Manually Configuring a Data Science Tenancy

In this tutorial, you set up your tenancy for Data Science and test it by creating a notebook session.

This tutorial is directed at administrator users because they are granted the required access permissions.

In this tutorial, you are:

1. Creating a Data Scientists User Group.

2. Creating a Compartment for Your Work.

3. Creating a VCN and Subnet.

4. Creating Policies.

5. Creating a Dynamic Group and Writing Policies for it.

6. Creating a Notebook Session.

Before You Begin

To perform this tutorial, you must have the following:

A paid Oracle Cloud Infrastructure (OCI) account, or a new account with Oracle Cloud promotions. See Request and Manage Free Oracle Cloud Promotions.
Administrator privilege for the OCI account.
At least one user in your tenancy who wants to access the Data Science service. This user must be created in IAM.

1. Creating a Data Scientists User Group

Create a user group for the data scientists to work in.

Open a supported browser and enter the Console URL:
```
https://cloud.oracle.com
```
Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
Sign in with your user name and password.
Open the navigation menu and click Identity & Security. Under Identity, click Groups.

A list of the groups in your tenancy displays.
Click Create Group.
Name the new group data-scientists, and enter a description.
Click Create.
You are advanced to the data-scientists group detail page that you created.
Click Add User to Group.
Select a user to add, and then click Add.

The selected user is added and appears in the group member list.
Repeat adding data scientist users until all of your users are added to the data-scientists group you created.

A list of the users in the data-scientists group displays.

2. Creating a Compartment for Your Work

Create a compartment for your data science resources.

Open the navigation menu and click Identity & Security. Under Identity, click Compartments.
Click Create Compartment.
Name the new compartment data-science-work, and enter a description.
Click Create Compartment.

The data-science-work compartment is created, and added to the compartments list when it successfully creates.

3. Creating a VCN and Subnet

Create a virtual cloud network (VCN) for use by the Data Science service.

Note

For a private subnet to have egress access to the internet, it must have a route to a NAT Gateway. For egress access to the public internet, we recommend that you use a private subnet with a route to a NAT Gateway. A NAT gateway gives instances in a private subnet access to the internet.

Open the navigation menu and click Networking and then click Virtual Cloud Networks.
Select the compartment that you want to create the VCN in.
Click Start VCN Wizard.
Ensure that Create VCN with Internet Connectivity is selected, and then click Start VCN Wizard.
Enter datascience-vcn for the VCN Name.
Select the data-science-work compartment. This compartment hosts the VCN you are creating. It takes time for this new compartment to be populated in the drop-down list, so refresh the page until it appears.
Click Next.
Use the defaults for the Configure VCN and Subnets section.
Ensure that Use DNS Hostnames in this VCN is selected.
Click Next.

A review of the VCN configuration is displayed.
Click Create to create the VCN and the related resources (a public and a private subnet, an internet gateway, a NAT gateway, and a service gateway).

Use this VCN and its private subnet when you create your notebook session.
Click View Virtual Cloud Network to review your VCN and subnets.

4. Creating Policies

Before users start their notebook sessions, you have to configure the Data Science policies.

Open the navigation menu and click Identity & Security. Under Identity, click Policies.
Click Create Policy.
Enter data-science-policy for the Name.
Enter Policy for data science users and service as the Description.
Select the data-science-work compartment.
Click Show manual editor.
Enter these five policy statements into the Policy Builder field:
To allow the Data Science service to attach your VCN to your notebook session and route egress traffic from the notebook environment:
```
allow service datascience to use virtual-network-family in compartment data-science-work
```
To allow the data-scientists group to perform operations on all Data Science resources (projects, notebook sessions, models, model deployments, work requests, jobs, and job runs) that are found in the data-science-work compartment:
```
allow group data-scientists to manage data-science-family in compartment data-science-work
```
To allow those data scientists to use the VCN, you created and attach it to their notebook session:
```
allow group data-scientists to use virtual-network-family in compartment data-science-work 
```
To allow those data scientists to create and manage buckets, such as adding artifacts and conda environments to buckets:
```
allow group data-scientists to manage buckets in compartment data-science-work 
```
```
allow group data-scientists to manage objects in compartment data-science-work 
```
Note

Instead of specifying access to individual services, to allow data-scientists to manage all OCI resources in the data-science-work compartment, replace the preceding five policies with the following two policies:
```
allow group data-scientists to manage all-resources in compartment data-science-work 
```
```
allow service datascience to use virtual-network-family in compartment data-science-work
```
Click Create to create your policy.

5. Creating a Dynamic Group and Writing Policies for it

Create a dynamic group for Data Science resources and allow this dynamic group to access other OCI resources, such as Object Storage and Logging.

To give permission to OCI resources to access other OCI resources, first, you add the resources to a dynamic group, instead of a user group. Then you write policies to allow the dynamic group to access specified resources. Here, your dynamic group has three Data Science resources: notebook sessions, model deployments, and job runs.

Open the navigation menu and click Identity & Security. Under Identity, click Compartments.
Click the data-science-work compartment.
The compartment details page is displayed.
Click Copy to save the entire OCID to your notepad.
Click Compartments to return to the list of compartments.
Click Dynamic Groups.
Click Create Dynamic Group.
Enter the following:
- Name: data-science-dynamic-group
- Description: Data Science dynamic group
Enter the following three matching rules. Replace <compartment-ocid> with the compartment OCID you copied.
```
ALL {resource.type='datasciencenotebooksession', resource.compartment.id='<compartment-ocid>'}
```
The preceding matching rule means that all notebook sessions created in your compartment are added to data-science-dynamic-group.
```
ALL {resource.type='datasciencemodeldeployment', resource.compartment.id='<compartment-ocid>'}
```
The preceding matching rule means that all model deployments created in your compartment are added to data-science-dynamic-group.
```
ALL {resource.type='datasciencejobrun', resource.compartment.id='<compartment-ocid>'}
```
The preceding matching rule means that all job runs created in your compartment are added to data-science-dynamic-group.
Click Create.

Next, write policies to allow resources of this dynamic group to access other OCI services.
Click Policies.
Click Create Policy.
Enter the following:
- Name: data-science-dynamic-group-policy
- Description: Policy for the Data Science dynamic group
Instead of the data-science-work compartment, select the top-most compartment, which is your tenancy.
Click Show manual editor.
Enter the following policy statements into the Policy Builder field:
To allow the notebook sessions to perform CRUD operations on entries in the model catalog, projects, and notebook session resources:
```
allow dynamic-group data-science-dynamic-group to manage data-science-family in compartment data-science-work
```
To allow notebook sessions to perform CRUD operations on Data Flow applications and runs:
```
allow dynamic-group data-science-dynamic-group to manage dataflow-family in compartment data-science-work
```
To allow notebook sessions to list and read compartments and user names that are in the tenancy:
```
allow dynamic-group data-science-dynamic-group to read compartments in tenancy
```
```
allow dynamic-group data-science-dynamic-group to read users in tenancy
```
To allow model deployments to emit logs to the Logging service:
```
allow dynamic-group data-science-dynamic-group to use log-content in compartment data-science-work
```
To allow job runs to create logs and record job run details in the Logging service:
```
allow dynamic-group data-science-dynamic-group to use log-groups in compartment data-science-work
```
To allow notebook sessions and model deployments to read and write files to object storage buckets, in the data-science-work compartment:
```
allow dynamic-group data-science-dynamic-group to manage object-family in compartment data-science-work
```
Note
- The preceding policy allows model deployments to access any bucket in the data-science-work compartment.
- To give model deployments read access to specific buckets outside the data-science-work compartment, specify the bucket names and their compartments in your policy.
- Example: To allow model deployments to access published conda environments from bucket published-conda-env, and model artifacts from bucket model-artifacts:
  allow dynamic-group data-science-dynamic-group to read objects in compartment <another-compartment> where ANY {target.bucket.name='published-conda-envs', target.bucket.name='model-artifacts'}
- In the Create Policy page, if your policies mention tenancy or include compartments outside the data-science-work compartment, then for Compartment, select the <your-tenancy> (root).
Click Create to create the policy.
You can use this dynamic group to give notebook sessions and model deployments that are in the data-science-work compartment, access to other OCI resources in the tenancy.

6. Creating a Notebook Session

Lastly, create a notebook session and test its access to the public internet.

Open the navigation menu and click Analytics & AI. Under Machine Learning, click Data Science.
Click Create Project.
Select the data-science-work compartment.
(Optional) Enter Initial Project for the Name.
(Optional) Enter my first project for the Description.
Click Create.

The project details page appears.
Click Create notebook session.
Ensure that the data-science-work compartment is selected.
(Optional) Enter my-first-notebook-session for the Name.
Click Select , select Intel, and then VM.Standard2.8 for the Compute shape.
Enter 100 for the Block storage size to attach to your virtual machine.
Click Custom networking, and select the datascience-vcn VCN and Private Subnet-datascience-vcn subnet to route egress traffic from your notebook session.
Click View detail page on clicking create.
Click Create to create your first notebook session.

You are advanced to the notebook sessions page. Creating the notebook session takes a few minutes. When it completes, the status turns to Active, and you can open the notebook session.
Click Open.
Enter your Oracle Cloud Infrastructure credentials to access the JupyterLab UI.
Click Terminal to perform a simple test to check that you can access the public internet from your notebook session.
Run this command:
```
wget --spider https://www.oracle.com
```
You should see a response similar to:

The HTTP request sent, awaiting response... 200 OK indicates a successful test and you have public internet access in your notebook session.

What's Next

You have successfully set up a Data Science tenancy and created a Data Science project that includes a notebook session. You can now proceed to the following tasks:

Oracle Cloud Infrastructure Documentation