Where is my StreamAdmin account?
One of the huge benefits of Oracle GoldenGate Microservices is the security framework that comes standard when you install GoldenGate. As you set up the ServiceManager and first deployment, you are prompted to build an administration account. As a best practice we recommend that the account be named “oggadmin” with a password you define.
Although it is expected that you create an “oggadmin” account, this account carries some risk. After all, it is a “security” role account. The “security” role allows the “oggadmin” account to do anything it likes within the ServiceManager and associated deployments. The “oggadmin” account is created at the ServiceManager level and can be seen in all deployments. This account is akin to the SYS user in the Oracle Database. As a result, it should be handled with care, and access to this elevated account should be limited. How can we make Oracle GoldenGate Microservices more secure?
Before we can answer this question, it is good to understand the security model within Oracle GoldenGate Microservices. There are two layers of security; the first is at the ServiceManager and the second is at the deployment layer (no matter how many deployments you have running). Within each of these layers, you have the ability to create a user in one of four roles. These roles are:
- Security – Full access to ServiceManager and associated deployments
- Administrator – Full access with the ability to create, delete, start, stop, etc…
- Operator – Access with the ability to start and stop processes
- User – Read-Only access
At a high level the model looks like this:
As you can tell, all four roles are available in the ServiceManager layer and the Deployment layer. This is by design; however, what is recommended is to relegate the Security role to the ServiceManager and all other roles to the deployments. Something like this:
Just because this is a recommended approach doesn’t mean that there isn’t a reason for the other roles at the ServiceManager layer. Just use those with caution.
Now back to the questions – How can we make Oracle GoldenGate Microservices more secure?
The answer is simple – create any additional users needed for administration at the deployment layer and in a role other than Security. Hence the question in the title of this post – Where is my StreamAdmin account?
The “streamadmin” account is an “Administrator” role account that is created on a per-deployment basis. The whole purpose of this user is to provide separation of duties from the “oggadmin” account, while still having the ability to perform any administrative task within a deployment: create, start, stop, modify, and remove.
To create a “streamadmin” account, use the Administration Service within one or more deployments. The steps to do this are:
1. Access the Administration Service
2. Open the context menu and select Administrator
3. Under Users, click the plus ( + )
4. Provide the requested information – ensure to select “Administrator” role and “Basic” type
5. Click Submit
Creating the “streamadmin” user per deployment manually could, and more than likely will, become a pain. This process can be automated using the REST APIs. After all, isn’t that the purpose of the microservices architecture?
To create the “streamadmin” user using REST, all you have to do is run a cURL command like this:
```bash
# The POST must be authenticated as an account allowed to manage users; the
# ServiceManager "oggadmin" (security role) account is assumed here. Replace
# both password placeholders before running.
curl -X POST https://localhost:16001/services/v2/authorizations/Administrator/streamadmin \
  -u 'oggadmin:<oggadmin_password>' \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -d '{ "credential":"********", "info":"Stream Administration", "type":"Basic", "user":"streamadmin" }'
```
Within the URL, you are telling GoldenGate that you want to create a user named “streamadmin” with the role of “Administrator”. Everything else in the request body fills in the required information for the user.
More than likely, you will need to create this user in multiple deployments. You can simply wrap the above cURL command in a shell script or some other language and connect to multiple Administration Services to create the user.
With the “streamadmin” user created, you can now provide more security to the Oracle GoldenGate environment while still allowing DBAs, SysAdmins, or anyone else access to the resources they need, all the while not giving up full control at the ServiceManager layer.
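As an added example (not code from the original post), here is a POSIX shell script that wraps the cURL call and creates the user on every Administration Service passed on its command line. The host:port list, the environment variable names and the script file name are assumptions; the oggadmin account is assumed to be the one authenticating the request.

```sh
#!/bin/sh
# Added example, not from the original post: create the per-deployment
# "streamadmin" Administrator user on several Administration Services.
# Assumptions: each deployment's Administration Service is given as host:port
# on the command line; the oggadmin (security role) password is in
# OGG_ADMIN_PASS and the new user's password in STREAMADMIN_PASS, so neither
# password shows up in the process list or shell history.
set -eu

# JSON body for a Basic-type user (values must not contain double quotes).
# Usage: build_user_json <user> <password> <info>
build_user_json() {
  printf '{"credential":"%s","info":"%s","type":"Basic","user":"%s"}' "$2" "$3" "$1"
}

# URL of the authorizations endpoint for <role>/<user> on one Administration Service.
# Usage: build_user_url <host:port> <role> <user>
build_user_url() {
  printf 'https://%s/services/v2/authorizations/%s/%s' "$1" "$2" "$3"
}

# POST the user definition to one deployment and print the HTTP status code
# (curl prints 000 when the service cannot be reached).
# Usage: create_user <host:port> <user> <password> <info>
create_user() {
  curl -sS -o /dev/null -w '%{http_code}' -X POST \
    "$(build_user_url "$1" Administrator "$2")" \
    -u "oggadmin:${OGG_ADMIN_PASS}" \
    -H 'Content-Type: application/json' \
    -d "$(build_user_json "$2" "$3" "$4")" || true
}

# Loop over every host:port given, report per deployment, and return non-zero
# if any deployment did not answer with a 2xx status.
main() {
  rc=0
  for target in "$@"; do
    code=$(create_user "$target" streamadmin "$STREAMADMIN_PASS" "Stream Administration")
    case "$code" in
      2??) echo "$target: streamadmin created" ;;
      *)   echo "$target: failed (HTTP $code)" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run only when deployments are given, e.g.:
#   OGG_ADMIN_PASS=... STREAMADMIN_PASS=... ./create_streamadmin.sh localhost:16001 localhost:17001
if [ $# -gt 0 ]; then main "$@"; fi
```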
Enjoy and God Bless!
Bobby Curtis
I’m Bobby Curtis and I’m just your normal average guy who has been working in the technology field for a while (started when I was 18 with the US Army). The goal of this blog has changed a bit over the years. Initially, it was a general blog where I wrote thoughts down. Then it changed to focus on the Oracle Database, Oracle Enterprise Manager, and eventually Oracle GoldenGate.
If you want to follow me on a more timely manner, I can be followed on twitter at @dbasolved or on LinkedIn under “Bobby Curtis MBA”.