RE: How to restrict database to use specific diskgroup within a Grid configuration
Date: Fri, 18 Mar 2022 17:22:11 -0400
Message-ID: <063b01d83b0e$3cefa970$b6cefc50$_at_rsiz.com>
IF you have thousands of distinct databases on one grid you have constructed an interesting place in hell for yourself.
Maintaining security as you request in that hell is of course daunting, and there is no easier way I can think of than distinct OS users with ACLs. Of course slicing up your pie of available storage into 1000 slices is a great way to waste space in pre-allocated free space.
Since having your database administrators allocate disk space to their database only in accordance with policy is trivial, flexible for emergencies, and easy to report for policy violations, that is what I think you should tell the auditors is more sensible.
And that allows for Balanced Organization of Resources In Natural Groups (BORING) space allocation. BORING is Good. BORING makes it easy to find space and to discover if someone is outside where they are supposed to be.
Negotiation to be allowed to use little dribs and drabs of space by slicing up volumes into secure (from each other) disks at the OS level directly presents the opportunity to create a potpourri. Potpourri “organization” was shown to be destructive to performance and difficult to manage by at least the 1990s. Potpourri has less tendency to muck up performance on devices with large amounts of cache and/or SSD, but it is still a great way to let a sneaky idiot get away with murder.
Use far fewer container databases. Organize your media farm sensibly. Tell people the rules and track violations in near real time. You probably don’t really need ACLs, but at a reasonable number of independent databases that’s sufficient if you really do.
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Sourav Biswas
Sent: Friday, March 18, 2022 3:01 PM
To: Seth Miller; Martin Berger
Cc: oracle-l_at_freelists.org
Subject: Re: How to restrict database to use specific diskgroup within a Grid configuration
Thanks Martin and Seth.
This came out as a compliance issue, that one DB should not have access to disks of other DBs. The intent is to enforce a restriction, so that any attempt to create data files to ASM diskgroups belonging to other databases should be stopped.
Seth, I have looked into that document about ASM file access control. My current environment has 'oracle' as OS User for all DBs. In order to implement ACL , I have to make dedicated OS User for each DBs and grant them security limits. This is going to be a daunting task, as we have around hundreds of such DBs, if not thousands.
Regards,
Sourav Biswas
From: Seth Miller <sethmiller.sm_at_gmail.com>
Sent: Friday, 18 March 2022, 23:18
To: Martin Berger
Cc: biswas.sourav_at_hotmail.com; oracle-l_at_freelists.org
Subject: Re: How to restrict database to use specific diskgroup within a Grid configuration
https://docs.oracle.com/en/database/oracle/oracle-database/19/ostmg/asm-access-control-diskgroups.html <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.oracle.com%2Fen%2Fdatabase%2Foracle%2Foracle-database%2F19%2Fostmg%2Fasm-access-control-diskgroups.html&data=04%7C01%7C%7C81fc01db57e54401060208da09078032%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637832225084079489%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=U6wPMCtKInRYhL78MEuuJ0Eb4GOwX0diNipOnpAaqYo%3D&reserved=0>
On Thu, Mar 17, 2022 at 2:21 AM Martin Berger <martin.a.berger_at_gmail.com> wrote:
Hi,
I assume you are using Linux and no Exadata or similar. You can assign separate group IDs to the disks of the specific diskgroups and also start the DB instances with different users and group.
If you are using PDBs Path_Prefix and Create_File_Dest can partially help - at least for datafiles.
hth,
Martin
Am Mi., 16. März 2022 um 20:58 Uhr schrieb Sourav Biswas <biswas.sourav_at_hotmail.com>:
Hello Everyone,
Current environment:
OS: RHEL 7.9 Grid OS User: grid
Grid: 19.14
Oracle OS User: oracle
CDB: 19.14 We are running multiple CDBs with one PDB each, on a single Grid. As per our architecture, for every CDB, we have 3 sets of asm diskgroups(DATA_CDBn,REDO_CDBn,ARCH_CDBn) created.
For example,
CDB1 database will have DATA_CDB1, REDO_CDB1, ARCH_CDB1 diskgroups
CDB2 database will have DATA_CDB2, REDO_CDB2, ARCH_CDB2 diskgroup
Since, at ASM level we can see all of the above 6 diskgroups, I would like to introduce some restrictions to every database to read and write to their dedicated diskgroups. I want to ensure that even the sysdba privilege user of a database cannot create datafile on diskgroups belonging to other database.
Please advise how to implement this restriction.
Regards,
Sourav Biswas
-- Martin Berger Oracle ♠ martin.a.berger_at_gmail.com <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fmartinberx&data=04%7C01%7C%7C81fc01db57e54401060208da09078032%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637832225084079489%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Nj61kapBv7tQbEh%2BhAeRKaOtAzySDnamyRgLxPIln7M%3D&reserved=0> _at_martinberx ^∆x http://berxblog.blogspot.com <https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fberxblog.blogspot.com%2F&data=04%7C01%7C%7C81fc01db57e54401060208da09078032%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637832225084079489%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ilIbxTWVaSle%2F8GtxIwWGFOPEYwCT42lFsYx%2BlPMJo4%3D&reserved=0> -- http://www.freelists.org/webpage/oracle-lReceived on Fri Mar 18 2022 - 22:22:11 CET