Proxy user connection
A proxy connection allows you to connect to a database as one user account and operate with the access and privileges of a different account.
It is typically used to share one database account that has required privileges to other database users without sharing its password. An example of this type of account sharing means that you can allow help desk support personnel to connect to the database using a "helpdesk" account that has correct roles and privileges without sharing the password for this account with them.
There are two terms you need to know when setting up the proxy connection—proxy user and client user.
...
| Anchor | ||||
|---|---|---|---|---|
|
create user proxyuser_test identified by proxypasswordto to create a database user accountAnchor _Hlk41552211 _Hlk41552211 grant create session to proxyuser_testto to grant the permissions to create sessionalter user daticaltest grant connect through proxyuser_testto to enable the client user, which is daticaltest account, to connect to the database using the proxy account.
...
As an authentication method, Kerberos is handled by a different mechanism. To set up a proxy connection with Kerberos, you need to connect to your database and get an authentication ticket first. Pay attention to the expiration date and of the ticket and whether it is valid.
Also, make sure that one of the following environment variables is set—DDB_KRB5_CONFIG or KRB5_CONFIG. They contain Kerberos configuration information and indicate the location.
Here is the example of connecting to an Oracle database and getting a Kerberos ticket: Create the tnsnames.ora file
1. Example 'tnsnames.ora' file
| Code Block |
|---|
KRB= |
...
(DESCRIPTION = |
...
(ADDRESS = |
...
(PROTOCOL = TCP) |
...
(HOST = oracle-ee-kerberos.example.us-east-1.rds.amazonaws.com) |
...
(PORT = 1521)) |
...
(CONNECT_DATA = |
...
(SERVER = DEDICATED) |
...
(SERVICE_NAME = KRB) |
...
) |
...
) |
...
2. Example sqlnet.ora file
| Code Block |
|---|
SQLNET.KERBEROS5_CC_NAME=/tmp/kerbache |
...
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE,KERBEROS5) |
...
SQLNET.KERBEROS5_CONF=/tmp/kerberos/krb5.conf |
...
TRACE_LEVEL_CLIENT=16 |
...
SQLNET.KERBEROS5_CONF_MIT = TRUE |
...
NAMES.DIRECTORY_PATH=(TNSNAMES) |
NOTE: WINDOWS use following services in sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
...
3. Example krb5.conf file
| Code Block |
|---|
[libdefaults] |
...
default_realm = TEST.DATICAL.NET |
...
default_ccache_name = /tmp/kerbcache |
...
[realms] |
...
TEST.DATICAL.NET = { |
...
kdc = test.datical.net |
...
admin_server = test.datical.net |
...
} |
...
[domain_realm] |
...
.test.datical.net = TEST.DATICAL.NET |
...
test.datical.net = TEST.DATICAL.NET |
4. Get a Kerberos authentication ticket
| Code Block |
|---|
kinit <ADusername>@TEST.DATICAL.NET |
...
example: kinit jnew@TEST.DATICAL.NET |
NOTE: For dblinks, you will need forwardable ticket, so use kinit -f instead.To set
5. Set up a proxy connection with Kerberos
...
Add the AD user to the database by first connecting as the client user. Enter the following in your command prompt or terminal by putting your information:
| Code Block |
|---|
CREATE USER "JNEW@TEST.DATICAL.NET" IDENTIFIED EXTERNALLY; |
...
GRANT CREATE SESSION TO "JNEW@ADTEST.DATICAL.NET"; |
Using proxy connection
There are four options you can choose to connect to your database:
...
The following table provides the format of credentials for each authentication method.
...
BASIC | TNS/LDAP | Kerberos | |
Username | proxy_user[proxy_client_user] | proxy_user[proxy_client_user] | [proxy_client_user] |
Password | proxypass | proxypass | <none> |
...