
Commit 4ec99a8

Merge branch 'main' into ppaolucc-SQL-Product-Restyling-I
2 parents 8016139 + 943dddd commit 4ec99a8


7 files changed

+135
-100
lines changed

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
1-
streamlit==1.33.0
1+
streamlit==1.37.0
22
oci==3.50.1
33
Pillow
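Review bot: Pillow on the third line of this requirements.txt is still unpinned while streamlit and oci carry exact pins, so moving to streamlit==1.37.0 does not make the install reproducible; pin Pillow as well (for example `Pillow==<tested version>`, placeholder) so a future Pillow release cannot silently change what is deployed, and record why streamlit was taken from 1.33.0 to 1.37.0 in the merged PR description, since the merge commit message does not say.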

cloud-infrastructure/ai-infra-gpu/ai-infrastructure/rag-langchain-vllm-mistral/files/requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
aiohttp==3.10.2
1+
aiohttp==3.10.11
22
aiosignal==1.3.1
33
annotated-types==0.6.0
44
anyio==4.3.0
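Review bot: The bump from aiohttp==3.10.2 to aiohttp==3.10.11 is a patch-level change within the same minor series and the neighbouring pins (aiosignal, annotated-types, anyio) are untouched, so the change itself is low risk; what is missing is the reason for it, which the merge commit message does not give. Suggest stating in the PR whether this came from a dependency-audit finding, and consider running an audit tool such as pip-audit in CI so pins in this file are refreshed on advisories rather than ad hoc.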
Lines changed: 0 additions & 98 deletions
Original file line numberDiff line numberDiff line change
@@ -1,99 +1 @@
1-
# C3 Hosting Service Provider - IAM Policies for Isolation
2-
3-
Reviewed: 18.11.2024
4-
5-
The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
6-
hosting for multiple end customers, each isolated in a dedicated compartment
7-
with separate VCN(s) per customer. To ensure the end customer can only
8-
create resources in just their own compartment, a set of IAM policies are
9-
required.
10-
11-
The HSP documentation suggests the following policies per end customer
12-
based on an example with two hosting customers, A & B. They assume that
13-
each end customer will have two roles for their
14-
staff: Customer Administrator and Customer End User. 
15-
16-
## Example Policies for Customer Administrator
17-
```
18-
Allows the group specified to use all C3 services in the compartment
19-
listed:
20-
21-
Allow group CustA-Admin-grp to manage all-resources in compartment
22-
path:to:CustA
23-
24-
Allow group CustB-Admin-grp to manage all-resources in compartment
25-
path:to:CustB
26-
```
27-
Note that the above policy grants permissions in the CustA and CustB
28-
compartments of the C3 but **also in the same compartment in the OCI
29-
tenancy**! To prevent permissions being granted in the OCI tenancy
30-
append a condition such as:
31-
32-
```Allow group CustA-Admin-grp to manage all-resources in compartment
33-
path:to:CustA where all {request.region != 'LHR',request.region !=
34-
'FRA'}
35-
36-
Allow group CustB-Admin-grp to manage all-resources in compartment
37-
path:to:CustB where all {request.region != 'LHR',request.region !=
38-
'FRA'}
39-
```
40-
In the example above the condition prevents resource creation in London
41-
and Frankfurt regions. Adjust the list to include all regions the
42-
tenancy is subscribed to.
43-
44-
The path to the end user compartment must be explicitly stated, using
45-
the comma format, relative to the compartment where the policy is
46-
created. 
47-
48-
## Example Policies for Customer End User
49-
```
50-
Allow group CustA-Users-grp to manage instance-family in compartment
51-
path:to:CustA
52-
Allow group CustA-Users-grp to use volume-family in compartment
53-
path:to:CustA
54-
Allow group CustA-Users-grp to use virtual-network-family in compartment
55-
path:to:CustA
56-
Allow group CustB-Users-grp to manage instance-family in compartment
57-
path:to:CustB
58-
Allow group CustB-Users-grp to use volume-family in compartment
59-
path:to:CustB
60-
Allow group CustB-Users-grp to use virtual-network-family in compartment
61-
path:to:CustB
62-
```
63-
As above append a condition to limit permissions to the C3 and prevent
64-
resource creation in OCI regions:
65-
```
66-
Allow group CustA-Users-grp to manage instance-family in compartment
67-
path:to:CustA where all {request.region != 'LHR',request.region !=
68-
'FRA'}
69-
Allow group CustA-Users-grp to use volume-family in compartment
70-
path:to:CustA where all {request.region != 'LHR',request.region !=
71-
'FRA'}
72-
Allow group CustA-Users-grp to use virtual-network-family in compartment
73-
path:to:CustA where all {request.region != 'LHR',request.region !=
74-
'FRA'}
75-
Allow group CustB-Users-grp to manage instance-family in compartment
76-
path:to:CustB where all {request.region != 'LHR',request.region !=
77-
'FRA'}
78-
Allow group CustB-Users-grp to use volume-family in compartment
79-
path:to:CustB where all {request.region != 'LHR',request.region !=
80-
'FRA'}
81-
Allow group CustB-Users-grp to use virtual-network-family in compartment
82-
path:to:CustB where all {request.region != 'LHR',request.region !=
83-
'FRA'}
84-
```
85-
## Common Policy
86-
87-
Currently any user of a C3 needs access to certain resources located at
88-
the tenancy level to use IaaS resources in the web UI.
89-
Backup policies, tag namespaces, platform images, all reside at the
90-
tenancy level and need a further policy to allow normal use of C3 IaaS
91-
services. Note that this is a subtle difference to the behaviour on OCI. 
92-
93-
An extra policy as below is required (where CommonGroup contains **all**
94-
HSP users on the C3):
95-
```
96-
allow group CommonGroup to read all-resources in tenancy where
97-
target.compartment.name='root-compartment-name'
98-
```
991
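Review bot: This 99-line deletion is one half of a file move; the same README reappears in the next hunk with a single wording change, so the point here is that the old file's defects travel with it. On old line 32 the second fenced block opens with the three backticks and `Allow group CustA-Admin-grp to manage all-resources in compartment` on the same line, which turns the first policy statement into the fence's info string and drops it from the rendered block, and the first fenced block (old lines 17-26) mixes explanatory prose with the policy statements. Fix both in the new location rather than restoring them here.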

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,99 @@
1+
# C3 Hosting Service Provider - IAM Policies for Isolation
2+
3+
Reviewed: 18.11.2024
4+
5+
The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
6+
hosting for multiple end customers, each isolated in a dedicated compartment
7+
with separate VCN(s) per customer. To ensure the end customer can only
8+
create resources in just their own compartment, a set of IAM policies are
9+
required.
10+
11+
The HSP documentation suggests the following policies per end customer
12+
based on an example with two hosting customers, A & B. They assume that
13+
each end customer will have two roles for their
14+
staff: Customer Administrator and Customer End User. 
15+
16+
## Example Policies for Customer Administrator
17+
```
18+
Allows the group specified to use all C3 services in the compartment
19+
listed:
20+
21+
Allow group CustA-Admin-grp to manage all-resources in compartment
22+
path:to:CustA
23+
24+
Allow group CustB-Admin-grp to manage all-resources in compartment
25+
path:to:CustB
26+
```
27+
Note that the above policy grants permissions in the CustA and CustB
28+
compartments of the C3 but **also in the same compartment in the OCI
29+
tenancy**! To prevent permissions being granted in the OCI tenancy
30+
append a condition such as:
31+
32+
```Allow group CustA-Admin-grp to manage all-resources in compartment
33+
path:to:CustA where all {request.region != 'LHR',request.region !=
34+
'FRA'}
35+
36+
Allow group CustB-Admin-grp to manage all-resources in compartment
37+
path:to:CustB where all {request.region != 'LHR',request.region !=
38+
'FRA'}
39+
```
40+
In the example above the condition prevents resource creation in London
41+
and Frankfurt regions. Adjust the list to include all regions the
42+
tenancy is subscribed to.
43+
44+
The path to the end user compartment must be explicitly stated, using
45+
the colon delimited format, relative to the compartment where the policy is
46+
created. 
47+
48+
## Example Policies for Customer End User
49+
```
50+
Allow group CustA-Users-grp to manage instance-family in compartment
51+
path:to:CustA
52+
Allow group CustA-Users-grp to use volume-family in compartment
53+
path:to:CustA
54+
Allow group CustA-Users-grp to use virtual-network-family in compartment
55+
path:to:CustA
56+
Allow group CustB-Users-grp to manage instance-family in compartment
57+
path:to:CustB
58+
Allow group CustB-Users-grp to use volume-family in compartment
59+
path:to:CustB
60+
Allow group CustB-Users-grp to use virtual-network-family in compartment
61+
path:to:CustB
62+
```
63+
As above append a condition to limit permissions to the C3 and prevent
64+
resource creation in OCI regions:
65+
```
66+
Allow group CustA-Users-grp to manage instance-family in compartment
67+
path:to:CustA where all {request.region != 'LHR',request.region !=
68+
'FRA'}
69+
Allow group CustA-Users-grp to use volume-family in compartment
70+
path:to:CustA where all {request.region != 'LHR',request.region !=
71+
'FRA'}
72+
Allow group CustA-Users-grp to use virtual-network-family in compartment
73+
path:to:CustA where all {request.region != 'LHR',request.region !=
74+
'FRA'}
75+
Allow group CustB-Users-grp to manage instance-family in compartment
76+
path:to:CustB where all {request.region != 'LHR',request.region !=
77+
'FRA'}
78+
Allow group CustB-Users-grp to use volume-family in compartment
79+
path:to:CustB where all {request.region != 'LHR',request.region !=
80+
'FRA'}
81+
Allow group CustB-Users-grp to use virtual-network-family in compartment
82+
path:to:CustB where all {request.region != 'LHR',request.region !=
83+
'FRA'}
84+
```
85+
## Common Policy
86+
87+
Currently any user of a C3 needs access to certain resources located at
88+
the tenancy level to use IaaS resources in the web UI.
89+
Backup policies, tag namespaces, platform images, all reside at the
90+
tenancy level and need a further policy to allow normal use of C3 IaaS
91+
services. Note that this is a subtle difference to the behaviour on OCI. 
92+
93+
An extra policy as below is required (where CommonGroup contains **all**
94+
HSP users on the C3):
95+
```
96+
allow group CommonGroup to read all-resources in tenancy where
97+
target.compartment.name='root-compartment-name'
98+
```
99+
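Review bot: The isolation in lines 32-38 and 66-83 rests on a deny-list of region codes (`request.region != 'LHR'`, `request.region != 'FRA'`), so a newly subscribed OCI region is not covered until someone edits every per-customer policy, and until then the Admin groups hold `manage all-resources` in the matching OCI compartment; lines 40-42 acknowledge this, but the document should state it as an operational check (re-verify these conditions whenever a region is subscribed) or describe a positive match on the C3's own region if that identifier can be tested instead. Separately, line 32 still opens the fenced block with the backticks and `Allow group CustA-Admin-grp ...` on one line, which hides the first policy statement when rendered; put the backticks on their own line. The only wording change from the deleted copy is `comma format` to `colon delimited format` at line 45, which is correct given the `path:to:CustA` examples.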
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
# C3 HSP - Restricting Access to the OCI Console
2+
3+
In the HSP scenario where end users are not employees of the rack
4+
operator it's probably not appropriate for them to be able to access the
5+
OCI console and to, possibly, create resources in the public cloud.
6+
7+
In an OCI tenancy using Identity Domains, i.e. all new tenancies, then
8+
there is an option to use [IAM Sign-On
9+
Policies](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies)
10+
to prevent access to the OCI Console. There is a [specific Sign-On
11+
Policy that controls access to the OCI
12+
Console](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies__securitypolicy-console-signonpolicy)
13+
and adding a new Sign-On Rule will disable access. Note that all users
14+
of a C3 must be created in the **default identity domain**. The Security
15+
Policy for OCI Console sign-on policy is activated by default and
16+
preconfigured with Oracle security best practices. Once located a new
17+
Sign-On rule as below will deny access to a specifed group:
18+
![](./files/media/image1.png)
19+
20+
Once the new Sign-On rule is created then it should be added to the
21+
Policy as shown, in this case before the MFA rule: 
22+
23+
![](./files/media/image2.png)
24+
25+
Note!
26+
27+
Even with OCI console access disabled there are still "live" OCI users
28+
who will have access to create/delete/modify resources via teh API in the OCI tenancy
29+
as well as the C3 as the policies and compartments are common across
30+
both. It would be wise to further restrict the capability of these users
31+
as per
32+
<https://docs.oracle.com/en-us/iaas/Content/Identity/users/edit-users-capabilities.htm>
33+
34+
Ideally a policy should be implemented that restricts permissions **only** to the C3, see [this](../iam-policies-for-isolation/README.md) note.
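Review bot: The `Note!` paragraph (lines 25-30) is the important one and should say plainly that a console Sign-On rule is a usability control, not an isolation boundary: the same users keep their IAM policies and can still reach the OCI tenancy through API keys, auth tokens and other credentials, so the capability restriction linked at line 32 and the region-conditioned policies referenced at line 34 are the actual controls. It would also help to state which capabilities C3 end users still need, since disabling API keys blocks OCI CLI/SDK use against the C3 as well if they rely on it. Two typos in the hunk: `specifed` (line 17) and `teh API` (line 28).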
