Where is my StreamAdmin account?

One of the huge benefits of Oracle GoldenGate Microservices is the security framework which comes standard when you install GoldenGate. As you setup the ServiceManager and first deployment, you are prompted to build an administration account. As a best practice we recommend that the account be named “oggdmin” with the password you define.

Although it is expected that you create an “oggadmin” account, this account has some risk to it. Afterall, it is a “security” role account. The “security” role allows the “oggadmin” account the ability to do anything it likes within the ServiceManager and associated deployments. The “oggadmin” account is created within the ServiceManager level and can be seen in all deployments. This account is likened to the SYS user in the Oracle Database. As a result, should be handled with care and limited to who has access at this elevated account. How can we make Oracle GoldenGate Microservices more secure?

Before we can answer this question, it is good to understand the security model within Oracle GoldenGate Microservices. There are two layers of security; the first is at the ServiceManager and the second is at the deployment layer (no matter how many deployments you have running). Within each of these layers, you have the ability to create a user in one of four roles. These roles are:

  • Security – Full access to ServiceManager and assocated deployments
  • Administrator – Full access with the ability create, delete, start, stop, etc…
  • Operator – Access with the ability start and stop processes
  • User – Read-Only access

At a high level the model looks like this:

As you can tell all four roles are avaliable in the ServiceManager layer and the Deployment layer. This is by designed; however, what would be a recommended is to religate the Security role to ServiceManager and all other roles to the Deployments. Something like this:

Just because this is an recommended approach, doesn’t mean that there isn’t a reason for the other roles at the ServiceManager layer. Just use those with caution.

Now back to the questions – How can we make Oracle GoldenGate Microservices more secure?

The answer is simple – create any additional users need for administration at the deployment layer and in a role other than security. Hence the question in the titel of this post – Where is my StreamAdmin account?

The “streamadmin” account is an “Administrator” role account that is created at a per deployment bases. The whole purpose for this user is to provide seperation of duties from the “oggadmin” account; yet still have the ability to create, start, stop, modify, and remove any administration tasks within a deployment.

To create a “streamadmin” account; this can be done from the Administration Service within one or more deployments. The steps to do this are:

1. Access the Administrion Service
2. Open the context menu and select Administrator
3. Under Users, click the plus ( + )
4. Provide the requested information – ensure to select “Administrator” role and “Basic” type
5. Click Submit

Creating the “streamadmin” per deployment manually could and more than likely will be come a pain. This process can be automated using the REST APIs. After all, isn’t that the purpose of the microservices architecture?

To create the “streamadmin” user using REST, all you have to do is run a cURL command like this:

curl -X POST \
https://<a href="http://localhost:16001/services/v2/authorizations/Administrator/streamadmin" target="_blank" rel="noopener">localhost:16001/services/v2/authorizations/Administrator/streamadmin \
-H 'cache-control: no-cache' \
-d '{
"credential”:”********",
"info":"Stream Administration",
"type":"Basic",
"user":"streamadmin"
}'

Within the URL, you are telling GoldenGate that you want to create a user names “streamadmin” with the role of “Administrator”. Everything else is filling in the required information needed for the user.

More than likely, you will need to create this user in multiple deployment. You can simply wrap the above cURL command in a shell script or some other language and connect to multiple Administration Services to create the user.

With the “streamadmin” user created, you can now provide more security to the Oracle GoldenGate environment while still allowing DBAs, SysAdmins, or any one else access to needed resources. All awhile not giving up full control at the ServiceManager layer.

Enjoy and God Bless!

Please follow and like:

Leave a Reply

Your email address will not be published.

Enquire now

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.