Oracle GoldenGate Security Configuration Series: Using the CMDSEC File to Control User Access to GoldenGate Commands
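Recently, the historical query database in our production environment has been used by several vendors, and GoldenGate replication keeps getting inexplicably shut down and restarted by other vendors, which the front-end applications notice right away. It puts a lot of pressure on us operations staff.
This weekend I took a good look at the official Oracle GoldenGate documentation and studied how to use GoldenGate's security configuration to control users' access to GoldenGate ggsci commands. Today I am posting the most urgent part first, CMDSEC; in the near future I will explore GoldenGate's various security settings as a series.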
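I. Configuring the GoldenGate administrative user on the OS
What the official GoldenGate documentation says about the privileges needed to install and administer GoldenGate:
"Oracle® GoldenGate Oracle Installation and Setup Guide, Release 11.2.1"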
1.2.5 Operating system privileges
The following are the privileges in the operating system that are required to install Oracle GoldenGate and to run the processes.
■ To install on Windows, the person who installs Oracle GoldenGate must log in as Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must have read and write privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes must operate as an operating system user that has privileges to read, write, and delete files and subdirectories in the Oracle GoldenGate directory. In addition, the Manager process requires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process reads the redo logs directly and must operate as an operating system user that has read access to the log files, both online and archived. On UNIX systems, that user must be a member of the group that owns the Oracle instance. If you install the Manager process as a Windows service during the installation steps in this documentation, you must install as Administrator for the correct permissions to be assigned. If you cannot install Manager as a service, assign read access to the Extract process manually, and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users to Oracle GoldenGate. Sensitive information might be available to anyone who runs an Oracle GoldenGate process, depending on how database authentication is configured.
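On UNIX:
The OGG administrative user must have read and write permissions on /home/oracle/ggs
To manage the extract, pump and mgr processes, the OGG administrative user must have read and write permissions on /home/oracle/ggs and its subdirectories
The OGG administrative user must be a member of the group that owns the Oracle database instance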
1. Create the OGG administrator user
[root@prod ~]# useradd -g oinstall -G dba,oper,asmdba ogg
[root@prod ~]# echo -n oracle | passwd --stdin ogg
Configure the OGG user's environment variables
[root@prod ~]# su - ogg
[ogg@prod ~]$ vi .bash_profile
export TMP=/tmp;
export TMPDIR=$TMP;
export ORACLE_HOSTNAME=prod.oracle.com;
export ORACLE_BASE=/u01/app/oracle;
export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1;
export ORACLE_UNQNAME=prod;
export ORACLE_SID=prod;
export ORACLE_TERM=xterm;
export PATH=/usr/sbin:$PATH;
export PATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin;
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
export LD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/lib:/usr/lib;
export CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib;
export NLS_DATE_FORMAT="yyyy-mm-dd HH24:MI:SS";
#export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK;
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8;
export DISPLAY=192.168.8.100:0.0
~
GoldenGate is installed under /home/oracle/ggs
[root@prod home]# ls -lt
total 12
drwx------ 8 oracle oinstall 4096 Mar 3 14:21 oracle
drwx------ 3 ogg oinstall 4096 Mar 3 14:20 ogg
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[root@prod ~]# cd /home
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwx------ 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
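-bash: cd: /home/oracle/ggs: Permission denied
Cause: the ogg user has no permission to access /home/oracle, the home directory owned by oracle.
Change the group permissions on /home/oracle so that the ogg user can access that directory and its subdirectories: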
[root@prod home]# chmod g+rx oracle
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
After the change, access works:
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ~]$ ln -s /home/oracle/ggs ggs
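The "Permission denied" above came from the group class on /home/oracle lacking the search (x) bit. As an added example (not part of the original post), the script below walks every directory on the way to the GoldenGate home and reports the group bits of each; it assumes GNU coreutils stat, and the function name audit_group_path is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.
# audit_group_path START TARGET  (hypothetical helper name)
# Prints one line per directory from START down to TARGET:
#   <status> <octal mode> <owner>:<group> <path>
# status: blocked     - group class lacks x, so group members cannot cd through
#         search-only - group has x but not r (can traverse, cannot list)
#         ok          - group has both r and x
audit_group_path() {
    start=${1%/}
    target=${2%/}
    case "$target/" in
        "$start"/*) ;;
        *) echo "audit_group_path: $2 is not under $1" >&2; return 2 ;;
    esac
    rest=${target#"$start"}      # remaining components, e.g. /oracle/ggs
    dir=${start:-/}              # START given as "/" becomes empty above
    while :; do
        info=$(stat -c '%a %U:%G' "$dir") || return 2
        mode=${info%% *}
        # Leading 0 makes the shell read the mode as octal; 010 = g+x, 040 = g+r.
        if [ $(( 0$mode & 010 )) -eq 0 ]; then
            status=blocked
        elif [ $(( 0$mode & 040 )) -eq 0 ]; then
            status=search-only
        else
            status=ok
        fi
        printf '%s %s %s\n' "$status" "$info" "$dir"
        [ -n "$rest" ] || break
        rest=${rest#/}
        dir=${dir%/}/${rest%%/*}
        case $rest in
            */*) rest=/${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# Run as: sh audit.sh /home /home/oracle/ggs
if [ $# -eq 2 ]; then
    audit_group_path "$1" "$2"
fi
```

The owner:group column shows which group gains access once a directory reads "ok": on the host in the post, g+rx on /home/oracle applies to every member of oinstall, not only to ogg.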
Run the ggsci command to test:
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ggs]$ ggsci
Oracle GoldenGate Command Interpreter for Oracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11g on Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:00:00 00:00:06
EXTRACT RUNNING PSCOTT 00:00:00 00:00:00
GGSCI (prod.oracle.com) 2> stop *
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
Sending STOP request to EXTRACT PSCOTT ...
Request processed.
GGSCI (prod.oracle.com) 6> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:00:45
EXTRACT STOPPED PSCOTT 00:00:00 00:00:45
GGSCI (prod.oracle.com) 7> start *
Sending START request to