Setting Policies

Describes how to set your policies in Roving Edge Infrastructure in Oracle Cloud Infrastructure.

Before ordering your nodes and clusters (both standalone and station), you must set up your policies in Oracle Cloud Infrastructure to allow the required user access to various features and functionality associated with Roving Edge Infrastructure.

Note

The policy requirements are the same for both standalone clusters and station clusters. Any reference to a cluster applies to both types.

Allowing Access to Roving Edge Infrastructure Resources

Create policies with the following syntax to grant a group access to a compartment at the required level (manage, use, read, or inspect):

allow group group to manage|use|read|inspect rover-family in compartment oci_compartment

The following access options apply:

  • manage: create, list, get, update, delete

  • use: list, get, update

  • read: list, get

  • inspect: list

For example, if you wanted to allow a group of users to manage all Roving Edge Infrastructure resources in the compartment "finance" in Oracle Cloud Infrastructure, use the following:

allow group rover-admins to manage rover-family in compartment finance

Narrow the policy to Roving Edge Infrastructure nodes or clusters with either of the following:

allow group rover-admins to manage rover-nodes in compartment finance
allow group rover-admins to manage rover-clusters in compartment finance

Allowing Object Storage Access

This topic describes the steps required to allow Roving Edge Infrastructure to read buckets and objects in your compartments. The topic also describes how to allow Roving Edge Infrastructure to read Object Storage namespaces in your tenancy.

Setting this policy is required to grant the Roving Edge Infrastructure service read access to the buckets being attached as workloads in your node or cluster request. This read access policy allows the generation of a manifest file containing the information about the objects you want synced to your Roving Edge Infrastructure devices. Using our "finance" compartment example, the policy you set would be:

allow service rover to read object-family in compartment finance
allow service rover to read objectstorage-namespaces in tenancy

Note

Grant read access to every compartment that holds one of your workload buckets. For example, if you had two bucket workloads, one in compartment "finance" and the other in compartment "accounts," you would set this policy for both compartments.

Enabling Data Loading for Object Storage

This section describes how to enable data loading to read buckets and objects in your compartment.

Each Roving Edge Infrastructure node functions as a resource in Oracle Cloud Infrastructure and requires permission to read and write buckets in your compartments within your tenancy for data sync tasks. After a node or cluster is submitted for provisioning, create a dynamic group containing the single node or all the nodes in the cluster. See Managing Dynamic Groups for more information on how to create dynamic groups.

Set the simplest matching rule for a dynamic group as:

All {resource.type='rovernode'}

Grant this dynamic group a policy that allows it to read and write buckets, for example:

allow dynamic-group roving-edge-nodes to manage object-family in compartment finance

Note

Include manage in your policy to use the data sync feature on your cluster or node to create a bucket or upload objects to your bucket in Oracle Cloud Infrastructure.
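As an added example (not Oracle's code and not part of this documentation), the following Python script works through the policy statements described on this page: it parses statements written in the syntax shown above, maps each verb to the operations it grants, checks that a proposed policy set contains every statement this page asks for (generalised to any number of workload compartments, which the page only illustrates with "finance" and "accounts"), flags any statement that grants the rover service more than the read access the page calls for, and evaluates the dynamic-group matching rule against a node's attributes. The names rover-admins, roving-edge-nodes, finance and accounts are the page's own examples; the policy list and resource attributes are constructed sample input, and the rule evaluator supports only simple key='value' clauses, which is an assumption made here rather than OCI's full matching-rule grammar.

```python
import re
from typing import NamedTuple

# Operations each policy verb carries, as listed under "access options" on this page
VERB_OPERATIONS = {
    "inspect": {"list"},
    "read": {"list", "get"},
    "use": {"list", "get", "update"},
    "manage": {"list", "get", "update", "create", "delete"},
}

# Grammar of the statements shown on this page:
#   allow <group|dynamic-group|service> <name> to <verb> <resource> in <tenancy|compartment X>
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)


class Statement(NamedTuple):
    subject_type: str  # group, dynamic-group or service
    subject: str       # name of the group, dynamic group or service
    verb: str          # inspect, read, use or manage
    resource: str      # e.g. rover-family, object-family
    scope: str         # "tenancy" or "compartment <name>"


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError for anything outside the documented grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    scope = re.sub(r"\s+", " ", m["scope"].strip().lower())
    return Statement(m["subject_type"].lower(), m["subject"], m["verb"].lower(),
                     m["resource"].lower(), scope)


def required_statements(admin_group, rover_compartment, node_dynamic_group, workload_compartments):
    """The statements this page asks for, generalised to any number of workload compartments."""
    required = {
        Statement("group", admin_group, "manage", "rover-family", f"compartment {rover_compartment.lower()}"),
        Statement("service", "rover", "read", "objectstorage-namespaces", "tenancy"),
    }
    for comp in workload_compartments:
        scope = f"compartment {comp.lower()}"
        required.add(Statement("service", "rover", "read", "object-family", scope))
        required.add(Statement("dynamic-group", node_dynamic_group, "manage", "object-family", scope))
    return required


def missing_statements(policy_texts, admin_group, rover_compartment, node_dynamic_group, workload_compartments):
    """Return the required statements absent from policy_texts, sorted for stable output."""
    present = {parse_statement(t) for t in policy_texts}
    required = required_statements(admin_group, rover_compartment, node_dynamic_group, workload_compartments)
    return sorted(required - present)


def over_privileged_service_grants(policy_texts):
    """This page gives the rover service only read access; flag any statement that grants it more."""
    return [s for s in map(parse_statement, policy_texts)
            if s.subject_type == "service" and s.subject == "rover"
            and not VERB_OPERATIONS[s.verb] <= VERB_OPERATIONS["read"]]


def matches_rule(rule: str, attributes: dict) -> bool:
    """Evaluate a dynamic-group matching rule such as All {resource.type='rovernode'}
    against a resource's attributes. Simplification (assumption): only key='value' clauses."""
    m = re.match(r"^(?:(?P<mode>any|all)\s*\{(?P<body>[^}]*)\}|(?P<single>[^{}]+))$",
                 rule.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    mode = (m["mode"] or "all").lower()
    clauses = m["body"].split(",") if m["body"] is not None else [m["single"]]
    results = []
    for clause in clauses:
        key, _, value = clause.partition("=")
        results.append(attributes.get(key.strip()) == value.strip().strip("'"))
    return all(results) if mode == "all" else any(results)


# Constructed sample policy set: the four statements this page shows for compartment "finance"
EXAMPLE_POLICIES = [
    "allow group rover-admins to manage rover-family in compartment finance",
    "allow service rover to read object-family in compartment finance",
    "allow service rover to read objectstorage-namespaces in tenancy",
    "allow dynamic-group roving-edge-nodes to manage object-family in compartment finance",
]

if __name__ == "__main__":
    # A second workload bucket in "accounts" means two statements are still missing
    for s in missing_statements(EXAMPLE_POLICIES, "rover-admins", "finance", "roving-edge-nodes", ["finance", "accounts"]):
        print("missing:", s)
    print("rovernode matched:", matches_rule("All {resource.type='rovernode'}", {"resource.type": "rovernode"}))
```

Run it with a workload bucket in a second compartment and the output lists the two statements that still have to be written for that compartment (the rover service read grant and the dynamic group manage grant); an accidental `manage` grant to the rover service shows up in `over_privileged_service_grants`, since the manifest generation the page describes needs only read.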

What's Next?

After you have set up your policies, continue on to Requesting Devices.