Re: Question To Test My Sanity

From: Dba DBA <oracledbaquestions_at_gmail.com>
Date: Thu, 11 Apr 2019 10:14:07 -0400
Message-ID: <CAE-dsOJwdqodDHJP_5Y0C+hHoFuWnJ6CWVUo2rh26puymoMKKA_at_mail.gmail.com>



We had jump servers at a previous employer. It was a hosting/Cloud company. Each customer had its own VPN and was totally separate. DBs were not exposed directly to the internet. So we would connect through jump servers with 2 factor authentication. The admins had Linux set up so we could log in about once every hour or 2 to a Linux server and then would not have to enter our passwords again for a while.
This worked out since we had a dump spot that we all used to leave software downloads, scripts, patches, etc... For Windows it was annoying. You had to remote PC to a jump box, then remote PC again. We did not have many Oracle DBs running on Windows.

This was necessary for us since we had 100s of customers all on their own VPN and silo'd. The only downside was that if we wanted to use SQL Developer, we would have to set up a tunnel for each DB server, so we rarely used it. I prefer SQL Developer when I have to do a select * or something so I don't have to format or some little thing like that. So I was purely command line there. We did not run a lot of queries so it was not that bad.

The issues came when we had an outage and lost jump servers. We had a few backups in different locations, but sometimes when a main one would go down all the others would get really slow.

On Thu, Apr 11, 2019 at 9:25 AM Kellyn Pot'Vin-Gorman <dbakevlar_at_gmail.com> wrote:

> "Hey, Kellyn answered on two threads today!" :)
>
> Having worked on both sides of the house, as a SQL DBA and an Oracle DBA,
> the one thing I learned was that server admins on the Linux/Unix side
> rarely thought they were DBAs. Windows admins very often thought they
> could do a SQL Server DBA's job because they could run the install...:) The
> best administrators, no matter server, database or application, have some
> control issues. They need to for security reasons to ensure the
> environment they are responsible for is taken care of. These control
> issues can get a bit out of control and that's what you're experiencing
> here.
> Jump box design leads to DBAs working through critical issues on a host
> that is not as familiar to them as their own workstation and tools. It
> leads to human error and in my experience, leads to more critical outages
> and longer outages. Having the right balance of security and letting
> people be the best they can at their job is not something we in IT prevail
> at very often. Egos and control issues just get in the way.
> The best way to address this is to have an open conversation, not about
> what they aren't letting you do, but to have management in the room, and
> maybe even the business and discuss the risks around not having access to
> the server- lacking ability to respond immediately to issues, missing
> tools that provide more insight and how Oracle support is best when the DBA
> is able to manage their database over a Windows admin. How many Windows
> server admins would have no problem deleting a very large log from a
> server- like one called redo02.log, etc? We don't expect them to be DBAs,
> but they need to respect that our role is needed for a reason.
>
>
>
>
>
> *Kellyn Pot'Vin-Gorman*
> DBAKevlar Blog <http://dbakevlar.com>
> President Denver SQL Server User Group <http://denversql.org/>
> about.me/dbakevlar
>
>
>
> On Thu, Apr 11, 2019 at 8:07 AM Scott Canaan <srcdco_at_rit.edu> wrote:
>
>> This is not so much of a technical question, but more of a procedural
>> question.
>>
>>
>>
>> Here’s the back story. Yesterday, we were told by the Windows Sys Admins
>> that they’ve decided that we (DBAs) are no longer allowed to access
>> databases running on Windows servers directly from our PCs. We now have to
>> remote into another server, called dbatools, and only from there can we
>> directly access databases. They’ve loaded our tools (TOAD, PL/SQL
>> Developer, SQL Server Management Studio, etc.) on that server and are in
>> the process of removing our IP addresses from the firewalls on the Windows
>> servers, forcing us to use this one server for all of our access.
>>
>>
>>
>> When I asked why, the only answer I got was “security”. What I read into
>> that is “We don’t trust you”. This is being done without any input from us
>> or any discussion, it’s just happening.
>>
>>
>>
>> The question: Has anyone else run into this kind of setup? Is this a
>> common configuration?
>>
>>
>>
>> Thank you,
>>
>>
>>
>> *Scott Canaan ‘88*
>>
>> *Sr Database Administrator *Information & Technology Services
>> Finance & Administration
>>
>>
>> *Rochester Institute of Technology *o: (585) 475-7886 | f: (585) 475-7520
>>
>> *srcdco_at_rit.edu <srcdco_at_rit.edu>* | c: (585) 339-8659
>>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Apr 11 2019 - 16:14:07 CEST
