Migrate Object Collection Workflow from Service Principal to Resource Principal

Prerequisites for Migration of Object Collection

Retrieve the list of all LIVE and HISTORIC_LIVE object collection rules in your tenancy or compartment, including the following details:

  • Object Collection Rule OCID
  • Compartment OCID
  • Object Storage Namespace

See List API Documentation.

For the migration steps, follow the section that matches your setup: Migration Steps for Same Tenancy Object Collection or Migration Steps for Cross Tenancy Object Collection.

Migration Steps for Same Tenancy Object Collection

  1. Create a dynamic group named <Dynamic_Group> with the following matching rule. See Create a Dynamic Group.
    ALL {resource.type='loganalyticsobjectcollectionrule'}
  2. Add the following policy statements:
    allow DYNAMIC-GROUP <Dynamic_Group> to read buckets in compartment/tenancy
    allow DYNAMIC-GROUP <Dynamic_Group> to read objects in compartment/tenancy
    allow DYNAMIC-GROUP <Dynamic_Group> to manage cloudevents-rules in compartment/tenancy
    allow DYNAMIC-GROUP <Dynamic_Group> to inspect compartments in tenancy
    allow DYNAMIC-GROUP <Dynamic_Group> to use tag-namespaces in tenancy where all {target.tag-namespace.name = /oracle-tags/}
    allow resource loganalyticsvrp LogAnalyticsVirtualResource to {BUCKET_READ} in tenancy
  3. After the successful creation of dynamic group and modification of policies, follow Validate the Migration of Object Collection. Removing existing service principal based policies without a successful validation may cause data loss.
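Before removing the old policies, it helps to confirm that every resource principal statement from step 2 is actually present. The following Python script is an added example, not Oracle's code: it renders the six statements above for a given dynamic group name and scope, normalizes whitespace and case for comparison, and reports which ones are missing from a set of existing statements (the existing statements here are constructed sample input; in practice they come from the policy in your tenancy).

```python
import re

# Same-tenancy resource principal statements from step 2 above.
# {dg} is the dynamic group name, {scope} is "compartment <name>" or "tenancy".
REQUIRED_TEMPLATES = [
    "allow DYNAMIC-GROUP {dg} to read buckets in {scope}",
    "allow DYNAMIC-GROUP {dg} to read objects in {scope}",
    "allow DYNAMIC-GROUP {dg} to manage cloudevents-rules in {scope}",
    "allow DYNAMIC-GROUP {dg} to inspect compartments in tenancy",
    "allow DYNAMIC-GROUP {dg} to use tag-namespaces in tenancy "
    "where all {{target.tag-namespace.name = /oracle-tags/}}",
    "allow resource loganalyticsvrp LogAnalyticsVirtualResource "
    "to {{BUCKET_READ}} in tenancy",
]


def normalize(statement: str) -> str:
    """Collapse whitespace and lower-case so that cosmetic differences
    (extra spaces, capitalised keywords) do not hide a matching statement.
    This normalization is an assumption made for comparison only."""
    return re.sub(r"\s+", " ", statement).strip().lower()


def required_statements(dynamic_group: str, scope: str) -> list:
    """Render the statements step 2 asks for, e.g. scope='compartment logs'."""
    return [t.format(dg=dynamic_group, scope=scope) for t in REQUIRED_TEMPLATES]


def missing_statements(existing: list, dynamic_group: str, scope: str) -> list:
    """Return the required statements that are not present in `existing`."""
    have = {normalize(s) for s in existing}
    return [s for s in required_statements(dynamic_group, scope)
            if normalize(s) not in have]


# Constructed sample: a policy that still holds the service principal statements
# and only part of the new resource principal set.
SAMPLE_POLICY = [
    "allow service loganalytics to read buckets in compartment logs",
    "allow service loganalytics to read objects in compartment logs",
    "Allow dynamic-group oclr-dg to read buckets in compartment logs",
    "allow DYNAMIC-GROUP  oclr-dg to read objects in compartment   logs",
    "allow DYNAMIC-GROUP oclr-dg to inspect compartments in tenancy",
]

if __name__ == "__main__":
    for s in missing_statements(SAMPLE_POLICY, "oclr-dg", "compartment logs"):
        print("MISSING:", s)
```

The cross-tenancy endorse and admit statements can be checked the same way by swapping in their templates.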
Note

The above steps only migrate the policies associated with the service principal to the resource principal. The policies created for user groups to manage the object collection rules remain unchanged.

Migration Steps for Cross Tenancy Object Collection

Let Guest_Tenant refer to the tenant from which logs need to be collected, and Bucket_Compartment be the compartment of Guest_Tenant containing the object storage bucket. Let Host_Tenant refer to the tenant subscribed to Oracle Logging Analytics, where the object collection exists.

  1. Create a dynamic group named <Dynamic_Group> in Host_Tenant with the following matching rule. Note its OCID. See Create a Dynamic Group.
    ALL {resource.type='loganalyticsobjectcollectionrule'}
  2. Add the following policy statements in Host_Tenant:
    endorse group <Host_User_Group> to {OBJECT_INSPECT, OBJECT_READ} in compartment <Bucket_Compartment>
    endorse DYNAMIC-GROUP <Dynamic_Group> to read buckets in compartment <Bucket_Compartment>
    endorse DYNAMIC-GROUP <Dynamic_Group> to read objects in compartment <Bucket_Compartment>
    endorse DYNAMIC-GROUP <Dynamic_Group> to manage cloudevents-rules in compartment <Bucket_Compartment>
    endorse DYNAMIC-GROUP <Dynamic_Group> to inspect compartments in tenancy <Guest_Tenant>
    endorse DYNAMIC-GROUP <Dynamic_Group> to use tag-namespaces in tenancy <Guest_Tenant> where all {target.tag-namespace.name = /oracle-tags/}
  3. Add the following policy statements in Guest_Tenant:
    define DYNAMIC-GROUP <Dynamic_Group> as <Dynamic_Group_OCID>
    admit group <Host_User_Group> of tenancy <Host_Tenant> to {OBJECT_INSPECT, OBJECT_READ} in compartment <Bucket_Compartment>
    admit DYNAMIC-GROUP <Dynamic_Group> of tenancy <Host_Tenant> to read buckets in compartment <Bucket_Compartment>
    admit DYNAMIC-GROUP <Dynamic_Group> of tenancy <Host_Tenant> to read objects in compartment <Bucket_Compartment>
    admit DYNAMIC-GROUP <Dynamic_Group> of tenancy <Host_Tenant> to manage cloudevents-rules in compartment <Bucket_Compartment>
    admit DYNAMIC-GROUP <Dynamic_Group> of tenancy <Host_Tenant> to inspect compartments in compartment <Bucket_Compartment>
    admit DYNAMIC-GROUP <Dynamic_Group> of tenancy <Host_Tenant> to use tag-namespaces in tenancy where all {target.tag-namespace.name = /oracle-tags/}
  4. After the successful creation of the dynamic group and modification of the policies, follow Validate the Migration of Object Collection. Removing existing service principal based policies without a successful validation may cause data loss.
Note

The above steps only migrate the policies associated with the service principal to the resource principal. The policies created for user groups to manage the object collection rules remain unchanged.

Validate the Migration of Object Collection

Allow approximately 1 hour for the policy changes to take effect before performing this validation.

The Processing Errors feature of Oracle Logging Analytics can be used to validate the migration of the object collection flow from service principal based policies to resource principal based policies.

  1. Navigate to Metrics Explorer: Go to OCI console. Click the Navigation Menu icon, click Observability & Management, and click on Metrics Explorer under Monitoring.
  2. View Metrics:
    1. Select the time range Last 24 hours.
    2. Select the compartment where the object collection rule exists.
    3. Select the metric namespace oci_logging_analytics.
    4. Select the metric name ProcessingErrors.

      By default, the interval is 1 minute.

    5. Select the statistic Sum.
    6. Select the dimension name collectionType and dimension value ObjectCollection.
    7. Click the Additional dimension button.
    8. Select the dimension name errorType and dimension value NotAuthorizedOrNotFound_RP_ObjectStorage_Read.
    9. Click Update Chart.
  3. Validate metrics:

    • Initially, some data points are present for this metric (section A in the image below), indicating that objects are still being processed using the service principal based policies.
    • Once the policy changes take effect, there should be no further data points in the metric (section B in the image below) and the graph should drop to 0, indicating that the resource principal based policies are functioning correctly and that the validation is successful.
    • If any data points are still present more than 1 hour after changing the policies, some policies are probably missing and the validation has failed.
    • For example:

      [Figure: Data points in the metric]

      At 08:39 UTC the policy changes take effect, and no data points appear after that time. This pattern must be observed for a successful validation.

    • If the validation fails, wait for another 1 hour and try re-running the validation steps. If the validation continues to fail, cross-check the policies and dynamic group. For more help, contact Oracle Support.
    • After the validation is successful, follow Post Migration Cleanup for Object Collection.
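The chart check in step 3 can be scripted so it is repeatable. The following Python is an added example, not Oracle's code: it writes the MQL query that corresponds to the Metrics Explorer selections above and applies the validation rule to a series of (timestamp, sum) data points. The data points, the policy change time and the `utc` helper are constructed sample input; in practice the points come from a Monitoring query of the ProcessingErrors metric.

```python
from datetime import datetime, timedelta, timezone

# MQL query equivalent to the Metrics Explorer selections in step 2:
# metric ProcessingErrors, 1 minute interval, statistic Sum, both dimensions.
VALIDATION_QUERY = (
    'ProcessingErrors[1m]{collectionType = "ObjectCollection", '
    'errorType = "NotAuthorizedOrNotFound_RP_ObjectStorage_Read"}.sum()'
)
PROPAGATION = timedelta(hours=1)  # wait time the page gives for policy changes


def utc(hour, minute):
    """Constructed timestamp helper (the date is arbitrary sample data)."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def validate_migration(datapoints, policy_changed_at, now):
    """Apply the step 3 rule to (timestamp, sum) points of the query above.

    Returns (ok, reason): ok is True only when the propagation window has
    elapsed and no non-zero error count was recorded after it.
    """
    cutoff = policy_changed_at + PROPAGATION
    if now < cutoff:
        return False, "wait until %s for policies to propagate" % cutoff.time()
    late = [(ts, v) for ts, v in datapoints if ts >= cutoff and v > 0]
    if late:
        return False, "%d error point(s) after %s, first at %s: check policies and dynamic group" % (
            len(late), cutoff.time(), late[0][0].time())
    return True, "no resource principal read errors after %s" % cutoff.time()


# Constructed sample series. Policies were changed at 07:39 UTC; errors taper
# off and stop before 08:39 UTC, the pattern the page describes as successful.
CHANGED_AT = utc(7, 39)
GOOD_SERIES = [(utc(7, 30), 5), (utc(7, 45), 3), (utc(8, 10), 1)]
# Same series plus an error an hour after the cutoff: some policy is missing.
BAD_SERIES = GOOD_SERIES + [(utc(9, 40), 2)]

if __name__ == "__main__":
    print(VALIDATION_QUERY)
    for name, series in (("good", GOOD_SERIES), ("bad", BAD_SERIES)):
        print(name, validate_migration(series, CHANGED_AT, utc(10, 0)))
```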

Post Migration Cleanup for Object Collection

Note

Removing the existing service principal based policies without a successful validation will cause data loss.

You may remove policies similar to the following service principal based policies from the tenancy where the object storage bucket exists:

allow service loganalytics to read buckets in compartment/tenancy
allow service loganalytics to read objects in compartment/tenancy
allow service loganalytics to manage cloudevents-rules in compartment/tenancy
allow service loganalytics to inspect compartments in tenancy
allow service loganalytics to use tag-namespaces in tenancy where all {target.tag-namespace.name = /oracle-tags/}