Managing Resource Principals
You can manage Big Data Service cluster resource principals from the Cluster details page.
Only one active resource principal configuration is allowed per cluster.
Big Data Service 3.0.28 and ODH version 1.1.13/2.0.9 supports resource principals. Older clusters that follow the upgrade path with minimum Big Data Service 3.0.27 (Direct cluster creation or upgraded) are eligible for upgrade to support resource principals. To use resource principals, both Big Data Service and ODH must be upgraded to versions listed previously. With the introduction of resource principal support, Big Data Service can connect to different OCI services using resource principal authentication and policies can be defined for multiple levels (resource level, compartment level, and so on).
To manage Big Data Service cluster resource principals, see:
- Creating a Resource Principal
- Editing a Resource Principal
- Deleting a Resource Principal
- Regenerating a Resource Principal Token
- Getting Resource Principal Details
- Listing Resource Principals
A new resource principal session token is issued and distributed to all the nodes in the cluster in the following situations:
- Replacing a node
- Adding a node
Prerequisites
- Big Data Service 3.0.28 or later
- ODH 1.1.13 or later for ODH 1
- ODH 2.0.9 or later for ODH 2
- The
update bds
permissionFor more information on Big Data Service policies, see Big Data Service Policies
Example Policies
The following policies can also be created for a specific group.
Allow read-only access to Big Data Service the objects and buckets in the tenancy for a cluster
allow any-user to read buckets in tenancy where ALL{request.principal.id='<BDS Cluster OCID>'}
allow any-user to read objects in tenancy where ALL{request.principal.id='<BDS Cluster OCID>'}
Allow read-only access to specific buckets in the tenancy for Big Data Service cluster
allow any-user to read buckets in tenancy where ALL{request.principal.id='<BDS Cluster OCID>',target.bucket.name='<bucket-name>'}
allow any-user to read objects in tenancy where ALL{request.principal.id='<BDS Cluster OCID>',target.bucket.name='<bucket-name>'}
Allow read-only access to the objects and buckets in the tenancy for all the Big Data Service clusters originating from specific compartment
allow any-user to read buckets in tenancy where ALL{request.resource.compartment.id='<Compartment OCID of BDS Clusters>', request.principal.type='bigdataservice'}
allow any-user to read objects in tenancy where ALL{request.resource.compartment.id='<Compartment OCID of BDS Clusters>', request.principal.type='bigdataservice'}
Allow read-only access to the objects and buckets in different tenant for the Big Data Service cluster (Cross tenancy access for example)
Policies required in source tenancy where actual Big Data Service cluster created.
Define tenancy <Target-Tenancy-Name> as <Target-Tenancy-OCID>
Endorse any-user to read object-family in tenancy <Target-Tenancy-Name>
Endorse any-user to read buckets in tenancy <Target-Tenancy-Name>
Endorse any-user to read objects in tenancy <Target-Tenancy-Name>
Policies required in target tenancy where resources are accessed.
Define tenancy <Source-BDS-Cluster-Tenancy-Name> as <Source-BDS-Cluster-Tenancy-OCID>
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read object-family in tenancy where request.principal.id='<BDS Cluster OCID>'
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read buckets in tenancy where request.principal.id='<BDS Cluster OCID>'
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read objects in tenancy where request.principal.id='<BDS Cluster OCID>'
Supported Attributes
The following attributes are supported by Big Data Service resource principals. This can used in both policy level and dynamic group level. When consuming resource principal attributes in dynamic group level, be sure to regenerate resource principal access token to be effective.
request.principal.id
: The resource principal ID. The value is same as the Big Data Service ID, and is used for specific resource level isolation.request.resource.compartment.id
: The Big Data Service resource compartment ID, and is used for compartment level isolation.request.resource.tenancy.id
: The Big Data Service resource tenancy ID, and is used for tenancy level isolation.request.principal.type
: The Big Data Service resource principal type. All the Big Data Service specific resource principals values are'bigdataservice'
.