最近生产环境的历史查询库有多个厂商在使用,goldengate同步经常莫名奇妙的被其他厂商关掉重启,一下子前台应用便感受到了。我们这些运维人员倍感压力啊。这个周末好好瞅了瞅Oracle GoldenGate 官方文档,研究了一下如何利用GoldenGate 安全性配置来控制用户访问 GoldenGate ggsci 命令的权限,今天先发这个最紧迫的 CMDSEC,将在近期系列性地探索一下GoldenGate 的各种安全性配置。
一、在OS上配置GoldenGate管理用户
GoldenGate 官方文档关于GoldenGate 安装和管理用户权限的介绍
《Oracle®GoldenGate
Oracle Installation and Setup Guide Release 11.2.1》
1.2.5 Operating system privileges
Thefollowing are the privileges in the operating system that are required toinstall
OracleGoldenGate and to run the processes.
■ To install on Windows, the person who installs Oracle GoldenGate must login as
Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must haveread
andwrite privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes mustoperate as
anoperating system user that has privileges to read, write, and delete files and
subdirectoriesin the Oracle GoldenGate directory. In addition, the Manager
processrequires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process readsthe redo
logsdirectly and must operate as an operating system user that has read access to
the logfiles, both online and archived. On UNIX systems, that user must be a
memberof the group that owns the Oracle instance. If you install the Manager
processas a Windows service during the installation steps in this documentation,
you mustinstall as Administrator for the correct permissions to be assigned. If you
cannotinstall Manager as a service, assign read access to the Extract process
manually,and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users toOracle
GoldenGate.Sensitive information might be available to anyone who runs an
OracleGoldenGate process, depending on how database authentication is
configured.
Unix下
OGG 管理用户必须具有/home/oracle/ggs用户的读写权限
OGG 管理用户要管理 extract、pump 和 mgr 进程,必须对/home/oracle/ggs 及其子目录具有读写权限
OGG 管理用户必须是 Oracledatabase instance 的属组成员
1.创建 OGG 管理员用户
[root@prod ~]# useradd -g oinstall -Gdba,oper,asmdba ogg
[root@prod ~]# echo -n oracle|passwd--stdin ogg
配置 OGG 用户环境变量
[root@prod ~]# su - ogg
[ogg@prod ~]$ vi .bash_profile
export TMP=/tmp;
export TMPDIR=$TMP;
export ORACLE_HOSTNAME=prod.oracle.com;
export ORACLE_BASE=/u01/app/oracle;
exportORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1;
export ORACLE_UNQNAME=prod;
export ORACLE_SID=prod;
export ORACLE_TERM=xterm;
export PATH=/usr/sbin:$PATH;
exportPATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin;
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
exportLD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/lib:/usr/lib;
exportCLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib;
export NLS_DATE_FORMAT="yyyy-mm-ddHH24:MI:SS";
#export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK;
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8;
export DISPLAY=192.168.8.100:0.0
~
GoldenGate 安装在 /home/oracle/ggs 下
[root@prod home]# ls -lt
total 12
drwx------ 8 oracle oinstall 4096 Mar 3 14:21 oracle
drwx------ 3 ogg oinstall 4096 Mar 3 14:20 ogg
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[root@prod ~]# cd /home
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwx------ 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
-bash: cd: /home/oracle/ggs: Permissiondenied
原因:ogg 用户无权访问 oracle 属主目录 /home/oracle
修改/home/oracle的属组权限,以便 ogg 用户能够访问该目录及其子目录
[root@prod home]# chmod g+rx oracle
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg oinstall 4096 Mar 3 15:19 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar 3 15:10 oracle
drwx------ 3 grid oinstall 4096 Mar 1 20:00 grid
修改后便能访问:
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ~]$ ln -s /home/oracle/ggs ggs
执行 ggsci 命令进行测试:
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTRUNNING ESCOTT 00:00:00 00:00:06
EXTRACTRUNNING PSCOTT 00:00:00 00:00:00
GGSCI (prod.oracle.com) 2> stop *
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
Sending STOP request to EXTRACT PSCOTT ...
Request processed.
GGSCI (prod.oracle.com) 6> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTSTOPPED ESCOTT 00:00:00 00:00:45
EXTRACTSTOPPED PSCOTT 00:00:00 00:00:45
GGSCI (prod.oracle.com) 7> start *
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
Sending START request to MANAGER ...
EXTRACT PSCOTT starting
GGSCI (prod.oracle.com) 8> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTRUNNING ESCOTT 00:01:12 00:00:00
EXTRACTRUNNING PSCOTT 00:00:00 00:01:03
GGSCI (prod.oracle.com) 11> stop mgr
Manager process is required by other GGSprocesses.
Are you sure you want to stop it (y/n)? y
Sending STOP request to MANAGER ...
Request processed.
Manager stopped.
GGSCI (prod.oracle.com) 12> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERSTOPPED
EXTRACTSTOPPED ESCOTT 00:00:00 00:00:08
EXTRACTSTOPPED PSCOTT 00:00:00 00:00:07
编辑参数文件:
GGSCI (prod.oracle.com) 9> edit paramsmgr
无法编辑,只有只读权限
原因 ogg 用户对 dirprm 文件夹及其下面的文件只有只读权限
[ogg@prod ggs]$ ls -lt dirprm
total 20
-rwxr-xr-x 1 oracle oinstall 198 Mar 3 15:06 einit.prm
-rwxr-xr-x 1 oracle oinstall 153 Mar 3 15:06 escott.prm
-rwxr-x--- 1 oracle oinstall 53 Mar3 15:06 jagent.prm
-rwxr-xr-x 1 oracle oinstall 53 Mar3 15:06 mgr.prm
-rwxr-xr-x 1 oracle oinstall 168 Mar 3 15:06 pscott.prm
[ogg@prod ggs]$ ls -lt | grep dir
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:29 dirdat
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:29 dirpcs
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:29 dirrpt
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:29 dirtmp
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:09 dirchk
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:08 dirdef
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:08 dirout
drwxrwxr-x 2 oracle oinstall 4096 Mar3 15:08 dirsql
drwxr-x--- 2 oracle oinstall 4096 Mar3 15:06 dirprm
drwxr-x--- 2 oracle oinstall 4096 Apr 23 2012 dirjar
如果 ogg 管理用户确实需要修改参数问价你的权限,可以通过执行如下命令解决
chmod -R g+w /home/oracle/ggs/dirprm
至此 GoldenGate 管理用户创建完毕。
二、配置 GoldenGate 命令安全性
您可以为Oracle GoldenGate 命令建立命令安全性来控制哪些用户可以访问 OracleGoldenGate 的功能。例如您可以允许某些用户执行 INFO 和 STATUS命令,阻止这些用户使用 START 和 STOP 命令。安全等级按照操作系统的属组来定义。
如果要为 OracleGoldenGate 命令配置安全策略,您可以在OracleGoldenGate 目录中创建一个 CMDSEC文件。没有该文件的话,任何用户都可以访问所有的 Oracle GoldenGate 命令。
配置 GoldenGate 命令安全性的步骤
1.
新建一个 ASCII 文本文件(UE)。
2.
参考以下语法及示例配置,为您想要限制的每个命令创建一个或多个规则,每个规则一行。规则的顺序按照由具体到抽象的顺序列出。CMDSEC文件中的安全规则按照由上至下的规则处理。第一条符合条件的规则就是决定是否具有访问权限的规则。
CMDSEC 文件格式如下,每个组件用空格或制表符分开
<commandname> <command object> <OS group> <OS user> <YES |NO>
其中:
❍<command name> 是 GGSCI命令名称或通配符,例如 START、STOP
或 *。
❍<command object> 可以是任何 GGSCI命令对象或通配符,例如 EXTRACT、
REPLICAT 或 MANAGER。
❍<OS group> 是指 Windows 或 UNIX 用户属组的名称。在 UNIX 系统上,可以指定数字形式的属组 ID 取代属组名称,也可以使用通配符指定所有属组。
❍<OS user> 是指Windows 或 UNIX 用户的名称。在 UNIX 系统上,可以指定数字形式的用户 ID 取代用户名称,也可以使用通配符指定所有用户。
❍<YES | NO> 指定授权访问命令还是禁止访问命令。
3.
将 ASCII 命名为 CMDSEC (Unix 系统上使用大写字母 )保存到 Oracle
GoldenGate home 目录中。
下面是一在 Unix 系统上正确实施 CMDSEC 文件的示例:
#CommandObject Group User Access Allowed?
START* oinstall oracle YES
stop* oinstall oracle YES
stop* oinstall ogg NO
info* oinstall ogg YES
stats* oinstall ogg YES
alter* oinstallogg NO
alterextract oinstall ogg NO
测试:
[oracle@prod ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTSTOPPED ESCOTT00:00:00 00:00:06
EXTRACTSTOPPED PSCOTT 00:00:00 05:55:55
根据 CMDSEC 文件配置,ogg 用户可以启动 extract,无法停止 extract
[ogg@prod ggs]$ ggsci
Oracle GoldenGate Command Interpreter forOracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11gon Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or itsaffiliates. All rights reserved.
GGSCI (prod.oracle.com) 1> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTSTOPPED ESCOTT 00:00:00 00:01:19
EXTRACTSTOPPED PSCOTT 00:00:00 05:57:09
GGSCI (prod.oracle.com) 2> start ESCOTT
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
GGSCI (prod.oracle.com) 3> info all
ProgramStatus Group Lag at Chkpt Time Since Chkpt
MANAGERRUNNING
EXTRACTRUNNING ESCOTT 00:00:00 00:01:53
EXTRACTSTOPPED PSCOTT 00:00:00 05:57:42
--- ogg 可以正常启动 escott 进程,我们停停试试
GGSCI (prod.oracle.com) 4> stop escott
ERROR: Command not authorized for this user.
--- ogg 用户无法停止 escott 进程,测试成功。
转载请注明作者、出处及源文链接:
http://blog.csdn.net/xiangsir/article/details/8631948
分享到:
相关推荐
Pro Oracle GoldenGate for the DBA is aimed squarely at Oracle database administrators who find themselves involved in GoldenGate integration projects. The book provides the DBA view into such projects...
Oracle GoldenGate 安装配置详细手册
OracleGoldenGate手册,是我详细整理出来的,其中还包含了遇到的问题以及处理方案,源端数据库有:DB2/oracle/mysql 目标端有:数据库/kafka,如果有问题,欢迎提出相关意见!
7.2 GoldenGate的GLOBALS配置文件内容 44 7.3 GoldenGate的eiex01配置文件内容 44 7.4 GoldenGate的epmp01配置文件内容 44 7.5 GoldenGate的rora01配置文件内容 45 7.6 GoldenGate的eiexbb配置文件内容 45 7.7 ...
在Oracle GoldenGate中采用可用性高的解决方案,数据实时集成,事务变更数据捕获,数据复制,转换,运营和分析企业系统之间的验证。一对一,广播(一对多),聚合(多对一),双向,点到点,级联和其他灵活的拓扑...
oracle 11g安装配置手册.Oracle Goldengate 11g Install and Setup Guide.pdf
OracleGoldengate从入门到精通 Agenda Goldengate是什么? Goldengate适用的场景 Goldengate基本原理 Goldengate复制拓扑和异构 Goldengate产品线介绍 Goldengate产品的下载 快速的搭建一个...
Oracle Goldengate 11g Install and Setup Guide(Oracle Goldengate 10g 安装、配置指南 英文版)
一、双向复制节点2配置: 1)添加附加的redolog信息 DBLOGIN USERID ogg, PASSWORD Ogg ADD TRANDATA scott.* 2)配置extract
Oracle数据容灾之_Oracle GoldenGate配置与测试总结
教程名称:Oracle GoldenGate 官方培训文档合集课程目录:【】Oracle GoldenGate 官方培训文档1【】Oracle GoldenGate 官方培训文档2【】Oracle GoldenGate 官方培训文档3【】Oracle GoldenGate 官方培训文档4【】...
Oracle Goldengate 考试 题目 认证 必过
Oracle+GoldenGate+Director配置手册
《Reference for Oracle GoldenGate for Windows and UNIX》参考文档,涉及到内容Oracle GoldenGate参数详解。
oracle goldengate官方文档,Extracting Data in Oracle GoldenGate Integrated Capture Mode
介绍了ogg的单向,双向,复制传输,DML DDL的安装配置以及排错。 主要是介绍的windows平台。
Oracle GoldenGate V12.2.0.1.1
Oracle GoldenGate 11g
[Packt Publishing] Oracle Goldengate 11g 开发技巧大全 (英文版) [Packt Publishing] Oracle Goldengate 11g Complete Cookbook (E-Book) ☆ 图书概要:☆ Over 60 simple and easy-to-follow recipes to ...
Oracle GoldenGate V11.1.1.1.2