
Oracle GoldenGate Security Configuration Series: Using the CMDSEC File to Control User Access to GoldenGate Commands

 
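Recently, several vendors have been using the historical-query database in our
production environment, and GoldenGate replication keeps getting stopped and
restarted by other vendors for no apparent reason; the front-end application
notices it immediately. That puts a lot of pressure on us operations staff.
Over the weekend I read through the official Oracle GoldenGate documentation and
looked into how GoldenGate's security configuration can control which users may
run GoldenGate ggsci commands. Today I am posting the most urgent piece, CMDSEC;
in the near future I will explore the rest of GoldenGate's security settings as
a series.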
I. Configuring the GoldenGate administrative user at the OS level
 
What the official GoldenGate documentation says about the privileges needed to
install and administer GoldenGate:
"Oracle® GoldenGate Oracle Installation and Setup Guide Release 11.2.1"
1.2.5 Operating system privileges
The following are the privileges in the operating system that are required to install
Oracle GoldenGate and to run the processes.
■ To install on Windows, the person who installs Oracle GoldenGate must log in as
Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must have read
and write privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes must operate as
an operating system user that has privileges to read, write, and delete files and
subdirectories in the Oracle GoldenGate directory. In addition, the Manager
process requires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process reads the redo
logs directly and must operate as an operating system user that has read access to
the log files, both online and archived. On UNIX systems, that user must be a
member of the group that owns the Oracle instance. If you install the Manager
process as a Windows service during the installation steps in this documentation,
you must install as Administrator for the correct permissions to be assigned. If you
cannot install Manager as a service, assign read access to the Extract process
manually, and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users to Oracle
GoldenGate. Sensitive information might be available to anyone who runs an
Oracle GoldenGate process, depending on how database authentication is
configured.
 
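On Unix:
The OGG administrative user must have read and write permission on /home/oracle/ggs.
To manage the extract, pump and mgr processes, the OGG administrative user must
have read and write permission on /home/oracle/ggs and its subdirectories.
The OGG administrative user must be a member of the group that owns the Oracle
database instance.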
1. Create the OGG administrator user
 
[root@prod ~]# useradd -g oinstall -G dba,oper,asmdba ogg
[root@prod ~]# echo -n oracle | passwd --stdin ogg
 
Configure the environment variables for the OGG user
[root@prod ~]# su - ogg
[ogg@prod ~]$ vi .bash_profile
 
export TMP=/tmp;
export TMPDIR=$TMP;
export ORACLE_HOSTNAME=prod.oracle.com;
export ORACLE_BASE=/u01/app/oracle;
export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1;
export ORACLE_UNQNAME=prod;
export ORACLE_SID=prod;
export ORACLE_TERM=xterm;
export PATH=/usr/sbin:$PATH;
export PATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin;
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
export LD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/lib:/usr/lib;
export CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib;
export NLS_DATE_FORMAT="yyyy-mm-dd HH24:MI:SS";
#export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK;
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8;
export DISPLAY=192.168.8.100:0.0
~
 
GoldenGate is installed under /home/oracle/ggs
 
[root@prod home]# ls -lt
total 12
drwx------ 8 oracle oinstall 4096 Mar  3 14:21 oracle
drwx------ 3 ogg    oinstall 4096 Mar  3 14:20 ogg
drwx------ 3 grid   oinstall 4096 Mar  1 20:00 grid
 
[root@prod ~]# cd /home
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg    oinstall 4096 Mar  3 15:19 ogg
drwx------ 8 oracle oinstall 4096 Mar  3 15:10 oracle
drwx------ 3 grid   oinstall 4096 Mar  1 20:00 grid
 
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
-bash: cd: /home/oracle/ggs: Permission denied
Cause: the ogg user has no permission to access /home/oracle, the home directory owned by oracle.
 
Change the group permissions on /home/oracle so that the ogg user can access the directory and its subdirectories:
[root@prod home]# chmod g+rx oracle
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg    oinstall 4096 Mar  3 15:19 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar  3 15:10 oracle
drwx------ 3 grid   oinstall 4096 Mar  1 20:00 grid
After the change, access works:
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ~]$ ln -s /home/oracle/ggs ggs
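
The "Permission denied" diagnosis above (a parent directory with no search bit for the ogg account) can be reproduced for any path and account with the following added example, which is not part of the original article. It assumes GNU stat, and first_blocked is a hypothetical helper name. Because it evaluates the group class, it also makes visible that chmod g+rx on /home/oracle opens the directory to every account whose group list includes oinstall, not only to ogg.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat (Linux).
# first_blocked is a hypothetical helper name.
#
# first_blocked TARGET UID "GID GID ..." [BASE]
#   Prints the first directory on the way to TARGET that the account cannot
#   traverse (search/execute bit missing) and returns 1; returns 0 when every
#   directory below BASE (default /) is traversable. Only mode bits are read:
#   ACLs and root's override are not considered.
first_blocked() (
    target=$1 uid=$2 gids=$3 base=${4:-/}
    dir=${base%/}
    rest=${target#"$dir"}
    IFS=/                       # split the remaining path into components
    set -f                      # no glob expansion of path components
    for comp in $rest; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        [ -d "$dir" ] || break  # last component may be a file
        mode=$(stat -c %a "$dir")
        owner=$(stat -c %u "$dir")
        group=$(stat -c %g "$dir")
        # Exactly one permission class applies: owner, else group, else other.
        if [ "$uid" = "$owner" ]; then
            bit=64              # owner execute bit (octal 100)
        else
            case " $gids " in
                *" $group "*) bit=8 ;;   # group execute bit (octal 010)
                *)            bit=1 ;;   # other execute bit (octal 001)
            esac
        fi
        if [ $(( 0$mode & $bit )) -eq 0 ]; then
            echo "$dir"
            return 1
        fi
    done
    return 0
)

# Usage on the host from the article (the ogg account must exist there):
#   first_blocked /home/oracle/ggs "$(id -u ogg)" "$(id -G ogg)"
```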
 
Run ggsci to test:
 
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ggs]$ ggsci
 
Oracle GoldenGate Command Interpreter for Oracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11g on Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.
 
GGSCI (prod.oracle.com) 1> info all
 
Program    Status      Group       Lag at Chkpt  Time Since Chkpt
 
MANAGER    RUNNING                                          
EXTRACT    RUNNING     ESCOTT      00:00:00      00:00:06   
EXTRACT    RUNNING     PSCOTT      00:00:00      00:00:00  
 
GGSCI (prod.oracle.com) 2> stop *
 
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
 
Sending STOP request to EXTRACT PSCOTT ...
Request processed.
 
GGSCI (prod.oracle.com) 6> info all
 
Program    Status      Group       Lag at Chkpt  Time Since Chkpt
 
MANAGER    RUNNING                                          
EXTRACT    STOPPED     ESCOTT      00:00:00      00:00:45   
EXTRACT    STOPPED     PSCOTT      00:00:00      00:00:45  
 
 
GGSCI (prod.oracle.com) 7> start *
 
Sending START request to