- Posted by Gavin Soorma
- On July 30, 2014
- GoldenGate, goldengate director, goldengate director client
The GoldenGate Director (Server and Client) is part of the Oracle GoldenGate Management pack suite of products.
Let us see how security is managed in the Director.
We launch the Director Administration tool on Unix via the run-admin.sh shell script.
If we are using Oracle WebLogic Server 12c and above the default admin user is ‘diradmin’ and for other releases it is ‘admin’.
When we create a user via the Director Admin tool, it creates a WebLogic domain user in the background; we will see this in the example when we connect using the WebLogic Administration Console.
After creating a user we then have to create a Data Source and here is where we define the security layer.
A Data Source is essentially where we define the connection details to a particular instance of GoldenGate like the manager port and host where the manager is running, the GoldenGate version and operating system and also the database username and password used by the GoldenGate schema.
In the Access Control section of the interface screen, we have a few options.
If we leave the Owner field blank, then it means that the Data Source in the Director Client will be visible as well as manageable by all other admin users.
If we explicitly define an owner for the Data Source by selecting one of the users we had earlier created (or the default out of the box users like diradmin or admin), then the Data Source in the Director Client will only be visible to that particular user. If another user connects to Director Client, they will not see that Data Source.
The next option is to define an owner for the Data Source and tick the Host is Observable check box. That means that users other than the owner will be able to see the Data Source in Director Client and will be able to see the extract and replicat processes associated with that Data Source, but will not be able to perform any administrative activity such as starting or stopping extract/replicat processes, modifying parameter files, or even using the GGSCI interface to connect to the GoldenGate instance associated with that particular Data Source.
What if we want more fine-grained access control in the Director security, controlling which Data Sources are visible as well as manageable by which Director Admin users? We do this at the WebLogic end. Remember that when we install the GoldenGate Director, we need an existing WebLogic Server environment; a domain for GoldenGate Director is created and managed by that WebLogic Server.
We have two admin users, usera and userb, which we created using the Director Admin utility. We do not want usera to be able to perform any administrative tasks in the GoldenGate environment via the Director Client; usera should only be able to view the environment, while userb has full access.
We launch the WebLogic Server Administration Console (note that the out-of-the-box username and password are both weblogic).
If we click on the Security Realms link, we see that the installation has created a realm called ggRealm.
Click on the ggRealm link and expand the Users and Groups tab. We will see a list of WebLogic users. We had earlier created admin users (usera and userb) in the Director Administration utility, and we see that matching WebLogic Server users have also been created.
Let us see the groups that usera is currently a member of. In this case the only chosen group for usera is the group User.
Now connect as usera using the Director Client.
We can see that while the Data Sources are visible, they have a lock symbol attached to them, meaning that usera can only see the processes associated with the Data Source when he drags it to the Diagram panel. He cannot create, modify, start or stop any of the extract or replicat processes associated with that Data Source.
Even in the GGSCI tab, we see that he cannot connect to any of the associated GoldenGate instances, as none are available.
Go back to the WebLogic Administration Console and make userb a member of the Admin group.
Now when we connect as userb in the Director Client, all the Data Sources are visible and none are locked, and in the drop-down list of the GGSCI tab we can connect to all the Data Sources via GGSCI.
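Since membership of the WebLogic Admin group in ggRealm is what turns a Director user from view-only into one who can start/stop processes, edit parameter files and use GGSCI, it is worth being able to list that membership without clicking through the console. The following WLST (Jython) script is an added example, not part of the original post or of the Director product; the realm name ggRealm and the groups Admin and User come from the post, while the server URL, the weblogic credentials and the authentication provider name DefaultAuthenticator are assumptions to replace for your own domain.

```python
# Added example: audit which Director admin users hold full control (WebLogic
# Admin group) in ggRealm, using WLST. Run with: wlst.sh audit_ggrealm.py
ADMIN_URL = 't3://localhost:7001'      # assumption: Director's WebLogic server
ADMIN_USER = 'weblogic'                # assumption: out-of-the-box admin login
ADMIN_PASS = 'CHANGE_ME'               # placeholder, replace before running
REALM_NAME = 'ggRealm'                 # realm created by the Director install
ATN_PROVIDER = 'DefaultAuthenticator'  # assumption: provider name in ggRealm
PRIVILEGED_GROUPS = ['Admin']          # Admin = start/stop, edit params, GGSCI

def classify_users(user_groups, privileged=PRIVILEGED_GROUPS):
    """Split {user: [groups]} into (full_control, view_only) sorted lists."""
    full, view = [], []
    users = list(user_groups.keys())
    users.sort()                       # keep Jython 2.2 compatible (no sorted)
    for user in users:
        hits = [g for g in user_groups[user] if g in privileged]
        if hits:
            full.append(user)
        else:
            view.append(user)
    return full, view

def cursor_names(mbean, cursor):
    """Drain a WebLogic reader cursor (listUsers/listMemberGroups) into a list."""
    names = []
    try:
        while mbean.haveCurrent(cursor):
            names.append(mbean.getCurrentName(cursor))
            mbean.advance(cursor)
    finally:
        mbean.close(cursor)            # cursors must be released on the server
    return names

def collect_user_groups(realm_name=REALM_NAME, provider=ATN_PROVIDER):
    """Return {user: [groups]} for every user in the realm (needs a WLST session)."""
    sec = cmo.getSecurityConfiguration()
    realm = sec.findRealm(realm_name) or sec.getDefaultRealm()
    atn = realm.lookupAuthenticationProvider(provider)
    result = {}
    for user in cursor_names(atn, atn.listUsers('*', 0)):   # 0 = no limit
        result[user] = cursor_names(atn, atn.listMemberGroups(user))
    return result

if __name__ == '__main__':
    connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
    full, view = classify_users(collect_user_groups())
    print('Full control (Admin group): %s' % ', '.join(full))
    print('View only: %s' % ', '.join(view))
    disconnect()
```

With the post's setup the output lists userb under full control and usera under view only; anyone unexpectedly in the first list should be reviewed, since Admin membership is equivalent to GGSCI access on every Data Source.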