ASM Security
This section describes the security configuration topics related to ASM: configuring the user IDs and group IDs that ASM requires; ASM privileges such as SYSOPER, SYSDBA, and the new SYSASM privilege; and finally how ASM uses the Oracle password file created with orapwd.
ASM Instances and Multiple UNIX Userids
If ASM runs under a different user than the RDBMS instances, with a separate ASM_HOME, then the Oracle user of each RDBMS instance must be a member of the ASM instance's DBA group. The Oracle user of ASM does not have to be a member of the RDBMS instance's DBA group. If you want to use different UNIX userids and have several UNIX userids use the ASM instance to manage their own storage, you can create a separate DBA group for each database (different from the ASM DBA group); for example, the databases can use DBA groups named dba1 and dba2. If RDBMS instances are to share the same disk group, all of those RDBMS instances need read/write access to the disk group. The ASM instance requires read/write access to all disks. For RDBMS instances, you can restrict which disks an instance can access.
ASM Permissions
In Oracle 10g, you access an ASM instance through SQL*Plus the same way you access a standard database instance: with SYSDBA or SYSOPER privileges. Note, however, that because an ASM instance has no data dictionary, authentication is done at the operating system level or through the Oracle password file. Typically, the SYSDBA privilege is granted through an operating system user group; on UNIX systems this is generally the dba group. By default, members of the dba group have SYSDBA privileges on all instances on the node, including the ASM instance. Connecting to ASM with SYSDBA privileges gives complete administrative access to the disk groups of the local system.

Note: On Windows systems, Oracle typically runs under the Local System or Administrator user; the OSOPER and OSDBA groups are hard-coded groups associated with ORA_OPER and ORA_DBA, respectively.

Starting with Oracle Database 11g, a privilege called SYSASM becomes the primary means of accessing the ASM instance, and most ASM instance management commands are no longer meant to be run with SYSDBA. SYSDBA is still available for backward compatibility, but if it is used, a message such as the following is written to the ASM alert log:
    WARNING: Deprecated privilege SYSDBA for command 'STARTUP'
The purpose of the SYSASM privilege is to separate ASM authentication from RDBMS authentication. SYSASM has full control over the ASM instance. It is authenticated through the OSASM user group, in the same way that SYSDBA is authenticated through OSDBA. For Oracle Database 11g ASM, using SYSASM instead of SYSDBA is a best practice. The following shows how to connect as SYSASM and configure a new user with the SYSASM role:
    $ sqlplus "/ as sysasm"

Create asmuser, for example with the following commands:

    SQL> CREATE USER asmuser IDENTIFIED BY ASMUSER1;
    SQL> GRANT SYSASM, SYSOPER TO asmuser;

To connect to the ASM instance as asmuser:

    $ sqlplus "asmuser/ASMUSER1 as sysasm"
    SQL> SELECT * FROM v$pwfile_users;

    USERNAME                     SYSDBA SYSOPER SYSASM
    ---------------------------- ------ ------- ------
    SYS                          TRUE   TRUE    FALSE
    ASMUSER                      FALSE  TRUE    TRUE
In Oracle ASM 10g, a user who connects to the ASM instance with SYSOPER has roughly the same privileges as one who connects with SYSDBA, except for the privilege to query v$ views. To connect to the ASM instance as SYSOPER, use a command such as the following:
    $ sqlplus "/ as sysoper"
From Oracle Database 11g onward, the responsibilities of the ASM SYSOPER privilege are essentially the same as those of the database SYSOPER privilege. The following commands are available to a SYSOPER user:
    STARTUP / SHUTDOWN
    ALTER DISKGROUP MOUNT / DISMOUNT
    ALTER DISKGROUP ONLINE / OFFLINE DISK
    ALTER DISKGROUP REBALANCE
    ALTER DISKGROUP CHECK
All other commands, such as CREATE DISKGROUP and ADD/DROP/RESIZE DISK, require the SYSASM privilege and cannot be run by a user who has only SYSOPER.

All management commands, including STARTUP, SHUTDOWN, and ALTER/CREATE/DROP DISKGROUP, are logged by the ASM instance. For example, every ALTER DISKGROUP command is recorded in the alert log after the command is issued. If needed, operations performed on an ASM instance by the SYS user can also be logged to an .aud file. To do this, configure the following initialization parameters:
    AUDIT_SYS_OPERATIONS = TRUE
    _disable_instance_params_check = TRUE
Note that, unlike with RDBMS instances, the audit trail cannot be stored in an aud$ table of the ASM instance, because ASM has no database to hold such tables. The output is therefore dumped to .aud files, which are usually stored in the default location, $ORACLE_HOME/rdbms/audit. The AUDIT_FILE_DEST parameter in init.ora controls the default location of the audit files. On Windows, these records are written to the Windows system log.
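The alert log warning and the SYSOPER command list described above can be combined into a simple log review. The following is an added example, not code from the original article or from Oracle; the log excerpt is constructed, and the "SQL>" line format and the names min_privilege and review_alert_log are assumptions made for illustration.

```python
import re

# Constructed ASM alert log excerpt (not from a real system). Assumption:
# commands are recorded as "SQL> ..." lines under a timestamp line.
SAMPLE_ALERT_LOG = """\
Mon Jun 01 09:58:12 2009
WARNING: Deprecated privilege SYSDBA for command 'STARTUP'
Mon Jun 01 10:02:40 2009
SQL> ALTER DISKGROUP DATA MOUNT
Mon Jun 01 10:15:03 2009
SQL> alter diskgroup data add disk '/dev/rdsk/c1t2d0s4'
Mon Jun 01 10:20:11 2009
SQL> ALTER DISKGROUP DATA REBALANCE POWER 4
Mon Jun 01 11:00:00 2009
SQL> CREATE DISKGROUP FRA EXTERNAL REDUNDANCY DISK '/dev/rdsk/c1t3d0s4'
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}$")
DEPRECATED = re.compile(
    r"WARNING:\s*Deprecated privilege SYSDBA for command '\s*(\w+)\s*'", re.I)
# Administrative commands the page says are logged by the ASM instance.
ADMIN = re.compile(r"^(STARTUP|SHUTDOWN|(ALTER|CREATE|DROP)\s+DISKGROUP)\b", re.I)
# Subset the page lists as available to SYSOPER in 11g; the rest need SYSASM.
SYSOPER_OK = re.compile(
    r"^(STARTUP|SHUTDOWN)\b|^ALTER\s+DISKGROUP\s+\S+\s+"
    r"(MOUNT|DISMOUNT|ONLINE|OFFLINE|REBALANCE|CHECK)\b", re.I)

def min_privilege(sql):
    """Lowest privilege allowed to run an ASM admin command (SYSOPER or SYSASM)."""
    return "SYSOPER" if SYSOPER_OK.search(sql.strip()) else "SYSASM"

def review_alert_log(text):
    """Return (timestamp, kind, detail) for each audit-relevant alert log entry."""
    findings, ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        deprecated = DEPRECATED.search(line)
        if TIMESTAMP.match(line):
            ts = line                      # applies to the entries that follow
        elif deprecated:
            findings.append((ts, "DEPRECATED_SYSDBA", deprecated.group(1).upper()))
        elif line.upper().startswith("SQL>") and ADMIN.match(line[4:].strip()):
            sql = line[4:].strip()
            findings.append((ts, "NEEDS_" + min_privilege(sql), sql))
    return findings

if __name__ == "__main__":
    for finding in review_alert_log(SAMPLE_ALERT_LOG):
        print(*finding, sep=" | ")
```

Entries tagged DEPRECATED_SYSDBA point to scripts or operators that should move to SYSASM; entries tagged NEEDS_SYSASM are the ones an account holding only SYSOPER could not have issued.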
ASM and orapwd
ASM instances use Oracle password files for remote ASM access, much as RDBMS instances do for remote database access.
Note
The RDBMS instance is completely separate from the ASM instance, so ASM has its own password file, which is not shared with RDBMS instances. To configure EM remote access to ASM, the ASM password file does not need to exist. If the ASM instance is configured with DBCA, the orapwd file is created automatically. If the ASM instance is configured manually, you must create the password file yourself using the orapwd command:
    $ orapwd file=$ORACLE_HOME/asm/orapw+asm1 \
        password=oracle
The standard orapwd tool is used to manage the password file for ASM instances, but it is restricted to changing the SYS password.
Note
Each ASM instance in the cluster of a RAC system must have an orapwd file.

Use the V$PWFILE_USERS view in the ASM instance to view the contents of the password file:
    SQL> SELECT * FROM v$pwfile_users;

    USERNAME                       SYSDB SYSOP SYSAS
    ------------------------------ ----- ----- -----
    SYS                            TRUE  TRUE  FALSE
In Oracle Database 11g, you can use the same commands as in the RDBMS to change the ASM password file. However, only the local orapwd file can be updated.
ASM Management
With the advent of ASM, the line between volume management and storage management responsibilities seems to have blurred. The definition of ASM management roles can vary, depending on the organization's management structure. For example, here are some typical deployments:
- A specific ASM instance is managed by an ASM administrator. ASM administrators can come from the sysadmin (SA)
- The ASM software can be installed by the RDBMS user. This strengthens the ASM management role.
- The DBA responsible for managing the enterprise databases, or the Oracle software owner, manages ASM instance storage at the same time.
- The system administrator (SA) manages OS LUNs (logical unit numbers), changes the device file group, and at the same time manages the ASM disks along with the other host Logical Volume Manager
No matter how you divide the responsibilities, the following tasks still apply to ASM storage:

Identify ASM storage requirements
Determine the storage type based on the application/database, such as SATA (Serial Advanced Technology Attachment) or FC (Fibre Channel). If you deploy tiered storage, this is a very important issue. For example, the data disk group may require high-end FC disks, while for the flash disk group SATA disks are sufficient. Determine how much space the database needs. Determine the number of IOPS for database operations, and use the IOPS requirement to determine what the database needs from the back-end storage disks. This step requires the storage administrator and the system administrator to complete.
Pre-allocate disks from the disk array
Create the LUNs on the storage array. These LUNs can be carved from RAID (RAID 10 or RAID 5) groups and mapped to the appropriate host.

Pre-allocate disks at the host level
The root user confirms at the OS level that the host can identify these LUNs, then adjusts the permissions and group ownership of the LUNs.
After the group and permissions have been changed, ASM is able to discover these disks. The disks can then be added to a disk group that already exists or used to create a new disk group.
Create the necessary disk groups
After ASM identifies the disks provided by the storage array, decide how these disks are assigned to disk groups: use an existing disk group or create a new one.
For example, the following ASM v$ views describe the data structures and organization of ASM:

- V$ASM_ALIAS: This view displays all system- and user-defined aliases. There is one row for every alias present in every disk group mounted by the ASM instance. The RDBMS instance displays no rows in this view.
- V$ASM_ATTRIBUTE: This Oracle Database 11g view displays one row for each ASM attribute defined. These attributes are listed when they are defined in CREATE DISKGROUP or ALTER DISKGROUP statements. DISK_REPAIR_TIMER is an example of an attribute.
- V$ASM_CLIENT: This view displays one row for each RDBMS instance that has an opened ASM disk group.
- V$ASM_DISK: This view contains specifics on all disks discovered by the ASM instance, including mount status, disk state, and size. There is one row for every disk discovered by the ASM instance.
- V$ASM_DISK_IOSTAT: This view displays information about disk I/O statistics for each ASM client. If this view is queried from the database instance, only the rows for that instance are shown.
- V$ASM_DISK_STAT: This view contains content similar to V$ASM_DISK, except that V$ASM_DISK_STAT reads disk information from cache and thus performs no disk discovery. This view is primarily used for quick access to the disk information without the overhead of disk discovery.
- V$ASM_DISKGROUP: V$ASM_DISKGROUP displays one row for every ASM disk group discovered by the ASM instance on the node.
- V$ASM_DISKGROUP_STAT: This view contains content similar to V$ASM_DISKGROUP, except that V$ASM_DISK_STAT reads disk information from the cache and thus performs no disk discovery. This view is primarily used for quick access to the disk group information without the overhead of disk discovery.
- V$ASM_FILE: The V$ASM_FILE view displays information about ASM files. There is one row for every ASM file in every disk group mounted by the ASM instance. In an RDBMS instance, V$ASM_FILE displays no rows.
- V$ASM_OPERATION: This view describes the progress of an in-flux ASM rebalance operation. In an RDBMS instance, V$ASM_OPERATION displays no rows.
- V$ASM_TEMPLATE: This view contains information on user- and system-defined templates. V$ASM_TEMPLATE displays one row for every template present in every disk group mounted by the ASM instance. In an RDBMS instance, V$ASM_TEMPLATE displays one row for every template present in every disk group mounted by the ASM instance with which the RDBMS instance communicates.
For example, the following views can be accessed in both RDBMS and ASM instances: see p. 68.
Summary
The ASM instance manages ASM metadata. ASM instances are similar to Oracle database instances: they also have an SGA and most of the background processes, and ASM can run commands similar to those of RDBMS instances. An ASM instance does not mount a database; it mounts disk groups. ASM manages the metadata that makes ASM data files usable by the database. Both the ASM instance and the database instances must be able to access all of the ASM disks. The ASM instance provides the extent map to the RDBMS instance when a file is opened or created. RDBMS instances then read and write directly to disk based on the extent map. The ASM instance is not in the I/O path.
blog:http://blog.csdn.net/card_2005
Oracle Automatic Storage Management translation, Chapter 2: ASM Instance (4), end