On Tuesday, Amazon announced availability of an Oracle version of their Relational Database Service (RDS). RDS is one of Amazon’s cloud services. You can think of it as “database as a service.” Amazon provides a running database, storage, horsepower and a variety management tasks. And all you have to do is store you data in it. RDS has been available with a MySQL engine for some time, but the Oracle version of this service has been long anticipated.
As with Amazon’s other cloud services, you control and manage RDS services using a web application API. You can either write your own software to do this, or use Amazon’s command line API tools or Amazon’s web-based console.
RDS Oracle instances are available in a variety of Oracle editions, hardware and storage sizes. For the first time, you can license Oracle by the hour through RDS. Unfortunately, this utility licensing model is limited to RDS instances running Standard Edition One. For the other editions, customers must “bring their own” Oracle licenses.
When you start an RDS Oracle instance you provide the web API with a variety of specifications, including:
- The Oracle edition (Standard Edition One, Standard Edition, Enterprise Edition)
- The license model (Bring-your-own or License-included for SE1)
- The instance class (Small, Large, Extra large, 2x extra large or 4x extra large)
- Automatic minor-version upgrades (yes or no)
- Storage allocation (10G – 1024G)
- Instance ID, database name and listener port
- A username and password for logging in
- A parameter group (a set of Oracle initialization parameters defined via the web API)
- Security groups (what machines can connect)
- Backup retention
- backup and maintenance windows
I fired up an instance of Enterprise Edition with the name bg01 and master user bg just to test drive the product. Once the instance is up and running, Amazon gives you an endpoint address, like bg01.csmmbl5fszl6.us-west-1.rds.amazonaws.com. If you have added your own IP address to the security group under which you started the RDS instance, the you will be able to connect to your database using SQL*Plus:
The username you provided on startup has DBA privileges, but they are limited. It can:
- Create users
- Create tablespaces
- Create tables, indexes, and all other usual objects
A full listing of the privileges available to the master user can be obtained using Pete Finnigan’s find_all_privs.sql script.
Notably, DDL triggers are in place to prevent this master user, and other users it might create, from doing certain things that might make it possible to do things outside the scope of the database. The users that RDS customers can access cannot:
- Grant alter system or database
- Grant restricted session
- Grant create or drop any directory
- Grant any privilege
- DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, IMP_FULL_DATABASE, EXP_FULL_DATABASE
- DDL on any object owned by SYS
- Alter user, revoke or any DDL on SYS, SYSTEM or RDSADMIN (a special user installed by Amazon)
- Drop tablespace RDSADMIN
- Create public synonyms for objects belonging to SYS, SYSTEM or RDSADMIN
There is currently no support for any implementation of Enterprise Manager (Grid Control or Database Control). Amazon instead brings essential monitoring metrics for the instance into the CloudWatch API, which you can monitor using your own software via the API, or via the RDS web console.
I’ll post more soon on the new Oracle RDS service, but I will leave you with one piece of advice: If you don’t want to permanently break your Oracle RDS instance, don’t try to use your master user to create a public synonym named v$database.