generated from oracle-devrel/repo-template
-
Notifications
You must be signed in to change notification settings - Fork 45
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Moving location under compute-cloud-at-customer
- Loading branch information
Showing
7 changed files
with
0 additions
and
99 deletions.
There are no files selected for viewing
98 changes: 0 additions & 98 deletions
98
...d-infrastructure/private-cloud-and-edge/compute-cloud-at-customer/hsp/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,99 +1 @@ | ||
| # C3 Hosting Service Provider - IAM Policies for Isolation | ||
|
|
||
| Reviewed: 18.11.2024 | ||
|
|
||
| The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows | ||
| hosting for multiple end customers, each isolated in a dedicated compartment | ||
| with separate VCN(s) per customer. To ensure the end customer can only | ||
| create resources in just their own compartment, a set of IAM policies are | ||
| required. | ||
|
|
||
| The HSP documentation suggests the following policies per end customer | ||
| based on an example with two hosting customers, A & B. They assume that | ||
| each end customer will have two roles for their | ||
| staff: Customer Administrator and Customer End User. | ||
|
|
||
| ## Example Policies for Customer Administrator | ||
| ``` | ||
| Allows the group specified to use all C3 services in the compartment | ||
| listed: | ||
| Allow group CustA-Admin-grp to manage all-resources in compartment | ||
| path:to:CustA | ||
| Allow group CustB-Admin-grp to manage all-resources in compartment | ||
| path:to:CustB | ||
| ``` | ||
| Note that the above policy grants permissions in the CustA and CustB | ||
| compartments of the C3 but **also in the same compartment in the OCI | ||
| tenancy**! To prevent permissions being granted in the OCI tenancy | ||
| append a condition such as: | ||
|
|
||
| ```Allow group CustA-Admin-grp to manage all-resources in compartment | ||
| path:to:CustA where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustB-Admin-grp to manage all-resources in compartment | ||
| path:to:CustB where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| ``` | ||
| In the example above the condition prevents resource creation in London | ||
| and Frankfurt regions. Adjust the list to include all regions the | ||
| tenancy is subscribed to. | ||
|
|
||
| The path to the end user compartment must be explicitly stated, using | ||
| the colon delimited format, relative to the compartment where the policy is | ||
| created. | ||
|
|
||
| ## Example Policies for Customer End User | ||
| ``` | ||
| Allow group CustA-Users-grp to manage instance-family in compartment | ||
| path:to:CustA | ||
| Allow group CustA-Users-grp to use volume-family in compartment | ||
| path:to:CustA | ||
| Allow group CustA-Users-grp to use virtual-network-family in compartment | ||
| path:to:CustA | ||
| Allow group CustB-Users-grp to manage instance-family in compartment | ||
| path:to:CustB | ||
| Allow group CustB-Users-grp to use volume-family in compartment | ||
| path:to:CustB | ||
| Allow group CustB-Users-grp to use virtual-network-family in compartment | ||
| path:to:CustB | ||
| ``` | ||
| As above append a condition to limit permissions to the C3 and prevent | ||
| resource creation in OCI regions: | ||
| ``` | ||
| Allow group CustA-Users-grp to manage instance-family in compartment | ||
| path:to:CustA where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustA-Users-grp to use volume-family in compartment | ||
| path:to:CustA where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustA-Users-grp to use virtual-network-family in compartment | ||
| path:to:CustA where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustB-Users-grp to manage instance-family in compartment | ||
| path:to:CustB where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustB-Users-grp to use volume-family in compartment | ||
| path:to:CustB where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| Allow group CustB-Users-grp to use virtual-network-family in compartment | ||
| path:to:CustB where all {request.region != 'LHR',request.region != | ||
| 'FRA'} | ||
| ``` | ||
| ## Common Policy | ||
|
|
||
| Currently any user of a C3 needs access to certain resources located at | ||
| the tenancy level to use IaaS resources in the web UI. | ||
| Backup policies, tag namespaces, platform images, all reside at the | ||
| tenancy level and need a further policy to allow normal use of C3 IaaS | ||
| services. Note that this is a subtle difference to the behaviour on OCI. | ||
|
|
||
| An extra policy as below is required (where CommonGroup contains **all** | ||
| HSP users on the C3): | ||
| ``` | ||
| allow group CommonGroup to read all-resources in tenancy where | ||
| target.compartment.name='root-compartment-name' | ||
| ``` | ||
|
|
File renamed without changes.
File renamed without changes.
File renamed without changes
Binary file added
BIN
+770 KB
...ute-cloud-at-customer/hsp/restrict-access-to-oci-console/files/media/image2.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file was deleted.
Oops, something went wrong.
Binary file removed
BIN
-1 MB
...rivate-cloud-and-edge/hsp/restrict-access-to-oci-console/files/media/image2.png
Binary file not shown.