@@ -142,7 +142,7 @@ use the following setting:
142
142
}
143
143
```
144
144
145
- ## 5. Create a user for the connector
145
+ ## 5. Create a user for the connector {#create-dbz-user}
146
146
147
147
The Debezium Oracle connector must run as an Oracle LogMiner user with
148
148
specific permissions. The following example shows some SQL that creates
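Review bot: The explicit `{#create-dbz-user}` id on this heading is added so the new `[The example above](#create-dbz-user)` link in the next hunk can target it, but that same hunk links `#limiting-privileges` by relying on the auto-generated id of the new `### Limiting privileges` heading. Pick one convention for both links, either an explicit `{#limiting-privileges}` id on that heading too or auto-generated ids for both, so the two cross-references don't fail differently if id generation changes; and confirm the site's Markdown renderer actually supports the `{#id}` attribute syntax, otherwise the braces render literally in the heading text.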
@@ -166,39 +166,130 @@ CREATE USER c##dbzuser IDENTIFIED BY dbz
166
166
QUOTA UNLIMITED ON logminer_tbs
167
167
CONTAINER= ALL;
168
168
169
- GRANT CREATE SESSION TO c# #dbzuser CONTAINER=ALL;
170
- GRANT SET CONTAINER TO c# #dbzuser CONTAINER=ALL;
171
- GRANT SELECT ON V_$DATABASE to c# #dbzuser CONTAINER=ALL;
172
- GRANT FLASHBACK ANY TABLE TO c# #dbzuser CONTAINER=ALL;
173
- GRANT SELECT ANY TABLE TO c# #dbzuser CONTAINER=ALL;
174
- GRANT SELECT_CATALOG_ROLE TO c# #dbzuser CONTAINER=ALL;
175
- GRANT EXECUTE_CATALOG_ROLE TO c# #dbzuser CONTAINER=ALL;
176
- GRANT SELECT ANY TRANSACTION TO c# #dbzuser CONTAINER=ALL;
177
- GRANT LOGMINING TO c# #dbzuser CONTAINER=ALL;
178
-
179
- GRANT CREATE TABLE TO c# #dbzuser CONTAINER=ALL;
180
- GRANT LOCK ANY TABLE TO c# #dbzuser CONTAINER=ALL;
181
- GRANT CREATE SEQUENCE TO c# #dbzuser CONTAINER=ALL;
182
-
183
- GRANT EXECUTE ON DBMS_LOGMNR TO c# #dbzuser CONTAINER=ALL;
184
- GRANT EXECUTE ON DBMS_LOGMNR_D TO c# #dbzuser CONTAINER=ALL;
185
-
186
- GRANT SELECT ON V_$LOG TO c# #dbzuser CONTAINER=ALL;
187
- GRANT SELECT ON V_$LOG_HISTORY TO c# #dbzuser CONTAINER=ALL;
188
- GRANT SELECT ON V_$LOGMNR_LOGS TO c# #dbzuser CONTAINER=ALL;
189
- GRANT SELECT ON V_$LOGMNR_CONTENTS TO c# #dbzuser CONTAINER=ALL;
190
- GRANT SELECT ON V_$LOGMNR_PARAMETERS TO c# #dbzuser CONTAINER=ALL;
191
- GRANT SELECT ON V_$LOGFILE TO c# #dbzuser CONTAINER=ALL;
192
- GRANT SELECT ON V_$ARCHIVED_LOG TO c# #dbzuser CONTAINER=ALL;
193
- GRANT SELECT ON V_$ARCHIVE_DEST_STATUS TO c# #dbzuser CONTAINER=ALL;
194
- GRANT SELECT ON V_$TRANSACTION TO c# #dbzuser CONTAINER=ALL;
195
-
196
- GRANT SELECT ON V_$MYSTAT TO c# #dbzuser CONTAINER=ALL;
197
- GRANT SELECT ON V_$STATNAME TO c# #dbzuser CONTAINER=ALL;
169
+ GRANT CREATE SESSION TO c# #dbzuser CONTAINER=ALL;
170
+ GRANT SET CONTAINER TO c# #dbzuser CONTAINER=ALL;
171
+ GRANT SELECT ON V_$DATABASE to c# #dbzuser CONTAINER=ALL;
172
+
173
+ -- See `Limiting privileges` below if the privileges
174
+ -- granted by these two commands raise security concerns.
175
+ GRANT FLASHBACK ANY TABLE TO c# #dbzuser CONTAINER=ALL;
176
+ GRANT SELECT ANY TABLE TO c# #dbzuser CONTAINER=ALL;
177
+ --
178
+
179
+ GRANT SELECT_CATALOG_ROLE TO c# #dbzuser CONTAINER=ALL;
180
+ GRANT EXECUTE_CATALOG_ROLE TO c# #dbzuser CONTAINER=ALL;
181
+ GRANT SELECT ANY TRANSACTION TO c# #dbzuser CONTAINER=ALL;
182
+ GRANT LOGMINING TO c# #dbzuser CONTAINER=ALL;
183
+
184
+ -- See `Limiting privileges` below if the privileges
185
+ -- granted by these two commands raise security concerns.
186
+ GRANT CREATE TABLE TO c# #dbzuser CONTAINER=ALL;
187
+ GRANT LOCK ANY TABLE TO c# #dbzuser CONTAINER=ALL;
188
+ --
189
+
190
+ GRANT CREATE SEQUENCE TO c# #dbzuser CONTAINER=ALL;
191
+
192
+ GRANT EXECUTE ON DBMS_LOGMNR TO c# #dbzuser CONTAINER=ALL;
193
+ GRANT EXECUTE ON DBMS_LOGMNR_D TO c# #dbzuser CONTAINER=ALL;
194
+
195
+ GRANT SELECT ON V_$LOG TO c# #dbzuser CONTAINER=ALL;
196
+ GRANT SELECT ON V_$LOG_HISTORY TO c# #dbzuser CONTAINER=ALL;
197
+ GRANT SELECT ON V_$LOGMNR_LOGS TO c# #dbzuser CONTAINER=ALL;
198
+ GRANT SELECT ON V_$LOGMNR_CONTENTS TO c# #dbzuser CONTAINER=ALL;
199
+ GRANT SELECT ON V_$LOGMNR_PARAMETERS TO c# #dbzuser CONTAINER=ALL;
200
+ GRANT SELECT ON V_$LOGFILE TO c# #dbzuser CONTAINER=ALL;
201
+ GRANT SELECT ON V_$ARCHIVED_LOG TO c# #dbzuser CONTAINER=ALL;
202
+ GRANT SELECT ON V_$ARCHIVE_DEST_STATUS TO c# #dbzuser CONTAINER=ALL;
203
+ GRANT SELECT ON V_$TRANSACTION TO c# #dbzuser CONTAINER=ALL;
204
+
205
+ GRANT SELECT ON V_$MYSTAT TO c# #dbzuser CONTAINER=ALL;
206
+ GRANT SELECT ON V_$STATNAME TO c# #dbzuser CONTAINER=ALL;
198
207
199
208
exit;
200
209
```
201
210
211
+ ### Limiting privileges
212
+
213
+ The privileges granted in the example above are convenient,
214
+ but you may prefer to restrict them further to improve security. In particular,
215
+ you might want to prevent the Debezium user from creating tables, or
216
+ selecting or locking any table.
217
+
218
+ The Debezium user needs the ` CREATE TABLE ` privilege to create the
219
+ ` LOG_MINING_FLUSH ` and ` signals ` tables when it connects for the first
220
+ time. After this point, it doesn't need to create any more tables,
221
+ so you can safely revoke this privilege with the following command:
222
+
223
+ ``` sql
224
+ REVOKE CREATE TABLE FROM c# #dbzuser container=all;
225
+ ```
226
+
227
+ [ The example above] ( #create-dbz-user ) grants the ` SELECT ANY TABLE ` and
228
+ ` FLASHBACK ANY TABLE ` privileges for convenience, but only the tables synced to RDI,
229
+ the ` signals ` table, and the ` V_$XXX ` tables strictly need these privileges.
230
+ You can replace the ` GRANT SELECT ANY TABLE ` command with explicit
231
+ commands for each table. For example, you would use commands like the
232
+ following for the tables in our sample
233
+ [ ` chinook ` ] ( https://github.com/Redislabs-Solution-Architects/rdi-quickstart-postgres )
234
+ database. (Note that Oracle 19c requires you to run a separate ` GRANT `
235
+ command for each table individually.)
236
+
237
+ ``` sql
238
+ GRANT SELECT ON signals TO c# #dbzuser;
239
+ GRANT SELECT ON chinook .album TO c# #dbzuser;
240
+ GRANT SELECT ON chinook .artist TO c# #dbzuser;
241
+ GRANT SELECT ON chinook .customer TO c# #dbzuser;
242
+ ...
243
+ ```
244
+
245
+ Similarly, instead of ` GRANT FLASHBACK ANY TABLE ` , you would use the following
246
+ commands:
247
+
248
+ ``` sql
249
+ GRANT FLASHBACK ON signals TO c# #dbzuser;
250
+ GRANT FLASHBACK ON chinook .album TO c# #dbzuser;
251
+ GRANT FLASHBACK ON chinook .artist TO c# #dbzuser;
252
+ GRANT FLASHBACK ON chinook .customer TO c# #dbzuser;
253
+ ...
254
+ ```
255
+
256
+ The ` LOCK ` privilege is automatically granted by the ` SELECT `
257
+ privilege, so you can omit this command if you have granted ` SELECT `
258
+ on specific tables.
259
+
260
+ ### Revoking existing privileges
261
+
262
+ If you initially set the Debezium user's privileges on all tables,
263
+ but you now want to restrict them, you can revoke the existing
264
+ privileges before resetting them as described in the
265
+ [ Limiting privileges] ( #limiting-privileges ) section.
266
+
267
+ Use the following commands to revoke and reset the ` SELECT ` privileges:
268
+
269
+ ``` sql
270
+ REVOKE SELECT ANY TABLE FROM c# #dbzuser container=all;
271
+ ALTER SESSION SET container= orclpdb1;
272
+
273
+ GRANT SELECT ON chinook .album TO c# #dbzuser;
274
+ -- ...etc
275
+ ```
276
+
277
+ The equivalent commands for ` FLASHBACK ` are:
278
+
279
+ ``` sql
280
+ REVOKE FLASHBACK ANY TABLE FROM c# #dbzuser container=all;
281
+ ALTER SESSION SET container= orclpdb1;
282
+ GRANT FLASHBACK ON chinook .album TO c# #dbzuser;
283
+ ```
284
+
285
+ The ` SELECT ` privilege automatically includes the ` LOCK `
286
+ privilege, so when you grant ` SELECT ` for specific tables
287
+ you should also revoke ` LOCK ` on all tables:
288
+
289
+ ``` sql
290
+ REVOKE LOCK ANY TABLE FROM c# #dbzuser container=all;
291
+ ```
292
+
202
293
## 6. Configuration is complete
203
294
204
295
Once you have followed the steps above, your Oracle database is ready
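Review bot: The per-table `GRANT SELECT ON chinook.album TO c##dbzuser;` and `GRANT FLASHBACK ON chinook.album TO c##dbzuser;` examples under `Limiting privileges` omit the `ALTER SESSION SET container=orclpdb1;` step that the later `Revoking existing privileges` block shows is needed; the script above is run from the root container (every grant there carries `CONTAINER=ALL`), and from there object grants on the PDB-local `chinook` tables will not resolve. Add the container switch to the first block so the two sections agree, and schema-qualify `signals` the same way the `chinook.*` tables are, since an unqualified `signals` is resolved against the granting user's schema. The sentence "The `SELECT` privilege automatically includes the `LOCK` privilege, so when you grant `SELECT` for specific tables you should also revoke `LOCK` on all tables" has the reasoning backwards: `REVOKE LOCK ANY TABLE` is needed because granting per-table `SELECT` does nothing to remove the system-wide `LOCK ANY TABLE` privilege, not because `SELECT` includes locking; the earlier wording "you can omit this command if you have granted `SELECT` on specific tables" states it correctly. For `REVOKE CREATE TABLE`, say explicitly that the privilege must be granted again if the connector is re-initialized against a database where `LOG_MINING_FLUSH` no longer exists, since the text itself says the table is created on first connection. Minor style: the revoke statements use lowercase `container=all` while every grant uses `CONTAINER=ALL`, and the bare `--` lines closing the two "See `Limiting privileges` below" comment blocks read as stray comment markers; an empty line or a closing comment such as `-- end of optional privileges` would be clearer.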