As data security governance becomes an increasingly important global concern, ensuring the security of databases, foundational software for storing and managing critical data assets, has become a key challenge that requires collaboration between database vendors and customers. OceanBase has always prioritized product security. Over the years, it has actively complied with regulatory requirements, established a comprehensive security management system, and focused on building stable, reliable, secure, and open data infrastructure. Through continuous technological innovation, OceanBase helps customers protect the confidentiality, integrity, and availability of their data, earning its reputation as a trusted provider of foundational software. However, ensuring database security is not just the responsibility of vendors—it also requires close collaboration with customers.
Security is a key factor in evaluating the performance of a database. A database management system must prevent unauthorized access to safeguard the files and data it contains.
This topic provides the best practices for achieving access control.
MySQL tenant
Grant the CREATE USER privilege only to the administrator account
In a MySQL tenant, the CREATE USER privilege allows you to modify the password of any account and to delete any users. Therefore, make sure that only the administrator has this privilege.
Related operations
Self-check
Query non-root users that have the
CREATE USERprivilege.SELECT * FROM information_schema.user_privileges WHERE GRANTEE NOT LIKE ("'root'%") AND PRIVILEGE_TYPE = "CREATE USER"\GSecurity hardening
Revoke the
CREATE USERprivilege of normal users.REVOKE CREATE USER ON *.* FROM '<user>';
Grant database-level metadata access privilege only to the administrator account
The metadata of a MySQL tenant is stored in the internal tables or views of the databases named mysql and oceanbase. The metadata includes sensitive information such as hashed passwords and account privileges. Therefore, the metadata access privilege must be limited and configured for normal users on demand. Only the administrator account has the global access privilege on metadata.
Related operations
Self-check
Query non-root users that have the access privilege on the
oceanbaseormysqldatabase.SELECT u.* FROM DBA_OB_USERS AS u INNER JOIN DBA_OB_DATABASE_PRIVILEGE as db WHERE (database_name = "oceanbase" OR database_name = "mysql") AND u.USER_NAME= db.USERNAME AND u.user_name != "root"\GSecurity hardening
Revoke the database-level metadata access privilege of normal users and enable on-demand configuration of the table-level access privilege.
REVOKE ALL ON database_name.* FROM username; GRANT SELECT, INSERT, UPDATE ON database_name.table_name TO username; GRANT DELETE ON database_name.another_table TO username
Oracle tenant
Revoke the EXECUTE privilege on system packages from the PUBLIC role
You can revoke the EXECUTE privilege of the PUBLIC role to restrict the system package access and execution capabilities of all users. This way, only authorized users can use highly risky system packages, thereby improving system security.
Related operations
Self-check
Check whether the
EXECUTEprivilege on any highly risky system package has been granted to thePUBLICrole.SELECT grantee, privilege FROM dba_tab_privs WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE';Security hardening
Revoke the
EXECUTEprivilege on highly risky system packages from thePUBLICrole.REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC; REVOKE EXECUTE ON UTL_FILE FROM PUBLIC; REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC; REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC; REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
Revoke '% ANY %' privileges from non-administrator grantees
In Oracle mode, the ANY keyword allows a user to modify any database object in the database directories, leading to unauthorized access among users. Therefore, non-administrator grantees should not be granted '% ANY %' privileges.
Related operations
Self-check
Query users with the privilege to access sensitive information.
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE PRIVILEGE LIKE '% ANY %' AND GRANTEE NOT IN ('SYS', 'DBA','ORAAUDITOR');Security hardening
Revoke '% ANY %' privileges from non-administrator grantees. Here is an example of revoking the
EXECUTE ANY PROCEDUREprivilege:REVOKE EXECUTE ANY PROCEDURE FROM <grantee>;