2.5.3 Controlling Storage Access

Oracle Exadata System Software supports the access control modes of open security, Oracle ASM-scoped security, and database-scoped security.

  • Open security allows any database to access any of the grid disks.

  • Oracle ASM-scoped security allows multiple databases assigned to one or more Oracle ASM clusters to share specific grid disks.

    In addition to its overall access control mode, Oracle ASM supports access controls at the disk group and file level to ensure that access to content stored on disk is only available to authorized users.

    Note:

    • The /etc/oracle/cell/network-config/cellkey.ora file must be readable only by the software installation owner of Oracle Grid Infrastructure and its dedicated group, such as asmadmin.

    • Use the kfod utility in the Oracle Grid Infrastructure home to troubleshoot or verify which disks are accessible for your cluster.

  • Database-scoped security, the most fine-grained level of access control, ensures that only specific databases are able to access specific grid disks.

    Database-scoped security works on a container level. This means that grid disks must be made available to the DB_UNIQUE_NAME of the container database (CDB) or non-CDB. Because of this, it is not possible to have database-scoped security per pluggable database (PDB).

    Note:

    You should only set up database-scoped security after configuring and testing Oracle ASM-scoped security.
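As an added check that is not part of the Oracle documentation, the following POSIX shell function verifies the cellkey.ora ownership and mode requirement stated in the Oracle ASM-scoped security note above. It assumes GNU coreutils `stat`; the owner and group names it is called with (oracle, asmadmin) are assumptions to replace with your installation's values.

```shell
#!/bin/sh
# Added example (not Oracle's code): confirm that cellkey.ora is readable only
# by the Oracle Grid Infrastructure owner and its dedicated group.
# Assumptions: GNU `stat` (coreutils); expected owner/group names are passed in.

CELLKEY_ORA=/etc/oracle/cell/network-config/cellkey.ora   # path named in the docs

# check_cellkey_perms FILE OWNER GROUP
# Returns 0 when FILE is owned by OWNER:GROUP and grants no permission bits to
# "other"; otherwise prints the first problem found and returns 1.
check_cellkey_perms() {
    file=$1 want_owner=$2 want_group=$3
    [ -f "$file" ] || { echo "cellkey.ora not found: $file"; return 1; }
    # stat prints e.g. "640 oracle asmadmin"; split into mode, owner, group
    set -- $(stat -c '%a %U %G' "$file" 2>/dev/null)
    mode=$1 owner=$2 group=$3
    [ -n "$mode" ] || { echo "stat failed for $file"; return 1; }
    other=${mode#"${mode%?}"}            # last octal digit = "other" bits
    if [ "$owner" != "$want_owner" ]; then
        echo "wrong owner on $file: $owner (want $want_owner)"; return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "wrong group on $file: $group (want $want_group)"; return 1
    fi
    if [ "$other" != 0 ]; then
        echo "world-accessible mode $mode on $file (want 640 or stricter)"; return 1
    fi
    echo "ok: $file is mode $mode, owned by $owner:$group"
}

# Typical invocation on a database server (user and group names are assumptions):
#   check_cellkey_perms "$CELLKEY_ORA" oracle asmadmin
```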

By default, SSH is enabled on storage servers. If required, you can "lock" the storage servers to block SSH access. You can still perform operations on the storage server using exacli, which runs on compute nodes and communicates over HTTPS and REST APIs with a web service running on the cell. At a high level, this is accomplished by creating users and roles in CellCLI and then disabling remoteLogin.