最近生产环境的历史查询库有多个厂商在使用,goldengate同步经常莫名奇妙的被其他厂商关掉重启,一下子前台应用便感受到了。我们这些运维人员倍感压力啊。这个周末好好瞅了瞅Oracle GoldenGate 官方文档,研究了一下如何利用GoldenGate 安全性配置来控制用户访问 GoldenGate ggsci 命令的权限,今天先发这个最紧迫的 CMDSEC,将在近期系列性地探索一下GoldenGate 的各种安全性配置。
一、在OS上配置GoldenGate管理用户
GoldenGate 官方文档关于GoldenGate 安装和管理用户权限的介绍
《Oracle®GoldenGate Oracle Installation and Setup Guide Release 11.2.1》
1.2.5 Operating system privileges
Thefollowing are the privileges in the operating system that are required toinstall
OracleGoldenGate and to run the processes.
■ To install on Windows, the person who installs Oracle GoldenGate must login as
Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must haveread
andwrite privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes mustoperate as
anoperating system user that has privileges to read, write, and delete files and
subdirectoriesin the Oracle GoldenGate directory. In addition, the Manager
processrequires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process readsthe redo
logsdirectly and must operate as an operating system user that has read access to
the logfiles, both online and archived. On UNIX systems, that user must be a
memberof the group that owns the Oracle instance. If you install the Manager
processas a Windows service during the installation steps in this documentation,
you mustinstall as Administrator for the correct permissions to be assigned. If you
cannotinstall Manager as a service, assign read access to the Extract process
manually,and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users toOracle
GoldenGate.Sensitive information might be available to anyone who runs an
OracleGoldenGate process, depending on how database authentication is
configured.
Unix下
OGG 管理用户必须具有/home/oracle/ggs用户的读写权限
OGG 管理用户要管理 extract、pump 和 mgr 进程,必须对/home/oracle/ggs 及其子目录具有读写权限
OGG 管理用户必须是 Oracledatabase instance 的属组成员
1.创建 OGG 管理员用户
[[email protected] ~]# useradd -g oinstall -Gdba,oper,asmdba ogg
[[email protected] ~]# echo -n oracle|passwd--stdin ogg
配置 OGG 用户环境变量
[[email protected] ~]# su - ogg
[[email protected] ~]$ vi .bash_profile
export TMP=/tmp;
export TMPDIR=$TMP;
export ORACLE_HOSTNAME=prod.oracle.com;
export ORACLE_BASE=/u01/app/oracle;
exportORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1;
export ORACLE_UNQNAME=prod;
export ORACLE_SID=prod;
export ORACLE_TERM=xterm;
export PATH=/usr/sbin:$PATH;
exportPATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin;
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
exportLD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/lib:/usr/lib;
exportCLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib;
export NLS_DATE_FORMAT="yyyy-mm-ddHH24:MI:SS";
#export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK;
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8;
export DISPLAY=192.168.8.100:0.0
~
GoldenGate 安装在 /home/oracle/ggs 下
[[email protected] home]# ls -lt
total 12
drwx------ 8 oracle oinstall 4096 Mar 3 14:21 oracle
drwx------ 3 ogg oinstall 4096 Mar 3 14:20 ogg
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[[email protected] ~]# cd /home
[[email protected] home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwx------ 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[[email protected] home]# su - ogg
[[email protected] ~]$ cd /home/oracle/ggs
-bash: cd: /home/oracle/ggs: Permissiondenied
原因:ogg 用户无权访问 oracle 属主目录 /home/oracle
修改/home/oracle的属组权限,以便 ogg 用户能够访问该目录及其子目录
[[email protected] home]# chmod g+rx oracle
[roo[email protected] home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
修改后便能访问:
[[email protected] home]# su - ogg
[[email protected] ~]$ cd /home/oracle/ggs
[[email protected] ~]$ ln -s /home/oracle/ggs ggs
执行 ggsci 命令进行测试:
[[email protected] ~]$ cd /home/oracle/ggs
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:00:00 00:00:06
EXTRACT RUNNING PSCOTT 00:00:00 00:00:00
GGSCI (prod.oracle.com) 2> stop *
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
Sending STOP request to EXTRACT PSCOTT ...
Request processed.
GGSCI (prod.oracle.com) 6> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:00:45
EXTRACT STOPPED PSCOTT 00:00:00 00:00:45
GGSCI (prod.oracle.com) 7> start *
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
Sending START request to MANAGER ...
EXTRACT PSCOTT starting
GGSCI (prod.oracle.com) 8> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:01:12 00:00:00
EXTRACT RUNNING PSCOTT 00:00:00 00:01:03
GGSCI (prod.oracle.com) 11> stop mgr
Manager process is required by other GGSprocesses.
Are you sure you want to stop it (y/n)? y
Sending STOP request to MANAGER ...
Request processed.
Manager stopped.
GGSCI (prod.oracle.com) 12> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER STOPPED
EXTRACT STOPPED ESCOTT 00:00:00 00:00:08
EXTRACT STOPPED PSCOTT 00:00:00 00:00:07
编辑参数文件:
GGSCI (prod.oracle.com) 9> edit paramsmgr
无法编辑,只有只读权限
原因 ogg 用户对 dirprm 文件夹及其下面的文件只有只读权限
[[email protected] ggs]$ ls -lt dirprm
total 20
-rwxr-xr-x 1 oracle oinstall 198 Mar 3 15:06 einit.prm
-rwxr-xr-x 1 oracle oinstall 153 Mar 3 15:06 escott.prm
-rwxr-x--- 1 oracle oinstall 53 Mar 3 15:06 jagent.prm
-rwxr-xr-x 1 oracle oinstall 53 Mar 3 15:06 mgr.prm
-rwxr-xr-x 1 oracle oinstall 168 Mar 3 15:06 pscott.prm
[[email protected] ggs]$ ls -lt | grep dir
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirdat
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirpcs
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirrpt
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:29 dirtmp
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:09 dirchk
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirdef
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirout
drwxrwxr-x 2 oracle oinstall 4096 Mar 3 15:08 dirsql
drwxr-x--- 2 oracle oinstall 4096 Mar 3 15:06 dirprm
drwxr-x--- 2 oracle oinstall 4096 Apr 23 2012 dirjar
如果 ogg 管理用户确实需要修改参数问价你的权限,可以通过执行如下命令解决
chmod -R g+w /home/oracle/ggs/dirprm
至此 GoldenGate 管理用户创建完毕。
二、配置 GoldenGate 命令安全性
您可以为Oracle GoldenGate 命令建立命令安全性来控制哪些用户可以访问 OracleGoldenGate 的功能。例如您可以允许某些用户执行 INFO 和 STATUS命令,阻止这些用户使用 START 和 STOP 命令。安全等级按照操作系统的属组来定义。
如果要为 OracleGoldenGate 命令配置安全策略,您可以在OracleGoldenGate 目录中创建一个 CMDSEC文件。没有该文件的话,任何用户都可以访问所有的 Oracle GoldenGate 命令。
配置 GoldenGate 命令安全性的步骤
1. 新建一个 ASCII 文本文件(UE)。
2. 参考以下语法及示例配置,为您想要限制的每个命令创建一个或多个规则,每个规则一行。规则的顺序按照由具体到抽象的顺序列出。CMDSEC文件中的安全规则按照由上至下的规则处理。第一条符合条件的规则就是决定是否具有访问权限的规则。
CMDSEC 文件格式如下,每个组件用空格或制表符分开
<commandname> <command object> <OS group> <OS user> <YES |NO>
其中:
❍<command name> 是 GGSCI命令名称或通配符,例如 START、STOP
或 *。
❍<command object> 可以是任何 GGSCI命令对象或通配符,例如 EXTRACT、
REPLICAT 或 MANAGER。
❍<OS group> 是指 Windows 或 UNIX 用户属组的名称。在 UNIX 系统上,可以指定数字形式的属组 ID 取代属组名称,也可以使用通配符指定所有属组。
❍<OS user> 是指Windows 或 UNIX 用户的名称。在 UNIX 系统上,可以指定数字形式的用户 ID 取代用户名称,也可以使用通配符指定所有用户。
❍<YES | NO> 指定授权访问命令还是禁止访问命令。
3. 将 ASCII 命名为 CMDSEC (Unix 系统上使用大写字母 )保存到 Oracle
GoldenGate home 目录中。
下面是一在 Unix 系统上正确实施 CMDSEC 文件的示例:
#Command Object Group User Access Allowed?
START * oinstall oracle YES
stop * oinstall oracle YES
stop * oinstall ogg NO
info * oinstall ogg YES
stats * oinstall ogg YES
alter * oinstall ogg NO
alter extract oinstall ogg NO
测试:
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:00:06
EXTRACT STOPPED PSCOTT 00:00:00 05:55:55
根据 CMDSEC 文件配置,ogg 用户可以启动 extract,无法停止 extract
[[email protected] ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT STOPPED ESCOTT 00:00:00 00:01:19
EXTRACT STOPPED PSCOTT 00:00:00 05:57:09
GGSCI (prod.oracle.com) 2> start ESCOTT
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
GGSCI (prod.oracle.com) 3> info all
Program Status Group Lag at Chkpt Time Since Chkpt
MANAGER RUNNING
EXTRACT RUNNING ESCOTT 00:00:00 00:01:53
EXTRACT STOPPED PSCOTT 00:00:00 05:57:42
--- ogg 可以正常启动 escott 进程,我们停停试试
GGSCI (prod.oracle.com) 4> stop escott
ERROR: Command not authorized for this user.
--- ogg 用户无法停止 escott 进程,测试成功。
转载请注明作者、出处及源文链接:
http://blog.csdn.net/xiangsir/article/details/8631948
![nVisual在权限管理方面,不仅可以管理用户的基础信息,例如:增加用户、删除用户、修改用户信息、名称等,还可以将多个用[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)