Managing Resource Principals
You can manage Big Data Service cluster resource principals from the Cluster details page.
Only one active resource principal configuration is allowed per cluster.
Big Data Service 3.0.28 with ODH 1.1.13 (ODH 1) or ODH 2.0.9 (ODH 2) supports resource principals. Older clusters on at least Big Data Service 3.0.27, whether created directly at that version or upgraded to it, can be upgraded to a version that supports resource principals. To use resource principals, both Big Data Service and ODH must be at the versions listed previously or later. With resource principal support, a cluster authenticates to other OCI services as a resource principal instead of with user API keys stored on the nodes, and policies can be scoped at multiple levels (a single cluster, a compartment, and so on).
To manage Big Data Service cluster resource principals, see:
- Creating a Resource Principal
- Editing a Resource Principal
- Deleting a Resource Principal
- Regenerating a Resource Principal Token
- Getting Resource Principal Details
- Listing Resource Principals
A new resource principal session token is issued and distributed to all the nodes in the cluster in the following situations:
- Replacing a node
- Adding a node
Prerequisites
- Big Data Service 3.0.28 or later
- ODH 1.1.13 or later for ODH 1
- ODH 2.0.9 or later for ODH 2
- The update bds permission
For more information on Big Data Service policies, see Big Data Service Policies.
Example Policies
The following policies use any-user scoped by a resource principal condition; the same statements can also be written for a specific group or dynamic group instead of any-user.
Allow a specific Big Data Service cluster read-only access to all buckets and objects in the tenancy
allow any-user to read buckets in tenancy where ALL{request.principal.id='<BDS Cluster OCID>'}
allow any-user to read objects in tenancy where ALL{request.principal.id='<BDS Cluster OCID>'}
Allow a specific Big Data Service cluster read-only access to a specific bucket in the tenancy
allow any-user to read buckets in tenancy where ALL{request.principal.id='<BDS Cluster OCID>',target.bucket.name='<bucket-name>'}
allow any-user to read objects in tenancy where ALL{request.principal.id='<BDS Cluster OCID>',target.bucket.name='<bucket-name>'}
Allow all Big Data Service clusters in a specific compartment read-only access to buckets and objects in the tenancy
allow any-user to read buckets in tenancy where ALL{request.resource.compartment.id='<Compartment OCID of BDS Clusters>', request.principal.type='bigdataservice'}
allow any-user to read objects in tenancy where ALL{request.resource.compartment.id='<Compartment OCID of BDS Clusters>', request.principal.type='bigdataservice'}
Allow a Big Data Service cluster read-only access to buckets and objects in a different tenancy (cross-tenancy access)
Policies required in the source tenancy, where the Big Data Service cluster is created:
Define tenancy <Target-Tenancy-Name> as <Target-Tenancy-OCID>
Endorse any-user to read object-family in tenancy <Target-Tenancy-Name>
Endorse any-user to read buckets in tenancy <Target-Tenancy-Name>
Endorse any-user to read objects in tenancy <Target-Tenancy-Name>
Policies required in the target tenancy, where the resources are accessed:
Define tenancy <Source-BDS-Cluster-Tenancy-Name> as <Source-BDS-Cluster-Tenancy-OCID>
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read object-family in tenancy where request.principal.id='<BDS Cluster OCID>'
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read buckets in tenancy where request.principal.id='<BDS Cluster OCID>'
Admit any-user of tenancy <Source-BDS-Cluster-Tenancy-Name> to read objects in tenancy where request.principal.id='<BDS Cluster OCID>'
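The statements above all follow one pattern: an any-user grant that is narrowed by a resource principal attribute (request.principal.id, request.principal.type or request.resource.compartment.id), combined with ALL{...} when a target condition such as the bucket name is added. The following Python lint, added here as an example and not Oracle's code, checks a set of allow statements for exactly that pattern: an any-user grant without any resource principal condition, ANY{...} where several conditions are combined, a principal type other than 'bigdataservice', leftover <placeholder> values, and a verb broader than read. It accepts only allow statements (the endorse and admit statements of the cross-tenancy example are reported as unparsed), and the OCID in the sample is a constructed value.

```python
import re

# Attributes Big Data Service resource principals expose for scoping
# (see "Supported Attributes" on this page).
SCOPING_ATTRIBUTES = (
    "request.principal.id",
    "request.principal.type",
    "request.resource.compartment.id",
    "request.resource.tenancy.id",
)

# allow <subject> to <verb> <resource> in tenancy|compartment <name> [where <cond>]
_ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
_COND_RE = re.compile(r"(?P<attr>[\w.-]+)\s*=\s*'(?P<value>[^']*)'")


def parse_conditions(cond):
    """Split a where clause such as ALL{request.principal.id='...', target.bucket.name='x'}
    into (combinator, {attribute: value}); combinator is 'ALL', 'ANY' or None."""
    if cond is None:
        return None, {}
    head = cond.strip().upper()
    combinator = "ALL" if head.startswith("ALL{") else "ANY" if head.startswith("ANY{") else None
    values = {m.group("attr").lower(): m.group("value") for m in _COND_RE.finditer(cond)}
    return combinator, values


def lint_policy(statement):
    """Return (code, detail) findings for one allow statement; [] means it passes."""
    m = _ALLOW_RE.match(statement)
    if not m:
        return [("UNPARSED", "not an 'allow <subject> to <verb> <resource> in <scope>' statement")]
    subject = m.group("subject").strip().lower()
    verb = m.group("verb").lower()
    combinator, conds = parse_conditions(m.group("cond"))
    findings = []

    # any-user with no resource principal attribute in the condition is an
    # unscoped grant: every authenticated principal in the tenancy gets it.
    if subject == "any-user" and not any(a in conds for a in SCOPING_ATTRIBUTES):
        findings.append(("UNSCOPED_ANY_USER", "add a request.principal.* or request.resource.* condition"))
    # ANY{a, b} is a OR b, so a target condition no longer narrows the principal.
    if combinator == "ANY" and len(conds) > 1:
        findings.append(("ANY_COMBINATOR", "ANY{...}: one matching condition is enough; use ALL{...}"))
    if conds.get("request.principal.type") not in (None, "bigdataservice"):
        findings.append(("UNEXPECTED_PRINCIPAL_TYPE", conds["request.principal.type"]))
    for attr, value in conds.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append(("PLACEHOLDER", f"{attr}={value}"))
        elif attr.endswith(".id") and not value.startswith("ocid1."):
            findings.append(("NOT_AN_OCID", f"{attr}={value}"))
    if verb in ("use", "manage"):
        findings.append(("WRITE_VERB", f"'{verb}' grants more than the read-only access shown above"))
    return findings


def lint_policies(statements):
    """Lint several statements; returns {statement: findings} for those with findings."""
    report = {s: lint_policy(s) for s in statements}
    return {s: f for s, f in report.items() if f}


if __name__ == "__main__":
    # Constructed examples; the OCID is a made-up value, not a real cluster.
    sample = [
        "allow any-user to read objects in tenancy",
        "allow any-user to read objects in tenancy where ALL{request.principal.id='<BDS Cluster OCID>'}",
        "allow any-user to read objects in tenancy where ANY{request.principal.id='ocid1.bigdataservice.oc1.iad.example', target.bucket.name='logs'}",
        "allow any-user to read objects in tenancy where ALL{request.principal.id='ocid1.bigdataservice.oc1.iad.example', target.bucket.name='logs'}",
    ]
    for stmt, findings in lint_policies(sample).items():
        print(stmt)
        for code, detail in findings:
            print(f"  {code}: {detail}")
```

Run it against the statements you are about to create; only the last of the four sample statements passes, because it names the cluster, uses ALL{...} and carries no placeholder.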
Resource Principal Required IAM Policy
To monitor resource principal session token (RPST) metrics, you must be granted the required access through a policy written by an administrator. The policy must allow access to the Monitoring service for the specific Big Data Service compartments being monitored.
If you receive a permission denied or unauthorized error, verify that:
- The access policy includes oci_monitoring permissions.
- You're working in the correct compartment.
Reference: See Monitoring IAM Policy for details on required permissions and compartment access.
Resource Principal Metrics
For more information on resource principal metrics, see Available Metrics: oci_big_data_service.
RPST metrics use cases and combined monitoring scenarios:
Metric: ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold
Purpose:
Used to proactively monitor RPST tokens that are nearing expiration (beyond 80% of their lifespan) on a per-node basis.
Use this metric when:
- You want to identify tokens that expire soon.
- You need to trigger alerts before actual token expiry to avoid disruptions.
- You want to allow buffer time for automated or manual token regeneration.
Sample Query:
ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold[2h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqa7h57hcu6f5pvxpwl6j5u2ipl3qqdcavjlqyixtgjjiva"}.count()
Metric: ResourcePrincipalSessionTokenStatus
Purpose:
Used to detect critical token issues, such as an RPST that is expired or missing, on a per-node basis.
Use this metric when:
- You want to perform real-time health checks on token availability.
- You want to take immediate action if a node has a broken or expired token.
- You want to classify the failure type: the metric value is 1 for expired and 2 for missing.
Sample Query:
ResourcePrincipalSessionTokenStatus[30m]{resourceId = "ocid1.instance.oc1.iad.anuwcljtanx7lvqc7uvyibak2qlvjwvzz4mtb6qiusn6x4zsvpx4kpfydczq"}.count()
Metric: ResourcePrincipalTokenRefreshedInLast30Mins
Purpose:
Used to track whether RPSTs have been refreshed recently, evaluated at the cluster level. If ResourcePrincipalSessionTokenStatus reports an expired or missing token on any node, this metric is expected to be true, showing that a refresh was issued; if it is false, token renewal is not running and the token should be regenerated.
Use this metric when:
- You want to ensure periodic token renewal jobs are running successfully.
- You want a cluster-level heartbeat indicating token management is functioning correctly.
- You want to detect stale tokens across all nodes if this metric is false.
Sample Query:
ResourcePrincipalTokenRefreshedInLast30Mins[30m]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqac7xojchf2vjmbeudlixrqmjvjct7oioj34otatnibfka"}.max()
Proactive Monitoring + Immediate Remediation
Objective: Detect tokens nearing expiry and ensure none are missing or expired.
Use the following metrics together:
ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold
ResourcePrincipalSessionTokenStatus
Sample queries (evaluate the following together):
Query 1:
ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold[12h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.grouping().count()
Query 2:
ResourcePrincipalSessionTokenStatus[12h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.count()
Health Check with Refresh Validation
Objective: Confirm that all tokens are refreshed periodically and that there are no expired/missing tokens.
Use the following metrics together:
ResourcePrincipalTokenRefreshedInLast30Mins
ResourcePrincipalSessionTokenStatus
Sample queries (evaluate the following together):
Query 1:
ResourcePrincipalTokenRefreshedInLast30Mins[30m]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqac7xojchf2vjmbeudlixrqmjvjct7oioj34otatnibfka"}.max()
Query 2:
ResourcePrincipalSessionTokenStatus[12h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.count()
Cluster Readiness Verification
Objective: Ensure all nodes are ready (tokens active, recently refreshed, no upcoming expiry).
Use all three metrics together:
ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold
ResourcePrincipalSessionTokenStatus
ResourcePrincipalTokenRefreshedInLast30Mins
Sample queries (evaluate the following together):
Query 1:
ResourcePrincipalTokenExpiryTimeExceeding80PercentThreshold[12h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.grouping().count()
Query 2:
ResourcePrincipalSessionTokenStatus[12h]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.count()
Query 3:
ResourcePrincipalTokenRefreshedInLast30Mins[30m]{clusterOcid = "ocid1.preprod-bigdataservice.oc1.iad.amaaaaaamn67ujqalm2xprcarkhihwcnih3lkinktmmjmqqrutqzkukpswiq"}.max()
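The three scenarios above describe how to combine the metrics but leave the decision logic to the reader. The following Python, added here as an example and not part of Oracle's documentation or SDK, composes queries in the form of the samples above and applies the "Cluster Readiness Verification" scenario to per-node datapoints: it takes the latest value per node, classifies nodes as expiring soon (a value above 0, which is an assumption about how the 80% metric is reported), expired (value 1) or missing (value 2), and combines that with the cluster-level refresh flag to choose an action. The summarize() helper shows the Monitoring API call from a cluster node using the resource principal signer; it needs the oci SDK, network access and a Monitoring read policy, and the sample does not exercise it. All datapoints in the sample are constructed.

```python
TOKEN_STATUS_EXPIRED = 1   # ResourcePrincipalSessionTokenStatus value for an expired RPST (page)
TOKEN_STATUS_MISSING = 2   # ResourcePrincipalSessionTokenStatus value for a missing RPST (page)
NAMESPACE = "oci_big_data_service"


def build_mql(metric, window, dimensions, aggregation="count()"):
    """Compose a query in the form of the samples on this page:
    metric[window]{dim = "value", ...}.aggregation"""
    dims = ", ".join(f'{k} = "{v}"' for k, v in dimensions.items())
    return f"{metric}[{window}]{{{dims}}}.{aggregation}"


def latest_by_node(points):
    """Reduce {resourceId, timestamp, value} datapoints to the newest value per node
    (resourceId is the node's instance OCID, as in the per-node sample query)."""
    latest = {}
    for p in points:
        node = p["resourceId"]
        if node not in latest or p["timestamp"] > latest[node]["timestamp"]:
            latest[node] = p
    return {node: p["value"] for node, p in latest.items()}


def assess_cluster(expiry_points, status_points, refreshed_points):
    """Apply the Cluster Readiness Verification scenario: all three metrics together."""
    expiry = latest_by_node(expiry_points)
    status = latest_by_node(status_points)
    # Cluster-level metric: any value above 0 in the window means a refresh was issued.
    refreshed = any(p["value"] > 0 for p in refreshed_points)

    # Assumption: the 80 % metric reports a value above 0 for a node over the threshold.
    expiring = sorted(n for n, v in expiry.items() if v > 0)
    expired = sorted(n for n, v in status.items() if v == TOKEN_STATUS_EXPIRED)
    missing = sorted(n for n, v in status.items() if v == TOKEN_STATUS_MISSING)

    if (expired or missing) and not refreshed:
        verdict = "regenerate_token_now"        # renewal did not run; a node has no usable token
    elif expired or missing:
        verdict = "refresh_ran_recheck_nodes"   # a refresh was issued but a node still reports a bad token
    elif expiring:
        verdict = "regenerate_token_proactively"
    else:
        verdict = "ready"
    return {"verdict": verdict, "expiring": expiring, "expired": expired,
            "missing": missing, "refreshed_recently": refreshed}


def points_from_metric_data(metric_data):
    """Flatten the MetricData objects returned by summarize_metrics_data() into the
    dict form assess_cluster() consumes."""
    points = []
    for md in metric_data:
        node = md.dimensions.get("resourceId")
        for dp in md.aggregated_datapoints:
            points.append({"resourceId": node, "timestamp": dp.timestamp, "value": dp.value})
    return points


def summarize(compartment_id, query, start_time, end_time):
    """Run one query through the Monitoring API from a cluster node, authenticating
    as the cluster's resource principal. Needs the oci SDK, network access and a
    policy that allows reading metrics (see the IAM section above); not run offline."""
    import oci  # imported lazily so the rest of this file works without the SDK
    signer = oci.auth.signers.get_resource_principals_signer()
    client = oci.monitoring.MonitoringClient(config={}, signer=signer)
    details = oci.monitoring.models.SummarizeMetricsDataDetails(
        namespace=NAMESPACE, query=query, start_time=start_time, end_time=end_time)
    return client.summarize_metrics_data(compartment_id, details).data


if __name__ == "__main__":
    # Constructed datapoints: node n1 recovered after an expired token, n2 has no token,
    # and the cluster reports no refresh in the last 30 minutes.
    status = [{"resourceId": "n1", "timestamp": 1, "value": TOKEN_STATUS_EXPIRED},
              {"resourceId": "n1", "timestamp": 2, "value": 0},
              {"resourceId": "n2", "timestamp": 2, "value": TOKEN_STATUS_MISSING}]
    print(build_mql("ResourcePrincipalSessionTokenStatus", "30m", {"clusterOcid": "ocid1.example"}))
    print(assess_cluster([], status, []))
```

In practice, feed points_from_metric_data(summarize(...)) for each of the three queries into assess_cluster(); a "regenerate_token_now" verdict maps to the Regenerating a Resource Principal Token procedure, while "refresh_ran_recheck_nodes" means the refresh was issued but a node has not picked up the new token yet, so re-evaluate before regenerating again.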
Supported Attributes
The following attributes are supported by Big Data Service resource principals. They can be used both in policy conditions and in dynamic group matching rules. When you add or change a dynamic group rule that uses resource principal attributes, regenerate the resource principal token for the change to take effect.
- request.principal.id: The resource principal ID. The value is the same as the Big Data Service cluster ID and is used for isolation at the level of a specific cluster.
- request.resource.compartment.id: The compartment ID of the Big Data Service cluster, used for compartment-level isolation.
- request.resource.tenancy.id: The tenancy ID of the Big Data Service cluster, used for tenancy-level isolation.
- request.principal.type: The Big Data Service resource principal type. For all Big Data Service resource principals the value is 'bigdataservice'.