Oracle 12c: SYSBACKUP, SYSDG and OS-Authentication
As we all know, Oracle 12c allows role separation for database administration in general, Backup & Recovery and Data Guard administration. You can define different OS groups for these tasks at installation time. Usually these groups are named DBA, BACKUPDBA and DGDBA.
Even if you do not want to introduce role separation in the first step, I recommend creating these operating system groups and installing Oracle accordingly. Then you are prepared for possible organizational changes.
If you have prepared these OS groups, you can run DGMGRL and RMAN as the appropriate OS users and will have only limited privileges when using the tools.
But unfortunately, RMAN and DGMGRL handle OS authentication a little differently:
The OS configuration (groups and users) on our test system looks like this:
oracle@training:~/ [TVD12] cat /etc/group
..
oinstall:x:54321:oracle,rmanbackup,dgdba
dba:x:54322:oracle
..
oper:x:54323:oracle
backupdba:x:54324:oracle,rmanbackup
dgdba:x:54325:oracle,dgdba
kmdba:x:54326:oracle
..
oracle@training:~/ [TVD12] cat /etc/passwd
..
oracle:x:54321:54321::/home/oracle:/bin/bash
..
rmanbackup:x:54333:54324::/home/rmanbackup:/bin/bash
dgdba:x:54334:54325::/home/dgdba:/bin/bash
So everything is prepared for role separation.
Let’s start with the user oracle:
oracle@training:~/ [TVD12] rman target=/
Recovery Manager: Release 12.1.0.2.0 - Production on Sun Jul 12 13:18:15 2015
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.
connected to target database: TVD12 (DBID=413165408)
RMAN> backup spfile;
Starting backup at 12-JUL-15
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=26 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 12-JUL-15
channel ORA_DISK_1: finished piece 1 at 12-JUL-15
piece handle=/u02/backup/TVD12/1tqbs34s_1_1 tag=TAG20150712T131820 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 12-JUL-15
Starting Control File and SPFILE Autobackup at 12-JUL-15
piece handle=/u02/backup/TVD12/c-413165408-20150712-00 comment=NONE
Finished Control File and SPFILE Autobackup at 12-JUL-15
RMAN> exit
Recovery Manager complete.
oracle@training:~/ [TVD12] dgmgrl
DGMGRL for Linux: Version 12.1.0.2.0 - 64bit Production
Copyright (c) 2000, 2013, Oracle. All rights reserved.
Welcome to DGMGRL, type "help" for information.
DGMGRL> connect /
Connected as SYSDG.
DGMGRL>
OK, as expected, nothing has changed. But note that DGMGRL connects as SYSDG automatically.
Let’s continue with the user DGDBA:
dgdba@training:~/ [TVD12] id
uid=54334(dgdba) gid=54325(dgdba) groups=54325(dgdba),54321(oinstall)
dgdba@training:~/ [TVD12] rman
Recovery Manager: Release 12.1.0.2.0 - Production on Sun Jul 12 13:20:36 2015
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.
RMAN> connect target '/ as sysdg'
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-04037: Connection should be as SYSDBA or as SYSBACKUP
RMAN> exit
OK, RMAN does not work. But that’s intended. Let’s continue with DGMGRL:
dgdba@training:~/ [TVD12] dgmgrl
DGMGRL for Linux: Version 12.1.0.2.0 - 64bit Production
Copyright (c) 2000, 2013, Oracle. All rights reserved.
Welcome to DGMGRL, type "help" for information.
DGMGRL> connect /
Connected as SYSDG.
OK, it works (as expected). And again, the user is automatically connected “AS SYSDG”.
Finally, the user RMANBACKUP:
rmanbackup@training:~/ [TVD12CDB] dgmgrl
DGMGRL for Linux: Version 12.1.0.2.0 - 64bit Production
Copyright (c) 2000, 2013, Oracle. All rights reserved.
Welcome to DGMGRL, type "help" for information.
DGMGRL> connect /
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
It doesn’t work. As expected.
But let’s see how RMAN behaves:
rmanbackup@training:~/ [TVD12CDB] rman
Recovery Manager: Release 12.1.0.2.0 - Production on Sun Jul 12 13:25:17 2015
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.
RMAN> connect target /
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
ORA-01017: invalid username/password; logon denied
Only
RMAN> connect target '/ as sysbackup'
connected to target database: TVD12CDB (DBID=3125497841)
works. So RMAN expects “CONNECT / AS SYSDBA” when connecting using “TARGET /”.
And from my point of view, that’s annoying. If RMAN implicitly connected “AS SYSBACKUP”, like DGMGRL does with SYSDG, you could use existing scripts (which contain a “CONNECT TARGET /”) without changes, just by running them as a different OS user. But now you have to change the scripts and add “/ AS SYSBACKUP” if you want to use role separation.
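One way to keep a single backup script usable by both the DBA and the restricted backup user is a small wrapper that picks the RMAN connect string from the invoking OS user's group membership. This is an added example, not code from the original post; the group names dba and backupdba are assumptions taken from the /etc/group listing above (override DBA_GROUP / BACKUP_GROUP if your installation used different names), and the RMAN script path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example: choose "connect target /" for a SYSDBA-group member and
# "connect target '/ as sysbackup'" for a BACKUPDBA-group member, so the same
# RMAN script runs under role separation without editing its CONNECT line.
# Group names are assumptions that must match what was chosen at install time.
DBA_GROUP="${DBA_GROUP:-dba}"
BACKUP_GROUP="${BACKUP_GROUP:-backupdba}"

# Print the RMAN CONNECT command for a space-separated list of group names.
# Returns 1 and prints nothing when the list carries neither privilege,
# which is exactly the case that ends in ORA-01017 for "connect target /".
rman_connect_for_groups() {
    groups="$1"
    for g in $groups; do
        # SYSDBA membership wins: the plain connect keeps legacy scripts working
        [ "$g" = "$DBA_GROUP" ] && { echo "connect target /"; return 0; }
    done
    for g in $groups; do
        # BACKUPDBA members must request SYSBACKUP explicitly
        [ "$g" = "$BACKUP_GROUP" ] && { echo "connect target '/ as sysbackup'"; return 0; }
    done
    return 1
}

# Connect string for the OS user running this script (uses the real group list).
rman_connect_for_me() {
    rman_connect_for_groups "$(id -Gn)"
}

# Feed the chosen CONNECT command followed by the caller's RMAN script to rman.
# Refuses to start rman at all when the user has neither privilege.
run_rman_script() {
    script="$1"
    connect="$(rman_connect_for_me)" || {
        echo "user $(id -un) is in neither $DBA_GROUP nor $BACKUP_GROUP" >&2
        return 1
    }
    { echo "$connect"; cat "$script"; } | rman
}

# Only touch rman when a script path is given; sourcing the file just defines functions.
if [ $# -ge 1 ]; then
    run_rman_script "$1"
fi
```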