Understanding Big Data Service resources and permissions in IAM policies
Oracle Identity and Access Management (IAM) provides a flexible framework for writing policy statements that control how resources can interact with one another. IAM defines a number of standard resources, along with the permissions needed to interact with them. Big Data Service adds its own service-specific resources and permissions.
This topic describes the resources and permissions an administrator can use to create IAM policy statements for Big Data Service.
Resource kinds and permissions
| Resource Family | Resource Kind | Permissions |
|---|---|---|
| bds-family | bds-instances |
|
| bds-family | bds-limits |
|
Operations to permissions map
The following table lists the IAM operations that are specific to Big Data Service. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.
| Operation | API Operation | Permission Required to Use the Operation |
|---|---|---|
| List all clusters in the specified compartment | ListBdsInstances | BDS_INSPECT |
| Create a cluster | CreateBdsInstance | BDS_CREATE |
| Show details about the specified cluster | GetBdsInstance | BDS_READ |
| Change the size of a cluster | ChangeShape | BDS_UPDATE |
| Update details for a cluster | UpdateBdsInstance | BDS_UPDATE |
| Delete the specified instance | DeleteBdsInstance | BDS_DELETE |
| Add block storage to the specified cluster | AddBlockStorage | BDS_UPDATE |
| Add worker nodes to the specified cluster | AddWorkerNodes | BDS_UPDATE |
| Restart a specified node of a cluster | RestartNode | BDS_UPDATE |
| Add Cloud SQL to the specified cluster | AddCloudSql | BDS_UPDATE |
| Remove Cloud SQL from the specified cluster | RemoveCloudSql | BDS_UPDATE |
| Move the cluster from one compartment to another | ChangeBdsInstanceCompartment | BDS_MOVE |
| List all autoscale configurations for the specified cluster | ListAutoScalingConfigurations | BDS_INSPECT |
| Add an autoscale configuration to the specified cluster | AddAutoScalingConfiguration | BDS_UPDATE |
| Show details about the specified autoscale configuration | GetAutoScalingConfiguration | BDS_READ |
| Update fields of an autoscale configuration | UpdateAutoScalingConfiguration | BDS_UPDATE |
| Delete an autoscale configuration | RemoveAutoScalingConfiguration | BDS_UPDATE |
| List all Big Data work requests in the specified compartment | ListWorkRequests | BDS_INSPECT |
| Show details about the specified work requests | GetWorkRequest | BDS_READ |
| Show logs for the specified work request | ListWorkRequestLogs | BDS_INSPECT |
| Show errors for the specified work request | ListWorkRequestErrors | BDS_INSPECT |
| Show resources used | ListConsumptions | BDS_CONSUMPTION_INSPECT |
| List API keys on the specified cluster | ListBdsApiKeys | BDS_READ |
| Create an API key on the specified cluster | CreateBdsApiKey | BDS_UPDATE |
| Get an API key on the specified cluster | GetBdsApiKey | BDS_READ |
| Delete an API key on the specified cluster | DeleteBdsApiKey | BDS_UPDATE |
| Test access to Object Store bucket using the specified API key | TestBdsObjectStorageConnection | BDS_READ |
Operation-specific attributes
For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a "create" operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for "create."
| Resource Kind | Name | Type | Source |
|---|---|---|---|
| bds-instances | target.bds-instances.source-compartment.id | Entity | Request |
| bds-instances | target.bds-instances.destination-compartment.id | Entity | Request |
IAM verbs for use with Big Data Service
| Resource Kind | inspect | read | use | manage |
|---|---|---|---|---|
| bds-instances | BDS_INSPECT | inspect + BDS_READ |
read + BDS_UPDATE |
use + BDS_CREATE BDS_DELETE BDS_MOVE |
| bds-limits | BDS_CONSUMPTION_INSPECT | . | . | . |
Example 1 - Administrators with all permission on clusters
The following policy statement says that members of a group named bds-admins can inspect, read, update, create, delete, and move all clusters in a compartment named bds-learn.
allow bds-admins to manage bds-instances in compartment bds-devIn the above statement:
-
bds-adminsis a group created by an administrator. -
managespecifies the operations that members of thebds-adminsgroup can use.Manageis one of the verbs described in the "IAM Verbs for Use with Big Data Service". It gives a user/group permission to use all of the operations provided by theinspect,read, anduseverbs, plus a few operations specific to themanageverb:- The
inspectverb includes theBDS_INSPECToperation. - The
readverb includes theBDS_INSPECTandBDS_READoperations. - The
useverb includes theBDS_INSPECT,BDS_READ, andBDS_UPDATEoperations. - The
manageverb includes theBDS_INSPECT,BDS_READ,BDS_UPDATE,BDS_CREATE,BDS_DELETE, andBDS_MOVEoperations.
- The
-
bds-devis a compartment created by an administrator.
The following policy statement says that members of the bds-admins group can manage the Virtual Cloud Network (VCN) resources in the entire tenancy.
allow group bds-admins to manage virtual-network-family in tenancyExample 2 - Users
The following policy statement says that members of a group named bds-users can inspect and read all clusters in the bds-learn compartment. (The verb read includes both inspect and read permissions.)
allow bds-users to read bds-instances in compartment bds-learnMore Information
For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.