
OCI Architecture and IAM Details

OCI Architecture:

------------------------------

Region: a localized geographic area in which Oracle operates its data centers. A region consists of one or more Availability Domains.

Availability Domains (AD): one or more fault-tolerant data centers within a region, connected to each other by a low-latency, high-bandwidth network.

ADs are isolated from each other, fault-tolerant, and unlikely to fail simultaneously; physical infrastructure is not shared between ADs.

Fault Domains (FD): a grouping of hardware and infrastructure within an AD that provides anti-affinity; think of a fault domain as a logical data center within an AD.

Each AD has three fault domains.

Resources placed in different FDs do not share a single point of hardware failure.

In any region, resources in at most ONE fault domain are being actively changed at any point in time, so availability problems caused by change procedures are isolated at the fault-domain level.

You can control the placement of your compute or database instances into fault domains at instance launch.

Choosing a Region

Choose a region based on three criteria:

  1. Location: choose the region closest to your users for the lowest latency and highest performance.
  2. Data residency and compliance: many countries have strict data-residency requirements.
  3. Service availability: new cloud services are made available based on regional demand, regulatory compliance, resource availability, and other factors.

High Availability  Design




Introduction to Identity and Access Management


There are two aspects of fine-grained access control in OCI IAM:

  1. AuthN - who are you? (Authentication)
  •  IAM authentication: user name and password for the Console
  •  API signing key: an RSA key pair in PEM format, used by the OCI API, SDKs and CLI
  •  Auth tokens: Oracle-generated token strings for authenticating with third-party APIs

  2. AuthZ - what permissions do you have? (Authorization)

Authorization deals with permissions. In OCI it is handled by IAM policies.

Policies: human-readable statements that define granular permissions.

Example: Allow group <group_name> to <verb> <resource_type> in tenancy

         Allow group <group_name> to <verb> <resource_type> in compartment <compartment_name>
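To make the statement grammar concrete, here is an added example (not OCI's policy engine or any Oracle code) that parses statements of the form shown above and evaluates a request against them. It models three properties of OCI policies: the verb hierarchy (inspect < read < use < manage, each verb including the ones below it), tenancy scope versus compartment scope, and inheritance of a statement by the sub-compartments beneath the compartment it names. The resource-family table is a constructed, abbreviated subset; the policy statements, group names and compartment paths are constructed for the example, and the colon-separated compartment path (`ProjectA:Network`) follows the notation OCI uses to name nested compartments in policies.

```python
"""Toy evaluator for OCI-style IAM policy statements (added example, not OCI's engine)."""
import re

# Verbs in increasing order of access; a higher verb includes every lower one.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed (abbreviated) mapping of resource families to resource types.
FAMILIES = {
    "instance-family": {"instances", "instance-images", "volume-attachments"},
    "virtual-network-family": {"vcns", "subnets", "security-lists", "route-tables"},
    "object-family": {"buckets", "objects"},
}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one 'Allow group ... to <verb> <resource> in tenancy|compartment <path>' statement.

    Anything outside that grammar raises ValueError, so a typo in a policy
    fails loudly instead of silently granting nothing.
    """
    m = STATEMENT.match(text)
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "compartment": m["compartment"],  # None means the statement is scoped to the tenancy
    }


def resource_matches(granted, requested):
    """all-resources covers everything; a family covers its member types; else exact match."""
    if granted == "all-resources":
        return True
    if granted.endswith("-family"):
        return requested in FAMILIES.get(granted, set())
    return granted == requested


def compartment_matches(granted, requested):
    """A statement on compartment 'A:B' covers 'A:B' and every descendant 'A:B:...'."""
    if granted is None:  # tenancy scope covers every compartment
        return True
    return requested == granted or requested.startswith(granted + ":")


def is_allowed(policies, group, verb, resource, compartment):
    """True if any statement grants `group` at least `verb` on `resource` in `compartment`."""
    needed = VERB_RANK[verb]
    for stmt in map(parse_statement, policies):
        if (stmt["group"] == group
                and VERB_RANK[stmt["verb"]] >= needed
                and resource_matches(stmt["resource"], resource)
                and compartment_matches(stmt["compartment"], compartment)):
            return True
    return False


# Constructed policy set for the example.
POLICIES = [
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group ComputeAdmins to manage instance-family in compartment ProjectA",
    "Allow group NetworkAdmins to use virtual-network-family in compartment ProjectA:Network",
]

if __name__ == "__main__":
    checks = [
        ("Auditors", "inspect", "buckets", "ProjectB"),          # tenancy-wide inspect
        ("Auditors", "read", "buckets", "ProjectB"),             # inspect does not imply read
        ("ComputeAdmins", "read", "instances", "ProjectA:Dev"),  # inherited by sub-compartment
        ("ComputeAdmins", "manage", "vcns", "ProjectA"),         # wrong resource family
        ("NetworkAdmins", "use", "subnets", "ProjectA"),         # parent not covered by child scope
    ]
    for c in checks:
        print(c, "->", is_allowed(POLICIES, *c))
```

The last two checks are the ones worth internalising: a grant on `instance-family` says nothing about networking resources, and a statement scoped to a child compartment never reaches back up to its parent, while a statement on the parent does flow down to every descendant.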



 

Principals

A principal is an IAM entity that is allowed to interact with OCI resources.

There are three types of principals used to authenticate to and interact with OCI resources:

  • Root users
  • IAM users and groups
  • Instance principals

 

Groups and Policies in OCI

A group in OCI is a collection of users to which you apply IAM policies, whereas a policy is a set of rules that dictates who can access which resources (compute, storage, network, database, etc.) in OCI.

 

 

Identity Domains:

An identity domain represents a user population in OCI and its associated security configuration settings.



Identity concept


Users and groups: identified by user name and password.

Policies: role-based access control.

Every OCI resource is assigned a unique identifier called an OCID.

The OCID syntax for any OCI resource is: ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
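The field layout above is worth checking in code, because an OCID of the wrong resource type pasted into a policy, a CLI argument or an automation variable is a common source of mistakes. The following is an added example, not an Oracle tool: it splits an OCID on its dot separators, validates the version and field shapes, and lets a caller insist on a particular resource type. The sample OCIDs are constructed with placeholder unique IDs and do not refer to real resources; the unique-ID character check (lowercase letters and digits) is an assumption for this example.

```python
"""Parse and sanity-check OCIDs (added example, not an Oracle tool)."""
from dataclasses import dataclass
import re

# Assumed for this example: the unique-ID part is an opaque lowercase alphanumeric string.
UNIQUE_ID = re.compile(r"^[a-z0-9]+$")
LABEL = re.compile(r"^[a-z0-9-]+$")


@dataclass(frozen=True)
class Ocid:
    resource_type: str
    realm: str
    region: str      # empty for region-independent resources such as compartments or users
    future_use: str  # reserved field, empty today
    unique_id: str

    @property
    def is_regional(self):
        return self.region != ""


def parse_ocid(value):
    """Split an OCID into its fields, raising ValueError if the layout is wrong.

    Layout: ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
    The optional FUTURE USE field means a valid OCID has 5 or 6 dot-separated fields.
    """
    parts = value.strip().split(".")
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 dot-separated fields, got {len(parts)}: {value!r}")
    version, resource_type, realm, region = parts[:4]
    future_use = parts[4] if len(parts) == 6 else ""
    unique_id = parts[-1]
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    for name, field in (("resource type", resource_type), ("realm", realm)):
        if not LABEL.match(field):
            raise ValueError(f"bad {name} {field!r} in {value!r}")
    if region and not LABEL.match(region):
        raise ValueError(f"bad region {region!r} in {value!r}")
    if not UNIQUE_ID.match(unique_id):
        raise ValueError(f"bad unique id in {value!r}")
    return Ocid(resource_type, realm, region, future_use, unique_id)


def require_ocid_type(value, expected_type):
    """Parse `value` and fail unless it identifies a resource of `expected_type`.

    Use this at trust boundaries (CLI arguments, config files, API inputs) so that,
    for example, a user OCID cannot be passed where a compartment OCID is expected.
    """
    ocid = parse_ocid(value)
    if ocid.resource_type != expected_type:
        raise ValueError(f"expected a {expected_type} OCID, got {ocid.resource_type!r}")
    return ocid


# Constructed samples: placeholder unique IDs, not real resources.
SAMPLES = {
    "compartment": "ocid1.compartment.oc1..aaaaaaaaexampleuniqueidcompartment0000001",
    "instance": "ocid1.instance.oc1.phx.anyhqljtexampleuniqueidinstance00000001",
}

if __name__ == "__main__":
    for kind, value in SAMPLES.items():
        o = parse_ocid(value)
        scope = f"region {o.region}" if o.is_regional else "region-independent"
        print(f"{kind}: type={o.resource_type} realm={o.realm} ({scope})")
```

Note the empty region field in the compartment OCID (the double dot): compartments, users, groups and the tenancy itself are global to the tenancy, while an instance OCID carries the region key of the region it lives in.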




OCI  Compartments

-----------------------------

A compartment is a collection of related resources (such as cloud networks, compute instances, or block volumes) that can be accessed only by groups that have been given permission by an administrator in your organization.

  • Compartments help you organize and control access to your resources.
  • You can set quotas and budgets for individual compartments.
  • A resource can interact with resources in a different compartment.
  • Resources can be moved from one compartment to another.
  • Most importantly, resources from different regions can be part of the same compartment, but you need access to those regions to work with them.
  • Compartments can also be nested, up to six levels deep.
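The nesting limit and the tenancy-wide nature of compartments are easiest to see from a flat listing such as the one `oci iam compartment list --compartment-id-in-subtree true` returns, where each compartment carries only its own OCID and its parent's OCID. The following is an added example, not an OCI tool: it rebuilds the tree from such a listing, derives each compartment's depth and its colon-separated path (the form used to name nested compartments in policy statements), rejects orphans and cycles, and reports whether another level can still be added under a given compartment. The records are constructed with placeholder OCIDs; the six-level limit is OCI's.

```python
"""Rebuild the compartment tree from a flat listing and check the nesting limit
(added example, not an OCI tool)."""

MAX_DEPTH = 6  # OCI allows compartments to be nested up to six levels deep

# Constructed flat listing: (compartment OCID, parent OCID, name). Placeholder OCIDs.
TENANCY = "ocid1.tenancy.oc1..tenancyplaceholder"
COMPARTMENTS = [
    ("ocid1.compartment.oc1..c1", TENANCY, "ProjectA"),
    ("ocid1.compartment.oc1..c2", "ocid1.compartment.oc1..c1", "Network"),
    ("ocid1.compartment.oc1..c3", "ocid1.compartment.oc1..c1", "Dev"),
    ("ocid1.compartment.oc1..c4", "ocid1.compartment.oc1..c3", "Team1"),
    ("ocid1.compartment.oc1..c5", "ocid1.compartment.oc1..c4", "L4"),
    ("ocid1.compartment.oc1..c6", "ocid1.compartment.oc1..c5", "L5"),
    ("ocid1.compartment.oc1..c7", "ocid1.compartment.oc1..c6", "L6"),
]


def compartment_paths(records, root):
    """Return {ocid: (depth, 'Parent:Child:...')} for every compartment under `root`.

    Depth 1 is a top-level compartment directly under the tenancy. Raises
    ValueError for an orphan (parent missing from the listing) or a cycle.
    """
    by_id = {ocid: (parent, name) for ocid, parent, name in records}
    paths = {}

    def resolve(ocid, seen):
        if ocid in paths:
            return paths[ocid]
        if ocid in seen:
            raise ValueError(f"cycle through {ocid}")
        parent, name = by_id[ocid]
        if parent == root:
            result = (1, name)
        elif parent not in by_id:
            raise ValueError(f"orphan compartment {ocid}: parent {parent} not in listing")
        else:
            parent_depth, parent_path = resolve(parent, seen | {ocid})
            result = (parent_depth + 1, f"{parent_path}:{name}")
        paths[ocid] = result
        return result

    for ocid in by_id:
        resolve(ocid, frozenset())
    return paths


def can_add_child(paths, parent_ocid):
    """True if a new sub-compartment under `parent_ocid` stays within the six-level limit."""
    depth, _ = paths[parent_ocid]
    return depth + 1 <= MAX_DEPTH


if __name__ == "__main__":
    paths = compartment_paths(COMPARTMENTS, TENANCY)
    for ocid, (depth, path) in sorted(paths.items(), key=lambda kv: kv[1]):
        print(f"{depth}  {path}")
    print("room under L5?", can_add_child(paths, "ocid1.compartment.oc1..c6"))
    print("room under L6?", can_add_child(paths, "ocid1.compartment.oc1..c7"))
```

Deriving the path from the tree rather than typing it by hand also avoids the classic mistake of attaching a policy to one compartment while naming a path relative to another.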


Access control: in the figure (not reproduced here), only users belonging to the Compute and Storage groups can access compartment A.

NOTE: Compartments are logical containers for resources in OCI, whereas identity domains are logical containers for users, groups and security configuration.



Best Practices for Setting Up Your Tenancy



  • Best practice: don't use the Tenancy Administrator account for day-to-day activity.
  • Best practice: create dedicated compartments to isolate resources.
  • Best practice: enforce the use of multi-factor authentication (MFA).

OCI Admin policies





 








