JMS Fleets Policy Statements

A policy specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. A policy allows a group to work in certain ways with specific types of resources in a particular compartment.

This section describes the different policy statements that are created as part of Setting Up Oracle Cloud Infrastructure for Fleets and Enabling Advanced Features.

Manage OCI resources required for JMS Fleets

The following policies allow the users in the user group to access and manage JMS Fleets, management agents, metrics, and tag namespaces:

ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO READ METRICS IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE tag-namespaces IN TENANCY

Monitor workloads on OCI

The following policies are used to monitor workloads on OCI:

ALLOW GROUP FLEET_MANAGERS TO MANAGE instance-family IN COMPARTMENT <instance_compartment>
ALLOW GROUP FLEET_MANAGERS TO READ instance-agent-plugins IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policies for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets separately.

Management agent install keys

The following policies allow JMS Fleets and the user group to manage management agent install keys:

ALLOW resource jms server-components TO USE management-agent-install-keys IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agent-install-keys IN COMPARTMENT Fleet_Compartment

Management agent communication

The following policies enable the management agents to interact with JMS Fleets, allow JMS Fleets to store monitoring data in your tenancy, and use tag namespaces:

ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE METRICS IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW resource jms server-components TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE tag-namespaces IN TENANCY

Log configuration

The following policies allow JMS Fleets to interact with the OCI Logging service to set up log configuration for fleets in the compartment:

ALLOW resource jms server-components TO MANAGE log-groups IN COMPARTMENT Fleet_Compartment
ALLOW resource jms server-components TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE log-content IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE log-groups IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE log-content IN COMPARTMENT Fleet_Compartment

Set up OCI Linux instance for JMS Fleets

Note

This policy grants the dynamic group JMS_DYNAMIC_GROUP privileges to manage all OCI instances in the compartment. The installation script requires this policy to be present in order to configure the management agent on OCI Linux instances correctly, and it must be present for each execution of the installation script. When installation is complete, you may change the policy permission from MANAGE to USE.

The following policy is used to set up OCI Linux instances using the installation script:

ALLOW dynamic-group JMS_DYNAMIC_GROUP TO MANAGE instances IN COMPARTMENT <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policies for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets separately.
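The notes above leave two things to the operator: replacing the <instance_compartment> placeholder in every statement, and lowering the dynamic group's MANAGE instances grant to USE once the installation script has run. The following Python script is an added example (not Oracle's code or tooling) that parses statements written in the ALLOW ... TO ... IN ... [WHERE ...] form shown on this page and flags unreplaced placeholders, tenancy-wide grants, and the post-install downgrade candidate. It assumes only that grammar and OCI's verb ordering INSPECT < READ < USE < MANAGE; compartment inheritance is not modelled, so a statement matches a compartment only by exact name or through TENANCY. The sample statements are copied from this page; the wrapped statement and the unreplaced placeholder are deliberate.

```python
"""Parse and audit OCI IAM policy statements of the kind used for JMS Fleets.

Added example, not Oracle's code or tooling. Assumes only the statement
grammar visible on the page and OCI's verb ordering (INSPECT < READ < USE
< MANAGE). Compartment inheritance is not modelled.
"""
import re
from dataclasses import dataclass
from typing import Optional

VERB_RANK = {"INSPECT": 0, "READ": 1, "USE": 2, "MANAGE": 3}
PLACEHOLDER_RE = re.compile(r"<[^>]+>")            # e.g. <instance_compartment>

STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+"
    r"(?P<subject>GROUP\s+\S+|DYNAMIC-GROUP\s+\S+|RESOURCE\s+\S+\s+\S+|ANY-USER)"
    r"\s+TO\s+(?P<verb>INSPECT|READ|USE|MANAGE)\s+(?P<resource>\S+)"
    r"\s+IN\s+(?P<scope>TENANCY|COMPARTMENT\s+\S+)"
    r"(?:\s+WHERE\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject: str              # keyword upper-cased, name as written
    verb: str                 # INSPECT / READ / USE / MANAGE
    resource: str             # lower-cased resource type, e.g. "instances"
    scope: str                # "TENANCY" or "COMPARTMENT <name>"
    condition: Optional[str]  # text after WHERE, if any


def _keyword_upper(phrase: str) -> str:
    """Upper-case the leading keyword, keep the identifier as written."""
    parts = phrase.split()
    return " ".join([parts[0].upper()] + parts[1:])


def parse_statement(line: str) -> Statement:
    m = STATEMENT_RE.match(line)
    if not m:
        raise ValueError(f"not a policy statement: {line!r}")
    return Statement(
        subject=_keyword_upper(m["subject"]),
        verb=m["verb"].upper(),
        resource=m["resource"].lower(),
        scope=_keyword_upper(m["scope"]),
        condition=m["condition"],
    )


def parse_policy(text: str) -> list:
    """Parse a block of statements. A statement may wrap onto following
    lines; prose such as a 'Note' line between statements is skipped."""
    statements = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("ALLOW "):
            pending = line
        elif pending is not None:
            pending += " " + line            # continuation of a wrapped statement
        else:
            continue                         # non-statement text between entries
        if STATEMENT_RE.match(pending):
            statements.append(parse_statement(pending))
            pending = None
    if pending is not None:
        raise ValueError(f"incomplete statement: {pending!r}")
    return statements


def audit(statements) -> list:
    """Return (kind, statement) pairs a reviewer should look at."""
    findings = []
    for s in statements:
        if PLACEHOLDER_RE.search(s.scope):
            findings.append(("placeholder", s))        # <...> never replaced
        if s.scope == "TENANCY":
            findings.append(("tenancy_wide", s))       # applies to every compartment
        if (s.subject.startswith("DYNAMIC-GROUP") and s.verb == "MANAGE"
                and s.resource == "instances"):
            # needed only while the install script runs; lower to USE afterwards
            findings.append(("downgrade_candidate", s))
    return findings


def effective_verb(statements, subject: str, resource: str, compartment: str) -> Optional[str]:
    """Highest verb `subject` holds on `resource` in `compartment`
    (matched by exact compartment name or via a TENANCY-scoped statement)."""
    want = " ".join(subject.split()).upper()
    best = None
    for s in statements:
        if s.subject.upper() != want or s.resource != resource.lower():
            continue
        if s.scope not in ("TENANCY", f"COMPARTMENT {compartment}"):
            continue
        if best is None or VERB_RANK[s.verb] > VERB_RANK[best]:
            best = s.verb
    return best


# Constructed sample: statements from the page, one wrapped across two
# lines and one placeholder left unreplaced on purpose.
SAMPLE_POLICY = """\
ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE tag-namespaces IN TENANCY
ALLOW resource jms server-components TO MANAGE metrics IN COMPARTMENT Fleet_Compartment WHERE target.metrics.namespace='java_management_service'
ALLOW dynamic-group JMS_DYNAMIC_GROUP TO MANAGE instances IN
    COMPARTMENT <instance_compartment>
Note
ALLOW resource jms SERVER-COMPONENTS TO READ instances in compartment <instance_compartment>
"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    for kind, s in audit(stmts):
        print(f"{kind:20} {s.subject} {s.verb} {s.resource} IN {s.scope}")
    print("FLEET_MANAGERS on tag-namespaces in Fleet_Compartment:",
          effective_verb(stmts, "GROUP FLEET_MANAGERS", "tag-namespaces", "Fleet_Compartment"))
```

Run it against the statements you are about to apply (paste them into SAMPLE_POLICY or read a file). A "placeholder" finding means a statement still carries a literal <instance_compartment>; a "downgrade_candidate" finding is the grant the note above says to lower to USE after installation.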

Perform Advanced Features

JMS requires certain policies to enable and carry out advanced features in your fleet.

The following policies allow JMS to read from and write to Object Storage:

ALLOW dynamic-group JMS_DYNAMIC_GROUP to MANAGE object-family in compartment Fleet_Compartment
ALLOW group FLEET_MANAGERS to MANAGE object-family in compartment Fleet_Compartment
ALLOW resource jms SERVER-COMPONENTS to MANAGE object-family in compartment Fleet_Compartment

JMS requires the following policies to work with OCI Linux instances:

ALLOW resource jms SERVER-COMPONENTS TO READ instances in compartment <instance_compartment>
ALLOW resource jms SERVER-COMPONENTS TO INSPECT instance-agent-plugins in compartment <instance_compartment>

Note

  1. Replace <instance_compartment> with the name of the compartment that contains the OCI Linux instances that you want to monitor with JMS Fleets.
  2. You need to apply these policies for each compartment that has OCI Linux instances that you want to monitor with JMS Fleets separately.