Configure Settings
This topic will cover how to configure the tenancy with IAM permissions, Dynamic Groups, OCI Object Storage Service, and VM instances.
Set Up an Object Bucket
The bucket used for this solution is a plain Object Storage bucket created with the Standard default storage tier, because a Standard bucket supports all three object tiers: Standard, Infrequent Access, and Archive. This lets objects move down a tier as they age, ending in the lowest-cost Archive tier, where they are retained until the specified time frame has passed.
To this bucket we add a Retention Rule, which prevents objects from being modified or deleted for the retention period once they have been written. The rule is left unlocked until testing is complete: an unlocked rule still enforces retention but can itself be edited or removed, whereas locking is irreversible (a locked rule cannot be deleted and its duration can only be increased), so lock it only once the tier rules and the access permissions have been verified.
Additionally, we add Object Lifecycle Rules that automatically change each object's storage tier according to the retention requirements. Lifecycle rules run under the Object Storage service's own identity, so the tenancy needs a policy of the form allow service objectstorage-<region_identifier> to manage object-family in compartment <compartment> before they take effect. Once an object has moved to the Archive tier it is no longer immediately readable; it must first be restored ("recalled"), and the restore is not instantaneous. Triggering that restore can be done through an OCI Function, a script, or some external process, which still needs to be designed.
Finally, once the OCID and name of the bucket are known, we can set narrow permissions on the dynamic groups that will be accessing the bucket. These policy statements can take advantage of OCI's advanced policy predicates, such as target.bucket.name.
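The bucket setup described above, as an added example that is not part of the original page: it creates the bucket with the OCI CLI, puts the Standard -> Infrequent Access -> Archive lifecycle rules on it together with an unlocked retention rule, and keeps the lock as a separate step to run only after testing. The bucket name, compartment OCID, tier ages and retention period are placeholders, and the CLI is assumed to be configured for a user who may manage buckets in that compartment.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: create the bucket with the OCI
# CLI, attach the tier-transition lifecycle rules and an UNLOCKED retention rule,
# and keep the lock as a separate step to run only after testing.
# Assumptions: bucket name, compartment OCID, tier ages and the retention period
# are placeholders; the CLI is configured for a user allowed to manage buckets.
# Lifecycle rules also need the service policy
#   allow service objectstorage-<region_identifier> to manage object-family in compartment <compartment>
# or the transitions never run.
set -eu

BUCKET="${BUCKET:-archive-bucket-1}"
COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..example}"   # placeholder
RETENTION_YEARS="${RETENTION_YEARS:-7}"

# The --items payload for `oci os object-lifecycle-policy put`.
# $1 = days until Standard -> Infrequent Access, $2 = days until -> Archive.
lifecycle_policy_json() {
  cat <<EOF
[
 {"name": "to-infrequent-access", "action": "INFREQUENT_ACCESS", "timeAmount": $1,
  "timeUnit": "DAYS", "isEnabled": true, "target": "objects"},
 {"name": "to-archive", "action": "ARCHIVE", "timeAmount": $2,
  "timeUnit": "DAYS", "isEnabled": true, "target": "objects"}
]
EOF
}

# Archive must come after Infrequent Access, otherwise the first rule never fires.
lifecycle_ages_valid() {
  [ "$1" -gt 0 ] && [ "$2" -gt "$1" ]
}

create_bucket_and_rules() {
  lifecycle_ages_valid "$1" "$2" || { echo "tier ages must satisfy 0 < ia < archive" >&2; return 1; }
  # Standard default tier: objects may sit in any of the three tiers.
  oci os bucket create --name "$BUCKET" --compartment-id "$COMPARTMENT_ID" --storage-tier Standard
  oci os object-lifecycle-policy put --bucket-name "$BUCKET" --items "$(lifecycle_policy_json "$1" "$2")"
  # Unlocked rule: objects are immutable for the period from now on, but the
  # rule itself can still be changed or deleted while the solution is tested.
  oci os retention-rule create --bucket-name "$BUCKET" --display-name "hold-${RETENTION_YEARS}y" \
      --time-amount "$RETENTION_YEARS" --time-unit YEARS
}

# Run only after testing. Locking is irreversible: a locked rule cannot be
# deleted and its duration can only be increased. $2 is an RFC 3339 timestamp,
# which OCI requires to be at least 14 days in the future.
lock_retention_rule() {
  oci os retention-rule update --bucket-name "$BUCKET" --retention-rule-id "$1" --time-rule-locked "$2"
}

# Only talk to OCI when explicitly asked; the helper functions run offline.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v oci >/dev/null; then
  create_bucket_and_rules 30 90
fi
```

Run it with RUN_LIVE=1 on a host with a configured CLI; the lifecycle-age check rejects an ordering that would archive objects before the Infrequent Access rule could ever apply.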
Set Up Dynamic Groups
It is possible that a Dynamic Group already exists at a compartment level, if the tenancy was set up using the CIS Landing Zone. This section assumes that there is no existing Dynamic Group.
Dynamic Groups
Consider that different sets of OCI virtual machines will have rclone or OCIFS installed and will access Object Storage with different permissions. We can therefore define dynamic groups based on specific instance OCIDs or on compartment OCIDs, depending on where the VMs are created. The following two dynamic groups were created for this solution, each shown with the two alternative matching rules discussed below:
Name: oci-rclone-full-dg
Matching Rule (by instance): ANY {instance.id = 'ocid1.xxx.yyy.zzz1', instance.id = 'ocid1.xxx.yyy.zzz2'}
Matching Rule (by compartment, alternative): instance.compartment.id = 'ocid1.compartment.yyy.zzz'
Name: oci-ocifs-readonly-dg
Matching Rule (by instance): ANY {instance.id = 'ocid1.xxx.yyy.zzz3', instance.id = 'ocid1.xxx.yyy.zzz4'}
Matching Rule (by compartment, alternative): instance.compartment.id = 'ocid1.compartment.yyy.zzz'
Placeholders can be used for an instance OCID that has not yet been created or may change. The compartment-based option lets you create any number of instances in the referenced compartment without updating the dynamic group, but it also means that every instance anyone later launches in that compartment automatically inherits the group's permissions. Note that if all instances used for the solution live in the same compartment, the dynamic groups must be defined by instance OCID: with compartment-based rules in both groups every instance would match both, and because a principal receives the union of the grants of all the groups it belongs to, the read-only instances would be given full access as well.
Set Up Permissions
Assume that to start you have no Object Storage permissions specific to the compartment or the bucket. We could either create a new policy or attach our statements to an existing one. In this solution the existing CIS Landing Zone policy cislz-appdev-cmp-policy was updated to add the dynamic group statements shown below. If you are starting from scratch, the same statements serve as a policy template for the dynamic group and user group access to Object Storage. The statements can be augmented with further conditions, if required now or later.
allow dynamic-group oci-rclone-full-dg to read buckets in compartment cis-landing-top:app-cmp where ANY {target.bucket.name = 'archive-bucket-1', target.bucket.name = 'archive-bucket-2' }
allow dynamic-group oci-rclone-full-dg to manage objects in compartment cis-landing-top:app-cmp where ANY {target.bucket.name = 'archive-bucket-1', target.bucket.name = 'archive-bucket-2' }
allow dynamic-group oci-ocifs-readonly-dg to read objects in compartment cis-landing-top:app-cmp where ANY {target.bucket.name = 'archive-bucket-1', target.bucket.name = 'archive-bucket-2' }
More permissions can be added or removed later and as part of testing. It is recommended to fully test both rclone and OCIFS from the VMs themselves, to confirm that the granted permissions are exactly what is needed and nothing more.
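The dynamic group and policy setup from the two sections above, as an added example that is not part of the original page: it creates both dynamic groups and the policy with the OCI CLI, but first checks that the two groups cannot both match on a single compartment (the overlap warned about above, which would give the read-only instances the union of both grants) and that no statement hands the read-only group a write verb. Every OCID and the policy name are placeholders; the CLI is assumed to run as a tenancy administrator.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: create the two dynamic groups
# and the policy with the OCI CLI, after checking that the groups cannot both
# match on one compartment. An instance that matches both groups receives the
# union of their grants, so the read-only group would silently gain manage rights.
# Assumptions: every OCID and the policy name are placeholders; the CLI runs as
# a tenancy administrator.
set -eu

TENANCY_ID="${TENANCY_ID:-ocid1.tenancy.oc1..example}"                              # placeholder
POLICY_COMPARTMENT_ID="${POLICY_COMPARTMENT_ID:-ocid1.compartment.oc1..example}"  # placeholder
BUCKETS_COND="ANY {target.bucket.name = 'archive-bucket-1', target.bucket.name = 'archive-bucket-2'}"

# Full-access group pinned to instance OCIDs; read-only group compartment-based.
FULL_RULE="ANY {instance.id = 'ocid1.instance.oc1..full1', instance.id = 'ocid1.instance.oc1..full2'}"
RO_RULE="instance.compartment.id = 'ocid1.compartment.oc1..readonlycmp'"

# Print the compartment OCID a matching rule keys on; prints nothing for a
# rule that only lists instance OCIDs.
rule_compartment() {
  printf '%s\n' "$1" | sed -n "s/.*instance\.compartment\.id = '\([^']*\)'.*/\1/p"
}

# Two groups with different grants are safe only if they cannot both match
# every instance in one compartment. Returns 0 when that holds.
rules_disjoint() {
  local a b
  a="$(rule_compartment "$1")"
  b="$(rule_compartment "$2")"
  [ -z "$a" ] || [ -z "$b" ] || [ "$a" != "$b" ]
}

# The three statements from this page, as the JSON array `oci iam policy create` takes.
policy_statements_json() {
  cat <<EOF
[
 "allow dynamic-group oci-rclone-full-dg to read buckets in compartment cis-landing-top:app-cmp where $BUCKETS_COND",
 "allow dynamic-group oci-rclone-full-dg to manage objects in compartment cis-landing-top:app-cmp where $BUCKETS_COND",
 "allow dynamic-group oci-ocifs-readonly-dg to read objects in compartment cis-landing-top:app-cmp where $BUCKETS_COND"
]
EOF
}

# Guard against a later edit handing the read-only group a write verb.
readonly_group_is_readonly() {
  ! policy_statements_json | grep -Eq 'oci-ocifs-readonly-dg to (manage|use) '
}

create_groups_and_policy() {
  rules_disjoint "$FULL_RULE" "$RO_RULE" || { echo "refusing: both groups key on the same compartment" >&2; return 1; }
  readonly_group_is_readonly || { echo "refusing: read-only group has a write verb" >&2; return 1; }
  # Dynamic groups always live in the tenancy (root) compartment.
  oci iam dynamic-group create --compartment-id "$TENANCY_ID" --name oci-rclone-full-dg \
      --description "rclone: read buckets, manage objects" --matching-rule "$FULL_RULE"
  oci iam dynamic-group create --compartment-id "$TENANCY_ID" --name oci-ocifs-readonly-dg \
      --description "OCIFS: read objects only" --matching-rule "$RO_RULE"
  oci iam policy create --compartment-id "$POLICY_COMPARTMENT_ID" --name archive-bucket-access \
      --description "rclone and OCIFS access to the archive buckets" \
      --statements "$(policy_statements_json)"
}

# Only call OCI when explicitly asked; the checks above run offline.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v oci >/dev/null; then
  create_groups_and_policy
fi
```

The disjointness check is deliberately conservative: it only compares compartment OCIDs, so two instance-based rules always pass, and a compartment-based rule paired with an instance-based one passes even if those instances sit in that compartment (that is exactly the case where the page says to switch both groups to instance OCIDs).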
Set Up a VM Instance with RCLONE
The creation of OCI Virtual Machines is out of scope for this solution, but any Linux VM shape will work. Basic connectivity via a Service Gateway or NAT Gateway is required, as is VCN egress on TCP port 443. If Object Storage Private Endpoints are in use, the gateways and egress rules are not required.
Essentially, the VM must be able to reach OCI Object Storage. The other important requirement is that the VM is created inside the compartment referenced in the dynamic group. As stated above, the dynamic group definition can later be narrowed to list only this VM's OCID, or it can be left as the compartment-based definition. Once the VM is set up and accessible, rclone can be installed. Follow the general rclone documentation, specifically the Oracle Object Storage section.
To use the dynamic group setup, the authentication type (the provider) for the rclone remote is instance_principal_auth. Follow the steps in the document above and construct a set of tests. Depending on the permissions granted via the dynamic group, you can easily delete a bucket with the wrong rclone command (for example, rclone purge removes every object under a path and then the bucket itself). As described above, the permissions this solution starts with limit the dynamic group to "read buckets" and "manage objects", so you cannot create or delete a bucket, but you can remove its contents. The rclone docs provide some safe examples for testing, such as listing contents, putting objects, and removing a single object.
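The rclone setup and test sequence described above, as an added example that is not part of the original page or of rclone's own documentation: it writes an rclone remote that authenticates with the instance principal, then probes the policy from the VM and treats a denial as a passing result where the policy is supposed to deny. The remote name, bucket name, namespace, compartment OCID and region are placeholders; the VM is assumed to be a member of oci-rclone-full-dg.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from rclone: write an rclone
# remote that authenticates with the instance principal, then probe the IAM
# policy from the VM and treat "denied where denial is expected" as a pass.
# Assumptions: remote name, bucket name, namespace, compartment OCID and region
# are placeholders; the VM is a member of oci-rclone-full-dg.
set -eu

REMOTE="${REMOTE:-oci}"
BUCKET="${BUCKET:-archive-bucket-1}"
NAMESPACE="${OCI_NAMESPACE:-mynamespace}"                           # from: oci os ns get
COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..example}"  # placeholder
REGION="${OCI_REGION:-us-ashburn-1}"                                # placeholder
CONF="${RCLONE_CONFIG:-${HOME:-/tmp}/.config/rclone/rclone.conf}"

# rclone.conf stanza for the Oracle Object Storage backend. No API key lives on
# the VM: provider = instance_principal_auth makes rclone obtain short-lived
# credentials from the instance metadata service.
rclone_conf_stanza() {
  cat <<EOF
[$REMOTE]
type = oracleobjectstorage
provider = instance_principal_auth
namespace = $NAMESPACE
compartment = $COMPARTMENT_ID
region = $REGION
EOF
}

write_rclone_conf() {
  mkdir -p "$(dirname "$CONF")"
  rclone_conf_stanza > "$CONF"
  chmod 600 "$CONF"
}

# outcome_ok EXPECTED RC: EXPECTED is "allow" or "deny", RC the command's exit
# status. Returns 0 when the status matches the expectation.
outcome_ok() {
  case "$1" in
    allow) [ "$2" -eq 0 ] ;;
    deny)  [ "$2" -ne 0 ] ;;
    *)     return 2 ;;
  esac
}

# probe EXPECTED CMD...: run CMD, compare its status with EXPECTED, report.
probe() {
  local expected="$1" rc=0
  shift
  "$@" >/dev/null 2>&1 || rc=$?
  if outcome_ok "$expected" "$rc"; then
    echo "PASS ($expected): $*"
  else
    echo "FAIL (expected $expected, rc=$rc): $*" >&2
    return 1
  fi
}

# Probes matching the policy above: read buckets + manage objects, nothing on
# bucket lifecycle. With a retention rule on the bucket, overwrites and deletes
# fail regardless of IAM, so the write probe uses a fresh name and never deletes.
# The deny probe creates a bucket that must not exist; if IAM wrongly allows it,
# the result is a stray empty bucket rather than lost data. Never probe with
# rclone purge or rmdir against the real bucket.
run_probes() {
  local tmp
  tmp="$(mktemp)"
  echo "probe $(date -u +%s)" > "$tmp"
  probe allow rclone ls     "$REMOTE:$BUCKET"                                  # read objects
  probe allow rclone copyto "$tmp" "$REMOTE:$BUCKET/probe/$(date -u +%s).txt"  # manage objects
  probe deny  rclone mkdir  "$REMOTE:probe-bucket-that-must-not-exist"        # manage buckets not granted
  rm -f "$tmp"
}

if [ "${RUN_LIVE:-0}" = "1" ] && command -v rclone >/dev/null; then
  write_rclone_conf
  run_probes
fi
```

Run with RUN_LIVE=1 on the VM; a FAIL on the deny probe means the dynamic group or policy is broader than intended and should be fixed before the retention rule is locked.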
Set Up a VM Instance with OCIFS
Similar to the prior section, virtual machine creation is not in scope. OCIFS will likewise be installed on a set of VMs.
For more information about using instance principals, which take advantage of the dynamic group and policy added earlier, see the OCIFS Utility documentation. The bucket can be mounted in any of three ways:
- direct ocifs mount commands
- /etc/fstab entries
- automount (autofs) configuration
Example /etc/fstab entry, mounting the bucket with the instance principal:
archive-bucket /mnt/archive-bucket fuse.ocifs auth=instance_principal 0 0
Equivalent autofs map entry (the # is escaped so autofs does not read it as a comment):
archive-bucket -fstype=fuse,allow_other,auth=instance_principal :ocifs\#archive-bucket
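A verification step for the OCIFS mount, as an added example that is not part of the original page or of the OCIFS project: it performs the same mount the fstab entry above does, then checks from the VM that the observed behaviour matches the dynamic group the VM belongs to (reads succeed for both groups, a write fails on a member of oci-ocifs-readonly-dg). The bucket name, mount point and the group name passed in are placeholders; it is assumed to run as root on a VM with the ocifs package installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or the OCIFS project: mount the
# bucket with the same options as the fstab entry above, then check that the
# filesystem behaves as the VM's dynamic group is granted: reads work for both
# groups, and a write fails on a member of oci-ocifs-readonly-dg.
# Assumptions: bucket name, mount point and the group name passed in are
# placeholders; run as root on a VM with the ocifs package installed.
set -eu

BUCKET="${BUCKET:-archive-bucket}"
MNT="${MNT:-/mnt/$BUCKET}"

# What `mount -a` does for the fstab line, spelled out.
mount_bucket() {
  mkdir -p "$MNT"
  mount -t fuse.ocifs -o auth=instance_principal "$BUCKET" "$MNT"
}

# Map the group's IAM grant to the write behaviour the mount must show.
# $2 is 0 if a new object could be written and is visible afterwards, else 1.
writes_consistent_with_group() {
  case "$1" in
    oci-ocifs-readonly-dg) [ "$2" -ne 0 ] ;;   # read objects only: write must fail
    oci-rclone-full-dg)    [ "$2" -eq 0 ] ;;   # manage objects: new object succeeds
    *) return 2 ;;                             # unknown group: cannot judge
  esac
}

verify_mount() {
  local group="$1" probe write_rc=1
  ls "$MNT" >/dev/null                         # read objects must work for both groups
  # Always a fresh name: a retention rule blocks overwrite/delete even with manage rights.
  probe="$MNT/ocifs-probe-$(date -u +%s).txt"
  if ( echo probe > "$probe" ) 2>/dev/null && [ -e "$probe" ]; then write_rc=0; fi
  if writes_consistent_with_group "$group" "$write_rc"; then
    echo "PASS: $group on $MNT behaves as granted (write_rc=$write_rc)"
  else
    echo "FAIL: $group on $MNT, write_rc=$write_rc; re-check group membership and policy" >&2
    return 1
  fi
}

if [ "${RUN_LIVE:-0}" = "1" ] && command -v ocifs >/dev/null; then
  mount_bucket
  verify_mount "${DYNAMIC_GROUP:-oci-ocifs-readonly-dg}"
  umount "$MNT"
fi
```

Run with RUN_LIVE=1 and DYNAMIC_GROUP set to the group the VM is meant to be in; a PASS on a read-only VM confirms the policy holds at the filesystem level, not just in the policy text.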