Understanding Big Data Service resources and permissions in IAM policies
Oracle Identity and Access Management (IAM) provides a flexible framework for writing policy statements that control how resources can interact with one another. IAM defines a number of standard resources, along with the permissions needed to interact with them. Big Data Service adds its own service-specific resources and permissions.
This topic describes the resources and permissions an administrator can use to create IAM policy statements for Big Data Service.
Resource kinds and permissions
Resource Family | Resource Kind | Permissions |
---|---|---|
bds-family | bds-instances | BDS_INSPECT, BDS_READ, BDS_UPDATE, BDS_CREATE, BDS_DELETE, BDS_MOVE |
bds-family | bds-limits | BDS_CONSUMPTION_INSPECT |
Operations to permissions map
The following table lists the IAM operations that are specific to Big Data Service. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.
Operation | API Operation | Permission Required to Use the Operation |
---|---|---|
List all clusters in the specified compartment | ListBdsInstances | BDS_INSPECT |
Create a cluster | CreateBdsInstance | BDS_CREATE |
Show details about the specified cluster | GetBdsInstance | BDS_READ |
Change the size of a cluster | ChangeShape | BDS_UPDATE |
Update details for a cluster | UpdateBdsInstance | BDS_UPDATE |
Delete the specified cluster | DeleteBdsInstance | BDS_DELETE |
Add block storage to the specified cluster | AddBlockStorage | BDS_UPDATE |
Add worker nodes to the specified cluster | AddWorkerNodes | BDS_UPDATE |
Restart a specified node of a cluster | RestartNode | BDS_UPDATE |
Add Cloud SQL to the specified cluster | AddCloudSql | BDS_UPDATE |
Remove Cloud SQL from the specified cluster | RemoveCloudSql | BDS_UPDATE |
Move the cluster from one compartment to another | ChangeBdsInstanceCompartment | BDS_MOVE |
List all autoscale configurations for the specified cluster | ListAutoScalingConfigurations | BDS_INSPECT |
Add an autoscale configuration to the specified cluster | AddAutoScalingConfiguration | BDS_UPDATE |
Show details about the specified autoscale configuration | GetAutoScalingConfiguration | BDS_READ |
Update fields of an autoscale configuration | UpdateAutoScalingConfiguration | BDS_UPDATE |
Delete an autoscale configuration | RemoveAutoScalingConfiguration | BDS_UPDATE |
List all Big Data work requests in the specified compartment | ListWorkRequests | BDS_INSPECT |
Show details about the specified work request | GetWorkRequest | BDS_READ |
Show logs for the specified work request | ListWorkRequestLogs | BDS_INSPECT |
Show errors for the specified work request | ListWorkRequestErrors | BDS_INSPECT |
Show resources used | ListConsumptions | BDS_CONSUMPTION_INSPECT |
List API keys on the specified cluster | ListBdsApiKeys | BDS_READ |
Create an API key on the specified cluster | CreateBdsApiKey | BDS_UPDATE |
Get an API key on the specified cluster | GetBdsApiKey | BDS_READ |
Delete an API key on the specified cluster | DeleteBdsApiKey | BDS_UPDATE |
Test access to Object Store bucket using the specified API key | TestBdsObjectStorageConnection | BDS_READ |
Operation-specific attributes
For a given resource kind, the same set of attributes is available across all operations (get, list, delete, and so on). The one exception is a "create" operation: the object does not have an ID yet, so there is no target.RESOURCE-KIND.id attribute for "create". The two attributes below are the ones a policy condition can test when a cluster is moved between compartments (ChangeBdsInstanceCompartment), which is the only operation that has both a source and a destination compartment.
Resource Kind | Name | Type | Source |
---|---|---|---|
bds-instances | target.bds-instances.source-compartment.id | Entity | Request |
bds-instances | target.bds-instances.destination-compartment.id | Entity | Request |
IAM verbs for use with Big Data Service
Resource Kind | inspect | read | use | manage |
---|---|---|---|---|
bds-instances | BDS_INSPECT | inspect + BDS_READ | read + BDS_UPDATE | use + BDS_CREATE, BDS_DELETE, BDS_MOVE |
bds-limits | BDS_CONSUMPTION_INSPECT | . | . | . |
Each verb includes everything granted by the verb to its left; a "." entry means that verb adds no permissions beyond the previous one, so read, use, and manage on bds-limits all grant only BDS_CONSUMPTION_INSPECT.
Example 1 - Administrators with all permissions on clusters
The following policy statement says that members of a group named bds-admins can inspect, read, update, create, delete, and move all clusters in a compartment named bds-dev. (Policy syntax requires the group keyword before the group name.)
allow group bds-admins to manage bds-instances in compartment bds-dev
In the above statement:
- bds-admins is a group created by an administrator.
- manage specifies the operations that members of the bds-admins group can use. manage is one of the verbs described in "IAM verbs for use with Big Data Service". It gives a user or group permission to use all of the operations provided by the inspect, read, and use verbs, plus the operations specific to the manage verb:
  - The inspect verb includes the BDS_INSPECT permission.
  - The read verb includes the BDS_INSPECT and BDS_READ permissions.
  - The use verb includes the BDS_INSPECT, BDS_READ, and BDS_UPDATE permissions.
  - The manage verb includes the BDS_INSPECT, BDS_READ, BDS_UPDATE, BDS_CREATE, BDS_DELETE, and BDS_MOVE permissions.
- bds-dev is a compartment created by an administrator.
The following policy statement says that members of the bds-admins group can manage the Virtual Cloud Network (VCN) resources in the entire tenancy. Tenancy-wide scope is broader than cluster administration needs; unless the same group is also responsible for networking across the tenancy, scope this statement to the compartment that holds the clusters' VCN.
allow group bds-admins to manage virtual-network-family in tenancy
Example 2 - Users
The following policy statement says that members of a group named bds-users can inspect and read all clusters in the bds-learn compartment. (The verb read includes both the inspect and read permissions, so members can list clusters and view their details, but cannot change, create, delete, or move them.)
allow group bds-users to read bds-instances in compartment bds-learn
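The following is an added example, not code from Oracle or from this page. It encodes the verb-to-permission table and the operations map above so that an administrator can check offline whether a proposed set of statements lets a group call a given API operation, and which verb is the least-privilege choice for a set of operations (the question behind Examples 1 and 2). It assumes statements of the form "allow group G to VERB RESOURCE in compartment C" or "... in tenancy" only; compartment hierarchy, where-clause conditions, dynamic groups, and service principals are not modelled, and the sample policy is constructed for the example.

```python
"""Check OCI IAM policy statements against the Big Data Service permission model.

Added example, not Oracle's code. Models only "allow group ..." statements
scoped to a single compartment or to the tenancy; conditions and compartment
hierarchy are deliberately out of scope.
"""
import re
from typing import Dict, List, Set

VERBS = ("inspect", "read", "use", "manage")

# Permissions each verb ADDS for a resource kind; verbs are cumulative in VERBS order.
VERB_ADDS: Dict[str, Dict[str, Set[str]]] = {
    "bds-instances": {
        "inspect": {"BDS_INSPECT"},
        "read": {"BDS_READ"},
        "use": {"BDS_UPDATE"},
        "manage": {"BDS_CREATE", "BDS_DELETE", "BDS_MOVE"},
    },
    # The verbs table grants bds-limits nothing beyond inspect.
    "bds-limits": {"inspect": {"BDS_CONSUMPTION_INSPECT"}, "read": set(),
                   "use": set(), "manage": set()},
}

# API operation -> permission required, from the operations map on this page.
OPERATION_PERMISSION: Dict[str, str] = {
    "ListBdsInstances": "BDS_INSPECT", "CreateBdsInstance": "BDS_CREATE",
    "GetBdsInstance": "BDS_READ", "ChangeShape": "BDS_UPDATE",
    "UpdateBdsInstance": "BDS_UPDATE", "DeleteBdsInstance": "BDS_DELETE",
    "AddBlockStorage": "BDS_UPDATE", "AddWorkerNodes": "BDS_UPDATE",
    "RestartNode": "BDS_UPDATE", "AddCloudSql": "BDS_UPDATE",
    "RemoveCloudSql": "BDS_UPDATE", "ChangeBdsInstanceCompartment": "BDS_MOVE",
    "ListAutoScalingConfigurations": "BDS_INSPECT",
    "AddAutoScalingConfiguration": "BDS_UPDATE",
    "GetAutoScalingConfiguration": "BDS_READ",
    "UpdateAutoScalingConfiguration": "BDS_UPDATE",
    "RemoveAutoScalingConfiguration": "BDS_UPDATE",
    "ListWorkRequests": "BDS_INSPECT", "GetWorkRequest": "BDS_READ",
    "ListWorkRequestLogs": "BDS_INSPECT", "ListWorkRequestErrors": "BDS_INSPECT",
    "ListConsumptions": "BDS_CONSUMPTION_INSPECT",
    "ListBdsApiKeys": "BDS_READ", "CreateBdsApiKey": "BDS_UPDATE",
    "GetBdsApiKey": "BDS_READ", "DeleteBdsApiKey": "BDS_UPDATE",
    "TestBdsObjectStorageConnection": "BDS_READ",
}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE,
)


def verb_permissions(resource_kind: str, verb: str) -> Set[str]:
    """Expand a verb to its cumulative permission set (read = inspect + BDS_READ, ...)."""
    perms: Set[str] = set()
    for v in VERBS:
        perms |= VERB_ADDS[resource_kind][v]
        if v == verb:
            return perms
    raise ValueError(f"unknown verb {verb!r}")


def resource_kind_for(operation: str) -> str:
    """ListConsumptions is the only bds-limits operation; all others target clusters."""
    needed = OPERATION_PERMISSION[operation]
    return "bds-limits" if needed == "BDS_CONSUMPTION_INSPECT" else "bds-instances"


def parse_statement(statement: str) -> dict:
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    # compartment is None for a tenancy-scoped statement.
    return {"group": m["group"], "verb": m["verb"].lower(),
            "resource": m["resource"].lower(), "compartment": m["compartment"]}


def granted_permissions(statements: List[str], group: str,
                        resource_kind: str, compartment: str) -> Set[str]:
    perms: Set[str] = set()
    for s in statements:
        p = parse_statement(s)
        if p["group"] != group:
            continue
        # bds-family is the aggregate resource type covering both kinds.
        if p["resource"] not in (resource_kind, "bds-family"):
            continue
        # A tenancy-scoped statement applies to every compartment.
        if p["compartment"] is not None and p["compartment"] != compartment:
            continue
        perms |= verb_permissions(resource_kind, p["verb"])
    return perms


def is_allowed(statements: List[str], group: str, operation: str, compartment: str) -> bool:
    kind = resource_kind_for(operation)
    return OPERATION_PERMISSION[operation] in granted_permissions(statements, group, kind, compartment)


def minimal_verb(operations: List[str], resource_kind: str = "bds-instances") -> str:
    """Least-privilege verb that covers every operation in the list."""
    needed = {OPERATION_PERMISSION[o] for o in operations}
    for v in VERBS:
        if needed <= verb_permissions(resource_kind, v):
            return v
    raise ValueError("operations are not all on the requested resource kind")


# Constructed sample policy: the two statements from this page plus a tenancy-wide auditor.
SAMPLE_POLICY = [
    "allow group bds-admins to manage bds-instances in compartment bds-dev",
    "allow group bds-users to read bds-instances in compartment bds-learn",
    "allow group bds-auditors to inspect bds-family in tenancy",
]

if __name__ == "__main__":
    for grp, op, cmp in [("bds-admins", "ChangeBdsInstanceCompartment", "bds-dev"),
                         ("bds-users", "DeleteBdsInstance", "bds-learn"),
                         ("bds-auditors", "ListConsumptions", "bds-dev")]:
        print(f"{grp} -> {op} in {cmp}: {is_allowed(SAMPLE_POLICY, grp, op, cmp)}")
    print("operators who list, view and restart need:",
          minimal_verb(["ListBdsInstances", "GetBdsInstance", "RestartNode"]))
```

The minimal_verb check is the useful part for policy review: a group that only needs to restart nodes or add worker nodes gets use, not manage, because manage also grants BDS_DELETE and BDS_MOVE.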
More Information
For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.