26 May

Amazon RDS for Oracle: First Impressions

On Tuesday, Amazon announced availability of an Oracle version of their Relational Database Service (RDS). RDS is one of Amazon’s cloud services. You can think of it as “database as a service.” Amazon provides a running database, storage, horsepower and a variety management tasks. And all you have to do is store you data in it. RDS has been available with a MySQL engine for some time, but the Oracle version of this service has been long anticipated.

As with Amazon’s other cloud services, you control and manage RDS services using a web application API.  You can either write your own software to do this, or use Amazon’s command line API tools or Amazon’s web-based console.

RDS Oracle instances are available in a variety of Oracle editions, hardware and storage sizes. For the first time, you can license Oracle by the hour through RDS. Unfortunately, this utility licensing model is limited to RDS instances running Standard Edition One. For the other editions, customers must “bring their own” Oracle licenses.

When you start an RDS Oracle instance you provide the web API with a variety of specifications, including:

  • The Oracle edition (Standard Edition One, Standard Edition, Enterprise Edition)
  • The license model (Bring-your-own or License-included for SE1)
  • The instance class (Small, Large, Extra large, 2x extra large or 4x extra large)
  • Automatic minor-version upgrades (yes or no)
  • Storage allocation (10G – 1024G)
  • Instance ID, database name and listener port
  • A username and password for logging in
  • A parameter group (a set of Oracle initialization parameters defined via the web API)
  • Security groups (what machines can connect)
  • Backup retention
  • backup and maintenance windows

I fired up an instance of Enterprise Edition with the name bg01 and master user bg just to test drive the product. Once the instance is up and running, Amazon gives you an endpoint address, like bg01.csmmbl5fszl6.us-west-1.rds.amazonaws.com.  If you have added your own IP address to the security group under which you started the RDS instance, the you will be able to connect to your database using SQL*Plus:

sqlplus bg/foobar123@bg01.csmmbl5fszl6.us-west-1.rds.amazonaws.com:3306/bg01

The username you provided on startup has DBA privileges, but they are limited. It can:

  • Create users
  • Create tablespaces
  • Create tables, indexes, and all other usual objects

A full listing of the privileges available to the master user can be obtained using Pete Finnigan’s find_all_privs.sql script.

Notably, DDL triggers are in place to prevent this master user, and other users it might create, from doing certain things that might make it possible to do things outside the scope of the database. The users that RDS customers can access cannot:

  • Grant alter system or database
  • Grant restricted session
  • Grant create or drop any directory
  • Grant any privilege
  • DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, IMP_FULL_DATABASE, EXP_FULL_DATABASE
  • DDL on any object owned by SYS
  • Alter user, revoke or any DDL on SYS, SYSTEM or RDSADMIN (a special user installed by Amazon)
  • Drop tablespace RDSADMIN
  • Create public synonyms for objects belonging to SYS, SYSTEM or RDSADMIN

There is currently no support for any implementation of Enterprise Manager (Grid Control or Database Control). Amazon instead brings essential monitoring metrics for the instance into the CloudWatch API, which you can monitor using your own software via the API, or via the RDS web console.

I’ll post more soon on the new Oracle RDS service, but I will leave you with one piece of advice:  If you don’t want to permanently break your Oracle RDS instance, don’t try to use your master user to create a public synonym named v$database.

2 Responses to “Amazon RDS for Oracle: First Impressions”

  1. Brian Poissant 03. Jun, 2011 at 2:17 pm #

    Really good insight. We had scripts that I had been using to create our central DB instance, and it was dying all over the place. This post explained quite a bit as to why. Synonyms particularly concern me, along with the inability to ALTER User as when initiating our db instance, the master user creates application level users and then grants privileges to them…which seems to be an issue too. I will try Pete’s script to see what other limitations may exist. Have you attempted to create a local instance of a database and then copy it into the RDS instance?

  2. harraz 04. Oct, 2012 at 3:40 pm #

    Thanks for the information. I was wondering if you were able to connect to the Oracle SE1 on RDS using sqlplus from another AWS box like a linux EC2 instance?

    Thanks,
    harraz

Leave a Reply