Oracle Analytics Cloud and Server

OAC: Automatically Take Snapshot Using Rest API and Store in OCI Bucket

385
Views
7
Comments

Manage snapshots using Rest API has become more simpler than earlier.

https://docs.oracle.com/en/cloud/paas/analytics-cloud/acabi/manage-snaphots-using-rest-apis.html

All steps are similar as mentioned in above link , except "Understand OAuth 2.0 token authentication" .

Detailed steps : -

  1. Create a storage bucket and a folder inside storage bucket.
  2. Generate API Keys for your user, recommendation to have a service user.

Use Terminal in MacOS:

Use below commands in your local laptop Terminal/GitBash to generate Private Key, Public Key and base 64 encoded wrapped private key.

umask 0077; openssl genrsa -out ./file_name.pem 2048

openssl rsa -pubout -in ./file_name.pem -out ./file_name_pub.pem

openssl rsa -pubin -outform DER -in ./file_name_pub.pem | openssl md5 -c

cat file_name.pem| base64 -o file_name-wrapped-private-key.pem

Use GitBash in Windows

umask 0077; openssl genrsa -out ./file_name.pem 2048

openssl rsa -pubout -in ./file_name.pem -out ./file_name_pub.pem

openssl rsa -pubin -outform DER -in ./file_name_pub.pem | openssl md5 -c

Run the below command in any Linux Machine:

cat file_name.pem | base64 -w 0 > file_name-wrapped-private-key.pem

Under API Keys → Click Add API Key →

Click on radio button Paste Public Key → copy content of file_name_pub.pem → paste it in the box under Public Key → Click Add .

3. Instead of creating a confidential application, you can use the Analytics instance IDCS app to get client ID and client secret.

Click Additional Details tab of the OAC instane, Under Identity Provider click on the App:

From the above screenshot :

1: Access token expiration which is by default 100 seconds. If you need more time than it can be changed using edit OAuth Configuration button above this section in the same page.

2 & 3: Using Primary Audience and Scope construct the scope URL as below:
<Primary_Audience_Url><Scope>

Primary audience: https://xxxyyyzzz123.analytics.ocp.oraclecloud.com

Scope urn:opc:resource:consumer::all

Scope url: https://xxxyyyzzz123.analytics.ocp.oraclecloud.comurn:opc:resource:consumer::all

4&5 : Combine Client ID & Client Secret and convert it into Base64:

Client ID ukov3eqigzdi6375nutaksgzhyjohxha_APPID

Client Secret 98f20a4d-7829-4815-a505-5393778f3e04

Client ID:Client Secret - ukov3eqigzdi6375nutaksgzhyjohxha_APPID:98f20a4d-7829-4815-a505-5393778f3e04

echo -n ClientID:ClientSecret | base64

echo -n ukov3eqigzdi6375nutaksgzhyjohxha_APPID:98f20a4d-7829-4815-a505-5393778f3e04 | base64

dWtvdjNlcWlnemRpNjM3NW51dGFrc2d6aHlqb2h4aGFfQVBQSUQ6OThmMjBhNGQtNzgyOS00ODE1LWE1MDUtNTM5Mzc3OGYzZTA0

4. Generate Bearer Token:

curl --request POST \

--url https://<IDCS-instance>.identity.oraclecloud.com/oauth2/v1/token \

--header 'authorization: Basic <base64 encoded clientID:ClientSecret>' \

--header 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \

-d 'grant_type=password&username=<username>&password=<password>&scope=<scope copied from resource section in IDCS confidential application>'

My curl command will look like:

curl --request POST \

--url https://<IDCS-instance>.identity.oraclecloud.com/oauth2/v1/token \

--header 'authorization: Basic dWtvdjNlcWlnemRpNjM3NW51dGFrc2d6aHlqb2h4aGFfQVBQSUQ6OThmMjBhNGQtNzgyOS00ODE1LWE1MDUtNTM5Mzc3OGYzZTA0' \

--header 'content-type: application/x-www-form-urlencoded;charset=UTF-8' \

-d 'grant_type=password&username=<username>&password=<password>&scope=https://xxxyyyzzz123.analytics.ocp.oraclecloud.comurn:opc:resource:consumer::all'

Output will look like this:

From the above the token is marked in between () in red.

create a JSON file called
new_snapshot.json that looks like this:

{
    "type": "CREATE",
    "name": "myfirstsnapshot",
    "storage": {
        "type": "OCI_NATIVE",
        "bucket": "mysnapshot-bucket",
        "auth": {
            "type": "OSS_AUTH_OCI_USER_ID",
            "ociRegion": "us-ashburn-1",
            "ociTenancyId": "ocid1.tenancy.oc1..aaaaa...",
            "ociUserId": "ocid1.user.oc1..aaaaaaaayuvg...",
            "ociKeyFingerprint": "ae:df:79:d2:...",
            "ociPrivateKeyWrapped": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tL..."
        }
    },
    "bar": {
        "uri": "file:///myfolder/myfirstsnapshot.bar",
        "password": "snapshotPassword123"
    }
}

Then run the cURL command calling the JSON:

curl -i \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --request POST 'https://<hostname>/api/20210901/snapshots' \
  -d @new_snapshot.json

5. Automate Snapshot Backup:

Create a shell script for the token generate command constructed in Step 4 and name it as OAC_gen_token.sh

Update the below details in API_Snapshopt_backup_daily.sh

Run API_Snapshopt_backup_daily.sh

API_Snapshopt_backup_daily.sh can be scheduled in any server in OCI or that have connectivity to the OAC instance using crontab or any other scheduling tool.

Comments

  • Please find the script attached.
    Save the script as API_Snapshopt_backup_daily.sh and replace the variables as per your requirement and run the script in crontab.

    You can utilize RDG server to schedule this script to run daily backups.

  • Hi @Subha_Tripathy-Oracle

    Nice Post and more useful info/process for customers.

    Regards,

    Arjun

  • Hi Very useful post, I was able to automate the process and able to create snapshot backup's in oci buckets, which is very high ROI implementation for our team. thank you for all information.

  • Very well written! Thank you for sharing this wealth of information!

  • Subha_Tripathy-Oracle I guess this solution would work for the tenancies with identity domain, In identity domain tenancies, App under Identity Provider (Click Additional Details tab of the OAC instane) is not a hyper link. We need to to go to cloud services under domain to make those changes.

  • @Krishnamoorthy Rasappan-Oracle We have Identity Domain setup and the App under Identity Provider is a hyperlink and takes you to the right Cloud Service location under the Identity Domain.

  • Subha_Tripathy-Oracle
    Subha_Tripathy-Oracle ✭✭✭✭✭

    @Krishnamoorthy Rasappan-Oracle - For the instance provisioned prior to IDCS domain migration, the app under Identity Provider is a hyperlink, but it takes you to IDCS domain home page.

    In that case you need to search your App name under Oracle Cloud Services as below

    Thanks
    Subha