Site icon Ron Ekins' – Oracle Technology, DevOps and Kubernetes Blog

Securing Oracle 19c / 26ai RMAN backups with File System Snapshots

@RonEkins
Database administrator smiling at computer showing successful Oracle RMAN backup status

A database administrator reviews a successful RMAN backup on her workstation in a server room

Introduction

In this Blog, I will share how you we can secure Oracle RMAN backups written to an Everpure FlashBlade File System using a Python script to automate a REST API call to perform a File System Snapshot.

A FlashBlade snapshot is immutable, this means that any files including Oracle Recovery Manger (RMAN) backups written to a FlashBlade file system can be secured by a snapshot as they can’t be changed or modified.

Additionally, FlashBlade SafeMode snapshots extends the protection by being indelible, this means the Oracle RMAN backup is entirely immune from being deleted or destroyed by an erroneous RMAN policy, ransomware, human error or a rogue administrator until its enforced retention period expires.

Python SDK Installation

Before we can start we need to install the Pure Storage FlashBlade Python SDK, which we can using pip.

# pip install –upgrade pip
# pip install purity_fb

In this blog I will be using the example pureTakeFBsnapshot.py Python script which you can find at the Everpure GitHub public repository.

FlashBlade Documentation

You can find the latest Everpure FlashBlade REST API Guide at the Everpure Support Site, the FlashBlade Python SDK documentation is available at https://purity-fb.readthedocs.io/en/latest/ this includes installation and usage details, so definitely a good place to start.

FlashBlade Fine-Grained RBAC

With the release of FlashBlade Purity 4.8.1 we can now configure fine-grained RBAC (Role Based Access Control), and lock-down REST API access to a sub-set of operations, for example Snapshot management only.

To configure fine-grain RBAC, from the FlashBlade WebUI navigate to Policies -> Management Access Roles and click + and create an Access Role.

Step 1: Create Management Access Role

Next, Add File System Snapshot permissions

Step 2: Add Permissions to Role ‘oracle_AP’

And, create a Management Access Policy.

Step 1: Create Management Access Policy

Now add the access role to policy role, and select scope, for this example the scope is array wide.

Step 2: Add Management Access Policy Rule

Now navigate to Settings -> Users to create a Service Account providing a User Name and assigning the previously created Access Policy.

New User

Finally, select the New User and Create API Token, remember to copy provided API Token.

Create API Token

Note: the pureTakeFBsnapshot.py Python script also supports the use of FlashBlade REALMS. To use a REALM simply prefix the File System with REALM name, for example <REALM NAME>::<File System Name>.

Available Options

Using python3 pureTakeFBsnapshot.py -h you can see a list of available command line options, for example:

$ python3 pureTakeFBsnapshot.py -h
Usage: pureTakeFBsnapshot.py [options]
Tested with FlashBlade fine-grain granual RBAC, available from Purity
4.8.1. To use FlashBlade REALMS, prefix File System with Real name, seperated
with double-colon for example <Realm Name>::<File System>

Options:
  --version            show program's version number and exit
  -h, --help           show this help message and exit
  -d, --debug          Debug [default: False]
  -f FS, --filesystem=FS
                       FlashBlade File System
  -r FLASHBLADEREP, --replicant=FLASHBLADEREP
                       FlashBlade Replicant array
  -s FLASHBLADE, --server=FLASHBLADE
                       FlashBlade array
  -t API_TOKEN, --token=API_TOKEN
                       Everpure API Token
  -S SUFFIX, --suffix=SUFFIX
                       File system snapshot suffix
  -v, --verbose Verbose [default: False]

Securing Oracle RMAN Backups

To secure your Oracle database 19c or Oracle AI Database 26ai RMAN (Recovery Manager) backup your database to a FlashBlade file system using NFS or preferably dNFS, and include the below within your Bash script after the RMAN backup section to initiate a file system snapshot using the FlashBlade REST API.

python3 pureTakeFBsnapshot.py -f <File System> -s <FlashBlade> -t <API Token> 

python3 pureTakeFBsnapshot.py -f z-re-ora1 -s fbstaines03.uklab.purestorage.com -t T-a70a008e-935e-4cb6-88af-dd380d6d0fae
===================================================================================================
Everpure Take FlashBlade Snapshot (2.1.0) - fbstaines03.uklab.purestorage.com
22/05/2026 14:59:18 GMT
===================================================================================================
Snapshot created for z-re-ora1 suffix 2026_05_22_16_02
===================================================================================================
22/05/2026 14:59:18 GMT
===================================================================================================

Revisiting the FlashBlade WebUI, navigate to Storage -> File Systems to see the newly created snapshot.

Alternatively, from the FlashBlade CLI use the purefs snapshot list <file system> command, for example:

pureuser@fbstaines03> purefs snapshot list z-re-ora1
Name                        Source     Created                  Policies
z-re-ora1.2026_05_22_16_02  z-re-ora1  2026-05-22 16:02:39 BST  -

Summary

In this blog post I have shared how to install the FlashBlade Python SDK, configure fine-grained RBAC and then take a file system snapshot using a FlashBlade REST API.

If you want to further lock-down access to your Oracle RMAN backups, you may want to check-out this blog post on the use of AutoFS.

Exit mobile version