JMS Fleets Policy Statements
A policy specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. A policy allows a group to work in certain ways with specific types of resources in a particular compartment.
This section describes the different policy statements that are created as part of Setting Up Oracle Cloud Infrastructure for Fleets and Enabling Advanced Features.
Manage OCI resources required for JMS Fleets
The following policy statements allow the users in the user group to access and manage JMS Fleets, management agents, JMS plug-ins, and metrics:
ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE jms-plugins IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO READ METRICS IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
Monitor workloads on OCI
The following policy statements are used to monitor workloads on OCI:
ALLOW GROUP FLEET_MANAGERS TO MANAGE instance-family IN COMPARTMENT <instance_compartment>
ALLOW GROUP FLEET_MANAGERS TO READ instance-agent-plugins IN COMPARTMENT <instance_compartment>
- Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
- You need to apply these policy statements separately for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets.
Management agent install keys
The following policy statements allow JMS Fleets and the user group to manage management agent install keys:
ALLOW RESOURCE jms SERVER-COMPONENTS TO READ management-agent-install-keys IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agent-install-keys IN COMPARTMENT Fleet_Compartment
Management agent communication
The following policy statements enable the management agents to interact with JMS Plug-ins and JMS Fleets and allow JMS Fleets to store monitoring data in your tenancy:
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE jms-plugins IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE jms-plugins IN COMPARTMENT <instance_compartment>
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE METRICS IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE METRICS IN COMPARTMENT <instance_compartment>
ALLOW RESOURCE jms SERVER-COMPONENTS TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
- Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
- You need to apply these policy statements separately for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets.
Log configuration
The following policy statements allow JMS Fleets to interact with OCI Logging service for setting up log configuration for fleets in the compartment:
ALLOW RESOURCE jms SERVER-COMPONENTS TO READ log-groups IN COMPARTMENT Fleet_Compartment
ALLOW RESOURCE jms SERVER-COMPONENTS TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE log-groups IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO READ log-content IN COMPARTMENT Fleet_Compartment
Set up OCI Linux instances for JMS Fleets
This policy statement grants the dynamic group JMS_DYNAMIC_GROUP privileges to manage all OCI instances in the compartment. The installation script requires this policy to configure the management agent correctly on OCI Linux instances, and the policy must be present every time the installation script runs. When installation is complete, you can reduce the permission in the statement from MANAGE to USE.
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE instances IN COMPARTMENT <instance_compartment> WHERE ALL {request.principal.type='instance', target.compartment.id=request.principal.compartment.id}
- Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
- You need to apply this policy statement separately for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets.
JMS requires the following policy statements to work with OCI Linux instances:
ALLOW RESOURCE jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT <instance_compartment>
ALLOW RESOURCE jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins IN COMPARTMENT <instance_compartment>
- Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
- You need to apply these policy statements separately for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets.
Perform Advanced Features
JMS requires certain policy statements to enable and carry out advanced features in your fleet.
The following policy statements allow JMS to read from and write to Object Storage:
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO READ buckets IN COMPARTMENT Fleet_Compartment WHERE target.bucket.name=/jms_ocid1*/
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE objects IN COMPARTMENT Fleet_Compartment WHERE target.bucket.name=/jms_ocid1*/
ALLOW GROUP FLEET_MANAGERS TO MANAGE object-family IN COMPARTMENT Fleet_Compartment
ALLOW RESOURCE jms SERVER-COMPONENTS TO READ buckets IN COMPARTMENT Fleet_Compartment WHERE target.bucket.name=/jms_ocid1*/
ALLOW RESOURCE jms SERVER-COMPONENTS TO MANAGE objects IN COMPARTMENT Fleet_Compartment WHERE target.bucket.name=/jms_ocid1*/
ALLOW RESOURCE jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT <instance_compartment>
ALLOW RESOURCE jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins IN COMPARTMENT <instance_compartment>
- Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
- You need to apply these policy statements separately for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets.
Enable subscription acknowledgment
The following policy statement allows fleet managers to enable subscription acknowledgment:
ALLOW GROUP FLEET_MANAGERS TO MANAGE subscription-ack-configs IN TENANCY
Ensure that this policy is created in the root compartment.
Set up policies for IAM with Identity Domains
The policy statements provided in this chapter are for tenancies without identity domains. If your tenancy uses IAM with identity domains, write each statement in the following form:
Allow group '<identity_domain_name>'/'<group_name>' to <verb> <resource-type> in tenancy
Ensure that you enclose the domain and group names in single quotes ('). See IAM Policies Overview for more details.
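The three mechanical edits this page asks for (expanding <instance_compartment> once per monitored compartment in the Monitor workloads on OCI and Set up OCI Linux instances sections, reducing the dynamic group's MANAGE instances grant to USE after the installation script has run, and quoting group names as '<identity_domain_name>'/'<group_name>' for tenancies with identity domains) are easy to get wrong by hand across many compartments. The following Python helper is an added example, not Oracle's code or any JMS tooling: it parses the statement form used on this page and applies those edits, refusing to emit a policy that still contains a placeholder. The compartment names prod_apps and dev_apps and the domain name Default are constructed sample values, and keeping the compartment scope when quoting for an identity domain is an assumption (the page's own example uses "in tenancy").

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Statement form used throughout this page:
#   ALLOW <subject> TO <verb> <resource-type> IN (COMPARTMENT <name> | TENANCY) [WHERE <condition>]
STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+"
    r"(?P<subject>GROUP\s+\S+|DYNAMIC-GROUP\s+\S+|RESOURCE\s+jms\s+SERVER-COMPONENTS)"
    r"\s+TO\s+(?P<verb>INSPECT|READ|USE|MANAGE)\s+(?P<resource>\S+)"
    r"\s+IN\s+(?P<scope>COMPARTMENT\s+\S+|TENANCY)"
    r"(?:\s+WHERE\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
PLACEHOLDER = "<instance_compartment>"   # placeholder used by the page


@dataclass(frozen=True)
class Statement:
    subject: str               # "GROUP X", "DYNAMIC-GROUP X" or "RESOURCE jms SERVER-COMPONENTS"
    verb: str                  # INSPECT < READ < USE < MANAGE
    resource: str              # e.g. "instances", "jms-plugins"
    scope: str                 # "COMPARTMENT <name>" or "TENANCY"
    condition: Optional[str]   # text after WHERE, or None

    def render(self) -> str:
        text = f"ALLOW {self.subject} TO {self.verb} {self.resource} IN {self.scope}"
        return text if self.condition is None else f"{text} WHERE {self.condition}"


def parse(line: str) -> Statement:
    """Parse one statement; keywords are normalised to upper case, names are kept verbatim."""
    m = STATEMENT_RE.match(line)
    if not m:
        raise ValueError(f"not a recognised policy statement: {line!r}")
    kind, name = m["subject"].split(None, 1)
    scope_parts = m["scope"].split(None, 1)
    scope = "TENANCY" if len(scope_parts) == 1 else f"COMPARTMENT {scope_parts[1]}"
    return Statement(f"{kind.upper()} {name}", m["verb"].upper(), m["resource"], scope, m["condition"])


def fill_instance_compartments(stmts: List[Statement], compartments: List[str]) -> List[Statement]:
    """Emit one copy of every <instance_compartment> statement per monitored compartment,
    as the page's per-compartment notes require; other statements pass through unchanged."""
    out: List[Statement] = []
    for s in stmts:
        if s.scope == f"COMPARTMENT {PLACEHOLDER}":
            out.extend(replace(s, scope=f"COMPARTMENT {c}") for c in compartments)
        else:
            out.append(s)
    return out


def tighten_after_install(stmts: List[Statement]) -> List[Statement]:
    """Once the agent installation script has finished, drop the dynamic group's
    MANAGE instances grant to USE, the reduction the page says is allowed post-install."""
    return [
        replace(s, verb="USE")
        if s.subject.startswith("DYNAMIC-GROUP ") and s.verb == "MANAGE" and s.resource.lower() == "instances"
        else s
        for s in stmts
    ]


def for_identity_domain(stmts: List[Statement], domain: str) -> List[Statement]:
    """Rewrite GROUP subjects as '<domain>'/'<group>' for tenancies with identity domains
    (dynamic groups and the jms resource principal are left alone; already-quoted names too)."""
    out = []
    for s in stmts:
        kind, _, name = s.subject.partition(" ")
        if kind == "GROUP" and not name.startswith("'"):
            s = replace(s, subject=f"GROUP '{domain}'/'{name}'")
        out.append(s)
    return out


def unfilled_placeholders(stmts: List[Statement]) -> List[str]:
    """Statements still carrying an angle-bracket placeholder that must be replaced before use."""
    return [s.render() for s in stmts if re.search(r"<[^>]+>", s.render())]


def build_policy(lines, compartments, domain=None, post_install=False) -> List[str]:
    """Full pipeline: parse, expand per compartment, optionally tighten and quote for a domain."""
    stmts = [parse(line) for line in lines]
    stmts = fill_instance_compartments(stmts, compartments)
    if post_install:
        stmts = tighten_after_install(stmts)
    if domain:
        stmts = for_identity_domain(stmts, domain)
    leftover = unfilled_placeholders(stmts)
    if leftover:
        raise ValueError("placeholders not filled: " + "; ".join(leftover))
    return [s.render() for s in stmts]


# Statements copied from this page; the compartment and domain names are constructed samples.
PAGE_STATEMENTS = [
    "ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment",
    "ALLOW GROUP FLEET_MANAGERS TO MANAGE instance-family IN COMPARTMENT <instance_compartment>",
    "ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE instances IN COMPARTMENT <instance_compartment> "
    "WHERE ALL {request.principal.type='instance', target.compartment.id=request.principal.compartment.id}",
    "ALLOW resource jms SERVER-COMPONENTS TO READ instances IN COMPARTMENT <instance_compartment>",
    "ALLOW GROUP FLEET_MANAGERS to MANAGE subscription-ack-configs in tenancy",
]
MONITORED_COMPARTMENTS = ["prod_apps", "dev_apps"]   # constructed sample compartment names

if __name__ == "__main__":
    for line in build_policy(PAGE_STATEMENTS, MONITORED_COMPARTMENTS, domain="Default", post_install=True):
        print(line)
```

Running the script prints the post-install, identity-domain form of the sample statements, one per monitored compartment. The WHERE condition on the instances grant is carried through untouched, so tightening MANAGE to USE never widens the statement's scope.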