1. SecureFiles and Large Objects Developer's Guide
  2. DBFS Access Using OFS
  3. Accessing DBFS with an NFS Account

22.2 Accessing DBFS with an NFS Account

NFS is a widely used protocol to access any local file system across network. OFS makes use of this protocol and enables access to any DBFS file system that is mounted on the compute node.

NFS enables the compute node to be accessible across all nodes that are authorized to access the file system.

22.2.1 Prerequisites to Access Storage Through NFS Server

Learn about the prerequisites to access storage through NFS server.

Following are the prerequisites:

  • DBFS file system must be created before using OFS.

  • You should be able to mount the file systems exported by the database.

  • NFS server must be configured with KERNEL module.

    Note:

    The KERNEL module is supported through FUSE driver for Linux.

22.2.2 NFS Security

OFS uses the OS authentication model to authorize NFS client users. If the user is accessing a local node (where the Oracle instance is running), the access to each file in the file system is controlled through Unix Access Control List set for each object.

On Linux, OFS uses FUSE to receive file system requests from the OS kernel or NFS client. This requires user_allow_other parameter to be set in /etc/fuse.conf configuration file if an OS user other than the root user and oracle user need to access the file system.

Note:

Users can also be configured with an Oracle password to log into Oracle client tools like SQL* Plus to execute SQL statements.

If the network is not secure, the customer is advised to setup Kerberos to authenticate the user using OS NFS.

Note:

  • The Kerberos authentication is available from NFS version 4 onwards. If the OFS is exported via NFS version 3, then the authentication is performed using AUTH_SYS.

  • For local node, the authentication is performed using AUTH_SYS irrespective of how the OFS is exported (NFS version 3 or NFS version 4).

22.2.2.1 Kerberos

Kerberos uses encryption technology, Key Distribution Center(KDC), and an arbitrator to perform secure authentication on open networks.

Kerberos is the widely used security mechanism that provides all three flavors of security:

  • Authentication

  • Integrity check

  • Privacy

Kerberos Infrastructure consists of Kerberos software, secured authentication servers, centralized account and password store, and systems configured to authenticate through the Kerberos protocol. The OS NFS server handles the complete authentication and integrity checks by using kerberos principal name as the user name. Once the authentication is performed, the requests passed to the Oracle kernel are handled based on the user name passed through the VFS I/O request.

Configuring Kerberos Server in Linux

The steps to configure Kerberos server in a Linux system is as follows:

  1. Install Kerberos software in the Linux system.

  2. Check if the daemons are running using the following commands.
    # /sbin/chkconfig krb5kdc on
# /sbin/chkconfig kadmin on
  3. If the daemons are not running use the following commands to start the daemons manually:
    # /etc/rc.d/init.d/krb5kdc start
# /etc/rc.d/init.d/kadmin start

  4. Add user principal using the kadmin.local command.

    Example:
    kadmin.local: addprinc <scott>