最近生産環境的曆史查詢庫有多個廠商在使用,goldengate同步經常莫名奇妙的被其他廠商關掉重新開機,一下子前台應用便感受到了。我們這些運維人員倍感壓力啊。這個周末好好瞅了瞅Oracle GoldenGate 官方文檔,研究了一下如何利用GoldenGate 安全性配置來控制使用者通路 GoldenGate ggsci 指令的權限,今天先發這個最緊迫的 CMDSEC,将在近期系列性地探索一下GoldenGate 的各種安全性配置。
一、在OS上配置GoldenGate管理使用者
GoldenGate 官方文檔關于GoldenGate 安裝和管理使用者權限的介紹
《Oracle®GoldenGate Oracle Installation and Setup Guide Release 11.2.1》
1.2.5 Operating system privileges
Thefollowing are the privileges in the operating system that are required toinstall
OracleGoldenGate and to run the processes.
■ To install on Windows, the person who installs Oracle GoldenGate must login as
Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must haveread
andwrite privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes mustoperate as
anoperating system user that has privileges to read, write, and delete files and
subdirectoriesin the Oracle GoldenGate directory. In addition, the Manager
processrequires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process readsthe redo
logsdirectly and must operate as an operating system user that has read access to
the logfiles, both online and archived. On UNIX systems, that user must be a
memberof the group that owns the Oracle instance. If you install the Manager
processas a Windows service during the installation steps in this documentation,
you mustinstall as Administrator for the correct permissions to be assigned. If you
cannotinstall Manager as a service, assign read access to the Extract process
manually,and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users toOracle
GoldenGate.Sensitive information might be available to anyone who runs an
OracleGoldenGate process, depending on how database authentication is
configured.
Unix下
OGG 管理使用者必須具有/home/oracle/ggs使用者的讀寫權限
OGG 管理使用者要管理 extract、pump 和 mgr 程序,必須對/home/oracle/ggs 及其子目錄具有讀寫權限
OGG 管理使用者必須是 Oracledatabase instance 的屬組成員
1.建立 OGG 管理者使用者
[[email protected] ~]# useradd -g oinstall -Gdba,oper,asmdba ogg
[[email protected] ~]# echo -n oracle|passwd--stdin ogg
配置 OGG 使用者環境變量
[[email protected] ~]# su - ogg
[[email protected] ~]$ vi .bash_profile
export TMP=/tmp;
export TMPDIR=$TMP;
export ORACLE_HOSTNAME=prod.oracle.com;
export ORACLE_BASE=/u01/app/oracle;
exportORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1;
export ORACLE_UNQNAME=prod;
export ORACLE_SID=prod;
export ORACLE_TERM=xterm;
export PATH=/usr/sbin:$PATH;
exportPATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin;
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
exportLD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/lib:/usr/lib;
exportCLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib;
export NLS_DATE_FORMAT="yyyy-mm-ddHH24:MI:SS";
#export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK;
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8;
export DISPLAY=192.168.8.100:0.0
~
GoldenGate 安裝在 /home/oracle/ggs 下
[[email protected] home]# ls -lt
total 12
drwx------ 8 oracle oinstall 4096 Mar 3 14:21 oracle
drwx------ 3 ogg oinstall 4096 Mar 3 14:20 ogg
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[[email protected] ~]# cd /home
[[email protected] home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwx------ 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[[email protected] home]# su - ogg
[[email protected] ~]$ cd /home/oracle/ggs
-bash: cd: /home/oracle/ggs: Permissiondenied
原因:ogg 使用者無權通路 oracle 屬主目錄 /home/oracle
修改/home/oracle的屬組權限,以便 ogg 使用者能夠通路該目錄及其子目錄
[[email protected] home]# chmod g+rx oracle
[roo[email protected] home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
修改後便能通路:
[[email protected] home]# su - ogg
[[email protected] ~]$ cd /home/oracle/ggs
[[email protected] ~]$ ln -s /home/oracle/ggs ggs
執行 ggsci 指令進行測試:
[[email protected] ~]$ cd /home/oracle/ggs
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:00:00 00:00:06
EXTRACT RUNNING PSCOTT 00:00:00 00:00:00
GGSCI (prod.oracle.com) 2> stop *
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
Sending STOP request to EXTRACT PSCOTT ...
Request processed.
GGSCI (prod.oracle.com) 6> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:00:45
EXTRACT STOPPED PSCOTT 00:00:00 00:00:45
GGSCI (prod.oracle.com) 7> start *
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
Sending START request to MANAGER ...
EXTRACT PSCOTT starting
GGSCI (prod.oracle.com) 8> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:01:12 00:00:00
EXTRACT RUNNING PSCOTT 00:00:00 00:01:03
GGSCI (prod.oracle.com) 11> stop mgr
Manager process is required by other GGSprocesses.
Are you sure you want to stop it (y/n)? y
Sending STOP request to MANAGER ...
Request processed.
Manager stopped.
GGSCI (prod.oracle.com) 12> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER STOPPED
EXTRACT STOPPED ESCOTT 00:00:00 00:00:08
EXTRACT STOPPED PSCOTT 00:00:00 00:00:07
編輯參數檔案:
GGSCI (prod.oracle.com) 9> edit paramsmgr
無法編輯,隻有隻讀權限
原因 ogg 使用者對 dirprm 檔案夾及其下面的檔案隻有隻讀權限
[[email protected] ggs]$ ls -lt dirprm
total 20
-rwxr-xr-x 1 oracle oinstall 198 Mar 3 15:06 einit.prm
-rwxr-xr-x 1 oracle oinstall 153 Mar 3 15:06 escott.prm
-rwxr-x--- 1 oracle oinstall 53 Mar 3 15:06 jagent.prm
-rwxr-xr-x 1 oracle oinstall 53 Mar 3 15:06 mgr.prm
-rwxr-xr-x 1 oracle oinstall 168 Mar 3 15:06 pscott.prm
[[email protected] ggs]$ ls -lt | grep dir
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirdat
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirpcs
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirrpt
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirtmp
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:09 dirchk
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirdef
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirout
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirsql
drwxr-x--- 2 oracle oinstall 4096 Mar 3 15:06 dirprm
drwxr-x--- 2 oracle oinstall 4096 Apr 23 2012 dirjar
如果 ogg 管理使用者确實需要修改參數問價你的權限,可以通過執行如下指令解決
chmod -R g+w /home/oracle/ggs/dirprm
至此 GoldenGate 管理使用者建立完畢。
二、配置 GoldenGate 指令安全性
您可以為Oracle GoldenGate 指令建立指令安全性來控制哪些使用者可以通路 OracleGoldenGate 的功能。例如您可以允許某些使用者執行 INFO 和 STATUS指令,阻止這些使用者使用 START 和 STOP 指令。安全等級按照作業系統的屬組來定義。
如果要為 OracleGoldenGate 指令配置安全政策,您可以在OracleGoldenGate 目錄中建立一個 CMDSEC檔案。沒有該檔案的話,任何使用者都可以通路所有的 Oracle GoldenGate 指令。
配置 GoldenGate 指令安全性的步驟
1. 建立一個 ASCII 文本檔案(UE)。
2. 參考以下文法及示例配置,為您想要限制的每個指令建立一個或多個規則,每個規則一行。規則的順序按照由具體到抽象的順序列出。CMDSEC檔案中的安全規則按照由上至下的規則處理。第一條符合條件的規則就是決定是否具有通路權限的規則。
CMDSEC 檔案格式如下,每個元件用空格或制表符分開
<commandname> <command object> <OS group> <OS user> <YES |NO>
其中:
❍<command name> 是 GGSCI指令名稱或通配符,例如 START、STOP
或 *。
❍<command object> 可以是任何 GGSCI指令對象或通配符,例如 EXTRACT、
REPLICAT 或 MANAGER。
❍<OS group> 是指 Windows 或 UNIX 使用者屬組的名稱。在 UNIX 系統上,可以指定數字形式的屬組 ID 取代屬組名稱,也可以使用通配符指定所有屬組。
❍<OS user> 是指Windows 或 UNIX 使用者的名稱。在 UNIX 系統上,可以指定數字形式的使用者 ID 取代使用者名稱,也可以使用通配符指定所有使用者。
❍<YES | NO> 指定授權通路指令還是禁止通路指令。
3. 将 ASCII 命名為 CMDSEC (Unix 系統上使用大寫字母 )儲存到 Oracle
GoldenGate home 目錄中。
下面是一在 Unix 系統上正确實施 CMDSEC 檔案的示例:
#Command Object Group User Access Allowed?
START * oinstall oracle YES
stop * oinstall oracle YES
stop * oinstall ogg NO
info * oinstall ogg YES
stats * oinstall ogg YES
alter * oinstall ogg NO
alter extract oinstall ogg NO
測試:
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:00:06
EXTRACT STOPPED PSCOTT 00:00:00 05:55:55
根據 CMDSEC 檔案配置,ogg 使用者可以啟動 extract,無法停止 extract
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:01:19
EXTRACT STOPPED PSCOTT 00:00:00 05:57:09
GGSCI (prod.oracle.com) 2> start ESCOTT
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
GGSCI (prod.oracle.com) 3> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:00:00 00:01:53
EXTRACT STOPPED PSCOTT 00:00:00 05:57:42
--- ogg 可以正常啟動 escott 程序,我們停停試試
GGSCI (prod.oracle.com) 4> stop escott
ERROR: Command not authorized for this user.
--- ogg 使用者無法停止 escott 程序,測試成功。
轉載請注明作者、出處及源文連結:
http://blog.csdn.net/xiangsir/article/details/8631948