Overview: Exadata offers security policy settings along several dimensions to meet business needs. By default an Exadata cell node uses an open storage security policy: there is no restriction on which ASM instances or database clients may access its griddisks. Exadata provides two levels of security policy, ASM-scoped and database-scoped; this article tests both:
ASM-scoped:
1. Shut down the ASM instance and all database instances on the database (compute) nodes
2. Create a key on a cell node
3. Create the cellkey.ora file for the ASM instance in the corresponding directory
4. Assign the security key to the ASM instance
5. Modify the availableTo attribute of the griddisks (this can be done selectively for a subset of griddisks)
6. Restart the ASM instance and the database instances
[grid@dmdb01 ~]$ srvctl stop database -d celldb
[grid@dmdb01 ~]$ crsctl stop res ora.asm -f
CellCLI> create key
2964568367c36eff117f80673e73be2a
[root@dmdb01 ~]# cd /etc/oracle/cell/network-config/
[root@dmdb01 network-config]# pwd
/etc/oracle/cell/network-config
[root@dmdb01 network-config]# cat cellkey.ora
key=2964568367c36eff117f80673e73be2a
asm=+ASM
CellCLI> assign key for '+ASM'='2964568367c36eff117f80673e73be2a'
Key for +ASM successfully created
CellCLI> list griddisk
DATA_CD_disk01_cell01 active
DATA_CD_disk02_cell01 active
DATA_CD_disk03_cell01 active
DATA_CD_disk04_cell01 active
DATA_CD_disk05_cell01 active
DATA_CD_disk06_cell01 active
DATA_CD_disk07_cell01 active
DATA_CD_disk08_cell01 active
DATA_CD_disk09_cell01 active
DATA_CD_disk10_cell01 active
DATA_CD_disk11_cell01 active
DATA_CD_disk12_cell01 active
RECO_CD_disk01_cell01 active
RECO_CD_disk02_cell01 active
RECO_CD_disk03_cell01 active
RECO_CD_disk04_cell01 active
RECO_CD_disk05_cell01 active
RECO_CD_disk06_cell01 active
RECO_CD_disk07_cell01 active
RECO_CD_disk08_cell01 active
RECO_CD_disk09_cell01 active
RECO_CD_disk10_cell01 active
RECO_CD_disk11_cell01 active
RECO_CD_disk12_cell01 active
CellCLI> alter griddisk all availableto='+ASM'
GridDisk DATA_CD_disk01_cell01 successfully altered
GridDisk DATA_CD_disk02_cell01 successfully altered
GridDisk DATA_CD_disk03_cell01 successfully altered
GridDisk DATA_CD_disk04_cell01 successfully altered
GridDisk DATA_CD_disk05_cell01 successfully altered
GridDisk DATA_CD_disk06_cell01 successfully altered
GridDisk DATA_CD_disk07_cell01 successfully altered
GridDisk DATA_CD_disk08_cell01 successfully altered
GridDisk DATA_CD_disk09_cell01 successfully altered
GridDisk DATA_CD_disk10_cell01 successfully altered
GridDisk DATA_CD_disk11_cell01 successfully altered
GridDisk DATA_CD_disk12_cell01 successfully altered
GridDisk RECO_CD_disk01_cell01 successfully altered
GridDisk RECO_CD_disk02_cell01 successfully altered
GridDisk RECO_CD_disk03_cell01 successfully altered
GridDisk RECO_CD_disk04_cell01 successfully altered
GridDisk RECO_CD_disk05_cell01 successfully altered
GridDisk RECO_CD_disk06_cell01 successfully altered
GridDisk RECO_CD_disk07_cell01 successfully altered
GridDisk RECO_CD_disk08_cell01 successfully altered
GridDisk RECO_CD_disk09_cell01 successfully altered
GridDisk RECO_CD_disk10_cell01 successfully altered
GridDisk RECO_CD_disk11_cell01 successfully altered
GridDisk RECO_CD_disk12_cell01 successfully altered
To grant only a subset of the griddisks to the corresponding ASM instance instead, list them explicitly:
alter griddisk DATA_CD_disk01_cell01,DATA_CD_disk02_cell01,RECO_CD_disk01_cell01,RECO_CD_disk01_cell02 availableto='+ASMX'
CellCLI> list key
+ASM 2964568367c36eff117f80673e73be2a
[grid@dmdb01 ~]$ srvctl start database -d celldb
[grid@dmdb01 ~]$ crsctl stat res -t
--------------------------------------------------------------------------------
NAME TARGET STATE SERVER STATE_DETAILS
--------------------------------------------------------------------------------
Local Resources
--------------------------------------------------------------------------------
ora.ARCH.dg
ONLINE ONLINE dmdb01
ora.DATA.dg
ONLINE ONLINE dmdb01
ora.LISTENER.lsnr
ONLINE ONLINE dmdb01
ora.asm
ONLINE ONLINE dmdb01 Started
ora.ons
OFFLINE OFFLINE dmdb01
--------------------------------------------------------------------------------
Cluster Resources
--------------------------------------------------------------------------------
ora.celldb.db
1 ONLINE ONLINE dmdb01 Open
ora.cssd
1 ONLINE ONLINE dmdb01
ora.diskmon
1 ONLINE ONLINE dmdb01
ora.evmd
1 ONLINE ONLINE dmdb01
Database-scoped:
Database-scoped security is configured on top of the ASM-scoped key setup.
1. Shut down the ASM instance and all database instances on the database (compute) nodes
2. Create a key on a cell node
3. Create the cellkey.ora key file in the $ORACLE_HOME/admin/<db_name>/pfile directory on every compute node
4. Assign the security key to the database on every storage server
5. Modify the availableTo attribute of the griddisks (this can be done selectively for a subset of griddisks)
6. Restart the ASM instance and the database instances
[grid@dmdb01 ~]$ srvctl stop database -d celldb
[grid@dmdb01 ~]$ crsctl stop res ora.asm -f
CellCLI> create key
823d3c3e409793bacdb5dd81c1465550
[oracle@dmdb01 ~]$ cd /u01/app/oracle/product/11.2.0.4/db_1/admin/celldb/pfile/
[oracle@dmdb01 pfile]$ cat cellkey.ora
key=823d3c3e409793bacdb5dd81c1465550
asm=+ASM
CellCLI> assign key for celldb='823d3c3e409793bacdb5dd81c1465550'
Key for celldb successfully created
CellCLI> alter griddisk all availableto='+ASM,celldb'
GridDisk DATA_CD_disk01_cell01 successfully altered
GridDisk DATA_CD_disk02_cell01 successfully altered
GridDisk DATA_CD_disk03_cell01 successfully altered
GridDisk DATA_CD_disk04_cell01 successfully altered
GridDisk DATA_CD_disk05_cell01 successfully altered
GridDisk DATA_CD_disk06_cell01 successfully altered
GridDisk DATA_CD_disk07_cell01 successfully altered
GridDisk DATA_CD_disk08_cell01 successfully altered
GridDisk DATA_CD_disk09_cell01 successfully altered
GridDisk DATA_CD_disk10_cell01 successfully altered
GridDisk DATA_CD_disk11_cell01 successfully altered
GridDisk DATA_CD_disk12_cell01 successfully altered
GridDisk RECO_CD_disk01_cell01 successfully altered
GridDisk RECO_CD_disk02_cell01 successfully altered
GridDisk RECO_CD_disk03_cell01 successfully altered
GridDisk RECO_CD_disk04_cell01 successfully altered
GridDisk RECO_CD_disk05_cell01 successfully altered
GridDisk RECO_CD_disk06_cell01 successfully altered
GridDisk RECO_CD_disk07_cell01 successfully altered
GridDisk RECO_CD_disk08_cell01 successfully altered
GridDisk RECO_CD_disk09_cell01 successfully altered
GridDisk RECO_CD_disk10_cell01 successfully altered
GridDisk RECO_CD_disk11_cell01 successfully altered
GridDisk RECO_CD_disk12_cell01 successfully altered
[grid@dmdb01 ~]$ srvctl start database -d celldb
[grid@dmdb01 ~]$ crsctl stat res -t
--------------------------------------------------------------------------------
NAME TARGET STATE SERVER STATE_DETAILS
--------------------------------------------------------------------------------
Local Resources
--------------------------------------------------------------------------------
ora.ARCH.dg
ONLINE ONLINE dmdb01
ora.DATA.dg
ONLINE ONLINE dmdb01
ora.LISTENER.lsnr
ONLINE ONLINE dmdb01
ora.asm
ONLINE ONLINE dmdb01 Started
ora.ons
OFFLINE OFFLINE dmdb01
--------------------------------------------------------------------------------
Cluster Resources
--------------------------------------------------------------------------------
ora.celldb.db
1 ONLINE ONLINE dmdb01 Open
ora.cssd
1 ONLINE ONLINE dmdb01
ora.diskmon
1 ONLINE ONLINE dmdb01
ora.evmd
1 ONLINE ONLINE dmdb01
If specific databases should be able to access only specific griddisks:
create key
CellCLI> ASSIGN KEY FOR 'db1'='51a826646ebe1f29e33c6ed7c4965c9a',
'db2'='bd0843beeed5e18e6664576cf9805b69',
'db3'='6679ef9ec02fa664582c3464d4b0191f'
Either create the griddisks directly with the attribute set:
CellCLI> CREATE GRIDDISK sales_CD_00_cell01, sales_CD_01_cell01 size=75G, -
availableTo='+asm,db1'
CellCLI> CREATE GRIDDISK sales_CD_02_cell01, sales_CD_03_cell01 size=75G, -
availableTo='+asm,db2'
CellCLI> CREATE GRIDDISK sales_CD_04_cell01, sales_CD_05_cell01 size=75G, -
availableTo='+asm,db3'
Or modify existing griddisks:
CellCLI> ALTER GRIDDISK sales_CD_01_cell01, sales_CD_02_cell01 -
availableTo='+asm,db1'
CellCLI> ALTER GRIDDISK sales_CD_03_cell01, sales_CD_04_cell01 -
availableTo='+asm,db2'
CellCLI> ALTER GRIDDISK sales_CD_05_cell01, sales_CD_06_cell01 -
availableTo='+asm,db3'
If the corresponding ASM instance has not been granted access, the ASM instance will not come up and the database therefore cannot start either; a permission error like the following is reported:
CRS-2672: Attempting to start 'ora.ARCH.dg' on 'dmdb01'
CRS-5017: The resource action "ora.ARCH.dg start" encountered the following error:
ORA-15032: not all alterations performed
ORA-15017: diskgroup "ARCH" cannot be mounted
ORA-15063: ASM discovered an insufficient number of disks for diskgroup "ARCH"
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0.4/grid/log/dmdb01/agent/ohasd/oraagent_grid/oraagent_grid.log".
CRS-2674: Start of 'ora.ARCH.dg' on 'dmdb01' failed
CRS-2679: Attempting to clean 'ora.ARCH.dg' on 'dmdb01'
CRS-2681: Clean of 'ora.ARCH.dg' on 'dmdb01' succeeded
CRS-4000: Command Start failed, or completed with errors.
[grid@dmdb01 ~]$ crsctl start res ora.DATA.dg
CRS-2672: Attempting to start 'ora.DATA.dg' on 'dmdb01'
CRS-5017: The resource action "ora.DATA.dg start" encountered the following error:
ORA-15032: not all alterations performed
ORA-15017: diskgroup "DATA" cannot be mounted
ORA-15063: ASM discovered an insufficient number of disks for diskgroup "DATA"
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0.4/grid/log/dmdb01/agent/ohasd/oraagent_grid/oraagent_grid.log".
CRS-2674: Start of 'ora.DATA.dg' on 'dmdb01' failed
CRS-2679: Attempting to clean 'ora.DATA.dg' on 'dmdb01'
CRS-2681: Clean of 'ora.DATA.dg' on 'dmdb01' succeeded
CRS-4000: Command Start failed, or completed with errors.
If the griddisks the database needs to access have not been authorized to it, the database also fails to start:
ORA-15025: could not open disk "o/10.0.0.15/DATA_CD_disk08_cell01"
WARNING: failed to read mirror side 1 of virtual extent 0 logical extent 0 of file 269 in group [2.3604065482] from disk DATA_CD_DISK08_CELL01 allocation unit 235 reason error; if possible, will try another mirror side
ORA-00204: error in reading (block 1, # blocks 1) of control file
ORA-00202: control file: '+DATA/celldb/controlfile/current.269.994690737'
ORA-15081: failed to submit an I/O operation to a disk
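As an added example (not part of the original post and not Oracle tooling), the following POSIX shell check verifies offline the two things both procedures above depend on: that the key in cellkey.ora matches the key the cell holds for that asm= name, and that every griddisk's availableTo list includes the ASM instance or database that needs it, which is exactly what the ORA-15063 and ORA-15025 failures above come from. It assumes the "list key" output format shown on this page and "list griddisk attributes name,availableTo" output of the form "<name> <availableTo>"; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: an offline consistency check for
# the two settings the procedure above depends on. The three inputs are
# CONSTRUCTED samples shaped like cellkey.ora, "cellcli -e list key" and
# "cellcli -e list griddisk attributes name,availableTo"; on a real system,
# feed the functions the real file and command output instead.

CELLKEY_ORA='key=2964568367c36eff117f80673e73be2a
asm=+ASM'

LIST_KEY='+ASM 2964568367c36eff117f80673e73be2a
celldb 823d3c3e409793bacdb5dd81c1465550'

# Constructed: one DATA disk was left available only to a different instance.
GRIDDISK_ATTRS='DATA_CD_disk01_cell01 +ASM,celldb
DATA_CD_disk02_cell01 +ASMX
RECO_CD_disk01_cell01 +ASM,celldb'

# key_matches <cellkey.ora text> <list key text>
# True when the key in cellkey.ora equals the key the cell holds for the
# same asm= name; a mismatch leaves ASM unable to see any griddisk.
key_matches() {
  asm_name=$(printf '%s\n' "$1" | sed -n 's/^asm=//p')
  local_key=$(printf '%s\n' "$1" | sed -n 's/^key=//p')
  cell_key=$(printf '%s\n' "$2" | awk -v n="$asm_name" '$1 == n { print $2 }')
  [ -n "$cell_key" ] && [ "$cell_key" = "$local_key" ]
}

# disks_hidden_from <client> <griddisk attrs text>
# Prints every griddisk whose availableTo list omits <client>. These are the
# disks that surface as ORA-15063 (ASM) or ORA-15025 (database) at startup.
# Names are compared case-insensitively here (an assumption of this check).
disks_hidden_from() {
  printf '%s\n' "$2" | awk -v c="$1" '
    { n = split($2, a, ","); ok = 0
      for (i = 1; i <= n; i++) if (tolower(a[i]) == tolower(c)) ok = 1
      if (!ok) print $1 }'
}

# check_cell <client>: run both checks; non-zero status if anything is wrong.
check_cell() {
  rc=0
  key_matches "$CELLKEY_ORA" "$LIST_KEY" || { echo "cellkey.ora key differs from the cell"; rc=1; }
  hidden=$(disks_hidden_from "$1" "$GRIDDISK_ATTRS")
  [ -z "$hidden" ] || { echo "griddisks not available to $1:"; echo "$hidden"; rc=1; }
  return $rc
}
if check_cell +ASM; then echo "cell security consistent"; else echo "fix before restarting ASM"; fi
```

Run it as grid or oracle on a compute node before restarting ASM, substituting the real cellkey.ora and the CellCLI output from each cell.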