The following section describes how the Db2 Plugin works with a Kerberos environment. Customers use principal (A user in Kerberos is called a principal ) to connect with DE. All operation where Plugin needs to execute commands using database users, in that case, privilege elevation script will be used.
Here is the example of how Db2 Plugin is working in Kerberos enabled customer’s environment :
All SSH connections to remote hosts use a single environment user which will be a principal in case of a Kerberos environment.
All Db2 commands which need to be executed using a particular OS user (in case of DB2 it’ll be an instance user) will pass through a privilege elevation script. Commands requiring privilege elevation will be executed under a script dlpx_db_exec, with the first parameter being the user to execute as, and the remaining parameters being the command to execute. This script may be customized by the customer, but it must always return the results of the executed command and exit with the return code from the executed command.
When a command is invoked with dlpx_db_exec then we’ll pass the instance IDs which was discovered during the discovery phase.
Customer will specify the same primary environment user for the execution of all Delphix object requests.
All SSH connections will then be made with this user.
A new utility dlpx_db_exec has been added to the Plugin.
The first param to this command will be the db2 instance user to execute the remaining args.
This script will be customizable by the customer to use their internal utility or command to essentially sudo to the requested instance user.
The Db2 Plugin is updated to pass the instance ID string to the dlpx_db_exec script such that customer can update this to use sudo (or some other custom elevation utility).
The Db2 Plugin scripts are updated to prefix all commands required to be executed as the instance ID with dlpx_db_exec.
All Db2 changes are based on top of the Db2 DB level changes.
Sample content of dlpx_db_exec script
# This script allows customization of command execution with an alternate user
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
if [[ $1 != -u* ]]; then
echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
user_id=`echo $1 | sed -e "s/^-u//"`
echo "$user_id" >> /tmp/test.log
echo "$user_id and $DB2_DB_NAME" >> /tmp/test.log
if [[ $user_id != "delphix_os" ]]; then
command=$(printf "%s " "$@")
sudo su - $user_id -c "cd /home/delphix_os;export DB2DBDFT=$DB2DBDFT;$command"