Oracle Appliance Manager command-line utility requires root system privileges for most administration actions. You may want to use SUDO as part of your system auditing and security policy.
For most tasks, Oracle recommends that you log in as root to use the Oracle Appliance Manager command-line interface on Oracle Database Appliance. If you are not logged in as root, then you cannot carry out most actions on the appliance. For example, if you are not logged in as root, then you can view storage information, but you cannot modify the storage.
Allowing Root User Access Using SUDO
In environments where system administration is handled by a different group than database administration, or where security is a significant concern, you may want to limit access to the root user account and password. SUDO enables system administrators to grant certain users (or groups of users) the ability to run commands as root, while logging all commands and arguments as part of your security and compliance protocol.
A SUDO security policy is configured by using the file /etc/sudoers. Within the sudoers file, you can configure groups of users and sets of commands to simplify and audit server administration with SUDO commands.
Caution:
Configuring SUDO to allow a user to perform any operation is equivalent to giving that user root privileges. Consider carefully if this is appropriate for your security needs.
SUDO Example 1: Allow a User to Perform Any OAKCLI Operation
This example shows how to configure SUDO to enable a user to perform any OAKCLI operation. You do this by adding lines to the commands section in the /etc/sudoers file:
## The commands section may have other options added to it.
##
Cmnd_Alias OAKCLI_CMDS=/opt/oracle/oak/bin/oakcli *
jdoe ALL = OAKCLI_CMDS
In this example, the user name is jdoe. The file parameter setting ALL = OAKCLI_CMDS grants the user jdoe permission to run all oakcli commands that are defined by the command alias OAKCLI_CMDS. After configuration, you can copy one sudoers file to multiple hosts. You can also create different rules on each host.
Note:
Before database creation, you must set up user equivalency with SSH for the root user on each server. If you do not set up user equivalency and configure SSH on each server, then you are prompted to provide the root password for each server during database creation.
After you configure the sudoers file with the user, the user jdoe can run the set of oakcli commands configured with the command alias OAKCLI_CMDS. For example:
$ sudo oakcli create database -db newdb
INFO: 2015-08-05 14:40:55: Look at the logfile '/opt/oracle/oak/log/scaoda1011/tools/12.1.2.4.0/createdb_newdb_91715.log' for more details
INFO: 2015-08-05 14:40:59: Database parameter file is not provided. Will be using default parameters for DB creation
Please enter the 'SYSASM' password : (During deployment we set the SYSASM password to 'welcome1'):
Please re-enter the 'SYSASM' password:
INFO: 2015-08-05 14:41:10: Installing a new home: OraDb12102_home3 at /u01/app/oracle/product/12.1.0.2/dbhome_3
Please select one of the following for Database type [1 .. 3]:
1 => OLTP
2 => DSS
3 => In-Memory
SUDO Example 2: Allow a User to Perform Only Selected OAKCLI Operations
To configure SUDO to allow a user to perform only selected OAKCLI operations, add lines to the commands section in the /etc/sudoers file as follows:
[jdoe2@servernode1 ~]$ sudo /opt/oracle/oak/bin/oakcli create database -db test
INFO: 2015-09-30 15:49:07: Look at the logfile '/opt/oracle/oak/log/servernode1/tools/12.1.2.4.0/createdb_test_59955.log' for more details
INFO: 2015-09-30 15:49:12: Database parameter file is not provided. Will be using default parameters for DB creation
Please enter the 'SYSASM' password : (During deployment we set the SYSASM password to 'welcome1'):
Please re-enter the 'SYSASM' password:
INFO: 2015-09-30 15:49:27: Installing a new home: OraDb12102_home2 at /u01/app/oracle/product/12.1.0.2/dbhome_2
Please select one of the following for Database type [1 .. 3]:
1 => OLTP
2 => DSS
3 => In-Memory
In this example, the user jdoe2 tries to run the oakcli show databases command, which is not part of the set of commands that is configured for that user. Sudo prevents jdoe2 from running the command.
[jdoe2@servernode1 ~]$ sudo /opt/oracle/oak/bin/oakcli show database
Sorry, user jdoe2 is not allowed to execute '/opt/oracle/oak/bin/oakcli show database' as root on servernode1.
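The difference between Example 1 (any OAKCLI operation) and Example 2 (only selected operations) comes down to how sudoers matches the command path and its arguments against a Cmnd_Alias. The following Python script is an added illustration, not part of Oracle's documentation: it is a simplified model of sudoers command matching (exact program path, glob match on the argument string) applied to two constructed fragments. The broad fragment is Example 1's own lines; the narrow fragment (alias OAKCLI_CREATE, restricted to oakcli create database) is an assumption, since the page shows Example 2's behaviour but not its sudoers lines. Both are then checked against the two commands that appear in the page's transcripts.

```python
import fnmatch
import shlex

# Constructed fragment copied from Example 1: jdoe may run any oakcli operation.
BROAD_SUDOERS = """
## The commands section may have other options added to it.
##
Cmnd_Alias OAKCLI_CMDS=/opt/oracle/oak/bin/oakcli *
jdoe ALL = OAKCLI_CMDS
"""

# Constructed, hypothetical fragment for Example 2: jdoe2 may only run
# 'oakcli create database' with arbitrary arguments. The alias name is an assumption.
NARROW_SUDOERS = """
Cmnd_Alias OAKCLI_CREATE=/opt/oracle/oak/bin/oakcli create database *
jdoe2 ALL = OAKCLI_CREATE
"""

# The two command lines taken from the page's transcripts (sudo resolves the bare
# 'oakcli' of Example 1 through PATH to this full path before matching).
PAGE_COMMANDS = [
    "/opt/oracle/oak/bin/oakcli create database -db newdb",
    "/opt/oracle/oak/bin/oakcli show database",
]


def parse_sudoers(text):
    """Parse a minimal sudoers fragment (Cmnd_Alias lines and 'user ALL = cmds' lines).

    Returns (aliases, specs): aliases maps alias name -> list of command specs,
    specs maps user name -> list of alias names or literal command specs.
    Only the subset of sudoers syntax used on this page is understood.
    """
    aliases, specs = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # sudoers comments start with '#'
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, cmds = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        else:
            user, rest = line.split(None, 1)  # 'jdoe ALL = OAKCLI_CMDS'
            _, cmds = rest.split("=", 1)
            specs[user] = [c.strip() for c in cmds.split(",")]
    return aliases, specs


def command_matches(spec, command):
    """Simplified sudoers matching: the program path must be identical; if the spec
    lists arguments, the caller's argument string must match them as a glob
    (sudoers uses fnmatch-style wildcards); a spec with no arguments matches any."""
    spec_parts = shlex.split(spec)
    cmd_parts = shlex.split(command)
    if not spec_parts or not cmd_parts or spec_parts[0] != cmd_parts[0]:
        return False
    if len(spec_parts) == 1:
        return True
    return fnmatch.fnmatchcase(" ".join(cmd_parts[1:]), " ".join(spec_parts[1:]))


def is_allowed(sudoers_text, user, command):
    """True if 'user' may run 'command' as root under the given fragment."""
    aliases, specs = parse_sudoers(sudoers_text)
    for entry in specs.get(user, []):
        for spec in aliases.get(entry, [entry]):  # entry is an alias or a literal spec
            if command_matches(spec, command):
                return True
    return False


def evaluate():
    """Decision table for both fragments over the page's two commands."""
    results = {}
    for user, fragment in (("jdoe", BROAD_SUDOERS), ("jdoe2", NARROW_SUDOERS)):
        for cmd in PAGE_COMMANDS:
            results[(user, cmd)] = is_allowed(fragment, user, cmd)
    return results


if __name__ == "__main__":
    for (user, cmd), allowed in evaluate().items():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY ':5} {cmd}")
```

The broad alias ends in a bare `*`, so every oakcli subcommand, `show database` included, is allowed for jdoe; the narrow alias only matches argument strings beginning with `create database`, which reproduces the "Sorry, user jdoe2 is not allowed" outcome shown above. On a real host, check a fragment's syntax with `visudo -cf <file>` before installing it, and confirm the effective policy for a user with `sudo -l -U jdoe2` rather than relying on a model like this one.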
See Also:
The SUDO man pages for more information about configuring and using SUDO: