Proxy user connection
A proxy connection allows you to connect to a database as one user account and operate with the access and privileges of a different account.
It is typically used to share one database account that has the required privileges with other database users without sharing its password. For example, you can allow help desk personnel to connect to the database through a "helpdesk" account that has the correct roles and privileges, without giving them the password for that account.
There are two terms you need to know when setting up the proxy connection—proxy user and client user.
- A proxy user is a user who connects to the database on behalf of another user. This user connects with the username and password set up for him without knowing the client user password.
- A client user is a user on behalf of whom the proxy user connects.
Let's imagine that you connect to the database as the owner and want your employee who has limited privileges to work with the same schemas and database links. Instead of granting all the permissions one by one, you can set up a proxy connection.
In this way, your employee signs into the database under your account with his credentials or by specifying the properties that depend on the connection type.
In this topic, we will discuss the following types:
- Basic and proxy connection
- TNS/LDAP and proxy connection
- Kerberos and proxy connection
Setting up a proxy connection with BASIC and TNS/LDAP
Before setting up any proxy connection, you need to have two users:
- The proxy user - the user that will initiate the connection under the proxy client user account.
- The proxy client user - the user whose privileges, schema, and objects will be available for the session.
To set up a proxy connection with BASIC and TNS/LDAP, run the following statements in your SQL client, substituting your own user names and password:
- create user proxyuser_test identified by proxypassword; (creates the proxy database user account)
- grant create session to proxyuser_test; (grants the proxy user permission to create a session)
- alter user daticaltest grant connect through proxyuser_test; (allows the client user, here the daticaltest account, to be connected to through the proxy account)
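As an added example (not from the original page), here is a hardened version of the same setup, followed by the checks a DBA would run to review and verify the proxy relationship. User names and the password come from the page; helpdesk_role and the tickets table are assumed names.

```sql
-- Run as a DBA. Same three statements as above, with the proxy grant
-- narrowed so the proxied session gets only one role and the proxy user
-- must still authenticate with its own password.
CREATE USER proxyuser_test IDENTIFIED BY proxypassword;
GRANT CREATE SESSION TO proxyuser_test;

-- Assumed role for this example; grant it only what the task needs.
CREATE ROLE helpdesk_role;
GRANT SELECT ON daticaltest.tickets TO helpdesk_role;   -- assumed table
GRANT helpdesk_role TO daticaltest;

-- Limit the proxied session to helpdesk_role and require the proxy user's
-- own credentials (AUTHENTICATION REQUIRED) rather than an unauthenticated proxy.
ALTER USER daticaltest GRANT CONNECT THROUGH proxyuser_test
  WITH ROLE helpdesk_role
  AUTHENTICATION REQUIRED;

-- The same GRANT CONNECT THROUGH is needed for an externally identified
-- (Kerberos) client user; only the client user name differs.

-- Record every proxied logon (traditional auditing; AUDIT_TRAIL must be enabled).
AUDIT CONNECT BY proxyuser_test ON BEHALF OF daticaltest;

-- Review which proxy relationships exist for the client user.
SELECT proxy, client, authentication, role, authorization_constraint
  FROM dba_proxies
 WHERE client = 'DATICALTEST';

-- From a session opened as proxyuser_test[daticaltest], confirm who is who:
-- SESSION_USER should be DATICALTEST and PROXY_USER should be PROXYUSER_TEST.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user_name,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user_name
  FROM dual;

-- Remove the relationship when it is no longer needed.
ALTER USER daticaltest REVOKE CONNECT THROUGH proxyuser_test;
```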
Setting up a proxy connection with Kerberos
As an authentication method, Kerberos is handled by a different mechanism. To set up a proxy connection with Kerberos, you need to connect to your database and obtain an authentication ticket first. Pay attention to the ticket's expiration time and make sure it is still valid.
Also, make sure that one of the following environment variables is set: DDB_KRB5_CONFIG or KRB5_CONFIG. The variable points to the location of the Kerberos configuration file.
Here is the example of connecting to an Oracle database and getting a Kerberos ticket:
- Create the tnsnames.ora file
KRB =
  (DESCRIPTION =
    (ADDRESS =
      (PROTOCOL = TCP)
      (HOST = oracle-ee-kerberos.example.us-east-1.rds.amazonaws.com)
      (PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = KRB)
    )
  )
- Create the sqlnet.ora file (the credential cache path must match default_ccache_name in krb5.conf)
SQLNET.KERBEROS5_CC_NAME=/tmp/kerbcache
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF=/tmp/kerberos/krb5.conf
TRACE_LEVEL_CLIENT=16
SQLNET.KERBEROS5_CONF_MIT = TRUE
NAMES.DIRECTORY_PATH=(TNSNAMES)
- On Windows, use the following setting in sqlnet.ora instead: SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
- Create the krb5.conf file
[libdefaults]
  default_realm = TEST.DATICAL.NET
  default_ccache_name = /tmp/kerbcache

[realms]
  TEST.DATICAL.NET = {
    kdc = test.datical.net
    admin_server = test.datical.net
  }

[domain_realm]
  .test.datical.net = TEST.DATICAL.NET
  test.datical.net = TEST.DATICAL.NET
- Get a Kerberos authentication ticket
kinit <ADusername>@TEST.DATICAL.NET
example: kinit jnew@TEST.DATICAL.NET
- For database links, you need a forwardable ticket, so use kinit -f instead.
To set up a proxy connection with Kerberos, add the AD user to the database by first connecting as the client user. Run the following in your SQL client, substituting your own user name and realm (the realm must match default_realm in krb5.conf):
CREATE USER "JNEW@TEST.DATICAL.NET" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "JNEW@TEST.DATICAL.NET";
Using proxy connection
There are four options you can choose to connect to your database:
- BASIC proxy connection
- BASIC and Kerberos proxy connection
- TNS/LDAP proxy connection
- TNS/LDAP and Kerberos proxy connection
The following table provides the format of credentials for each authentication method.

            BASIC                          TNS/LDAP                        Kerberos
Username    proxy_user[proxy_client_user]  proxy_user[proxy_client_user]   [proxy_client_user]
Password    proxypass                      proxypass                       <none>

Here is an example of one way to connect to your database:
When Kerberos is selected, you do not have to use the proxy_user[proxy_client_user] format and can enter just [proxy_client_user]. If you clear the Kerberos check box, you have to specify the username and password, so the username takes the form proxy_user[proxy_client_user].