Policy Issues
To use OS Management Hub, you need to create the necessary groups and policy statements. If any of these are incorrectly configured, you might encounter issues using the service.
See also: OS Management Hub Policies.
You can use the policy advisor to quickly configure the necessary user groups, dynamic group, and policy statements required to use OS Management Hub and Resource Discovery and Monitoring.
Missing dynamic group rule
The most common policy error occurs when the dynamic group doesn't include the instances that you want managed by OS Management Hub. Dynamic group rules don't support compartment inheritance. Therefore, you must specify a separate rule within the dynamic group for every compartment and subcompartment that contains instances that you want managed by the service.
If using the policy advisor, run it in each compartment and subcompartment that you want to use with the service.
If creating the policies manually, verify your dynamic group includes rules for all subcompartments that contain instances that you want managed by the service. If you have both OCI and non-OCI instances, ensure you've included the required rules for both instance types.
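The following added example (not part of the original page or Oracle's tooling) checks an instance inventory against a dynamic group's rules without compartment inheritance, and reports when only an ancestor compartment has a rule. The rule strings, the `oci`/`non-oci` labels, the compartment tree, and the placeholder OCIDs are assumptions constructed for illustration.

```python
import re

CONDITION = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")

def covered_compartments(rules):
    """Return the (instance_kind, compartment_ocid) pairs the rules match directly."""
    covered = set()
    for rule in rules:
        conds = {}
        for key, value in CONDITION.findall(rule):
            conds.setdefault(key, set()).add(value)
        for ocid in conds.get("instance.compartment.id", ()):
            covered.add(("oci", ocid))
        if "managementagent" in conds.get("resource.type", ()):
            for ocid in conds.get("resource.compartment.id", ()):
                covered.add(("non-oci", ocid))
    return covered

def find_unmanaged(rules, instances, parents):
    """List instances no rule matches, plus the nearest ancestor compartment that
    does have a rule (the case where inheritance was wrongly assumed)."""
    covered = covered_compartments(rules)
    gaps = []
    for name, kind, compartment in instances:
        if (kind, compartment) in covered:
            continue
        ancestor = parents.get(compartment)
        while ancestor and (kind, ancestor) not in covered:
            ancestor = parents.get(ancestor)
        gaps.append((name, compartment, ancestor))
    return gaps

# Constructed sample data; the OCIDs are placeholders, not real identifiers.
PROD, WEB, DEV = ("ocid1.compartment.oc1..prod", "ocid1.compartment.oc1..prod-web",
                  "ocid1.compartment.oc1..dev")
PARENTS = {PROD: None, WEB: PROD, DEV: None}
RULES = [
    f"ALL {{instance.compartment.id='{PROD}'}}",
    f"ALL {{resource.type='managementagent', resource.compartment.id='{PROD}'}}",
    f"ALL {{instance.compartment.id='{DEV}'}}",
]
INSTANCES = [("app01", "oci", PROD), ("web01", "oci", WEB),
             ("dc-host1", "non-oci", DEV), ("dc-host2", "non-oci", PROD)]

if __name__ == "__main__":
    for name, compartment, ancestor in find_unmanaged(RULES, INSTANCES, PARENTS):
        hint = f"rule exists only for ancestor {ancestor}" if ancestor else "no rule for this instance type"
        print(f"{name}: not in dynamic group ({compartment}); {hint}")
```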
Missing identity domain specification
Policy statements use the Default identity domain unless you explicitly define the identity domain before the group or dynamic group name within the statement (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.
If you're not using the default domain, ensure you've specified the identity domain in each of your policy statements. For example:
allow group <identity-domain-name>/<osmh-admins> to manage osmh-family in tenancy
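As an added example (not from the original page), this check flags policy statements whose group or dynamic group is named without an identity domain prefix and therefore resolves in the Default domain. The statements, the domain name `CorpDomain`, and the group names are constructed samples, not the service's required policy set.

```python
import re

# Subject of an "allow group ..." or "allow dynamic-group ..." statement.
SUBJECT = re.compile(r"^\s*allow\s+(group|dynamic-group)\s+(.+?)\s+to\s+", re.IGNORECASE)

def default_domain_subjects(statements):
    """Return (statement_number, subject_type, name) for every group or dynamic
    group that is named without a '<domain>/' prefix."""
    findings = []
    for number, statement in enumerate(statements, start=1):
        match = SUBJECT.match(statement)
        if not match:
            continue  # other subjects (for example any-user) carry no group name
        kind = match.group(1).lower()
        for name in match.group(2).split(","):  # a statement may list several groups
            name = name.strip()
            if name.lower().startswith("id "):
                continue  # referenced by OCID rather than by name
            if "/" not in name:
                findings.append((number, kind, name))
    return findings

# Constructed sample statements.
STATEMENTS = [
    "allow group CorpDomain/osmh-admins to manage osmh-family in tenancy",
    "allow dynamic-group osmh-instances to use osmh-family in tenancy",
    "Allow group CorpDomain/osmh-operators, osmh-legacy to read osmh-family in tenancy",
    "allow group id ocid1.group.oc1..example to inspect osmh-family in tenancy",
]

if __name__ == "__main__":
    for number, kind, name in default_domain_subjects(STATEMENTS):
        print(f"statement {number}: {kind} '{name}' resolves in the Default identity domain")
```

A finding is only a problem when the group actually lives in a non-default domain; in that case the statement applies to a same-named group in the Default domain, or to nothing.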
Policy advisor error messages
The policy advisor quickly enables OS Management Hub for a specific compartment by defining the necessary user groups, dynamic group, and policies the service requires. You might see errors from the policy advisor if your user account doesn't have sufficient permissions or if you define your groups and policies differently than what the advisor uses.
Error Message | Possible cause and resolution |
---|---|
A policy error was detected | Cause: The policies and group names don't exactly match what the advisor expects. The advisor checks for a specific set of policies, policy statements, and groups. See What does the policy advisor create? Resolution: If OS Management Hub is functioning as expected, you can ignore the policy error notice. You might have already set up policies, named your groups, and defined your policy statements differently than what the advisor uses. Otherwise, run the policy advisor. |
Failed to retrieve policy information | Cause: Your user account can't use OS Management Hub and you don't have sufficient permissions to read policies, groups, or dynamic groups. Resolution: Contact your tenancy administrator for assistance to enable OS Management Hub. See Required permissions for the policy advisor. |
The service might be setup, but cannot confirm policy information | Cause: Your user account doesn't have sufficient permissions to read policies, groups, or dynamic groups. The policy advisor can't confirm the required groups, dynamic group, and policies. See What does the policy advisor create? Resolution: If OS Management Hub is functioning as expected, you can ignore the policy error notice. Otherwise, contact your tenancy administrator for assistance to enable OS Management Hub. See Required permissions for the policy advisor. |
Failed to update <resource>: NotAuthorizedOrNotFound | Cause: After reviewing the policy advisor changes and clicking Setup, this message displays if your user account doesn't have sufficient permissions to create or update a policy, group, or dynamic group. For example, " Resolution: Contact your tenancy administrator to enable OS Management Hub. See Required permissions for the policy advisor. |
Registration Errors
If you encounter the following errors when registering an instance, it might indicate that the policy statements or dynamic group rules aren't set correctly.
The osmh-agent.log contains:
ERROR: failed to update managed instance: Error returned by Service. Http Status Code: 404.
Error Code: NotAuthorizedOrNotFound. Opc request id: <requestID>. Message: Authorization failed or requested resource not found.
...
Request Endpoint: PUT https://osmh.<region>.oci.oraclecloud.com/20220901/agent/managedInstances/ocid1.managementagent.oc1.iad.<ocid>
Or, the Oracle Cloud Agent tab on the Compute instance details page shows one of the following messages:
Plugin OS Management Hub Agent not present for instance ocid1.instance.oc1.iad.<ocid>
failed to start osmh-agent with [lookup image failed. The instance could not register with OS Management Hub.
To resolve the issue, verify you've correctly configured the policy statements and dynamic group rules. Most commonly the dynamic group doesn't include the instance.
Verify the following:
- Ensure that you've included a dynamic group rule for each compartment and subcompartment containing instances that you want managed by the service. Dynamic groups don't support compartment inheritance.
- If not using the default identity domain, ensure each policy statement has the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>).