[Hands-on Practice]: Multitenant Privilege Control with Lockdown Profiles
Oracle Database 12.2 introduced the lockdown profile feature, which restricts selected operations inside a PDB and thereby tightens the security of those operations.
PDB Lockdown Profiles to Restrict Operations on PDBs
Starting with this release, in a multitenant environment, you can use PDB lockdown profiles to restrict functionality available to users in a given PDB.
PDB lockdown profiles enable you to restrict the access the user has to a set of features individually or in a group. This feature is designed to enhance security for situations in which identities are shared among PDBs.
The following simple test walks through the basic behaviour of this feature. First, create a profile in the CDB root; the profile is then available globally:
SQL> connect / as sysdba
Connected.
SQL> CREATE LOCKDOWN PROFILE enmotech;
Lockdown Profile created.
SQL> ALTER LOCKDOWN PROFILE enmotech DISABLE STATEMENT = ('ALTER SYSTEM');
Lockdown Profile altered.
Connect to the PDB YHEM and enable the lockdown profile at the PDB level:
SQL> connect sys/oracle@yhem as sysdba
Connected.
SQL> ALTER SYSTEM SET PDB_LOCKDOWN = enmotech;
System altered.
A quick test shows that every ALTER SYSTEM operation is now disabled:
SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter system set optimizer_mode = first_rows_1;
alter system set optimizer_mode = first_rows_1
*
ERROR at line 1:
ORA-01031: insufficient privileges
A lockdown profile can restrict privileges at a very fine granularity. For example, the following rule keeps ALTER SYSTEM available but blocks only the ARCHIVE LOG and CHECKPOINT clauses:
SQL> connect / as sysdba
Connected.
SQL> alter lockdown profile enmotech enable statement = ('ALTER SYSTEM')
  2  clause all except = ('ARCHIVE LOG', 'CHECKPOINT');
Lockdown Profile altered.
Testing again in the PDB shows that the restriction is applied precisely: other ALTER SYSTEM clauses succeed, while the CHECKPOINT operation is refused:
SQL> connect system/oracle@yhem
Connected.
SQL> alter system set optimizer_mode = first_rows_1;
System altered.
SQL> alter system checkpoint;
alter system checkpoint
*
ERROR at line 1:
ORA-01031: insufficient privileges
Beyond individual statements, whole database features can be restricted as well. For example, calling the UTL_HTTP and UTL_TCP packages (outbound network access from the database) can be high-risk, and the following profile setting disables those features:
SQL> alter lockdown profile enmotech
  2  disable feature = ('UTL_HTTP', 'UTL_TCP');
Lockdown profile altered.
SQL> conn system/oracle@yhem
Connected.
SQL> declare
  2    l_request  utl_http.req;
  3    l_response utl_http.resp;
  4  begin
  5    l_request := utl_http.begin_request('http://www.enmotech.com');
  6    l_response := utl_http.get_response(l_request);
  7  end;
  8  /
declare
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-01031: insufficient privileges
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1127
ORA-06512: at line 5
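The steps above, collected into one script as an added example (not code from the original post): it builds the final state of the profile in the root, then reads the data dictionary to confirm which rules are really enforced before the PDB is trusted to them. It assumes the profile name ENMOTECH and the PDB YHEM from the post, and the 12.2 views DBA_LOCKDOWN_PROFILES (in the root) and V$LOCKDOWN_RULES (inside the PDB).

```sql
-- Added example; profile/PDB names are taken from the post above.
-- Part 1: run in CDB$ROOT as SYSDBA. In 12.2 lockdown profiles are created and
-- altered in the root only, so a PDB user cannot loosen the rules applied to it.
CREATE LOCKDOWN PROFILE enmotech;

-- Deny ALTER SYSTEM outright, then re-open every clause except the two we want
-- blocked. Net effect: ALTER SYSTEM allowed, except ARCHIVE LOG and CHECKPOINT.
ALTER LOCKDOWN PROFILE enmotech DISABLE STATEMENT = ('ALTER SYSTEM');
ALTER LOCKDOWN PROFILE enmotech ENABLE  STATEMENT = ('ALTER SYSTEM')
      CLAUSE ALL EXCEPT = ('ARCHIVE LOG', 'CHECKPOINT');

-- Outbound network packages are disabled as features rather than by revoking
-- EXECUTE, so the block holds even for users who already hold the grants
-- (the post shows SYSTEM getting ORA-01031 from UTL_HTTP).
ALTER LOCKDOWN PROFILE enmotech DISABLE FEATURE = ('UTL_HTTP', 'UTL_TCP');

-- Audit the definition: one row per rule/clause with its ENABLE/DISABLE status.
-- Review this before assigning the profile; a profile with no rows restricts
-- nothing, and a typo in a feature name silently produces no rule.
SELECT rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'ENMOTECH'
 ORDER BY rule_type, rule, clause, clause_option;

-- Part 2: run inside the PDB as SYSDBA (connect sys/oracle@yhem as sysdba).
ALTER SYSTEM SET PDB_LOCKDOWN = enmotech;

-- Confirm the parameter is set for this container.
SELECT name, value FROM v$parameter WHERE name = 'pdb_lockdown';

-- Show the rules now in force for this PDB, as the PDB itself sees them.
SELECT rule_type, rule, clause, clause_option, status
  FROM v$lockdown_rules
 ORDER BY rule_type, rule, clause, clause_option;

-- Part 3: functional check from a non-SYS session (connect system/oracle@yhem).
-- The first statement succeeds; the second must fail with ORA-01031.
ALTER SYSTEM SET optimizer_mode = first_rows_1;
ALTER SYSTEM CHECKPOINT;
```

Re-run Part 2's second query after every ALTER LOCKDOWN PROFILE in the root: the profile is evaluated by name, so changes made in the root take effect in the PDB without resetting PDB_LOCKDOWN.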