JMS Fleets Policy Statements

A policy specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. A policy allows a group to work in certain ways with specific types of resources in a particular compartment.

This section describes the different policy statements that are created as part of Setting Up Oracle Cloud Infrastructure for Fleets and Enabling Advanced Features.

Manage OCI resources required for JMS Fleets

The following policy statements allow the users in the user group to access and manage JMS Fleets, management agents, JMS Plugins, and metrics:

ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE jms-plugins IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO READ METRICS IN COMPARTMENT Fleet_Compartment

Monitor workloads on OCI

The following policy statements are used to monitor workloads on OCI:

ALLOW GROUP FLEET_MANAGERS TO MANAGE instance-family IN COMPARTMENT <instance_compartment>
ALLOW GROUP FLEET_MANAGERS TO READ instance-agent-plugins IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policy statements separately for each compartment that contains OCI Linux instances that you want to monitor with JMS Fleets.

Management agent install keys

The following policy statements allow JMS Fleets and the user group to manage management agent install keys:

ALLOW resource jms server-components TO USE management-agent-install-keys IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agent-install-keys IN COMPARTMENT Fleet_Compartment

Management agent communication

The following policy statements enable the management agents to interact with JMS Plugins and JMS Fleets and allow JMS Fleets to store monitoring data in your tenancy:

ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE jms-plugins IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE METRICS IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE METRICS IN COMPARTMENT <instance_compartment>
ALLOW resource jms server-components TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply the policy statement that names <instance_compartment> separately for each compartment that contains OCI Linux instances that you want to monitor with JMS Fleets.

Log configuration

The following policy statements allow JMS Fleets to interact with the OCI Logging service to set up log configuration for fleets in the compartment:

ALLOW resource jms server-components TO MANAGE log-groups IN COMPARTMENT Fleet_Compartment
ALLOW resource jms server-components TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE log-groups IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE log-content IN COMPARTMENT Fleet_Compartment

Set up OCI Linux instances for JMS Fleets

Note

This policy statement grants the dynamic group JMS_DYNAMIC_GROUP the MANAGE permission on all OCI instances in the compartment. The installation script requires this policy to be present so that it can configure the management agent on OCI Linux instances correctly, and it must be present for every execution of the installation script. When installation is complete, you may reduce the permission in the policy statement from MANAGE to USE.

The following policy statement is used to set up OCI Linux instances using the installation script:

ALLOW dynamic-group JMS_DYNAMIC_GROUP TO MANAGE instances IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply this policy statement separately for each compartment that contains OCI Linux instances that you want to monitor with JMS Fleets.

JMS requires the following policy statements to work with OCI Linux instances:

ALLOW resource jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT <instance_compartment>
ALLOW resource jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policy statements separately for each compartment that contains OCI Linux instances that you want to monitor with JMS Fleets.
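Every statement on this page follows the same ALLOW ... TO <verb> <resource-type> IN COMPARTMENT ... [WHERE ...] grammar, and the note above says the dynamic group's MANAGE on instances can drop to USE once the installation script has finished. The following added Python example (not Oracle's code) parses statements in that form, reports the highest verb a subject holds on a resource type in a compartment, and applies that post-install downgrade; the compartment name Prod_Instances is a constructed placeholder standing in for <instance_compartment>.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# OCI verbs ordered by the access they grant (each includes the ones before it).
VERB_RANK = {"INSPECT": 0, "READ": 1, "USE": 2, "MANAGE": 3}

@dataclass(frozen=True)
class Statement:
    subject_type: str           # GROUP, DYNAMIC-GROUP or RESOURCE
    subject: str                # e.g. FLEET_MANAGERS or "jms server-components"
    verb: str                   # INSPECT, READ, USE or MANAGE
    resource: str               # e.g. instances, management-agents
    compartment: str
    condition: Optional[str] = None   # text after WHERE, if any

# Keywords are case-insensitive; "resource jms server-components" is a two-word subject.
_STMT_RE = re.compile(
    r"^ALLOW\s+(GROUP|DYNAMIC-GROUP|RESOURCE)\s+(.+?)\s+TO\s+"
    r"(INSPECT|READ|USE|MANAGE)\s+(\S+)\s+IN\s+COMPARTMENT\s+(\S+)"
    r"(?:\s+WHERE\s+(.+?))?\s*$", re.IGNORECASE)

def parse_statement(text: str) -> Statement:
    """Parse one policy statement of the shape used on this page."""
    m = _STMT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    st, subj, verb, res, comp, cond = m.groups()
    return Statement(st.upper(), subj.strip(), verb.upper(), res.lower(), comp, cond)

def max_verb(stmts: List[Statement], subject: str, resource: str, compartment: str) -> Optional[str]:
    """Highest verb a subject holds on a resource type in a compartment, or None."""
    hits = [s.verb for s in stmts if s.subject.upper() == subject.upper()
            and s.resource == resource and s.compartment == compartment]
    return max(hits, key=VERB_RANK.__getitem__, default=None)

def post_install_downgrade(stmts: List[Statement]) -> List[Statement]:
    """Apply the page's note: after the installation script has finished, the
    dynamic group's MANAGE on instances can be reduced to USE."""
    return [replace(s, verb="USE") if s.subject_type == "DYNAMIC-GROUP"
            and s.resource == "instances" and s.verb == "MANAGE" else s for s in stmts]

# Constructed sample: this page's instance-compartment statements with the
# <instance_compartment> placeholder replaced by a hypothetical name.
SAMPLE = [parse_statement(t) for t in (
    "ALLOW dynamic-group JMS_DYNAMIC_GROUP TO MANAGE instances IN COMPARTMENT Prod_Instances",
    "ALLOW resource jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT Prod_Instances",
    "ALLOW resource jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins IN COMPARTMENT Prod_Instances",
)]
```

Running max_verb over the statements a tenancy actually holds, before and after post_install_downgrade, is a quick way to confirm that the dynamic group no longer keeps MANAGE on instances once the installation script is done.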

Perform Advanced Features

JMS requires certain policy statements to enable and carry out advanced features in your fleet.

The following policy statements allow JMS to read from and write to Object Storage:

ALLOW dynamic-group JMS_DYNAMIC_GROUP to MANAGE object-family IN COMPARTMENT Fleet_Compartment
ALLOW group FLEET_MANAGERS to MANAGE object-family IN COMPARTMENT Fleet_Compartment
ALLOW resource jms SERVER-COMPONENTS to MANAGE object-family IN COMPARTMENT Fleet_Compartment

JMS requires the following policy statements to work with OCI Linux instances:

ALLOW resource jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT <instance_compartment>
ALLOW resource jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policy statements separately for each compartment that contains OCI Linux instances that you want to monitor with JMS Fleets.