Oracle and SQL Server Under One Roof Joe Yong Chief Architect Scalability Experts Inc. jyong@scalabilityexperts.com About This Session Goals Architectural and functional overview of SQL Server vis-à-vis Oracle Explore design philosophies and implementation results Non-goals Deep dive into SQL Server Better/worse comparisons Make you a SQL Server expert Pre-requisites Experience as an Oracle DBA, Architect or Developer DBA Open mind Oracle DBA vs. SQL Server DBA I manage an enterprise class database system I pretty much have to be rocket a scientist to manage my DBs I am paranoid about security and lock my database down real tight Developers sometimes driver me crazy with their unoptimized code I manage an enterprise class database system I built a rocket for a science project while managing my DBs After slammer, my DB makes Fort Knox look like 7-eleven I threw away the key and welded the basement doors on my 1st day Dev: Those DBA dudes need to chill out a little Dev: We have more than one tunneling protocol I’d rather deal with a corrupted DB on my Nasdaq system at 11am Monday than deal with pricing/licensing Product development leadership: I’d rather deal with a corrupted DB on my Dow Jones system at 11am Monday than deal with pricing/licensing Product development leadership: Chuck Rozwat, Vice President Ex-DEC RDB Peter Spiro, Distinguished Engineer Ex-DEC RDB Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Why you should care This used to be your world SUN, HP, Digital, etc… *NIX / Windows Server Mainframe, Mini, etc… Oracle Database Basic network Client PCs KRON, SQL Loader, external tables, etc… Flat-files Why you should care This is your world now Why you should care Mono-cultures don’t exist; heterogeneity is a fact Right tool for the right job; you can’t build a data center with a Swiss army knife and duct tape Data sharing is a necessity not a luxury Knowledge puts you in control (as much as possible) It pays to know both Oracle & $QL $erver Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Database Architecture What is SQL Server the Platform? Database Architecture What is SQL Server the Database? Memory Process Data Process System Data Data Process Process PC Log Temp CPU Control CPU Storage Server CLIENT INSTANCE DATABASE Multiple instances per server, multiple databases per instance, multiple schemas per database Some shared components Between instances: Tools, Books Online, Common Files Between databases: System databases, Agents, Logs, resources Database Architecture SQL Server: Quick Peek Under The Hood SQL Messages HTTP messages RPC Messages Results SQL OS Deadlock Monitor Memory Manager Scheduler Buffer Pool Synchronization Services Lock Manager SQL CLR Hosting Layer T-SQL Compiler CLR Query Optimizer SQL Manager Algebraizer Execution Environment METADATA Interface Storage Engine T-SQL Execution Query Execution Expression Service P A R S E R Database Architecture Physical SQL Server: Storage Overview Data File Data File Data File Data File Logical Temporary Tablespace Groups Tablespace Tablespace Segment File Group Segment Heap/Index Heap/Index Extent Extent Extent Extent Extent Extent Extent Extent Blocks Blocks Blocks Blocks Pages Pages Pages Pages ORACLE SQL SERVER Database storage architecture covers physical and logical structures Physical structures are data files, log files, and so on. Logical structures are subdivisions of data files used to manage storage space Database Architecture SQL Server: Storage Blocks 2K block 2K block 2K 2K block 6 x 2K block = 12K 8K block 8K block 8K block 2K block 2K block 2K block EXTENT 2K block 8K block 8K block 8K 8 x 8K2K = 64K block EXTENT block 2K block 2K block 2K block 2K block 8K block 8K block 8K block 2K block 2K block 2K block 2K block 2K block 8K block 8K block 8K block 2K block 2K block 2K block 2K block 2K block 8K block 8K block 8K block 2K block 2K block 2K 8 x 2K 2K= 16K 2K block EXTENT block block 8K block 8K block = 64K 8K 8 x 8K2K block EXTENT block 2K block 2K block 2K block 2K block 8K block 8K block 8K block 2K block 2K block 2K block 2K block 2K block 8K block 8K block 8K block 2K block 12K + 16K = 28K SEGMENT (Table/Index) 2K block Oracle SQL Server Variable Fixed 64K + 64K = 128K HEAP/INDEX Database Architecture SQL Server: Query Processing New Statement Language Processing Found Executable Plan Lookup in Plan Cache Found Compiled Plan Not Found Parse Auto-Param Bind, Expand Views Query Optimization Generate Executable Plan Fix Memory Grant & DoP Execute Return Plans to Cache (Parse/Bind, Statement/Batch Execution, Plan Cache Management) Query Optimization (Plan Generation, View Matching, Statistics, Costing) Query Execution (Query Operators, Memory Grants, Parallelism, Showplan) Stored procedures Parameterized queries Query hints Dynamic SQL Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Security Features and Design Principles Data encryption, granular permissions, surface area configuration, auditing, network packet encryption, default traces, alerts, etc… Security tenets Secure by design, out of the box default settings are secure difficult to choose less secure settings Principle of least privileges Minimum, granular permissions for specific tasks Low privileged service accounts Reduction of surface area Install, run only necessary components Tools to simplify lockdown Security Users, Schemas and Objects A database can contain multiple schemas Each schema has an owning principal – user or role Each user has a default schema for name resolution Object creation inside schema requires CREATE permission on the object and ALTER or CONTROL permission on the schema Database Approle1 User1 Role1 Has default schema Owns Schema1 Owns Schema2 Schema3 SP1 Fn1 Tab1 Owns Security Logins and Users A LOGIN give you connection rights Is stored in the MASTER database Applies to the instance Has no permissions directly per se Exception: Server Role membership Mapped to a user for permissions A database USER is the permissions container Also the schema owner Permissions are granted to database users, not logins Specific to a single database Endpoint Based Authentication SQL Server 2005 Endpoint: Point of entry into an instance Binds transport protocol to payload Transport Protocol Named pipes Shared Memory TCP HTTP VIA Payloads TDS SOAP SSB Database Mirroring HTTP, Service Broker, Database Mirroring: Endpoints need to be explicitly created No permissions on endpoint by default TCP, Named Pipes, Shared Memory Default endpoint created at start up CONNECT permissions granted to authenticated logins Permissions can be denied on a per endpoint basis SQL Server Security Model Network connection request/pre-login handshake Connect to the SQL Server computer Login authentication request to SQL Server Establish login credentials; Authorize against EP Switch to a database and authorize access Establish a database context Attempt to perform some action Verify permissions for all actions Access and Authentication Principals Windows-level principals Windows Domain Login Windows Local Login SQL Server-level principal SQL Server Login Database-level principals Database User Database Role Application Role General Permissions Scheme Grantee Logins for Server level permissions Database principals for database permissions Securable Entity to be secured Example: Tables, assemblies, databases, server, etc… Same permission can be at multiple scopes Example CONTROL at schema or table level DENY at any level always take precedence Permissions Hierarchy Principal Individuals, groups & processes Requests resources Can be hierarchical Securable Resources to which the authorization system regulates access Can be nested (scope) and secured individually or collectively Scope Server Database Schema Covering Permissions Permissions can be derived from grants at higher scope Example EXECUTE granted at schema level Permissions can be implied by other permissions Example, CONTROL on a table implies SELECT Sys.fn_my_permissions() Ability to find out what permissions a user has Scope and Granularity Database Table1 Schema 1 Schema 2 View1 View 2 Schema 3 Stored Proc Function Where are permissions recorded? Sys.Server_permissions server level permissions Sys.database_permissions Database level permissions Sys.securable_classes Lists all securables Sys.fn_builtin_permissions Shows all permissions grantable on a securable Includes covering permissions Execution context Token: 1 principal as primary identity N principals as secondary identities Zero or more authenticators Authenticator: Vouches for authenticity of the token Can be a principal or a certificate Execution context: 1 server token 1 or more database tokens (one for each database that is accessed) Impersonation model Login as one context, and at run time, ask the system to switch your context to some other context. EXECUTE AS (SQL Server2005 model) Server level: Server-level triggers Database level: Stored procedures Functions Triggers Queues EXPLICIT impersonation. IMPLICIT impersonation. (stand alone) (module) Explicit Impersonation EXECUTE AS login Syntax: EXECUTE AS login = ‘<server principal>’. Must have Impersonate permission on login::<server principal> Token is valid across the server Server level authenticator = system. Server level permissions and role memberships are honored Revert to previous context by calling REVERT Implicit Impersonation Permissions checked against module creator’s context at module creation time Server level authenticator = system. Database level authenticator = dbo. Context is reverted back when the module execution finishes. To call a module marked with Execute as, the caller doesn’t need permission to impersonate anyone. Only permission to execute the module. Encryption Network Data/table Let’s just see how it’s done Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Management Tools Configuration Manager Configuration manager Management Studio Business Intelligence Development Studio Profiler Database Tuning Advisor Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Data Movement & Interoperability Tiers and Options Client-tier Web browsers (duh?!) Clients that wrap web services Middle-tier Web Services Application/Web server, gateways, etc…. Btw, J2EE is fully supported Data-tier Direct ODBC, OLEDB, .NET, JDBC SQL Server wrapped OLEDB Data Movement & Interoperability Data Import/Export BCP SELECT INTO SSIS Let’s see how they work Data Movement & Interoperability Replication Transactional and Snapshot Publications Administered like SQL Server Publishers No Oracle side software install necessary v8+ Oracle on any OS supported Improvements for Oracle and DB2 subscribers SQL Server Distributor Subscribers Data Movement & Interoperability Linked Servers <<wip>> Agenda Why you should care Database architecture Security Management tools Data movement & interoperability Case study Summary Case Study 1 Joint Standards <<WiP>> Case Study 2 Maintain, Expand, Extend <<WiP>> Agenda Why you should care Database architecture Security Management tools Replication Integration Services Case study Summary Summary <<WiP>> <<WiP>> Resources www.microsoft.com/sql/ msdn.microsoft.com/sqlserver/ www.microsoft.com/technet/ www.scalabilityexperts.com www.sqldev.net www.sqlservercentral.com/