Policies for Managing Roving Edge Infrastructure

Describes how to set up the policies needed to create Roving Edge Infrastructure device orders in Oracle Cloud Infrastructure and to enable the provisioning and operation of your Roving Edge Infrastructure devices.

Note

Before ordering your nodes, you must set up your policies in Oracle Cloud Infrastructure to allow the required user access to various features and functionality associated with Roving Edge Infrastructure.

Allowing Access to Roving Edge Infrastructure Resources in OCI

Use the following syntax to allow your user groups access to Roving Edge Infrastructure resources in your tenancy:

allow group <admin_user_group> to manage rover-family in tenancy
allow group <admin_user_group> to manage rover-nodes in tenancy

where <admin_user_group> is a group created to manage Roving Edge Infrastructure administrators.

You can also narrow this access to compartments. For example, if you wanted to allow a group of users to manage all Roving Edge Infrastructure resources in the compartment "finance" in Oracle Cloud Infrastructure, use the following:

allow group rover-admins to manage rover-family in compartment finance
allow group rover-admins to manage rover-nodes in compartment finance

Allowing the Roving Edge Infrastructure Service to Attach Workloads

Setting this policy is required to grant the Roving Edge Infrastructure service read access to the buckets being attached as workloads in your node request. This read access policy allows the generation of a manifest file containing the information about the objects you want synced to your Roving Edge Infrastructure devices.

allow service rover to read object-family in tenancy
allow service rover to manage objectstorage-namespaces in tenancy

Note

You can narrow your access to a compartment. Ensure you give read access to all the compartments associated with all your workload buckets. For example, if you had two bucket workloads, one in compartment "finance" and the other in compartment "accounts," you would set this policy for both the compartments.

Ordering Roving Edge Infrastructure Devices Using the Console

You can create a policy that allows you to order and manage your Roving Edge Infrastructure devices by using the Create Policy template in the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.

  2. Click Create Policy. The Create Policy dialog box appears.

  3. Complete the required fields as described in Creating a Policy.

  4. Use the Policy Builder and select Let Users Create and Manage Roving Edge Devices under Common Policy templates.

  5. Follow the instructions displayed in the Policy Builder to configure your policy groups.

  6. Click Create. Your changes go into effect typically within 10 seconds.

Allowing Your Roving Edge Infrastructure Devices Object Storage Access

This section describes the steps required to allow your Roving Edge Infrastructure device to be provisioned with your Object Storage workloads and to perform data synchronization while the device is in your possession.

Each Roving Edge Infrastructure device node functions as a resource in Oracle Cloud Infrastructure, requiring permission to read/write buckets in your compartments within your tenancy for data sync tasks. After a node is submitted for provisioning, create a dynamic group containing the single node. See Managing Dynamic Groups for more information on how to create dynamic groups.

Create a dynamic group called "roving-edge-devices" with the following matching rule:

All {resource.type='rovernode'}

Grant this dynamic-group a policy to read and write to buckets, for example:

allow dynamic-group roving-edge-devices to manage object-family in tenancy

Grant the dynamic group access to the Object Storage namespace:

allow dynamic-group roving-edge-devices to manage objectstorage-namespaces in tenancy

Enabling Disconnected Upgrade Bundle Delivery

To enable disconnected upgrade bundles to be delivered to your tenancy, follow these instructions:

Grant the requester object create and overwrite permissions to the destination bucket:

allow group <group_name> to manage object-family in compartment <compartment_name>

Grant the object storage service in the region to manage the buckets in your tenancy:

allow service objectstorage-<region_identifier> to manage object-family in tenancy

You could also create narrower permissions using:

allow service objectstorage-<region_identifier> to manage object-family in compartment <compartment-name>
where any {request.permission='OBJECT_READ', request.permission='OBJECT_INSPECT', request.permission='OBJECT_CREATE',
request.permission='OBJECT_OVERWRITE', request.permission='OBJECT_DELETE'}

See Regions and Availability Domains for a list of region identifiers.

Enabling Certificate Management

This section describes the steps required to allow your administrators to create certificate authorities and to allow your Roving Edge Infrastructure device to access certificate management resources in Oracle Cloud Infrastructure.

Create a policy for the security administrators to create a vault and a master key:

Allow group <security-admin-group> to manage vaults in tenancy
Allow group <security-admin-group> to manage keys in tenancy

Create a policy for the security administrators to use the certificate authority:

Allow group <security-admin-group> to use certificate-authority-family in tenancy
Allow group <security-admin-group> to use key-delegate in tenancy

Create a dynamic group (for example, named certificate-authority-dynamic-group) with the following matching rule:

all {resource.type='certificateauthority'}

Create a policy for the certificate authority to use keys:

Allow dynamic-group certificate-authority-dynamic-group to use keys in compartment <compartment_name>

Create a policy for Roving Edge Infrastructure nodes to fetch and update their certificate configurations:

Allow dynamic-group roving-edge-devices to use rover-family in tenancy

Create a policy for Roving Edge Infrastructure devices to use the certificate authority and manage certificates:

Allow dynamic-group roving-edge-devices to manage leaf-certificate-family in tenancy
Allow dynamic-group roving-edge-devices to use certificate-authority-family in tenancy

Policy Examples

The group rover-admins is defined to be the administrator for Roving Edge Infrastructure resources:

allow group rover-admins to manage rover-family in tenancy
allow group rover-admins to manage rover-nodes in tenancy

Allow Roving Edge Infrastructure to attach workloads:

allow group rover-admins to read object-family in tenancy
allow group rover-admins to read instance-images in tenancy

Allow Roving Edge Infrastructure access to Object Storage:

allow dynamic-group roving-edge-devices to manage object-family in tenancy
allow dynamic-group roving-edge-devices to manage objectstorage-namespaces in tenancy

Enable disconnected upgrade bundle delivery:

allow group rover-admins to read object-family in tenancy
allow dynamic-group roving-edge-devices to manage object-family in tenancy

Enable certificate management:

allow group CertificateAdmins to manage vaults in tenancy
allow group CertificateAdmins to manage keys in tenancy
allow group CertificateAdmins to manage certificate-authority-family in tenancy
allow group CertificateAdmins to use key-delegate in tenancy
allow group rover-admins to read certificate-authority-family in tenancy
allow dynamic-group certificate-authority-dynamic-group to use keys in tenancy
allow dynamic-group roving-edge-devices to use rover-family in tenancy
allow dynamic-group roving-edge-devices to manage leaf-certificate-family in tenancy
allow dynamic-group roving-edge-devices to use certificate-authority-family in tenancy
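The page recommends narrowing tenancy-wide grants to compartments, and shows a where-clause (the disconnected upgrade bundle policy) and dynamic-group matching rules (All {resource.type='rovernode'}) that share one "any/all {key='value', ...}" syntax. The following is an added example, not Oracle's code and not part of the original page: a small Python reviewer that parses statements of the shape shown above, flags unconditional tenancy-wide "manage" grants so they can be scoped to a compartment before the policy is created, and evaluates a matching rule against a resource's attributes. It assumes only the subset of the OCI policy language that appears on this page (no aliases, define/endorse/admit, or other condition variables); the sample policy text and the region identifier us-ashburn-1 are constructed for the example.

```python
"""Added example (not Oracle's code): review OCI IAM policy statements of the
shape used on this page and evaluate dynamic-group matching rules.
Assumed grammar (a subset of the real policy language):
  allow <group|dynamic-group|service> <name> to <verb> <resource>
      in (tenancy | compartment <name>) [where (any|all) {k='v', ...}]
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<stype>group|dynamic-group|service)\s+(?P<subject>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
# Shared by where-clauses and dynamic-group matching rules: any/all {k='v', ...}
CONDITION_RE = re.compile(r"^(?P<mode>any|all)\s*\{(?P<body>.*)\}\s*$",
                          re.IGNORECASE | re.DOTALL)
PAIR_RE = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")

Condition = Tuple[str, List[Tuple[str, str]]]  # (mode, [(key, value), ...])


@dataclass(frozen=True)
class Statement:
    subject_type: str
    subject: str
    verb: str
    resource: str
    scope: str                      # "tenancy" or "compartment <name>"
    condition: Optional[Condition]  # None when there is no where-clause


def parse_condition(text: str) -> Condition:
    """Parse "any {k='v', ...}" / "all {...}" into (mode, pairs); keys may repeat."""
    m = CONDITION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported condition syntax: {text!r}")
    pairs = PAIR_RE.findall(m.group("body"))
    if not pairs:
        raise ValueError(f"no key='value' pairs in condition: {text!r}")
    return m.group("mode").lower(), pairs


def parse_statement(text: str) -> Statement:
    """Parse one statement; line breaks inside a statement are collapsed first."""
    m = STATEMENT_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError(f"unsupported statement syntax: {text!r}")
    scope = m.group("scope")
    where = m.group("where")
    return Statement(
        subject_type=m.group("stype").lower(),
        subject=m.group("subject"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope="tenancy" if scope.lower() == "tenancy" else scope,
        condition=parse_condition(where) if where else None,
    )


def parse_policy(text: str) -> List[Statement]:
    """Split policy text into statements; a line not starting with 'allow'
    continues the previous statement (as in the multi-line where-clause above)."""
    chunks: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().lower().startswith("allow "):
            chunks.append(line)
        elif chunks:
            chunks[-1] += " " + line
        else:
            raise ValueError(f"continuation line without a statement: {line!r}")
    return [parse_statement(c) for c in chunks]


def matches_rule(rule: str, attrs: Dict[str, str]) -> bool:
    """Evaluate a dynamic-group matching rule against a resource's attributes."""
    mode, pairs = parse_condition(rule)
    hits = [attrs.get(key) == value for key, value in pairs]
    return any(hits) if mode == "any" else all(hits)


def review(statements: List[Statement]) -> List[str]:
    """Flag unconditional tenancy-wide 'manage' grants as candidates for scoping."""
    findings = []
    for s in statements:
        if s.verb == "manage" and s.scope == "tenancy" and s.condition is None:
            findings.append(f"{s.subject_type} {s.subject}: 'manage {s.resource}' "
                            f"is tenancy-wide and unconditional; consider "
                            f"'in compartment <name>' or a where-clause")
    return findings


# Constructed sample, assembled from the statement shapes on this page.
SAMPLE_POLICY = """\
allow group rover-admins to manage rover-family in compartment finance
allow group rover-admins to manage rover-nodes in compartment finance
allow service rover to read object-family in tenancy
allow dynamic-group roving-edge-devices to manage object-family in tenancy
allow service objectstorage-us-ashburn-1 to manage object-family in compartment finance
where any {request.permission='OBJECT_READ', request.permission='OBJECT_INSPECT', request.permission='OBJECT_CREATE',
request.permission='OBJECT_OVERWRITE', request.permission='OBJECT_DELETE'}
"""
ROVER_NODE_RULE = "All {resource.type='rovernode'}"   # matching rule from this page

if __name__ == "__main__":
    for stmt in parse_policy(SAMPLE_POLICY):
        print(stmt)
    for finding in review(parse_policy(SAMPLE_POLICY)):
        print("FINDING:", finding)
    print("rovernode matches:", matches_rule(ROVER_NODE_RULE, {"resource.type": "rovernode"}))
```

Run it against a policy text before submitting it through the Console or CLI; a finding is not an error but a prompt to decide whether the tenancy-wide grant (for example, the roving-edge-devices object-family grant, which the page shows at tenancy scope) can be limited to the compartments that actually hold your workload buckets.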