additional options for OLS enable RDF data --
--
-- DEFINE_BEFORE_USE: subject or predicate, when secured should be
-- pre-defined with a label (set_resource_label/set_predicate_label)
-- before they can be used in a triple -
OPT_DEFINE_BEFORE_USE CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.OPT_DEFINE_BEFORE_USE;
-- RELAX_TRIPLE_LABEL: The default behavior is that the Triple's label
-- dominates the labels associated with each of its components.
-- With this option, a triple label is set to user's initial row
-- label and the only check performed at the time of triple insertion
-- is that the user has READ access to its components.
OPT_RELAX_TRIPLE_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.OPT_RELAX_TRIPLE_LABEL;
--Added by Vlad
TRIPLE_LEVEL_ONLY CONSTANT SIMPLE_INTEGER := sem_rdfsa_const.TRIPLE_LEVEL_ONLY;
--
--- Resource options for Inference Label Generators
--
USE_SUBJECT_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_SUBJECT_LABEL;
USE_PREDICATE_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_PREDICATE_LABEL;
USE_OBJECT_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_OBJECT_LABEL;
USE_RULE_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_RULE_LABEL;
USE_DOMINATING_LABEL CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_DOMINATING_LABEL;
USE_ANTECED_LABELS CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.USE_ANTECED_LABELS;
CUSTOM_LABELGEN CONSTANT SIMPLE_INTEGER :=
sem_rdfsa_const.CUSTOM_LABELGEN;
--
--- Predefined label generators for inference. To be used with
--- create_entailment API.
--
LABELGEN_SUBJECT CONSTANT mdsys.rdfsa_labelgen :=
sem_rdfsa_const.LABELGEN_SUBJECT;
LABELGEN_PREDICATE CONSTANT mdsys.rdfsa_labelgen :=
sem_rdfsa_const.LABELGEN_PREDICATE;
LABELGEN_OBJECT CONSTANT mdsys.rdfsa_labelgen :=
sem_rdfsa_const.LABELGEN_OBJECT;
LABELGEN_RULE CONSTANT mdsys.rdfsa_labelgen :=
sem_rdfsa_const.LABELGEN_RULE;
LABELGEN_DOMINATING CONSTANT mdsys.rdfsa_labelgen :=
sem_rdfsa_const.LABELGEN_DOMINATING;
VPD_FULL_ACCESS CONSTANT VARCHAR2(32) := sem_rdfsa_const.VPD_FULL_ACCESS;
function local_sa_session_privs(POLICY_NAME in varchar2) return varchar2;
--
--- APPLY_OLS_POLICY : Apply OLS policy for RDF data.
--- See SA_POLICY_ADMIN.APPLY_TABLE_POLICY for details.
--
procedure apply_ols_policy (
policy_name VARCHAR2,
rdfsa_options NUMBER default sem_rdfsa_const.SECURE_SUBJECT,
table_options VARCHAR2 default 'ALL_CONTROL',
label_function VARCHAR2 default null,
predicate VARCHAR2 default null);
--
--- REMOVE_OLS_POLICY : Remove the OLS policy for RDF data
--- Only a security administrator can execute this command.
--
procedure remove_ols_policy;
--
--- DISABLE_OLS_POLICY : Disable OLS policy for RDF data.
--- set_resource_label/set_predicate_label can still be used to set labels
--- for specific tags.
--- Only a security administrator can execute this command.
--
procedure disable_ols_policy;
--
--- ENABLE_OLS_POLICY : Enable OLS policy after disabling.
--- Only a security administrator can execute this command.
--
procedure enable_ols_policy;
--
--- RESET_MODEL_LABELS : Reset the labels for all triples in a model.
--- Only the user with FULL access on the OLS policy can execute this
--- command. The model must be empty (of triples) for this operation
--- to succeed.
--
procedure reset_model_labels (
model_name VARCHAR2);
--
--- SET_RESOURCE_LABEL : Set a label for a resource (URI) which may
--- be used as a Subject or an Object. The resource position is
--- defaulted to 'S' (Subject) and 'S,O' may be specified to secure
--- the resource in the Object position as well.
--- Model Name RDF$GLOBAL can be used to set the label for a resource
--- across models.
--
procedure set_resource_label (
model_name VARCHAR2,
resource_uri VARCHAR2,
label_string VARCHAR2,
resource_pos VARCHAR2 default 'S');
--
--- SET_PREDICATE_LABEL : Set a label for predicate in a specific
--- model or across all models (RDF$GLOBAL) in the instance.
---
procedure set_predicate_label (
model_name VARCHAR2,
predicate VARCHAR2,
label_string VARCHAR2);
--- SET_RDFS_LABEL : The RDFS Vocabulary elements such as Class,
--- subPropertyOf, may be assigned a specfic label to restrict
--- the users from creating new classes and properties. The
--- inference override label is used by the label generator to
--- determine the appropriate labels for the inferred triples.
---
procedure set_rdfs_label (
label_string VARCHAR2,
inf_override VARCHAR2 default null);
--
--- SET_RULE_LABEL : Set label for rule. The rule's label
--- can be used as the default label for the triples inferred
--- by this rule. (PARTIAL SUPPORT with RDFs rules and no
--- support for User defined rules)
--
procedure set_rule_label (
rule_base VARCHAR2,
rule_name VARCHAR2,
label_string VARCHAR2);
-- VPD interfaces ---
-- The VPD policy will be implicitly created in the current
-- schema. An RDF VPD policy may be used to enforce constraints
-- on one or more RDF models.
procedure create_vpd_policy (
policy_name VARCHAR2,
namespace_map RDF_ALIASES default null,
policy_context VARCHAR2 default null,
flag in NUMBER default null);
-- Drop the VPD policy defined in the current schema. --
procedure drop_vpd_policy (
policy_name VARCHAR2);
-- Apply a VPD policy to a model --
procedure apply_vpd_policy (
policy_name VARCHAR2,
model_name VARCHAR2,
oper_type VARCHAR2 default 'ALL',
flag in NUMBER default null);
-- Remove the VPD policy from a model --
procedure remove_vpd_policy (
policy_name VARCHAR2,
model_name VARCHAR2);
-- Maintain the VPD metadata in the form of RDF scehma statements
-- associated with policy. Only a fixed set of predicate types are
-- recognized and accepted by the VPD metadata.
procedure maint_vpd_metadata (
policy_name VARCHAR2,
t_subject VARCHAR2,
t_predicate VARCHAR2,
t_object VARCHAR2,
action VARCHAR2 default 'ADD');
-- Add a constraint to the VPD policy --
procedure add_vpd_constraint (
policy_name VARCHAR2,
constr_name VARCHAR2,
match_pattern VARCHAR2,
apply_pattern VARCHAR2,
constr_group VARCHAR2 default null,
flag in NUMBER default null);
-- Delete a constraint from the VPD policy --
procedure delete_vpd_constraint (
policy_name VARCHAR2,
constr_name VARCHAR2);
end;
/
show errors;
/*****************************************************************************/
/*** DBMS_RDFSA : Package for enabling fine-grained security for RDF ***/
/*****************************************************************************/
create or replace package sem_ols authid current_user is
MIN_QUERY_LABEL CONSTANT VARCHAR2(100) := 'MIN_QUERY_LABEL';
INTERIM_BREAK_UP_FCN_NAME CONSTANT varchar2(32767)
:= 'ORACLE_ORARDF_BREAK_UP_TRIPLE';
procedure remove_policy_from_app_tab(
policy_name varchar2,
schema_name varchar2,
table_name varchar2,
check_model boolean default true);
procedure apply_policy_to_app_tab(
policy_name varchar2,
schema_name varchar2,
table_name varchar2,
predicate varchar2 default null);
-- Note: this functionality is exposed in the SEM_MATCH query itself
procedure set_min_label_for_query(label_name varchar2);
function get_min_label_for_query return varchar2;
--- Additional options for OLS enable RDF data --
--
--
--- APPLY_OLS_POLICY : Apply OLS policy for RDF data.
--- See SA_POLICY_ADMIN.APPLY_TABLE_POLICY for details.
--
procedure apply_ols_policy (
policy_name VARCHAR2,
rdfsa_options NUMBER,
table_options VARCHAR2 default 'ALL_CONTROL',
predicate VARCHAR2 default null);
--
--- REMOVE_OLS_POLICY : Remove the OLS policy for RDF data
--- Only a security administrator can execute this command.
--
procedure remove_ols_policy;
--
--- DISABLE_OLS_POLICY : Disable OLS policy for RDF data.
--- set_resource_label/set_predicate_label can still be used to set labels
--- for specific tags.
--- Only a security administrator can execute this command.
--
procedure disable_ols_policy;
--
--- ENABLE_OLS_POLICY : Enable OLS policy after disabling.
--- Only a security administrator can execute this command.
--
procedure enable_ols_policy;
end;
/
show errors;
create or replace public synonym sem_ols for mdsys.sem_ols;
create or replace public synonym sem_rdfsa for mdsys.sem_rdfsa;
@@pvtrdfsa.plb
begin
EXECUTE IMMEDIATE
'insert into mdsys.rdf_parameter(namespace, attribute, value, description)
values (:1,:2,:3,:4)' USING 'COMPONENT','RDFOLS','INSTALLED',
'RDF Optional component for OLS support';
exception
when dup_val_on_index then null;
end;
/
-- RDFVPD is desupported as of 12.2.0.1
--begin
-- EXECUTE IMMEDIATE
-- 'insert into mdsys.rdf_parameter(namespace, attribute, value, description)
-- values (:1,:2,:3,:4)' USING 'COMPONENT','RDFVPD','INSTALLED',
-- 'RDF Optional component for VPD support';
--exception when dup_val_on_index then
-- null;
--end;
--/
commit;
Rem ********************************************************************
Rem #16473696: Indicate Oracle-Supplied object
@?/rdbms/admin/sqlsessend.sql
Rem ********************************************************************
OHA YOOOO