Cross Tenancy Object Storage Access

Data Flow SQL Endpoints can access Object Storage across tenancies: an endpoint can act on resources in a tenancy other than the one it was created in.

When a Data Flow SQL Endpoint in one tenancy reads objects stored in a second tenancy, you must apply policies in both tenancies. For example:
  • Your SQL Endpoint is dataflow-sample-endpoint in a tenancy called Tenancy-A.
  • The objects to be read are in a tenancy called Tenancy-B, and the index of the objects is created in the same bucket.
Allow tenancy-a-group to read buckets and objects in Tenancy-B:
  1. Apply the following policies in the root compartment of Tenancy-A:
    define tenancy Tenancy-B as tenancy-b-ocid
    endorse any-user to read buckets in tenancy Tenancy-B where ALL {request.principal.type = 'dataflowsqlendpoint', request.principal.id = '<dataflow-sample-endpoint-ocid>'}
    endorse any-user to manage objects in tenancy Tenancy-B where ALL {request.principal.type = 'dataflowsqlendpoint', request.principal.id = '<dataflow-sample-endpoint-ocid>'}
    endorse any-user to read object-family in tenancy Tenancy-B where ALL {request.principal.type = 'datacatalogmetastore'}

    The first statement is a define statement that assigns a friendly label to the OCID of Tenancy-B. The second and third statements let dataflow-sample-endpoint read buckets and manage objects in Tenancy-B. The last statement lets the metastore read objects in Tenancy-B.

  2. Apply these policies in the root compartment of Tenancy-B:
    define tenancy Tenancy-A as tenancy-a-ocid
    admit any-user of tenancy Tenancy-A to read buckets in compartment <compartment> where ALL {request.principal.type = 'dataflowsqlendpoint', request.principal.id = '<dataflow-sample-endpoint-ocid>'}
    admit any-user of tenancy Tenancy-A to manage objects in compartment <compartment> where ALL {request.principal.type = 'dataflowsqlendpoint', request.principal.id = '<dataflow-sample-endpoint-ocid>'}
    admit any-user of tenancy Tenancy-A to read object-family in compartment <compartment> where ALL {request.principal.type = 'datacatalogmetastore'}

    The first statement is a define statement that assigns a friendly label to the OCID of Tenancy-A; the label must match the one used in the admit statements that follow. The second and third statements let dataflow-sample-endpoint read the buckets and manage objects in Tenancy-B. The last statement lets the metastore read objects in Tenancy-B. The word 'admit' indicates that the access is granted to dataflow-sample-endpoint from outside the tenancy in which the buckets and objects reside.

    You can restrict access further by limiting the manage objects policy to a single bucket. For example, to limit it to a bucket called your-bucket in your-compartment:

    admit any-user of tenancy Tenancy-A to manage objects in compartment your-compartment where ALL {target.bucket.name = 'your-bucket', request.principal.type = 'dataflowsqlendpoint', request.principal.id = '<dataflow-sample-endpoint-ocid>'}
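As an added check (example code, not Oracle's), the following Python script verifies that the endorse statements written in Tenancy-A and the admit statements written in Tenancy-B pair up by verb and resource, that an admit is never looser on the principal conditions than its endorse, and that every tenancy label used comes from a define statement in the same tenancy. The statement lists, the compartment name and the OCIDs are constructed placeholders; the sample deliberately contains a define label typo so the script has something to report.

```python
import re
# Consistency check for paired OCI cross-tenancy policies (added example, not
# Oracle's code): each "endorse" in the SQL Endpoint's tenancy needs an "admit" for
# the same verb and resource in the bucket owner's tenancy, with labels defined.
DEFINE = re.compile(r"^define tenancy (\S+) as (\S+)$", re.I)
ENDORSE = re.compile(r"^endorse any-user to (\w+) (\S+) in tenancy (\S+)(?: where (.+))?$", re.I)
ADMIT = re.compile(r"^admit any-user of tenancy (\S+) to (\w+) (\S+) in "
                   r"(?:compartment \S+|tenancy)(?: where (.+))?$", re.I)
def labels(statements):
    return {m.group(1).lower() for s in statements for m in [DEFINE.match(s.strip())] if m}

def conditions(where):
    if not where:
        return frozenset()
    m = re.match(r"^ALL\s*\{(.*)\}$", where.strip(), re.I)
    return frozenset(re.sub(r"\s+", "", c) for c in (m.group(1) if m else where).split(",") if c.strip())

def check_cross_tenancy(endorsing, admitting):
    problems, admits = [], []
    for s in admitting:
        if m := ADMIT.match(s.strip()):
            label, verb, resource, where = m.groups()
            if label.lower() not in labels(admitting):
                problems.append(f"admit uses undefined tenancy label {label}")
            admits.append((verb.lower(), resource.lower(), conditions(where)))
    for s in endorsing:
        if m := ENDORSE.match(s.strip()):
            verb, resource, label, where = m.groups()
            if label.lower() not in labels(endorsing):
                problems.append(f"endorse uses undefined tenancy label {label}")
            # The admit may be stricter (e.g. add target.bucket.name) but must keep the endorse's conditions.
            if not any(v == verb.lower() and r == resource.lower() and conditions(where) <= c
                       for v, r, c in admits):
                problems.append(f"no admit matches endorse to {verb} {resource}")
    return problems

# Constructed sample mirroring the page's example; the OCIDs and compartment are placeholders.
PRINCIPAL = "request.principal.type='dataflowsqlendpoint', request.principal.id='ocid1.dataflowsqlendpoint.oc1..placeholder'"
TENANCY_A = [
    "define tenancy Tenancy-B as ocid1.tenancy.oc1..placeholder-b",
    f"endorse any-user to read buckets in tenancy Tenancy-B where ALL {{{PRINCIPAL}}}",
    f"endorse any-user to manage objects in tenancy Tenancy-B where ALL {{{PRINCIPAL}}}",
    "endorse any-user to read object-family in tenancy Tenancy-B where ALL {request.principal.type='datacatalogmetastore'}",
]
TENANCY_B = [
    "define tenancy Tenancy_A as ocid1.tenancy.oc1..placeholder-a",  # underscore instead of hyphen: label mismatch
    f"admit any-user of tenancy Tenancy-A to read buckets in compartment data where ALL {{{PRINCIPAL}}}",
    f"admit any-user of tenancy Tenancy-A to manage objects in compartment data where ALL {{target.bucket.name='your-bucket', {PRINCIPAL}}}",
    "admit any-user of tenancy Tenancy-A to read object-family in compartment data where ALL {request.principal.type='datacatalogmetastore'}",
]
```

Running check_cross_tenancy(TENANCY_A, TENANCY_B) reports the undefined Tenancy-A label once per admit statement; correcting the define to Tenancy-A yields an empty list, because the bucket-restricted admit is still at least as strict as its endorse.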