RedThunder.Blog
Demystifying cloud technologies…
An enterprise can use a single tenancy shared by various business units, teams, and individuals while maintaining the necessary security, isolation, and governance. This post goes into the concepts involved in doing so.
Unlike most OCI services, which are regionally scoped, IAM resources are global, so customers can have a single tenancy that spans multiple regions. The key IAM primitives are the following:
Resource: A cloud object that a company's employees create and use when interacting with OCI services, for example compute instances, block storage volumes, virtual cloud networks (VCNs), subnets, and route tables. Each resource is assigned a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
Policy: A set of authorization rules that define access to resources within a tenancy.
Compartment: A heterogeneous collection of resources for the purposes of security isolation and access control.
Tenancy: The root compartment that contains all of an organization's resources. Within a tenancy, administrators can create one or more compartments, create more users and groups, and assign policies that grant groups the ability to use resources within a compartment.
User: A human being or system that needs access to manage resources. Users must be added to groups in order to access resources. Users have one or more credentials that must be used to authenticate to Oracle Cloud Infrastructure services. Federated users are also supported.
Group: A collection of users who share a similar set of access privileges. Administrators can grant access policies that authorize a group to consume or manage resources within a tenancy. All users in a group inherit the same set of privileges.
Identity Provider: A trusted relationship with a federated identity provider. Federated users who attempt to authenticate to the Oracle Cloud Infrastructure console are redirected to the configured identity provider. After successfully authenticating, federated users can manage Oracle Cloud Infrastructure resources in the console just like a native IAM user. Currently, Oracle Cloud Infrastructure supports the SAML 2.0 compliant Oracle Identity Cloud Service (IDCS) and Microsoft Active Directory Federation Services (ADFS) as identity providers. Federated groups are mapped to native IAM groups to define which policies apply to a federated user.
Principals
Authentication
Username, Password
- Use the password to sign in to the web console.
- The administrator provides you a One Time Password (OTP) when setting up your account; at your first login you are prompted to reset the password.
API Signing Key
- Required when using the OCI API in conjunction with the SDK/CLI.
- The key is an RSA key pair in PEM format (minimum 2048 bits).
- In the instances, you can copy and paste the PEM public key.
- The user creates the key pair and uploads the public key in the Console.
Auth Tokens
- Oracle-generated token strings used to authenticate with third-party APIs that do not support OCI signature-based authentication (e.g. ADW).
The following steps grant an instance access to an OCI resource or service:
Step 1: Create a Dynamic Group called "FrontEnd" that matches a set of instances. For example, the matching rule:
All {instance.compartment.id = '<compartment_ocid>', instance.id != '<instance1_to_exclude_ocid>', instance.id != '<instance2_to_exclude_ocid>'}
Step 2: Create a Policy with permissions for the instances. For example, create a policy called "DynamicGroupPolicy" with the policy statements:
allow dynamic-group FrontEnd to manage buckets in tenancy
allow dynamic-group FrontEnd to manage objects in tenancy
Step 3: The customer deploys code to an instance. The OCI SDK/CLI is then able to call OCI APIs without customer-configured credentials. Figure 3 depicts the screenshots for this:
Figure 3: Screenshot of OCI API calls
The Java and Python SDKs and Terraform also support Instance Principal authorization. You can use the curl command to query the instance's X.509 certificate; figure 4 shows the screenshot:
Figure 4: X.509 Certificate using curl command
HOW IT WORKS
- The internal PKI Service issues X.509 certificates for every compute instance.
- These compute instance certificates are signed by our internal CA and contain information about the instance (instance ID, compartment ID, etc.).
- If the OCI SDK/CLI cannot find locally configured credentials, it calls the Instance Metadata service and uses the provided X.509 certificate to call the Identity Auth Service, getting back a token to use when calling OCI APIs.
- The Auth Service verifies that the certificate was issued by us and issues a token carrying the key information from the certificate.
- Calls made using that token are authorized against any matching policy (using the new "instances" subject).
- The PKI Agent, running on the SmartNIC, refreshes the certificate periodically, and the SDK, running on the instance, gets a new token from the Auth Service as necessary.
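As an added illustration (not code from the post or from Oracle), the following Python models the Step 1 matching rule, the Step 2 policy statements and the token authorization described under HOW IT WORKS, evaluated against constructed instance attributes. The verb ordering inspect < read < use < manage is OCI's; the rule parser, the simplified policy grammar and all instance, compartment and group names are assumptions.

```python
import re
# Constructed sample data: stands in for the instance id / compartment id that the
# Identity Auth Service reads from each instance's certificate. OCIDs are placeholders.
INSTANCES = {
    "web1":    {"instance.compartment.id": "ocid1.compartment..frontend", "instance.id": "ocid1.instance..web1"},
    "bastion": {"instance.compartment.id": "ocid1.compartment..frontend", "instance.id": "ocid1.instance..bastion"},
    "db1":     {"instance.compartment.id": "ocid1.compartment..backend", "instance.id": "ocid1.instance..db1"},
}
# Step 1 rule, in the post's form: the frontend compartment minus one excluded instance.
DYNAMIC_GROUPS = {"FrontEnd": "All {instance.compartment.id = 'ocid1.compartment..frontend', "
                              "instance.id != 'ocid1.instance..bastion'}"}
# Step 2 statements, as written in the post.
STATEMENTS = ["allow dynamic-group FrontEnd to manage buckets in tenancy",
              "allow dynamic-group FrontEnd to manage objects in tenancy"]
CLAUSE = re.compile(r"\s*([\w.]+)\s*(!=|=)\s*'([^']*)'\s*")
POLICY = re.compile(r"allow\s+dynamic-group\s+(\S+)\s+to\s+(inspect|read|use|manage)"
                    r"\s+(\S+)\s+in\s+tenancy", re.IGNORECASE)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # each verb includes those below it

def parse_rule(rule):
    """Split an 'All {...}' / 'Any {...}' matching rule into (mode, [(key, op, value)])."""
    m = re.fullmatch(r"\s*(All|Any)\s*\{(.*)\}\s*", rule, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    clauses = []
    for part in m.group(2).split(","):
        c = CLAUSE.fullmatch(part)
        if not c:
            raise ValueError(f"bad clause: {part!r}")
        clauses.append((c.group(1), c.group(2), c.group(3)))
    return m.group(1).lower(), clauses

def instance_matches(rule, attrs):
    """True when the instance's certificate attributes satisfy the dynamic-group rule."""
    mode, clauses = parse_rule(rule)
    hits = [attrs.get(k) == v if op == "=" else attrs.get(k) != v for k, op, v in clauses]
    return all(hits) if mode == "all" else any(hits)

def memberships(attrs, groups=DYNAMIC_GROUPS):
    """Dynamic groups the instance belongs to: the subject the issued token carries."""
    return {name for name, rule in groups.items() if instance_matches(rule, attrs)}

def token_allowed(groups_in_token, verb, resource_type, statements=STATEMENTS):
    """Authorize one call against the policy statements (simplified verb model)."""
    for stmt in statements:
        m = POLICY.fullmatch(stmt.strip())
        if (m and m.group(1) in groups_in_token and m.group(3).lower() == resource_type
                and VERB_RANK[m.group(2).lower()] >= VERB_RANK[verb]):
            return True
    return False
```

Note that the excluded bastion instance is still in the same compartment but gets no membership, so a token issued for it authorizes nothing under these statements.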
Authorisation
POLICY SYNTAX
Figure 6 depicts the verbs and permissions for the Volume family:
Figure 6: Verbs and Permissions
COMMON POLICIES
Audit Service
Tagging
OCI Tagging allows you to customise the organisation of your resources, control tag spam, and script bulk actions based on tags. There are two types of tags: Free Form and Defined.
FREE FORM TAGS
These are the basic kind, consisting of key-value pairs only. For example, you can tag Environment = Production; Project = Alpha.
DEFINED TAGS
Defined tags have more features and controls associated with them. They are contained in namespaces, have a defined schema, and are secured with policy.
TAG NAMESPACE
A tag namespace is a container for tag keys with tag key definitions. A tag key definition specifies its key (for example, environment) and what types of values are allowed (string, number, text, date, enumerations, etc.). A tag key definition or a tag namespace cannot be deleted, only retired. Retired tag namespaces and key definitions can no longer be applied to resources. You can reactivate a retired tag namespace or tag key definition to reinstate its usage in your tenancy. This is depicted in figure 8 below:
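To make the namespace lifecycle concrete, here is an added Python illustration (not code from the post or the OCI SDK) that enforces the rules above: a value must fit its tag key definition's type, and a retired namespace or key definition cannot be applied until it is reactivated. The 'Operations' namespace and its keys are constructed for the example.

```python
from datetime import date
class TagError(ValueError):
    """Raised when a defined tag cannot be applied to a resource."""
# Constructed namespace schema: the 'Operations' namespace and its key definitions
# are placeholders for this illustration, not taken from any real tenancy.
OPERATIONS_NS = {
    "name": "Operations",
    "retired": False,
    "keys": {
        "Environment": {"type": "enum", "values": ["Dev", "Test", "Production"], "retired": False},
        "CostCenter":  {"type": "number", "retired": False},
        "ReviewedOn":  {"type": "date", "retired": False},
        "LegacyOwner": {"type": "string", "retired": True},  # retired key: can no longer be applied
    },
}

def _value_fits(definition, value):
    """Check a value against the key definition's allowed type (string, number, text, date, enum)."""
    kind = definition["type"]
    if kind == "enum":
        return value in definition["values"]
    if kind == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if kind == "date":
        try:
            date.fromisoformat(str(value))
            return True
        except ValueError:
            return False
    return isinstance(value, str)  # 'string' and 'text'
def apply_defined_tag(resource_tags, namespace, key, value):
    """Attach <namespace>.<key> = value to a resource's tag map, refusing retired namespaces/keys and ill-typed values."""
    if namespace["retired"]:
        raise TagError(f"namespace {namespace['name']} is retired")
    definition = namespace["keys"].get(key)
    if definition is None:
        raise TagError(f"no tag key definition {key} in {namespace['name']}")
    if definition["retired"]:
        raise TagError(f"tag key {namespace['name']}.{key} is retired")
    if not _value_fits(definition, value):
        raise TagError(f"{value!r} is not a valid {definition['type']} for {key}")
    resource_tags.setdefault(namespace["name"], {})[key] = value
    return resource_tags

def set_retired(namespace, retired, key=None):
    """Retire or reactivate the namespace (key=None) or one key definition; nothing is deleted."""
    target = namespace if key is None else namespace["keys"][key]
    target["retired"] = retired
    return target["retired"]
```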