
ApsaraDB for OceanBase: Create a normal account for an OceanBase cluster instance and grant privileges to the account

Last Updated: Jul 31, 2024

This topic describes how to create a normal account for an Oracle tenant in an OceanBase cluster instance and grant the minimum privileges required in different phases of data migration to the account.

Background

An OceanBase cluster instance in Oracle mode supports two types of database accounts: normal accounts and super accounts. When you use the data transmission service to migrate data from an OceanBase cluster instance, observe the following rules:

  • If you use a normal account, grant privileges to the account based on the descriptions in this topic.

  • If you use a super account, the super account has the read and write privileges on all databases by default.

In this example, a normal account is created for an OceanBase cluster instance. Specify this account for the Username field when you create an OceanBase data source.

If you want to migrate a table without a unique key, you must also create the __OCEANBASE_INNER_DRC_USER user with the read-only privilege before data migration. You specify the password of __OCEANBASE_INNER_DRC_USER when you create an OceanBase data source.

Create a normal account for a cluster instance

  1. Go to the Cluster Instance Workspace page.

    1. Log on to the ApsaraDB for OceanBase console.

    2. In the upper-left corner, select the region where the target instance is located.

    3. In the left-side navigation pane, click Instances and then click the name of the target instance.

  2. Go to the Accounts page.

    1. On the Cluster Instance Workspace page, click Tenant Management in the left-side navigation pane.

    2. On the Tenants page, click the name of the target Oracle tenant.

    3. On the Tenant Workspace page, click Account Management in the left-side navigation pane.

  3. On the Account Management page, click Create Account in the upper-right corner.

  4. In the Create Account dialog box, configure the parameters.

    | Parameter | Description |
    |---|---|
    | Username | The account name can contain letters, digits, and underscores (_). It must start with a letter and end with a letter or digit, and cannot exceed 32 characters in length. |
    | Account Type | Select Normal Account. Then, you can grant privileges on databases to the account. For more information about privileges, see Account privileges in Oracle mode. |
    | Password | The password must be 10 to 32 characters in length and contain any three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The supported special characters are: ! @ # $ % ^ & * ( ) _ + - =. You can click Randomly generated to automatically fill in a random password. Note: You can also click Copy Password to copy the password and keep it confidential. |
    | Remarks (Optional) | Enter the description of the account. |

  5. Click OK.

Manage access objects

This section describes how to grant privileges on tables to a normal account in a cluster instance. You can grant privileges based on the privilege descriptions in the following sections.

  1. Go to the Account Management page of an Oracle tenant of OceanBase Database.

  2. Click Manage Access Objects next to the target normal account.

  3. On the Manage Access Objects page, click Add Object in the upper-right corner.

  4. In the Add Object dialog box, configure the parameters.

    | Parameter | Description |
    |---|---|
    | How to Add | You can select Specify Objects or Import Objects. |
    | Object | If you select Specify Objects for How to Add, select the target table objects in the left-side Source Object list and click > to add them to the right-side list. If you select Import Objects for How to Add, paste the target table objects in the username/object name format in the text box and separate multiple objects with commas (,). |
    | Grant privileges | You can grant the read-only or read/write privilege as needed. |

  5. Click OK.

Grant privileges to a normal account in a source cluster instance

The following table lists the minimum privileges required for a normal account in a source OceanBase cluster instance (Oracle mode) in different phases of data migration.

| Table type | Schema migration | Full migration | Incremental synchronization | Full verification | Reverse incremental migration |
|---|---|---|---|---|---|
| Table with a primary key or not-null unique key | Read-only | Read-only | Read-only | Read-only | Read/Write |
| Table without a primary key or not-null unique key | Read-only | Read-only; __OCEANBASE_INNER_DRC_USER required | Read-only | __OCEANBASE_INNER_DRC_USER required | Read/Write |

Grant privileges to a normal account in a destination cluster instance

The following table lists the minimum privileges required for a normal account in a destination OceanBase cluster instance (Oracle mode) in different phases of data migration.

| Table type | Schema migration | Full migration | Incremental synchronization | Full verification | Reverse incremental migration |
|---|---|---|---|---|---|
| Table with a primary key or not-null unique key | Read/Write | Read/Write | Read/Write | Read-only | Read-only |
| Table without a primary key or not-null unique key | Read/Write | Read/Write | Read/Write | Not supported | Read-only |

Create __OCEANBASE_INNER_DRC_USER and grant privileges to the user

  1. Log on to the ApsaraDB for OceanBase console and go to the Tenant Workspace page.

  2. On the Tenant Workspace page, click Log on to Database in the upper-right corner.

  3. In the Enter a database account dialog box, enter the name of the database to log on or select it from the drop-down list and then click OK.

  4. In the Enter the connection password dialog box, enter the password for logging on to the database and click OK.

  5. After logon, run the following command to create the user __OCEANBASE_INNER_DRC_USER:

    CREATE USER '__OCEANBASE_INNER_DRC_USER' IDENTIFIED BY <your_password>;

  6. Run the following command to grant privileges to the user:

    GRANT CREATE SESSION TO '__OCEANBASE_INNER_DRC_USER';
    GRANT SELECT ANY DICTIONARY TO '__OCEANBASE_INNER_DRC_USER';

    You can grant the SELECT privilege on database tables to be migrated in either of the following ways:

    -- Option 1: grant the system privilege (read access to all tables).
    GRANT SELECT ANY TABLE TO '__OCEANBASE_INNER_DRC_USER';
    -- Option 2: grant the privilege on specific database table objects only.
    GRANT SELECT ON <schema>.<table> TO '__OCEANBASE_INNER_DRC_USER';
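
To keep __OCEANBASE_INNER_DRC_USER on per-table grants instead of SELECT ANY TABLE, the following added example (not part of the original documentation or of any OceanBase tooling) turns an object list in the username/object name format described above into one GRANT SELECT statement per table. The function names, the identifier rule, and the sample input are assumptions made for this example.

```python
import re

DRC_USER = "__OCEANBASE_INNER_DRC_USER"  # user name taken from the page

# Assumption for this example: only plain unquoted identifiers are accepted.
# Anything else (spaces, quotes, semicolons) is rejected so it cannot alter
# the generated statement; handle such names by hand.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,127}")


def parse_objects(spec):
    """Parse 'OWNER/TABLE, OWNER/TABLE' into a sorted, de-duplicated list."""
    objects = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing commas and blank entries
        owner, sep, table = item.partition("/")
        if not sep or not _IDENT.fullmatch(owner) or not _IDENT.fullmatch(table):
            raise ValueError(f"not a valid owner/table entry: {item!r}")
        # Unquoted names fold to upper case in Oracle mode.
        objects.add((owner.upper(), table.upper()))
    if not objects:
        raise ValueError("no objects given")
    return sorted(objects)


def grant_statements(spec):
    """Return one per-table SELECT grant for each listed object."""
    return [
        f"GRANT SELECT ON {owner}.{table} TO '{DRC_USER}';"
        for owner, table in parse_objects(spec)
    ]


if __name__ == "__main__":
    # Constructed sample input, not from the page.
    sample = "sales/orders, sales/order_items, hr/employees, sales/orders"
    print("\n".join(grant_statements(sample)))
```

Review the generated statements before running them in the database session opened in step 5; entries that fail validation raise ValueError rather than being passed through.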