Pipeline Policies
Follow these steps to set up the policies that pipelines need.
Bring Your Own Model
If you bring your own model, you need the following policies so that the pipeline can pull its image from OCIR:
Resource Principal
The pipeline run uses resource principal authorization to pull the image from OCIR, so the policies grant access to the ML Pipeline Run resource principal (datasciencepipelinerun). You can write these policies with or without dynamic groups; both forms follow.
User Principal
The user who creates the pipeline also needs read access to the repository that holds the image; grant it to that user's group:
Allow group <GROUP_NAME> to read repos in tenancy where all {target.repo.name=<REPO_NAME>}
Defining Policies Using Dynamic Groups
Create a dynamic group whose matching rule includes every pipeline run:
ALL { resource.type = 'datasciencepipelinerun' }
Then grant the dynamic group read access to repositories, either in one compartment:
Allow dynamic-group <DYNAMIC GROUP> to read repos in compartment <COMPARTMENT NAME> where ANY {
request.operation='ReadDockerRepositoryMetadata',
request.operation='ReadDockerRepositoryManifest',
request.operation='PullDockerLayer'
}
or across the whole tenancy:
Allow dynamic-group <DYNAMIC GROUP> to read repos in tenancy where ANY {
request.operation='ReadDockerRepositoryMetadata',
request.operation='ReadDockerRepositoryManifest',
request.operation='PullDockerLayer'
}
The request.operation conditions limit the grant to the three OCIR operations needed to pull an image (reading repository metadata, reading the manifest, and pulling layers); prefer the compartment-scoped form unless the images live in more than one compartment.
Defining Policies without Dynamic Groups
Without a dynamic group, match the pipeline run by its principal type instead:
Allow any-user to read repos in compartment <COMPARTMENT NAME> where ALL { request.principal.type = 'datasciencepipelinerun' }
Allow any-user to read repos in tenancy where ALL { request.principal.type = 'datasciencepipelinerun' }
Custom Networking Policy
For custom networking, add a policy that lets the Data Science service use the networking resources in the subnet's compartment:
Allow service datascience to use virtual-network-family in compartment <subnet_compartment>
This policy is already used by other Data Science services (Jobs, Model Deployments, and Notebooks), and ML Pipelines use the same one. If you already use custom networking in Notebooks or Jobs, the policy is in place and does not need to be added again.
If this policy isn't in place, pipeline creation fails. See the Troubleshooting section for details.
Logging Policy
When you use logs in pipelines, define a policy that lets pipeline runs write to them. With a dynamic group whose matching rule is ALL { resource.type = 'datasciencepipelinerun' }:
Allow dynamic-group <DYNAMIC GROUP> to use log-content in compartment <COMPARTMENT NAME>
Without a dynamic group:
Allow any-user to use log-content in compartment <COMPARTMENT NAME> where ALL { request.principal.type = 'datasciencepipelinerun' }