Unable to add security to an existing Oracle NoSQL Database CE installation

User_GX5XX Member Posts: 9 Green Ribbon
edited Apr 7, 2022 5:14PM in NoSQL Database Discussions

I deployed Oracle NoSQL Database CE on Minikube using this image: oracle/nosql:19.5-ce [https://github.com/oracle/docker-images/tree/main/NoSQL]

I followed this doc to make the db secure: https://docs.oracle.com/en/database/other-databases/nosql-database/19.5/security/single-node-secure-deployment.html#GUID-03A2067A-64CD-4CF4-99DC-D430DA8FD290

In the 3rd step, I used the -pwdfile option since my db is the CE version.

However, in the 7th step of this doc, I could not log in admin as anonymous as it should be. Instead, I was asked to provide a username and a password as you can see in the picture below:

My Oracle NoSQL Database deployment and service yaml:


So, what is it that I am missing here?


Answers

  • First, in step 3, did you specify '-pwdmgr pwdfile' to use a password file? Note that the Oracle Wallet is not supported in EE.

    In step 7, are you calling runadmin while running on the same machine as the SNA? The anonymous login is only permitted when logging in from the local machine.

  • User_GX5XX Member Posts: 9 Green Ribbon

    Thanks for the quick reply.

    Yes, I did specify pwdfile option as I said in my post above.

    Yes, you can see in the picture that I'm entering the pod with "kubectl exec" and running the runadmin command inside the pod.

  • Hmmm. Maybe there is something funny about the networking that is preventing the server from realizing that the call is coming from the local machine. Maybe you could try experimenting with this first in a simpler deployment environment to see if that might be the issue? If it is, we'll need to track it down, but it might be helpful to rule out other issues first.

  • User_GX5XX Member Posts: 9 Green Ribbon

    What do you suggest as a simpler deployment environment?

  • Oh, sorry, maybe I missed what you are trying to do. I guess your use case is specifically with our docker image, not just with the 19.5 release. I'll check with others about this.

  • User_GX5XX Member Posts: 9 Green Ribbon

    Exactly, my use case is specifically with this docker image.

    And I think it is important to point out that in the Dockerfile that I'm using to build my existing image, the version is 19.5.19 and not 19.5.25, which is the current one on GitHub (you can see the diff here: https://github.com/oracle/docker-images/commit/179caac4b43a484559334d38cb06e698aa1bb4b5#diff-ffc3de684b4fa40e629e7977082eeb3bae8300053414c948ebb38d829f450372 ).

    Even this itself may cause the problem, but I'm not sure.

  • So the issue here is that the docker image has a non-secure kvlite configured in it by default. The directions in the documentation don't work for upgrading a kvlite from non-secure to secure mode. Instead, you should modify the Docker file to create a secure kvlite. We'll update the directions about this.

  • User_GX5XX Member Posts: 9 Green Ribbon

    Exactly. That's the issue here.

    Just to sum up:

    I got stuck in the 7th step of the doc that I mentioned in my post because it does not log in admin as anonymous right after I start the runadmin command (instead it asks me to provide a username and a password), and I need to be able to log in admin as anonymous and go further in the doc to make my non-secure kvlite secure.

    So, as I understand, I should wait for the update, right?

  • davega-Oracle Member Posts: 7 Employee
    edited Apr 9, 2022 9:10AM

    Those images are based on the KVLite feature. KVLite is a simplified version of the Oracle NoSQL Database. It provides a single storage node, single shard store, that is not replicated. It runs in a single process without requiring any administrative interface.

    https://docs.oracle.com/en/database/other-databases/nosql-database/19.5/kvlite/index.html

    KVLite is intended for use by application developers who need to develop and unit test their Oracle NoSQL Database applications. It can be used as a development platform for developers to get familiar with Oracle NoSQL APIs, and test different ways of interacting with these APIs. KVLite runs on a single machine. It is not intended for production deployment, or for performance measurements.

    The documentation that you mentioned does not apply here. We are using a specific version called KVLITE.

    That said, you need to change the last line in the Dockerfile from disable to enable and you will have a secure configuration.

    CMD ["java", "-jar", "lib/kvstore.jar", "kvlite", "-secure-config", "enable", "-root", "/kvroot"]

    then

    docker build -t oracle/nosql .
    docker run -d --name=kvlite --hostname=kvlite  oracle/nosql
    

    Then you can test using docker exec -ti kvlite:

    docker exec -ti kvlite /bin/bash
    docker exec -ti kvlite java -Xmx64m -Xms64m -jar lib/kvstore.jar version
    docker exec -ti kvlite java -Xmx64m -Xms64m -jar lib/kvstore.jar ping -host localhost -port 5000 -security /kvroot/security/user.security
    docker exec -ti kvlite java -jar lib/kvstore.jar runadmin -host localhost -port 5000 -store kvstore -security /kvroot/security/user.security
    docker exec -ti kvlite java -jar lib/sql.jar -helper-hosts localhost:5000 -store kvstore -security /kvroot/security/user.security
    

    The real challenge here is to have access from another container because you need to copy the /kvroot/security/ from the kvlite container to the new one. Otherwise, you will have the following error:

    $ docker run --rm -ti --link kvlite:store oracle/nosql   java -jar lib/sql.jar -helper-hosts store:5000 -store kvstore -security /kvroot/security/user.security
    Picked up _JAVA_OPTIONS: -Djava.security.egd=file:/dev/./urandom
    Exception in thread "main" java.lang.IllegalStateException: /kvroot/security/user.security (No such file or directory)
            at oracle.kv.impl.security.util.KVStoreLogin.createSecurityProperties(KVStoreLogin.java:382)
            at oracle.kv.impl.security.util.KVStoreLogin.loadSecurityProperties(KVStoreLogin.java:164)
            at oracle.kv.impl.security.util.KVStoreLogin.updateLoginInfo(KVStoreLogin.java:139)
            at oracle.kv.util.shell.CommonShell$LoginHelper.updateStoreLogin(CommonShell.java:704)
            at oracle.kv.util.shell.CommonShell.connectStore(CommonShell.java:215)
            at oracle.kv.util.shell.CommonShell.connectStore(CommonShell.java:208)
            at oracle.kv.impl.query.shell.OnqlShell.init(OnqlShell.java:124)
            at oracle.kv.util.shell.CommonShell.start(CommonShell.java:1372)
            at oracle.kv.impl.query.shell.OnqlShell.main(OnqlShell.java:861)
    

    And here, there are multiple options, but we need to understand the use case to provide accurate guidance.

    You are talking about a simpler deployment environment. Could you help me understand why you need to activate the security for a development env? Why are you deploying using oracle/nosql:19.5-ce? And, most important, which driver or SDK will you use for your development?
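
One way to do the copy this answer describes, as an added example that is not from the thread or from Oracle's image: pull /kvroot/security out of the running kvlite container with docker cp and bind-mount it read-only into the client container. The host directory kvlite-security, the script name kvlite-client.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): copy KVLite's security directory to
# the host, then mount it read-only into a client container.
set -eu

KV_CONTAINER=${KV_CONTAINER:-kvlite}         # container name from the answer
SEC_PATH=/kvroot/security                    # path from the answer
SEC_COPY=${SEC_COPY:-$PWD/kvlite-security}   # assumed host path (absolute)

export_security() {
    # docker cp nests the source inside a destination that already exists,
    # so insist on a fresh one to get user.security at the top level.
    if [ -e "$SEC_COPY" ]; then
        echo "refusing to reuse existing $SEC_COPY" >&2
        return 1
    fi
    docker cp "$KV_CONTAINER:$SEC_PATH" "$SEC_COPY"
    # The copy holds login credentials: keep other host users out.
    # Assumes the client container's user can still read it (e.g. root).
    chmod -R go-rwx "$SEC_COPY"
    if [ ! -f "$SEC_COPY/user.security" ]; then
        echo "no user.security in $SEC_COPY; was kvlite started secure?" >&2
        return 1
    fi
}

run_sql_client() {
    # Same command as in the answer, plus the bind mount that puts
    # user.security where -security expects it.
    docker run --rm -ti --link "$KV_CONTAINER:store" \
        -v "$SEC_COPY:$SEC_PATH:ro" \
        oracle/nosql java -jar lib/sql.jar -helper-hosts store:5000 \
        -store kvstore -security "$SEC_PATH/user.security"
}

# Usage: sh kvlite-client.sh export | client | all
case "${1:-}" in
    export) export_security ;;
    client) run_sql_client ;;
    all)    export_security; run_sql_client ;;
esac
```

Delete the host copy when testing is done, since it stays valid for as long as the kvlite container keeps its generated credentials.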

  • User_GX5XX Member Posts: 9 Green Ribbon

    Thank you for the explanation.

    I'm developing an Oracle NoSQL scaler for KEDA (Kubernetes Based Event-Driven Autoscaling) [https://github.com/kedacore/keda#readme] and you can see my issue here: https://github.com/kedacore/keda/issues/2289

    So, what this scaler basically does is that it connects to the Oracle NoSQL db and listens to it, and does some scaling if necessary. While connecting, it has to have an authentication mechanism like providing a username and a password. That's why I need to make the db secure and then see if my scaler works correctly.

    I'm using this Go SDK (https://github.com/oracle/nosql-go-sdk) to connect to on-prem and cloud. For now, I only have Oracle NoSQL on Minikube which is on-prem, not cloud yet. So, the thing is, I need to have a secure db to be able to test my scaler and I cannot produce that environment right now.

    Regarding why I'm using the oracle/nosql:19.5-ce image, it was the one I found at that time while I was searching for a Docker image to deploy the db on Minikube.

    I hope this makes what I'm trying to do more clear.