Issue

Choosing the User for Oracle Backup / Restore Operations via SSH Dump


Summary

For backups, DS-Client instructs RMAN to perform a database dump and then sends the files to the DS-System. The dump files are set to "640" permission and are owned by the Oracle user that RMAN used to create them (which is usually "oracle").

For restores, DS-Client places the dump files to be restored in the dump path with "777" permission and instructs RMAN to perform the restore with those files.

Choosing a User for SSH

The combination of file ownerships and permissions (described above) restricts the range of eligible SSH users that can perform backup and restore operations in the absence of additional assistance. The possible users are:
- "root"
- "oracle"
- any user belonging to the same 'primary' group as "oracle"

Choosing other Users for SSH

If you cannot use "root", "oracle" or a member of "oracle"'s primary group, you must configure the dump path's extended attributes (POSIX ACL) to allow the designated user to perform backup and restore operations.

Setting up Extended Attributes

Both the designated and RMAN users need 'browse' access along the dump path, read/write access in the dump folder, and a default ACL that grants them read and write on files created in the dump folder. Here is a small example for Linux to set up the necessary extended attributes:

dump path = /some_path/oraDump

RMAN user = "oracle"

designated user = "dscuser"

1. Make sure that the designated and RMAN users have browse access to the path (-R applies the ACL settings recursively to everything under /some_path, so the ACL for oraDump is set as well):

setfacl -R -m user:dscuser:rx -m user:oracle:rx /some_path

2. Make sure that the designated and RMAN users have read/write permissions in the dump folder:

setfacl -m user:dscuser:rwx -m user:oracle:rwx /some_path/oraDump

3. Set default ACL for the dump folder so that files created in the folder will grant designated and RMAN users read/write permissions:

setfacl -m default:user:dscuser:rw -m default:user:oracle:rw /some_path/oraDump
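A check for the result of the three steps, as an added example that is not part of the original article: a named-user ACL entry is limited by the file's mask entry, and on a file that carries an ACL the group permission bits are the mask, so a "640" dump file leaves "dscuser" with read access only. The ACL listings are constructed in getfacl format, and the file names and the functions effective_perm and has_access are hypothetical.

```sh
# Constructed getfacl-style listings (not captured from a real system).
# Dump file RMAN created with "640": group bits r-- become the ACL mask.
BACKUP_FILE_ACL='# file: some_path/oraDump/backup_piece
# owner: oracle
user::rw-
user:dscuser:rw-    #effective:r--
user:oracle:rw-     #effective:r--
group::r--
mask::r--
other::---'

# Restore file DS-Client placed with "777": the mask is rwx.
RESTORE_FILE_ACL='# file: some_path/oraDump/restore_piece
# owner: dscuser
user::rwx
user:dscuser:rw-
user:oracle:rw-
group::rwx
mask::rwx
other::rwx'

# effective_perm USER ACL_TEXT
# Prints the named-user entry ANDed with the mask; fails if USER has no entry.
effective_perm() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == "user" && $2 == u { entry = substr($3, 1, 3) }
    $1 == "mask"            { mask  = substr($3, 1, 3) }
    END {
      if (entry == "") exit 1
      if (mask == "") mask = "rwx"
      for (i = 1; i <= 3; i++) {
        e = substr(entry, i, 1)
        out = out ((e != "-" && substr(mask, i, 1) != "-") ? e : "-")
      }
      print out
    }'
}

# has_access USER NEEDED ACL_TEXT
# Succeeds only if every permission letter in NEEDED is effective for USER.
has_access() {
  eff=$(effective_perm "$1" "$3") || return 1
  for p in $(printf '%s' "$2" | sed 's/./& /g'); do
    case $eff in *"$p"*) ;; *) return 1 ;; esac
  done
  return 0
}

echo "backup dscuser=$(effective_perm dscuser "$BACKUP_FILE_ACL") restore oracle=$(effective_perm oracle "$RESTORE_FILE_ACL")"
```

To check a live system, pass the output of getfacl for a real dump file as ACL_TEXT instead of the constructed listings.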