Scripting Node with Limited Privileges
In some environments, especially those requiring secure automation or API integration, it is desirable to have a lightweight dbWatch node dedicated to scripting tasks. This configuration uses a headless Control Center node running the CCC (Control Center Commandline) tool, with tightly controlled domain access and limited privileges.
This setup supports:
- Scripted automation using dbWatch’s Unified Scripting Language (USL)
- Controlled task execution from CI/CD pipelines, scheduled jobs, or external systems
- Centralized security control through domain configuration and firewall rules
- Enhanced security posture by restricting UI, management, and monitoring capabilities
Typical Use Cases
- Scheduled data exports to third-party platforms
- Automated instance registration and metadata updates
- Batch installation of jobs to new instances
- Integration with DevOps tools or centralized orchestration systems
Architecture Overview
A scripting node runs only the core dbWatch Control Center services necessary for domain authentication and CCC execution. It does not host a full GUI client, nor does it act as a monitoring node.
This node is configured in the domain with restricted roles and certificate routing controls. Firewall rules can ensure that only specific IP ranges or systems can communicate with it.
Installation and Setup
1. Install dbWatch Control Center on Target Node
Install the product using your platform’s guide:
- Console installation on Linux Ubuntu
- Console installation on Linux RedHat
- Installing on Windows Server
Skip starting the GUI or adding monitoring roles. This node will act as a scripting node only.
2. Configure Node in the Domain
From an existing GUI client or server with full access:
- Open the Domain Configuration
- Add the new scripting node to the domain.
- Assign only the minimum required privileges (e.g., script execution, metadata modification).
Enable the certificate routing for the domain and configure the Internal Control Center Firewall to accept only whitelisted IPs or hosts.
Suggested Privileges for a Scripting Node
The following privileges should be assigned based on the specific CCC scripts intended to be used. Privileges can be scoped tightly using roles associated with nodes in the Security System or Domain Configuration.
Action | CCC Script | Required Privilege | On Security Object |
---|---|---|---|
Add new instance | add_instance.script | Write | Instance System |
Register instance config | register_instance.script | Write | Instance System |
Retrieve instance config | get_instance.script | Read | Instance |
Install jobs | jobs.script | Write | Instance |
Set metadata | metadata.script | Configure | Instance |
Run FDL/USL scripts | fdl.script | Write | Instance |
Connect/disconnect instance | instance_action.script | Configure | Instance |
Note:
- Do not assign elevated permissions like domain shutdown, user management, or job template editing.
- Group permissions logically into roles such as `ccc-script-runner` or `automation-node`.
For the full list of actions and required privileges, refer to:
Assigning the Privileges
To create and assign a minimal-access role:
- Go to Domain Configuration > Roles
- Create a new role: `scripting-node`
- Assign the minimum required privileges as described above
- Go to Nodes and assign this role to the scripting node
Using the Scripting Node in Secure Topologies
In multi-node deployments, the scripting node can be configured to connect to a central domain via a cloud router.
Common features:
- The node will authenticate using domain-issued certificates.
- All connections are encrypted over TLS (default port 7100/TCP or custom).
- The internal firewall and routing privileges can be configured to further isolate this node.
Read more:
Example Role XML Snippet
If editing the configuration manually, here’s an example role that can be adapted:
<role>
<name>ccc-script-runner</name>
<privilege>write_instance_system</privilege>
<privilege>read_instance</privilege>
<privilege>write_instance</privilege>
<privilege>configure_instance</privilege>
</role>
This pattern enables you to automate and integrate dbWatch safely in production environments while retaining strong governance and traceability over every action executed.
3. Use CCC for Script Execution
On the scripting node, use the Control Center Commandline tool to trigger tasks.
Example: Running metadata update
Running Metadata Update with CCC
To apply metadata to a database instance using the command-line tool CCC, you must prepare a properties file containing your metadata keys and values. This file is then passed to the `metadata.script`.
1. Create the metadata definition file
Create a file named `metadata.properties` with the desired key-value pairs. For example:
env=prod
team=finance
2. Run the metadata update script
Use the following command syntax to apply the metadata:
./ccc.sh metadata.script --instanceName=mydb01 --definition=metadata.properties
Replace `mydb01` with the name of your database instance, and adjust the filename if you named your metadata file differently.
This approach ensures that the metadata is properly parsed and assigned by the CCC scripting engine. Directly passing metadata via a `--metadata=` flag is not supported by `metadata.script`.
Scripts are available in the following archive:
Refer to these pages for usage details: