Oracle AI Data Platform Workbench 的 IAM 策略

Oracle AI Data Platform Workbench 在 OCI 中进行管理,需要提供的 IAM 策略。

“教程”图标 LiveLabs Sprint

要创建新的 AI 数据平台工作台实例,用户至少需要在 IAM 策略中启用 MANAGE:

allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

注意:

创建 AI 数据平台工作台后,您可以向要访问实例的任何用户授予 use 权限。创建实例的用户需要 manage

Oracle AI Data Platform Workbench 允许用户选择两种不同的策略组合来设置实例。

选项 1:租户级别策略(范围广泛)

使用此选项,可以在租户(根)级别定义策略,从而使 Oracle AI Data Platform Workbench 能够跨区间进行广泛访问。

  • 每次添加新工作负载、数据源或区间时,都可以最大限度地减少编写新 IAM 策略的需求。
  • 最简单的入职体验;初始设置后要求更改最少。
  • 用户具有更广泛的权限范围。
  • 可能无法满足受监管环境中的严格最小特权要求。
  1. 允许 Oracle AI Data Platform Workbench 服务查看 OCI IAM 资源,以配置 AI Data Platform 托管资源的基于角色的访问控制:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. 允许 Oracle AI Data Platform Workbench 服务创建 OCI 日志记录日志组并向用户提供日志:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. 允许 Oracle AI Data Platform Workbench 服务向用户提供度量:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. 允许 Oracle AI Data Platform Workbench 服务为主目录中的工作区和托管数据创建和管理 OCI 对象存储存储桶:
    allow any-user to manage buckets in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. 允许 Oracle AI Data Platform Workbench 服务监管/管理工作区和主目录中的数据,并限制对每个 AI Data Platform Workbench 实例级别的访问权限:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in tenancy where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId  }
  6. 允许 Oracle AI Data Platform Workbench 服务调用 OCI GenAI 服务中托管的 LLM:

    注意:

    如果您要升级实例以访问 AI 功能,则可以同时包括列出的策略,也可以选择与实例相关的策略。通过检查实例的 OCID,您可以确定与实例相关的主体类型(datalakeaidataplatform)。

    为 data_lake 实例打开了“Actions(操作)”菜单的 AI Data Platform Workbenches 页面。此时将突出显示“查看详细信息”操作。


    data_lake AI Data Platform Workbench 实例的详细信息页面已打开。将突出显示 OCID 的主体类型部分。

    allow any-user to use generative-ai-family in tenancy where all { request.principal.type='aidataplatform'}
    allow any-user to use generative-ai-family in tenancy where all { request.principal.type='datalake'}
  7. 允许不同身份域中的联合用户访问生成式 AI 系列资源:
    Allow group <your-domain>/<your-group> to use generative-ai-family in tenancy
  8. 允许 Oracle AI Data Platform Workbench 管理员组在给定区间中创建、更新和删除 Oracle Autonomous AI Lakehouse 资源:
    allow group <aidpAdminGroup> to manage autonomous-databases in <aidp compartment>

    注意:

    Oracle Autonomous AI Lakehouse 实例必须为 26ai 或更高版本,才能在 AI Data Platform Workbench 中启用 AI 功能。
  9. 允许 Oracle AI Data Platform Workbench 服务访问和使用给定区间中的现有 Oracle Autonomous AI Lakehouse 实例:
    allow group <aidpAdminGroup> to use autonomous-databases in <aidp compartment>

    注意:

    Oracle Autonomous AI Lakehouse 实例必须为 26ai 或更高版本,才能在 AI Data Platform Workbench 中启用 AI 功能。
  10. 允许 Oracle AI Data Platform Workbench 服务配置计算集群以访问专用网络中的数据(可选):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  11. 允许对象存储服务自动将生命周期操作(例如永久删除或归档)应用于 Oracle AI Data Platform Workbench 工作区数据,从而减少手动维护工作量,并支持遵守数据保留优秀实践(可选):
    allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>

选项 2:区间级别策略(细粒度范围)

使用此选项时,您的策略在区间级别定义,即创建 AI 数据平台实例的区间。

  • 为您提供更严格的安全边界;默认情况下,AI 数据平台工作台的访问限制为单个区间。
  • 当工作流需要跨其他区间时,您可以逐步添加新区间策略。
  • 需要在需要 AI 数据平台工作台访问其他区间时手动执行 IAM 更新。
  • 在扩展过程中需要更多的操作开销。
  1. 允许 Oracle AI Data Platform Workbench 服务查看 OCI IAM 资源,以配置 AI Data Platform 托管资源的基于角色的访问控制:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. 允许 Oracle AI Data Platform Workbench 服务创建 OCI 日志记录日志组并向用户提供日志:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. 允许 Oracle AI Data Platform Workbench 服务向用户提供度量:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. 允许 Oracle AI Data Platform Workbench 服务为主目录中的工作区和托管数据创建和管理 OCI 对象存储存储桶:
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. 允许 Oracle AI Data Platform Workbench 服务通过限制对每个 AI Data Platform Workbench 实例级别的访问权限来监管/管理工作区和主目录中的数据:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in compartment id <aidpCompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId  }
  6. 允许 Oracle AI Data Platform Workbench 服务配置计算集群以访问专用网络中的数据(可选):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  7. 允许对象存储服务自动将生命周期操作(例如永久删除或归档)应用于 Oracle AI Data Platform Workbench 工作区数据,从而减少手动维护工作量,并支持遵守数据保留优秀实践(可选):
    allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>

外部表的附加策略

如果 AI 数据平台工作台实例需要访问存储在其他区间中的数据,则必须为该外部区间授予其他策略。利用这些策略,AI Data Platform Workbench 可以检查、读取和管理外部区间中的存储桶和对象,以便在 AI Data Platform Workbench 工作区中使用它们。

allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}} 
allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} } 
allow any-user to manage objects in compartment id <external-data-CompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId } 
allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <external-data-CompartmentId>

注意:

如果您使用的是定制身份域(非默认),则必须在组名称前面加上 IAM 策略中的域名。例如:
allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

有关 IAM 策略的更多信息,请参见IAM Policies Overview

要查看和登录 AI 数据平台工作台,需要由该 AI 数据平台工作台的管理员授予您访问权限。