debezium-connector-mysql,debezium-core and debezium-embedded.
I use these debezium plugin in my java app.
Problem:
Method throws StopConnectorException then can't released "global read lock"
If using a hosted option that does not allow a global read lock, table-level locks are used to create the consistent snapshot. In this case, you need to also grant LOCK TABLES permissions to the user that you create.
https://debezium.io/documentation/reference/stable/connectors/mysql.html
Related
I am hoping to implement a trigger that fires a notify on table change in PostgreSQL, but I am unable to find any definite answer to if it would work in a cluster.
Does PostgreSQL listen/notify work on AWS Aurora (both provisioned and serverless), and can I expect all clients to receive notifications regardless of what instance they are connected to?
If yes, are there any major performance concerns?
Thanks :)
The best AWS Documentation implies - YES, it does work
Specifically for Aurora Serverless, there is an advisory that "LISTEN/NOTIFY" is NOT RECOMMENDED. This implies that it's possible with Aurora Serverless but not advisable. It also implies that normal RDS LISTEN/NOTIFY does work and is ok to use.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html
Currently, certain SQL queries and commands, such as cursors with hold
(DECLARE name ... CURSOR WITH HOLD FOR query); session-level advisory
locks; temporary relations; and asynchronous notifications (LISTEN,
NOTIFY commands) prevent scaling and are not recommended
My own quick test on AWS shows - Yes, it does work
Launch Instance with Public Access
...
Allow Traffic
Run command in dbeaver
Note: This test doesn't show a successful receipt of a notification. That will need a quick console application to test that.
If the DB2 uses OS authentication and I delete a DB2 user at the OS level, what will be the impact? Will the DB2 still work fine, and will those privileges that I granted to the user still available after the user is created back?
When asking for help with Db2 please mention your Db2-server platform (Z/os , i-series, Linux/Unix/Windows). The reason is that the answer be different per platform. There are also special tags for your question that you can use to indicate the Db2-platform (db2-zos, db2-400, db2-luw).
If you remove the operating system user the impact is that user can no longer connect to the Db2-database(s) . But any GRANTS that were previously created and stored inside the database(s) will remain unchanged (unless something REVOKES them), even if they will not be used after all pre-existing connections by that removed-operating-system-user are terminated.
For Db2-Linux/Unix/Windows, if you recreate the user in the operating system the previous GRANTS will reapply only if they are still present inside the database and the user successfully reconnects. This behaviour may be different on other platforms.
If the Db2-server is configured with special plugins for security, or uses LDAP or other external tooling then the answer can also be different.
I would like the ability to protect against the deletion of a cloud SQL instance. This seems like a good step to take to avoid actions from an angry employee or a regretful click.
Google added a deletion protection flag for Cloud SQL in August 2022.
https://cloud.google.com/sql/docs/mysql/deletion-protection
I couldn't find anything like literally protecting the instance vs deletion, but, you could use the predefined roles in your instance to try to protect your instances from, as you said, angry employees.
For example:
Keeping the role owner to yourself (assuming you are, indeed, the owner of this project).
Depending on the needs of the employees, you can probably assign them the role cloudsql.editor or similar. If this is too much, you can create your own custom roles to narrow down what you need.
As for a regretful click, there is no much you can do. You could regularly create an export and save it on one of your buckets, just in case you need to create again your instance after a 'regretful' click.
Well, terraform certainly seems to have added some kind of deletion protection on the GCP sql instance. When I try to "terraform destroy" , I get this error
Error: Error, failed to delete instance because deletion_protection is set to true. Set it to false to proceed with instance deletion
Perhaps this functionality was added after the OP had reported the issue - which is quite possible given how old this thread is.
A related issue which talks about this.
I'm using MongoDB as my database, and as a first-time back-end developer the ease with which I can delete an entire database/collection really bothers me.
Simply typing db.collection.remove() removes all records from that collection!
I know that an effective backup strategy should render this a non-issue, but I occasionally do run .remove() on some collections, and I'd hate to type in the wrong collection name by accident and (a) have to go through a backup restore, and (b) lose whatever data I had gathered between the backup and the restore, especially as my app gathers a lot of user data.
Is there any 'safeguard' I can set up my database to use, even if it's just a warning/confirmation that says
"Yo, are you sure you want to remove everything from <collectionname>? Choose: Yes/No"
User roles won't fix your problem. If your account has permissions to delete one user, you could accidentally delete them all. If your account has permissions to update an attribute for one user, you could accidentally update all of your users.
There's a simple fix for this however.
Step 0: Backup your database. And test your backups regularly. And make sure you get alerted if the backup did not run, or errored. Replica sets are not backups. I know this is obvious, but evidentally it's not obvious to everybody.
Step 1: Write a web admin GUI interface for your database. This it will only take a day or two -- and it should be simple enough that a secretary or intern could use it without fear for your data. (If you think this will take a long time, find a framework with more bells and whistles. Your admin console doesn't even need to be written in the same language as your app.)
Step 2: Data migrations (maintenance transformations of your database) should always be run from scripts checked into source control and tested on non-prod beforehand. The script could be as simple as mongo -e "foo.update(blah)", but you should run it as a script to avoid cut-n-paste errors. Ideally, you would even have a checklist for all migrations. (Check that you have a recent backup. Check the database log and system load beforehand. Write a before and after query that will tell you if the migration was successful...)
Step 3: You now no longer need to use the production Mongo console. So don't. It's a useful tool for development, but that's only needed on local development databases.
The above-mentioned Roles might be useful for read-only queries. But you can already do that against the non-master replica set member.
tl;dr: You can go pretty far using cowboy admin techniques, but eventually you're going to figure out that it's better (and not much more work) to automate everything.
There is nothing you can do in the current version to provide this functionality.
In a future version when user defined roles are available you could define a role which allows insert() and update() but not remove() or drop() etc. and therefore make yourself log-in as a different higher-role user, but that's not available in the current (2.4) version.
Our new security policies require data access restriction for developers to the production database. Setting up -RO parameter does not work for several reasons (extracts from 'Startup command and Parameter reference' http://documentation.progress.com/output/OpenEdge102b/pdfs/dpspr/dpspr.pdf)
1) "If you use the -RO parameter when other users are updating the database, you might see invalid data, such as stale data or index entries pointing to records that have been deleted."
2) "A read-only session is essentially a single-user session. Read-only users do not share database resources (database buffers, lock table, index cursors)."
3) "When a read-only session starts, it does not check for the existence of a lock file for the database. Furthermore, a read-only user opens the database file, but not the log or before-image files.
Therefore, read-only user activity does not appear in the log file."
We would like to be able to access data on the production database from OpenEdge Architect, but not being able to edit data. Is it possible?
In most security conscious companies developers are not allowed to access production. Period. Full stop.
One thing that you could do as a compromise... if the need is to occasionally query data you could give them access to a replicated database via OpenEdge Replication Plus. This is a read-only db connection without the drawbacks of -RO. It is real-time, up to date and access is separately controlled -- you could, for instance, put the replicated db on a different server that is on a different subnet.
The short answer is no, they can't access it directly and read-only.
If you have an appserver, you could write some code which would provide a level of dynamic RO data access via appserver or webservice calls.
The other question I'd have is - what are your developers doing accessing the production database? That should be a big no-no.