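1. Error
OGG version 12.1, DB 11.2.0.4
After installing the OGG software, the MGR process appeared to be in the running state, but the extract process configured afterwards could not be started. The MGR process log showed this error: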
OGG 12.2: WARNING OGG-00936 Access denied (request from xxxx, rule #0)
OGG MGR parameter configuration
ACCESSRULE,PROG SERVER,ALLOW
2. Resolution
2.1 MOS 2095174.1
OGG cannot start or stop MGR!
OGG 12.2: WARNING OGG-00936 Access denied (request from xxxx, rule #0) (Doc ID 2095174.1)
APPLIES TO:
Oracle GoldenGate - Version 12.1.2.1.1 and later
Information in this document applies to any platform.
SYMPTOMS
In ogg version 12.2, by default, the manager (and related extract/replicat) cannot be stopped/started remotely.
1. start manager from a shared drive, then try to stop from another server with same shared directory (like different RAC nodes)
2. start direct initial load.
error:
WARNING OGG-00936 Access denied (request from xxxx, rule #0)
ERROR OGG-01201 Error reported by MGR : Access denied.
CAUSE
In ogg version 12.2, by default, the manager (and related extract/replicat) cannot be stopped/started remotely.
SOLUTION
The manager parameter ACCESSRULE can be used to control connection access to the Manager process and the processes under its control.
It can be specified in the manager parameter file (the default location for the Oracle GoldenGate parameter files is the dirprm sub-directory
of the Oracle GoldenGate directory)
ACCESSRULE, PROG *, IPADDR *, ALLOW
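After adjusting the parameter as MOS suggests, then kill mgr and start mgr, everything was usable again! But why could MGR not be started and stopped? What does this parameter mean?
2.2 Parameter description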
https://docs.oracle.com/en/middleware/goldengate/core/19.1/reference/accessrule.html#GUID-6C74776D-2E05-429A-8B86-EBE882B4CF49
ACCESSRULE
Valid for Manager
Controls connection access to the Manager process and the processes under its control.
Use ACCESSRULE to control connection access to the Manager process and the processes under its control. You can establish multiple
rules by specifying multiple ACCESSRULE statements in the parameter file and control their priority. There is no limit to the number
of rules that you can specify. To establish priority, you can either list the rules in order from most important to least important,
or you can explicitly set the priority of each rule with the PRI option.
Default None
Program name
PROG program_name
The configured access rule applies to MGR start, stop, or kill; the * wildcard specifies all of the operations above.
Specifies connection security for a specific Oracle GoldenGate program or multiple programs specified with a wildcard. If one of these
options is not specified, the access rule applies to all programs that Manager starts, stops, or kills.
Valid values:
GGSCI: Secures access to the GGSCI command-line interface.
GUI: Secures access to Oracle GoldenGate from the Activity Console.
MGR | MANAGER: Secures access to all inter-process commands controlled by Manager, such as START, STOP, and KILL
REPLICAT: Secures connection to the Replicat process.
COLLECTOR | SERVER: Secures the ability to dynamically create a Collector process.
* (asterisk): Wildcard. Use a wildcard to specify all of the preceding options.
IPADDR address
Allows the host with the specified IP address to access MGR.
Permits access to Manager from the host with the specified IP address.
Priority rule
PRI rule
Specifies a priority for each ACCESSRULE statement. Valid values are 1-99, with 1 being the highest priority.
Specifies a priority for each ACCESSRULE statement. Valid values are from 1 through 99, with 1 being the highest priority and 99 being
the lowest. Rules that have priorities assigned can appear in any order in the parameter file.
login_ID
Permits access based on a user password. This parameter requires the USER and PASSWORD options, or the use of an encryption key.
Permits access based on a user password. This option requires specifying USER and PASSWORD options with the RMTHOST parameter.
The syntax for login_ID is:
USER user, PASSWORD password, [ENCRYPTKEY keyname]
Valid values:
user : The user specified with the USER option of the RMTHOST parameter.
password: The password specified with the PASSWORD option of the RMTHOST parameter.
keyname: Optional. Specifies an encryption key in the ENCKEYS file.
When ENCRYPTKEY keyname is used as part of the login ID, Oracle GoldenGate looks up the key in the ENCKEYS file on the target system and
uses it to decrypt the corresponding password. If the decrypted password matches the password supplied with the password portion of the
login ID option, the rule passes.
ALLOW | DENY
Whether the specified rule allows or denies access.
Determines whether the rule specified with ACCESSRULE permits or denies access. Either ALLOW or DENY is required.
Example 1
The following access rules allow any node whose IP address begins with 205, or the node 194.168.11.102, to access the requested services. All others are denied.
The following access rules allow any nodes that begin with IP address 205 or the node 194.168.11.102 to access the requested services.
All others are denied.
ACCESSRULE, PROG *, IPADDR 194.168.11.102, ALLOW
ACCESSRULE, PROG *, IPADDR 205.*, ALLOW
ACCESSRULE, PROG *, IPADDR *, DENY
Example 2
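The following access rules have been assigned an explicit priority through the PRI option. These rules allow any user to access the Collector process (the SERVER program) and, in addition, allow the IP address 122.11.12.13 to access GGSCI commands.
Access to all other Oracle GoldenGate programs is denied.
ACCESSRULE, PROG *, DENY, PRI 99
ACCESSRULE, PROG SERVER, ALLOW, PRI 1
ACCESSRULE, PROG GGSCI, IPADDR 122.11.12.13, PRI 1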
Example 3
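The following access rules are the same as in Example 2, but they assign priority through their order in the parameter file rather than through the PRI option.
ACCESSRULE, PROG SERVER, ALLOW
ACCESSRULE, PROG GGSCI, IPADDR 122.11.12.13
ACCESSRULE, PROG *, DENY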
Example 4
The following access rule grants user JOHN access to all programs.
ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1
Example 5
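The following access rule grants user JOHN access to all programs and specifies an encryption key to decrypt the password. If the password provided with PASSWORD matches the one in the ENCKEYS lookup file, the connection is granted.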
ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1, ENCRYPTKEY lookup1
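After reading about this parameter, we can understand that the original configuration was ACCESSRULE,PROG SERVER,ALLOW, that is, it allows others access to what the reference describes as "Secures the ability to dynamically create a Collector process."
But it does not give the ability to start and stop MGR, so after the adjustment suggested by MOS, everyone has stop, start, and kill permission!
However, OGG 12.2 does not have this problem! My test parameters were copied from a 12.2 OGG MGR!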
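
The rule matching described in section 2.2 can be modelled offline to check a Manager parameter file before restarting MGR. This is an added example, not Oracle's implementation and not code from the original post; it evaluates the original rule, the MOS rule and the Example 1 rule set for an MGR request, and flags any rule that allows every program from every address. Assumptions: rules with PRI are tried first in PRI order, rules without PRI follow in file order, a request that matches no rule is denied, and the client address 10.0.0.5 is constructed.

```python
import fnmatch

ALIASES = {"MANAGER": "MGR", "COLLECTOR": "SERVER"}  # synonyms from the reference

def parse_rules(prm_text):
    """Parse ACCESSRULE statements into dicts, preserving file order."""
    rules = []
    for line in prm_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if parts[0].upper() != "ACCESSRULE":
            continue
        rule = {"prog": "*", "ip": "*", "pri": None, "action": None,
                "text": line.strip()}
        for part in parts[1:]:
            words = part.split()
            key = words[0].upper() if words else ""
            if key == "PROG" and len(words) == 2:
                rule["prog"] = ALIASES.get(words[1].upper(), words[1].upper())
            elif key == "IPADDR" and len(words) == 2:
                rule["ip"] = words[1]
            elif key == "PRI" and len(words) == 2:
                rule["pri"] = int(words[1])
            elif key in ("ALLOW", "DENY"):
                rule["action"] = key
        if rule["action"]:  # ALLOW or DENY is required; skip incomplete rules
            rules.append(rule)
    return rules

def decide(rules, prog, ip):
    """First matching rule wins. Assumptions: PRI 1..99 sorts first, rules
    without PRI follow in file order, and no match means DENY."""
    ordered = sorted(rules, key=lambda r: 100 if r["pri"] is None else r["pri"])
    for r in ordered:
        if r["prog"] in ("*", prog) and fnmatch.fnmatchcase(ip, r["ip"]):
            return r["action"], r["text"]
    return "DENY", None

def wide_open(rules):
    """ALLOW rules that cover every program from every address."""
    return [r["text"] for r in rules
            if r["action"] == "ALLOW" and r["prog"] == "*" and r["ip"] == "*"]

# Rule sets taken from the page; 10.0.0.5 is a constructed client address.
ORIGINAL = "ACCESSRULE,PROG SERVER,ALLOW"
MOS_FIX = "ACCESSRULE, PROG *, IPADDR *, ALLOW"
SCOPED = """ACCESSRULE, PROG *, IPADDR 194.168.11.102, ALLOW
ACCESSRULE, PROG *, IPADDR 205.*, ALLOW
ACCESSRULE, PROG *, IPADDR *, DENY"""

if __name__ == "__main__":
    for name, prm in (("original", ORIGINAL), ("MOS fix", MOS_FIX), ("scoped", SCOPED)):
        rules = parse_rules(prm)
        print(name, decide(rules, "MGR", "10.0.0.5"), wide_open(rules))
```

The MOS rule restores start/stop but is reported by wide_open(); a rule set shaped like Example 1, listing only the hosts that need to control MGR, passes the same MGR request for those hosts without allowing every address.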