
GoldenGate Monitoring With User Separation


Typically, GoldenGate monitoring is performed by the GoldenGate user.

However, there may be circumstances where monitoring is performed by another user, and this is a test case for such a scenario.

I did not want to create yet another user; hence, GoldenGate will be monitored by user oracle.

GoldenGate 19.1.0.0.4 with Database 11.2.0.4.

Both users (ggs and oracle) belong to the same primary group oinstall:

[ggs@db-fs-1 ggs]$ id ggs
uid=54322(ggs) gid=54321(oinstall) groups=54321(oinstall),54322(dba)

[ggs@db-fs-1 ggs]$ id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54318(asmdba),54320(asmadmin),54322(dba),54323(backupdba),54324(oper),54325(dgdba),54326(kmdba)
[ggs@db-fs-1 ggs]$

Permissions for the GoldenGate directories are 755:

[ggs@db-fs-1 ggs]$ ls -ld dir*
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:21 dirchk
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:12 dircrd
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirdat
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirdef
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:13 dirdmp
drwxr-xr-x 3 ggs oinstall 4096 Apr 24 14:25 diretc
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:25 dirout
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirpcs
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:20 dirprm
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirrpt
drwxr-xr-x 4 ggs oinstall 4096 Apr 24 14:25 dirsca
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirsql
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirtmp
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirwlt
[ggs@db-fs-1 ggs]$

Check lag as user ggs – no issues:

[ggs@db-fs-1 ggs]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 19.1.0.0.4 OGGCORE_19.1.0.0.0_PLATFORMS_191017.1054_FBO
Linux, x64, 64bit (optimized), Oracle 11g on Oct 17 2019 23:13:12
Operating system character set identified as UTF-8.

Copyright (C) 1995, 2019, Oracle and/or its affiliates. All rights reserved.



GGSCI (db-fs-1) 1> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING
EXTRACT     RUNNING     EXT1        00:00:00      00:00:02


GGSCI (db-fs-1) 2> info ext1

EXTRACT    EXT1      Last Started 2020-04-24 16:24   Status RUNNING
Checkpoint Lag       00:00:00 (updated 00:00:04 ago)
Process ID           18886
Log Read Checkpoint  Oracle Redo Logs
                     2020-04-24 17:12:08  Seqno 374, RBA 14901248
                     SCN 0.1622637 (1622637)


GGSCI (db-fs-1) 3> lag ext1

2020-04-24 17:12:26  INFO    OGG-14054  Lag from heartbeat table requires DBLOGIN.

Sending GETLAG request to EXTRACT EXT1 ...
Last record lag 2 seconds.
At EOF, no more records to process


GGSCI (db-fs-1) 4> dblogin useridalias gguser
Successfully logged into database.

GGSCI (db-fs-1 as gguser@hawk) 5> lag ext1

Sending GETLAG request to EXTRACT EXT1 ...
Last record lag 2 seconds.
At EOF, no more records to process


GGSCI (db-fs-1 as gguser@hawk) 6> exit
[ggs@db-fs-1 ggs]$

Check lag as user oracle – permission issue, and the extract is not visible:

[oracle@db-fs-1 ggs]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 19.1.0.0.4 OGGCORE_19.1.0.0.0_PLATFORMS_191017.1054_FBO
Linux, x64, 64bit (optimized), Oracle 11g on Oct 17 2019 23:13:12
Operating system character set identified as UTF-8.

Copyright (C) 1995, 2019, Oracle and/or its affiliates. All rights reserved.



GGSCI (db-fs-1) 1> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING


GGSCI (db-fs-1) 2> sh ls -l /u01/app/ggs/dirchk/*

-rwxr-xr-x 1 ggs oinstall  2048 Apr 24 15:21 /u01/app/ggs/dirchk/EXT1.cpb
-rwxr-xr-x 1 ggs oinstall 20480 Apr 24 17:14 /u01/app/ggs/dirchk/EXT1.cpe


GGSCI (db-fs-1) 3> sh chmod 775 /u01/app/ggs/dirchk/*

chmod: changing permissions of ‘/u01/app/ggs/dirchk/EXT1.cpb’: Operation not permitted
chmod: changing permissions of ‘/u01/app/ggs/dirchk/EXT1.cpe’: Operation not permitted


GGSCI (db-fs-1) 4> sh ls -l /u01/app/ggs/dirchk/*

-rwxrwxr-x 1 ggs oinstall  2048 Apr 24 15:21 /u01/app/ggs/dirchk/EXT1.cpb
-rwxrwxr-x 1 ggs oinstall 20480 Apr 24 17:14 /u01/app/ggs/dirchk/EXT1.cpe

GGSCI (db-fs-1) 5>

Change permissions for the files in dirchk to 775 (as user ggs):

[ggs@db-fs-1 ggs]$ chmod 775 /u01/app/ggs/dirchk/*

Check lag as user oracle – still a permission issue: the extract now appears, but the lag check fails:

GGSCI (db-fs-1) 5> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING
EXTRACT     RUNNING     EXT1        00:00:00      00:00:07


GGSCI (db-fs-1) 6> lag ext1

2020-04-24 17:14:58  INFO    OGG-14054  Lag from heartbeat table requires DBLOGIN.

Sending GETLAG request to EXTRACT EXT1 ...

2020-04-24 17:14:58  ERROR   OGG-15161  Could not initialize the connection with EXTRACT EXT1 (Permission denied).


GGSCI (db-fs-1) 7> dblogin useridalias gguser
Successfully logged into database.

GGSCI (db-fs-1 as gguser@hawk) 8> lag ext1

Sending GETLAG request to EXTRACT EXT1 ...

******************************************************************************************************************************
***** 2020-04-24 17:16:34  ERROR   OGG-15161  Could not initialize the connection with EXTRACT EXT1 (Permission denied). *****
******************************************************************************************************************************

GGSCI (db-fs-1 as gguser@hawk) 9>

Change permissions for all GoldenGate directories to 775:

[ggs@db-fs-1 ggs]$ chmod 775 -R dir*

Check lag as user oracle – works perfectly:

GGSCI (db-fs-1 as gguser@hawk) 10> lag ext1

Sending GETLAG request to EXTRACT EXT1 ...
Last record lag 2 seconds.
At EOF, no more records to process


GGSCI (db-fs-1 as gguser@hawk) 11>

You might be thinking about the principle of least privilege.

Change permissions only for the contents of dirchk and dirtmp to 775:

[ggs@db-fs-1 ggs]$ chmod 775 -R /u01/app/ggs/dirchk/*
[ggs@db-fs-1 ggs]$ chmod 775 -R /u01/app/ggs/dirtmp/*

[ggs@db-fs-1 ggs]$ ls -ld dir*
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:21 dirchk
drwxrwxr-x 2 ggs oinstall 4096 Apr 24 15:12 dircrd
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirdat
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirdef
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:13 dirdmp
drwxr-xr-x 3 ggs oinstall 4096 Apr 24 14:25 diretc
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:25 dirout
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirpcs
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 15:20 dirprm
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 16:24 dirrpt
drwxr-xr-x 4 ggs oinstall 4096 Apr 24 14:25 dirsca
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirsql
drwxrwxr-x 2 ggs oinstall 4096 Apr 24 16:24 dirtmp
drwxr-xr-x 2 ggs oinstall 4096 Apr 24 14:52 dirwlt
[ggs@db-fs-1 ggs]$

Check lag as user oracle – SUCCESS:

[oracle@db-fs-1 ggs]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 19.1.0.0.4 OGGCORE_19.1.0.0.0_PLATFORMS_191017.1054_FBO
Linux, x64, 64bit (optimized), Oracle 11g on Oct 17 2019 23:13:12
Operating system character set identified as UTF-8.

Copyright (C) 1995, 2019, Oracle and/or its affiliates. All rights reserved.



GGSCI (db-fs-1) 1> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING
EXTRACT     RUNNING     EXT1        00:00:00      00:00:02


GGSCI (db-fs-1) 2> lag *

2020-04-25 00:02:13  INFO    OGG-14054  Lag from heartbeat table requires DBLOGIN.

Sending GETLAG request to EXTRACT EXT1 ...
Last record lag 1 seconds.
At EOF, no more records to process


GGSCI (db-fs-1) 3> sh ls -l /u01/app/ggs/dirchk

total 28
-rwxrwxr-x 1 ggs oinstall  4096 Apr 24 20:24 EXT1.cpb
-rwxrwxr-x 1 ggs oinstall 20480 Apr 25 00:02 EXT1.cpe


GGSCI (db-fs-1) 4> sh ls -l /u01/app/ggs/dirtmp

total 0
srwxrwxr-x 1 ggs oinstall 0 Apr 24 16:24 EXT1.s


GGSCI (db-fs-1) 5> exit
[oracle@db-fs-1 ggs]$

Q.E.D.
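
The final test leaves two places where group write matters: the checkpoint files in dirchk and EXT1.s in dirtmp, whose leading s in the listing marks a Unix domain socket (on Linux, connecting to one requires write permission on the socket file). As an added example, not part of the original post, this script reports files in those two directories that lack group write or are world-writable; the function names and the sample tree are constructed for illustration, and GNU find and stat are assumed.

```sh
#!/bin/sh
# Added example (not from the original post): audit the files a second OS
# user must be able to write for GGSCI monitoring, per the test above.
# Assumes GNU find and stat (Linux). Function names are hypothetical.

# gg_monitor_perm_audit GG_HOME
# Prints one finding per line as "<ISSUE> <octal mode> <path>":
#   NO_GROUP_WRITE  group members (the monitoring user) cannot write the file
#   WORLD_WRITABLE  wider than the 775 used in the post
#   MISSING_DIR     expected subdirectory not found
gg_monitor_perm_audit() (
    gg_home=$1
    for sub in dirchk dirtmp; do
        dir="$gg_home/$sub"
        if [ ! -d "$dir" ]; then
            echo "MISSING_DIR - $dir"
            continue
        fi
        # Checkpoint files are regular files; EXT1.s in dirtmp is a socket.
        find "$dir" -mindepth 1 -maxdepth 1 \( -type f -o -type s \) \
            ! -perm -020 -exec stat -c 'NO_GROUP_WRITE %a %n' {} +
        find "$dir" -mindepth 1 -maxdepth 1 \( -type f -o -type s \) \
            -perm -002 -exec stat -c 'WORLD_WRITABLE %a %n' {} +
    done
)

# Constructed sample tree: regular files stand in for the real checkpoint
# files and for the EXT1.s socket. Modes mirror the "before" state from the
# post plus one deliberately over-permissive file.
gg_make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/dirchk" "$t/dirtmp"
    touch "$t/dirchk/EXT1.cpb" "$t/dirchk/EXT1.cpe" "$t/dirtmp/EXT1.s"
    chmod 755 "$t/dirchk/EXT1.cpb"   # as first seen by user oracle
    chmod 775 "$t/dirchk/EXT1.cpe"   # after the chmod in the post
    chmod 777 "$t/dirtmp/EXT1.s"     # too wide: should be flagged
    echo "$t"
}

sample=$(gg_make_sample_tree)
gg_monitor_perm_audit "$sample"
rm -rf "$sample"
```

Run it against the real GoldenGate home (here /u01/app/ggs) after each extract restart, since the files shown above are owned by ggs and their modes depend on how that user creates them.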

