Ordinarily, SQL Relay logs into the database as a particular user several times and hands those sessions off to SQL Relay clients, avoiding the cost of connecting to and disconnecting from the database over and over. A sometimes undesirable side-effect of this approach is that, from within the database, it is impossible to tell which queries were run by which SQL Relay user, because every query is run as the same database user.
Oracle n-tiered authentication provides a way around this side-effect.
If you set up a proxy role, a proxy user and a set of users that can be proxied by that proxy user in Oracle and configure SQL Relay to use the "database" authentication tier, SQL Relay users will map to Oracle users.
Setting Up Oracle

First, locate the initSID.ora file for the database. It can be found in the $ORACLE_BASE/admin/$ORACLE_SID/pfile directory. Edit it, setting the COMPATIBLE parameter to "8.1.0" or higher (proxy authentication is not available below that), then restart the database.
Next, log into the database as system and create a set of users:
CREATE USER user1 IDENTIFIED BY user1;
GRANT CREATE SESSION TO user1;
CREATE USER user2 IDENTIFIED BY user2;
GRANT CREATE SESSION TO user2;
CREATE USER user3 IDENTIFIED BY user3;
GRANT CREATE SESSION TO user3;
Now, create a proxy role and give the users access to it:
CREATE ROLE proxyrole;
GRANT proxyrole to user1;
GRANT proxyrole to user2;
GRANT proxyrole to user3;
Create a proxy user. It needs nothing beyond CREATE SESSION: on its own it should not be able to read or change anything, since all real work is done as one of the proxied users with only the roles named in the WITH ROLES clause below.
CREATE USER proxyuser IDENTIFIED BY proxyuser;
GRANT CREATE SESSION TO proxyuser;
Give the users access through the proxy user:
ALTER USER user1 GRANT CONNECT THROUGH proxyuser WITH ROLES proxyrole;
ALTER USER user2 GRANT CONNECT THROUGH proxyuser WITH ROLES proxyrole;
ALTER USER user3 GRANT CONNECT THROUGH proxyuser WITH ROLES proxyrole;

Setting Up SQL Relay
SQL Relay should be set up to use the database authentication tier and to log into Oracle as the proxy user. Below is an sqlrelay.conf file that does this. Note the authtier attribute of the instance tag. Note also that there are no users defined in the users tag, as they are unnecessary for this kind of configuration: each SQL Relay client logs in with the credentials of one of the Oracle users created above. The connection string carries the proxy user's password in cleartext, so restrict read access to sqlrelay.conf.

<?xml version="1.0"?>
<!DOCTYPE instances SYSTEM "sqlrelay.dtd">
<instances>
	<instance id="proxyuser" port="9000" socket="/tmp/proxyuser.socket" dbase="oracle8" connections="1" maxconnections="3" maxqueuelength="0" growby="1" ttl="60" endofsession="commit" sessiontimeout="600" runasuser="nobody" runasgroup="nobody" cursors="5" authtier="database">
		<users>
		</users>
		<connections>
			<connection connectionid="proxyuser" string="user=proxyuser;password=proxyuser;oracle_sid=ora1;" metric="1"/>
		</connections>
	</instance>
</instances>

Running SQL Relay
Now that Oracle and SQL Relay are configured, you can run SQL Relay as follows:
sqlr-start -id proxyuser
You can use sqlrsh to access it as any of the database level users that you created earlier:
sqlrsh localhost 9000 "/tmp/proxyuser.socket" user1 user1
or
sqlrsh localhost 9000 "/tmp/proxyuser.socket" user2 user2
or
sqlrsh localhost 9000 "/tmp/proxyuser.socket" user3 user3
Because proxyuser connects on behalf of the real user, Oracle can audit what each proxied user ran. Note that auditing records nothing unless the AUDIT_TRAIL initialization parameter is set (for example AUDIT_TRAIL=DB in initSID.ora, followed by a restart). As the system user, enable auditing of SELECT statements on tables for each proxied user with the following commands (the statement option is SELECT TABLE; a bare SELECT is not an auditable statement option):

AUDIT SELECT TABLE BY proxyuser ON BEHALF OF user1;
AUDIT SELECT TABLE BY proxyuser ON BEHALF OF user2;
AUDIT SELECT TABLE BY proxyuser ON BEHALF OF user3;

The resulting records in DBA_AUDIT_TRAIL carry the proxied user (USER1, USER2 or USER3) in the USERNAME column rather than PROXYUSER, which is exactly the per-user attribution the shared-connection setup normally loses.
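The following queries are an added example and are not part of the SQL Relay documentation or the SQL Relay project. They verify the proxy setup above and show how to read the audit trail back per SQL Relay user. They assume the user and role names from this page, AUDIT_TRAIL=DB in initSID.ora, and the standard Oracle data-dictionary views (PROXY_USERS, SESSION_ROLES, DBA_AUDIT_TRAIL with its PROXY_SESSIONID column, which is an assumption about the Oracle release in use).

```sql
-- Added example, not from the SQL Relay documentation. Run as SYSTEM unless noted.

-- 1. Confirm the proxy grants took effect. Expect one row per proxied user;
--    AUTHORIZATION_CONSTRAINT shows that the proxied session is limited to
--    the roles named in WITH ROLES (here PROXYROLE), not the user's full set.
SELECT proxy, client, authorization_constraint
  FROM proxy_users
 WHERE proxy = 'PROXYUSER'
 ORDER BY client;

-- 2. Run this THROUGH SQL Relay (e.g. from sqlrsh connected as user1) to prove
--    that the session really is user1 proxied by proxyuser. A direct, non-proxied
--    login to Oracle returns NULL for PROXY_USER instead of PROXYUSER.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- Still through SQL Relay as user1: only PROXYROLE should be listed, because
-- the WITH ROLES clause restricts what the proxied session can enable.
SELECT role
  FROM session_roles
 ORDER BY role;

-- 3. As SYSTEM: in addition to the per-user AUDIT SELECT TABLE statements above,
--    record every proxied connect/disconnect regardless of which user it is for.
AUDIT SESSION BY proxyuser ON BEHALF OF ANY;

-- 4. As SYSTEM: attribute audited statements to the SQL Relay user that ran them.
--    USERNAME is the proxied client (USER1/USER2/USER3), not PROXYUSER, and
--    PROXY_SESSIONID ties the record back to the proxy's own session, so a
--    direct login by proxyuser (PROXY_SESSIONID NULL) stands out as suspicious.
SELECT a.timestamp,
       a.username,
       a.proxy_sessionid,
       a.action_name,
       a.owner,
       a.obj_name,
       a.returncode
  FROM dba_audit_trail a
 WHERE a.username IN ('USER1', 'USER2', 'USER3')
    OR a.username = 'PROXYUSER'
 ORDER BY a.timestamp DESC;
```

Step 2 is the check worth keeping around: if SESSION_USER and PROXY_USER come back as the same value, or PROXY_USER is NULL, SQL Relay is not using proxy authentication and every query will again be attributed to a single database user.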