Oracle structures on database applications development

Slides:



Advertisements
Similar presentations
The Architecture of Oracle
Advertisements

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
System Administration Accounts privileges, users and roles
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Harvard University Oracle Database Administration Session 2 System Level.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.
Administering User Security
MD807: Relational Database Management Systems Introduction –Course Goals & Schedule –Logistics –Syllabus Review RDBMS Basics –RDBMS Role in Applications.
Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.
10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Manage & Configure SQL Database on the Cloud Haishi Bai Technical Evangelist Microsoft.
Getting Started with Oracle11g Abeer bin humaid. Create database user You should create at least one database user that you will use to create database.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Data Administration & Database Administration
Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
Database Technical Session By: Prof. Adarsh Patel.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Profiles, Password Policies, Privileges, and Roles
To Presentation on SECURITY By Office of the A.G. (A&E) Punjab, Chandigarh.
IS 221: DATABASE ADMINISTRATION Lecture 6:Create Users & Manage Users. Information Systems Department 1.
The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.
7 Copyright © 2004, Oracle. All rights reserved. Administering Users.
Controlling User Access. Objectives After completing this lesson, you should be able to do the following: Create users Create roles to ease setup and.
Anton TopurovIT-DB 23 April 2013 Introduction to Oracle2.
Metadata, Security, and the DBA Chapter 8.1 V3.0 Napier University Dr Gordon Russell.
What is a schema ? Schema is a collection of Database Objects. Schema Objects are logical structures created by users to contain, or reference, their data.
Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.
Dale Roberts 1 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Computer Science, IUPUI
Nitin Singh/AAO RTI ALLAHABAD1 DATABASE SECURITY DATABASE SECURITY.
Controlling User Access Fresher Learning Program January, 2012.
CERN IT Department CH-1211 Genève 23 Switzerland t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database.
Controlling User Access. 2 home back first prev next last What Will I Learn? Compare the difference between object privileges and system privileges Construct.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Module 6: Data Protection. Overview What does Data Protection include? Protecting data from unauthorized users and authorized users who are trying to.
Kansas State University Department of Computing and Information Sciences CIS 560: Database System Concepts Tuesday, November 1, 2000 “Transaction processing”
CERN IT Department CH-1211 Genève 23 Switzerland t DBA Experience in a multiple RAC environment DM Technical Meeting, Feb 2008 Miguel Anjo.
IST 318 Database Administration Lecture 9 Database Security.
Oracle for Physics Services and Support Levels Maria Girone, IT-ADC 24 January 2005.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
7 Copyright © 2007, Oracle. All rights reserved. Administering User Security.
Intro To Oracle :part 1 1.Save your Memory Usage & Performance. 2.Oracle Login ways. 3.Adding Database to DB Trees. 4.How to Create your own user(schema).
6 Copyright © 2007, Oracle. All rights reserved. Managing Security and Metadata.
8 Copyright © 2005, Oracle. All rights reserved. Managing Schema Objects.
Database Systems Slide 1 Database Systems Lecture 4 Database Security - Concept Manual : Chapter 20 - Database Security Manual : Chapters 5,10 - SQL Reference.
Oracle for Physics Services and Support Levels Maria Girone, IT-ADC 6 April 2005.
15 Copyright © Oracle Corporation, All rights reserved. Managing Users.
1 Chapters 19 and 20  Ch. 19: By What Authority? Users Roles Grant and revoke Synonyms  Ch. 20: Changing the Oracle Surroundings Indexes Clusters Sequences.
6 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
What is Database Administration ?
Controlling User Access
Controlling User Access
Table spaces.
Managing Privileges.
Controlling User Access
Objectives User access Create users Create roles
TABLES AND INDEXES Ashima Wadhwa.
Controlling User Access
Managing Privileges.
Database Security.
Naming convention for Database Services at CERN
Database Security.
OER- UNIT 3 Authorization
Database Security OER- Unit 1-Authentication
Index Index.
Presentation transcript:

Oracle structures on database applications development LCG Database Deployment and Persistency Workshop 18-Oct-2005 Miguel Anjo (CERN-IT) Don’t know which title to put...

Objectives Increase security Improve scalability Allow resource management Better definition of development stages Smother transition between stages Facilitate DBAs work (better organization) Give some rules and policy that will help the life to both users and DBAs, plus ... Show the inside of dba work Sparse ideas to keep in mind

Oracle reference (oradoc.cern.ch) Schemas (users, accounts) Collection of database objects owned by a database user and with the same name as that user. Profiles a named set of specified resource limits Roles named groups of related privileges that you grant, as a group, to users or other roles. Tablespaces logical storage units which group related logical structures together Services groups of applications with common attributes, service level thresholds, and priorities Copied from oracle documentation

Development stages Development Validation Production one shared cluster 8/5 monitoring and availability No backups Validation Limited time dedicated cluster for testing application performance with expected data volume and concurrency 8/5 monitoring and availability DBA consultancy by e-mail, phone to optimize application Production Dedicated cluster per experiment 24/7 monitoring and availability Backups every 10 minutes Limited number and scheduled planned interventions Development – username and development purposes Production – valid workload (can use validation service), schema, expected size and concurrency, security schema

Naming convention Restriction: maximum 30 characters Base: name of project / application Prefix: experiment / project Sufix: free _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ C M S _ T R A N S F E R M N G M _ R C M S _ T R A N S F E R M N G M _ S C 3 _ R L H C B _ R I C H H P D _ T E S T _ A P P A T L A S _ B O O K K E E P I N G _ R O L E _ L Y O N L C G _ F T S _ L H C B _ W Read/writer, time precise, role...

Profiles Developer / owner (cern_dev_profile) Account locked for 1 minute after 5 failed login attempts Password expires every 365 days 10 days to change password after first warning then account locked Maximum 10 simultaneous sessions of same user Sessions killed after 2 full days of inactivity Password needs to comply with secure password function Application (cern_app_profile) Account locked for 1 minute after 10 failed login attempts Password never expires (might change to a general password policy) Unlimited simultaneous sessions (DB limit ~500 for all users) Password function requested by security team (8 chars, include 2 of number, letters, symbols) Limited lock not to stop production

Roles Developer / owner (cern_dev_role) ALTER SESSION CREATE CLUSTER Creates/drops objects (tables, indexes, …) ALTER SESSION CREATE CLUSTER CREATE DATABASE LINK CREATE MATERIALIZED VIEW CREATE PROCEDURE CREATE ROLE CREATE SEQUENCE CREATE SESSION CREATE SYNONYM CREATE TABLE CREATE TRIGGER CREATE TYPE CREATE VIEW QUERY REWRITE ADVISOR PLUSTRACE Advantages of this approach: - security: if one has access to application computer and application db password, cannot delete rows/drop tables, if application cannot do it. - deleted rows are easier to recover (flashback) than dropped tables (backups) - similar to not use root user on unix... PLUSTRACE – allows use of AUTOTRACE to see execution plan and number of blocks read from disk/memory SYNONYM – allows transparent usage of objects from other schema VIEW – allows transparent usage of a subset of a different object Application (cern_app_role) No object creation ALTER SESSION CREATE VIEW CREATE SESSION QUERY REWRITE CREATE SYNONYM

Accounts, policy & convention Development Developer profile and role If 1 account with no suffix LCG_GRIDVIEW If more accounts login as suffix CMS_TRACKER_MANJO CMS_TRACKER_CANALI Production Owner account Developer profile and role LHCB_COOL Reader/writer, application accounts Application profile and role (ATLAS_DAQ_R and ATLAS_DAQ_W) or, ALICE_COOL_APP

Application roles Objective: Fine grain access control Roles with specific access privileges to objects Can be password protected Administrated by application owner OWNER (LCG_FTS): SQL> create role lcg_fts_role_alice identified by x1z; SQL> create view lcg_fts_alice_transfers as select * from lcg_fts_transfers where VO=‘ALICE’; SQL> grant select, insert, update on lcg_fts_alice_transfers to lcg_fts_role_alice; - some application DETECTOR needs write access to conditions table and ANALYSIS app needs read access to that table. APPLICATION (LCG_FTS_APP): SQL> set role lcg_fts_role_alice identified by x1z; SQL> insert into lcg_fts_alice_tranfers values ...

Application roles connect to lcg_fts_app set role lcg_fts_role_alice set role lcg_fts_role_atlas GRANT GRANT Select lcg_fts_w.atlas_mon_view Insert lcg_fts_w.atlas_tranfers_view Update lcg_fts_w.atlas_status_view Select lcg_fts_w.alice_mon_view Insert lcg_fts_w.alice_tranfers_view Update lcg_fts_w.alice_status_view lcg_fts.fts_mon lcg_fts.fts_transfers lcg_fts.fts_status subset of subset of

Tablespaces and quotas Transparent to user Tablespace name should not be application dependent Do not specify tablespace on object creation Development Shared tablespace (DATA01) Maximum 500MB quota Production Dedicated tablespace (project_DATA01) Unlimited quota (disk space limit) Special tablespaces for certain datatypes, data (read-only)

Services Allows set priorities, monitor individual applications Same as application name Preferred cluster node or least loaded node Better scalability and resource management Individual monitor and statistics Easier management by DBAs

Connection to DB tnsnames.ora Server + service name One entry per application Allow client side load-balancing Might change without warning (application should be ready to read from afs/dfs) Server + service name Service name = application_name.cern.ch Server and service name might change without warning (application should be ready to change at any time, not hard coded) We try to keep as stable as possible (with IP alias)

Questions? Support and Accounts https://uimon.cern.ch/twiki/bin/view/ADCgroup/PhysicsDatabasesSection Physics-databases.support@cern.ch Questions? Users - Account Request, SessionsManager, GeneralAdvices, NamingConvention, DevelopmentStages, Consultancy, OracleDocumentation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.