Oracle R Enterprise includes components on the Oracle Database Enterprise Edition server that enable an Oracle R Enterprise client to interact with Oracle R Enterprise Server.
The components are:
Oracle R Distribution or open source R
Oracle R Enterprise Server
The RQSYS schema, described in About the RQSYS Schema
Metadata and executable code in sys
Oracle R Enterprise Server libraries in $ORACLE_HOME/lib (Linux and UNIX) or %ORACLE_HOME%\bin (Windows)
Oracle R Enterprise R packages in $ORACLE_HOME/R/library (%ORACLE_HOME%\R\library on Windows)
The Oracle R Enterprise packages and supporting packages on the server support embedded R execution. These same packages must be installed separately on each client computer. (See About the Oracle R Enterprise Packages).
See Also:
Figure 1-2 for an illustration of the server and client components of Oracle R Enterprise.
The RQSYS schema is the system account for Oracle R Enterprise in Oracle Database.
It contains metadata, PL/SQL packages, and other executable code that is used internally by Oracle R Enterprise Server.
The Oracle R Enterprise Server installation process creates RQSYS as a locked account with an expired password. The rqsys user does not have the CREATE SESSION privilege.
To minimize the risk of compromising the security of an Oracle R Enterprise Server in Oracle Database, Oracle recommends the following security best practices.
Oracle R Enterprise Server components in an Oracle Database instance include the locked and password-expired RQSYS schema, which contains and manages Oracle R Enterprise metadata. Users connect to Oracle R Enterprise Server through their database connection credentials. The RQADMIN role grants a user the privilege of creating R functions as scripts in the Oracle R Enterprise R script repository; those scripts can be executed using Oracle R Enterprise embedded R execution.
Oracle recommends the following security best practices.
Do not unlock the RQSYS schema or enable its login.
Grant the RQADMIN role only to database users who are responsible for creating and managing the R script repository.
Create private R scripts and grant access to other users as needed. Global R scripts are visible to and can be executed by any Oracle R Enterprise user.
Use parameters or the Oracle R Enterprise datastore to transfer data between embedded R execution scripts and Oracle Database. R scripts should not interact with the server file system or the network.
Set the Oracle R Enterprise embedded R execution memory limit properly based upon the Oracle Database server resources and usage patterns. The default value is 2 GB per connection.
Use the auto-connect feature (connect=TRUE) instead of providing explicit database credentials when connecting back to the Oracle Database server in an R script that uses embedded R execution.
Do not allow unauthorized R packages or C libraries to be loaded on the Oracle Database server for use in embedded R execution.
Load dependent shared libraries from the $ORACLE_HOME/lib directory to prevent the use of unauthorized libraries.
Related Topics