Configuring GGSCI Command Security CMDSEC in GoldenGate 19c classic

Configuring GGSCI Command Security CMDSEC

You can establish command security for Oracle GoldenGate to control which users have access
to which Oracle GoldenGate command line functions. For example, you can allow certain users to issue
INFO and STATUS commands, while preventing their use of START and STOP commands. Security
levels are defined by the operating system's user groups.

To implement security for Oracle GoldenGate commands, you create a CMDSEC file in the Oracle
GoldenGate directory. Without this file, access to all Oracle GoldenGate commands is granted
to all users.


As a GoldenGate administrator, you have a team of GoldenGate users with different
skill sets and responsibilities. How do you give each of these users the correct level
of access in GoldenGate classic 19c?

CMDSEC (Command line GGSCI Security)

For example, a person with monitoring responsibility should not be able to use the START and
STOP commands, but the same person should be able to use the INFO and STATUS commands. Remember
that these security levels are based on operating system users and groups, so the users must be
defined at the operating system level before you can use CMDSEC.


GGSCI command security can be used to grant or deny users access to specific commands within
the utility. The CMDSEC file contains space- or tab-delimited data rows that specify
which commands users and groups may execute. The format of each data row is:

command_name command_object OS_group OS_user {YES | NO}

Consider the following rules before you configure CMDSEC:

1) The oracle user requires full access to all files and directories.

2) Only the oracle user must be allowed to start processes. Processes are owned by the user running GGSCI, and no other users, including oracle, can stop them. For example, if the user Jeff in the sysops group were allowed to start Extracts or Replicats, he would be the only person (other than root) allowed to stop them.

3) The dba group and other users monitoring the instance require write access to the file ggserr.log.

4) The dba group and other users monitoring the instance require execute access to the ggsci object.

5) The dba group and other users monitoring the instance require full access to the dirchk directory in order to execute the status command.

6) The dba group and other users monitoring the instance require read and execute access to the dirrpt directory in order to execute the view report command.




[oracle@ggate1 ogg_trg]$ vi CMDSEC

#command_Name Command_Object  OS_Group  OS_User Allow
STATUS         *               dba       *       NO
START          *               dba       *       YES
STOP           *               dba       *       YES
SHELL          *               *         *       NO
SH             *               *         *       NO
*              *               root      root    YES


[oracle@ggate1 ogg_trg]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 19.1.0.0.4 OGGCORE_19.1.0.0.0_PLATFORMS_191017.1054_FBO
Linux, x64, 64bit (optimized), Oracle 12c on Oct 18 2019 01:38:51
Operating system character set identified as UTF-8.

Copyright (C) 1995, 2019, Oracle and/or its affiliates. All rights reserved.




GGSCI (ggate1) 1> status
ERROR: Command not authorized for this user.

GGSCI (ggate1) 2> SHELL ls -lart
ERROR: Command not authorized for this user.

GGSCI (ggate1) 3> SH ls -lart
ERROR: Command not authorized for this user.
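
To see what a CMDSEC file grants before deploying it, the rows can be evaluated offline. The following is an added example, not code from this post or from Oracle: it parses the file shown above and models the top-down, first-matching-row evaluation that Oracle's documentation describes. The function names, the rule that an unmatched command is allowed, and the test users' group memberships are assumptions of this sketch.

```python
# Added example: a model of CMDSEC evaluation, not GGSCI's own code.
# The CMDSEC rows below are copied from the file shown in this post.
CMDSEC = """\
#command_Name Command_Object  OS_Group  OS_User Allow
STATUS         *               dba       *       NO
START          *               dba       *       YES
STOP           *               dba       *       YES
SHELL          *               *         *       NO
SH             *               *         *       NO
*              *               root      root    YES
"""


def parse_cmdsec(text):
    """Return (command, object, group, user, allow) tuples; '#' lines are comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # rows are space or tab delimited
        if len(fields) != 5 or fields[4].upper() not in ("YES", "NO"):
            raise ValueError(f"line {lineno}: need 5 fields ending in YES or NO")
        rules.append((*fields[:4], fields[4].upper() == "YES"))
    return rules


def _ci(pattern, value):
    # Commands and objects: '*' or a case-insensitive name (the session above
    # shows lowercase 'status' hitting the STATUS row).
    return pattern == "*" or pattern.upper() == value.upper()


def is_allowed(rules, command, obj, user, groups):
    """Assumed semantics: the first matching row decides; no match means allowed."""
    for cmd, robj, grp, usr, allow in rules:
        if (_ci(cmd, command) and _ci(robj, obj)
                and grp in ("*", *groups) and usr in ("*", user)):
            return allow
    return True  # same result as a command that no CMDSEC row mentions


if __name__ == "__main__":
    rules = parse_cmdsec(CMDSEC)
    # Constructed test identities: oracle in dba, jeff in sysops, and root.
    for who, grps in (("oracle", ["dba"]), ("jeff", ["sysops"]), ("root", ["root"])):
        for cmd in ("STATUS", "START", "SHELL", "INFO"):
            verdict = "YES" if is_allowed(rules, cmd, "", who, grps) else "NO"
            print(f"{who:7} {cmd:7} {verdict}")
```

Under this model, a user outside the dba group is still allowed START and STOP, because no row matches that user and unmatched commands are allowed; a final * * * * NO row makes the file deny by default. The root row also never applies to SHELL or SH, since the wildcard NO rows above it match first.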

Go ahead, configure CMDSEC, and explore!
