Identity Domain Integration
Identity Domain integration enables OCI Identity Domain users to access Big Data Service 3.0.29 or later cluster resources. Identity Domain integration also enables Big Data Service 3.0.29 or later cluster users to access OCI services.
This is achieved by synchronizing users and groups between the Identity Domain and the Big Data Service cluster, and by supporting the exchange of User Principal Session Tokens (UPST) for Kerberos tokens.
Prerequisites
Before you proceed with Identity Domain configuration, ensure the following prerequisites are met.
- Minimum version requirements:
  - Big Data Service 3.0.29 or later
  - ODH 2.0.10 or later
- The cluster configuration must be Highly Available.
- Requirements to exchange UPST tokens for Kerberos tokens:
  - The Big Data Service user that enables this feature must have the admin privilege in the identity domain that is being integrated with the Big Data Service cluster.
  - The user must have an OCI vault, and a master encryption key of key shape AES in that vault, to store the secret used by this feature.
  - The user that creates the UPST configuration must have permission to create secrets inside the vault.
  - The identity domain being configured must have permission to read secrets in the configured vault. For example:
    allow resource domain <identity-domain> to read secret-family in tenancy where all {target.vault.id = '<vault-id>'}
  - A policy that lets users read the Object Storage bucket. For example:
    allow group <domain_name>/<group_name> to manage objects in compartment ABC
- Requirements specific to Oracle Identity Cloud Service (IDCS) user sync:
  - The cluster version must be IDCS 3.0.30 or later.
  - The IDCS application being integrated for the user sync feature must have the Identity Domain Administrator role.
  - The IDCS application being integrated for the user sync feature must have the Client Credentials authorization grant type enabled.
  - The Big Data Service cluster can't be integrated with Active Directory.