Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

OCI技術資料 : IDおよびアクセス管理 (IAM) 概要

OCI技術資料 : IDおよびアクセス管理 (IAM) 概要

Oracle Cloud Infrastructure (OCI) の技術説明資料、IDおよびアクセス管理 (IAM) の概要編 (Level 100) です。

OCIの認証、認可、ID管理などを司るコア・コンポーネントである OCI IAM (Identity and Access Management) についての解説資料です。認証とID管理、認可およびポリシー、コンパートメントとその管理、IDフェデレーション(IDCSとの連携)、タグ付け(Tagging) のトピックをカバーしています。

More Decks by Oracle Cloud Infrastructure ソリューション・エンジニア

Other Decks in Technology

Transcript

  1. OCI – Oracle Cloud Infrastructure OCI IAM IAM – Identity

    and Access Management IDCS – Identity Cloud Service IDM ID – (ID) Authentication AuthN – Authorization Auth0 – ACL – Access Control List Copyright © 2022 Oracle and/or its affiliates. 2
  2. IAM + IDCS (Identity Cloud Service) IAM – OCI ID

    / (2021/11/9~) OCI IAM Default Policy ID Policy ID OCI OCI IAM Policy ID OCI IDCS SaaS SaaS ID ID ID Federation 2022 3 : Copyright © 2022 Oracle and/or its affiliates. 3
  3. IAM + IDCS IAM IAM or IDCS IAM (Federated User)

    2 IAM ( ) IAM or IDCS IAM ( ) 2 IAM ( ) IAM IDCS IAM (IDCS IAM ) ID ( ) ID ( ) IDCS ( ) IAM (IDCS IAM ) IDCS IAM IAM ( ) OCI ID ? Copyright © 2022 Oracle and/or its affiliates. 4
  4. OCI OCI IAM • IDCS • Oracle Identity Cloud Service

    https://speakerdeck.com/oracle4engineer/oracle-identity-cloud-service-ji-neng-gai-yao • OCI IAM IDCS IDCS https://speakerdeck.com/oracle4engineer/oci-iamtoidcsfalsewei-itoidcswoli-yong-surumerituto • OCI https://speakerdeck.com/oracle4engineer/overview-oci-iam-identity-domains • 2021/11 OCI IAM Identity Domains • Default • • OCI IAM Copyright © 2022 Oracle and/or its affiliates. 5
  5. (Level 100) • • • • • (Level 200) •

    • IAM • • • • • IAM OCI IAM Copyright © 2022 Oracle and/or its affiliates. 6
  6. OCI ? • OCI CRUD • IAM 3 (A) (Users)

    • API • (B) ( ) (Resource Principals)* • OCI ( API ) • ( ) (C) (Service Principals) • OCI • * ( ) L200 (Principals) Copyright © 2022 Oracle and/or its affiliates. 8 OCI &
  7. (Credentials) Copyright © 2022 Oracle and/or its affiliates. 9 API認証キー

    認証トークン • Web API (API Signing Key) • OCI API SDK CLI • PEM RSA ( 2048 ) (Auth Token) • Swift API (Customer Secret Keys) • S3 API • : Amazon S3 API
  8. * ( ) (Authorization) Copyright © 2022 Oracle and/or its

    affiliates. 11 Group_X Group_Y User_1 User_2 1 2 3 Policy_A Policy_B 1 2 3 ×
  9. • • • (Allow) (Deny) (Policies) Copyright © 2022 Oracle

    and/or its affiliates. 12 allow group <group_name> to <verb> <resource-type> in tenancy allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
  10. Copyright © 2022 Oracle and/or its affiliates. 13 Verb (

    ) Manage ( ) Use ( ) Read ( ) ( ) Read ( ) Inspect ( ) Inspect ( ) all-resources ( ) database-family db-systems, db-nodes, db-homes, databases instance-family instances, instance-images, volume- attachments, console-histories object-family buckets, objects virtual-network- family vcn, subnet, route-tables, security- lists, dhcp-options volume-family volumes, volume-attachments, volume-backups - load-balancer, audit-events allow <principal> to <verb> <resource-type> in <location> [where <conditions>]
  11. (Verbs) (Permissions) Copyright © 2022 Oracle and/or its affiliates. 14

    (Verb) (Permissions) API (Operations) volumes Inspect VOLUME_INSPECT Read Use Manage VOLUME_UPDATE VOLUME_WRITE VOLUME_CREATE VOLUME_DELETE ListVolumes GetVolumes CreateVolume DeleteVolume (Verb) (Permissions) • Inspect < Read < Use < Manage • API (Operations) • : ListVolumes VOLUME_INSPECT • • allow XXX to {Volume-Inspect, Volume-Update} in compartment X DeleteBootVolume CreateVolumeBackup CreateBootVolumeBackup CreateVolumeGroup CreateVolumeGroupBackup UpdateVolume UpdateBootVolume
  12. (conditions) 2 (variables) : • request – ( ) -

    ( ) request.operation API (ListUsers ) • target – - ( ) target.group.name : • allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx' https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm#General (conditions) Copyright © 2022 Oracle and/or its affiliates. 15 allow <principal> to <verb> <resource-type> in <location> [where <conditions>]
  13. (Conditions) • : : Contractors 2022 1 1 12:00 AM

    UTC : SummerIntern 6,7,8 : CompianceAuditors : WorkWeek : NightShift 5:00 9:00 (Conditions) : Copyright © 2022 Oracle and/or its affiliates. 16 Allow group Contractors to manage instance-family in tenancy where request.utc-timestamp before '2022-01-01T00 : 00Z' Allow group SummerInterns to manage instance-family in tenancy where ANY {request.utc-timestamp.month-of-year in ('6', '7', '8')} Allow group ComplianceAuditors to read all-resources in tenancy where request.utc-timestamp.day-of-month = '1' Allow group WorkWeek to manage instance-family where ANY {request.utc-timestamp.day-of-week in ('monday', 'tuesday', 'wednesday', 'thursday', 'friday')} Allow group DayShift to manage instance-family where request.utc-timestamp.time-of-day between '17 : 00 : 00Z' and '01 : 00 : 00Z'
  14. IAM IAM : (Conditions) : Copyright © 2022 Oracle and/or

    its affiliates. 17 Allow group ImageUsers to inspect instance-images in compartment ABC Allow group ImageUsers to {INSTANCE_IMAGE_READ} in compartment ABC where target.image.id='<image_OCID>' Allow group ImageUsers to manage instances in compartment ABC Allow group ImageUsers to read app-catalog-listing in tenancy Allow group ImageUsers to use volume-family in compartment ABC Allow group ImageUsers to use virtual-network-family in compartment XYZ
  15. • (NetworkAdmins) ⁻ allow group NetworkAdmins to manage virtual-network-family in

    tenancy • ObjectWriters ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'} ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.operation=‘CreateObject', request.operation=‘ListObjects’} • ⁻ allow service blockstorage, objectstorage-<region_name> to use keys in compartment ABC • https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/commonpolicies.htm Copyright © 2022 Oracle and/or its affiliates. 18
  16. • OCI • • ⁻ Allow group <group_name> to <verb>

    <resource-type> in compartment <compartment_name> (Compartments) Copyright © 2022 Oracle and/or its affiliates. 20 A B
  17. Copyright © 2022 Oracle and/or its affiliates. 21 • •

    • (Quota) -A -B -A -B or A B -A -B
  18. ( ) A • : VCN1 • : 1 D

    B • : VCN2 • : 2 C • : 3 • : 1 ← A B C ← (= ) ← 6 ← B C Copyright © 2022 Oracle and/or its affiliates. 22
  19. A OCI • • • ( ) ( ) B

    A • (manage) B • (read) • (use) Copyright © 2022 Oracle and/or its affiliates. 23
  20. OCI (CRUD ) API 1 • • • API •

    compartment-id (CLI ) ( * ) • X A B C D /API Copyright © 2022 Oracle and/or its affiliates. 24 [opc@admin ~]$ oci compute instance list Error: Missing option(s) --compartment-id. X ( ) Y ( ) A B C D *
  21. (Quota) • (Service Limit) • : Oracle , • :

    , • • (Compartment Quota) Copyright © 2022 Oracle and/or its affiliates. 26
  22. • • • • • • or % • (Budget)

    (Budget Alert) Copyright © 2022 Oracle and/or its affiliates. 27
  23. • ( 翻 ) • SHOW RESOURCES IN SUBCOMPARTMENTS •

    • OCI (OCI Search) 翻 OCI • https://docs.cloud.oracle.com/iaas/Content/Gener al/Concepts/compartmentexplorer.htm#support Copyright © 2022 Oracle and/or its affiliates. 28
  24. OCI Copyright © 2022 Oracle and/or its affiliates. 29 •

    OCI ‐ Administrators ‐ 1 ‐ • Allow group Administrators to manage all-resources in tenancy ‐ ‐ = Administrators [email protected] Allow group Administrators to manage all- resources in tenancy
  25. • / • • • ( ) • ( )

    • ( ) → Copyright © 2022 Oracle and/or its affiliates. 30 A B IAM
  26. Copyright © 2022 Oracle and/or its affiliates. 31 • OCI

    • ( VCN 2 ) • ( ) • 1 ( ) • • 翻 • ‐ → ‐ → (2019/6) ‐ →
  27. (Federation) Copyright © 2022 Oracle and/or its affiliates. 33 OCI

    (IdP) (ID) • ‐ - OCI IdP / = (SSO) ‐ (ID) - IdP SCIM(System for Cross-domain Identity Management) • ‐ Oracle Identity Cloud Service (IDCS) – SCIM ‐ Okta – SCIM ‐ Microsoft Azure Active Directory ‐ Microsoft Active Directory Federation Service ‐ Security Assertion Markup Language (SAML) 2.0 IDP
  28. IDCS – OCI ( ) Copyright © 2022 Oracle and/or

    its affiliates. 34 IDCS - OCI(IAM) • IDCS OCI • SCIM • Administrators • Sato(IDCS ) OCI • Sato IDCS/OCI • Tanaka(OCI ) OCI • Sato, Tanaka OCI IDCS ( ) (IdP) OCI IAM (SP) IDCS Sato IDCS OCI_Administrator OCI Administrators idcs/Sato (SCIM) Tanaka
  29. OCI Copyright © 2022 Oracle and/or its affiliates. 35 OCI

    IAM / IDCS / https://console.us-tokyo-1.oraclecloud.com IDCSによる認証 OCI IAM による認証 OCIコンソール画⾯ OCI IAMで管理している ユーザー/パスワード IDCS OCI IAM IDCSで管理している ユーザー/パスワード
  30. OCI IAM IDCS 1/2 Copyright © 2022 Oracle and/or its

    affiliates. 36 OCI IAM IDCS OCI よ よ OCI API / CLI / SDK よ よ Oracle PaaS SaaS × よ × よ × よ Microsoft Active Directory Federation Service よ よ SAML 2.0 IdP よ よ OpenID Connect 1.0 × よ Microsoft Azure Active Directory は( ) よ (SCIM) Microsoft Active Directory は( ) よ (AD Bridge)
  31. OCI IAM IDCS 2/2 Copyright © 2022 Oracle and/or its

    affiliates. 37 OCI IAM IDCS Okta よ (SCIM) よ (SCIM) よ TOTP TOTP(SMS ) IP よ × よ よ SMS × よ よ API
  32. (Tagging) Copyright © 2022 Oracle and/or its affiliates. 39 OCI

    • 翻 • • https://docs.oracle.com/ja-jp/iaas/Content/Tagging/Concepts/taggingoverview.htm
  33. Copyright © 2022 Oracle and/or its affiliates. 40 (Free-form Tags)

    (Defined Tags) • • • • • IAM Environment=Production Department=Ops = Operations =Environment = String = Project = String =Environment = String =CostCenter = String = HumanResources Environment=Development Department=Ops
  34. Copyright © 2022 Oracle and/or its affiliates. 41 (Tag Namespace)

    1 (Tag Key Definition) • ( ) • ( ) Operations.CostCenter = ${iam.principal.name} at ${oci.datetime} : Operations : Environment Operations.Environment = “Production”
  35. 翻 (Usage) (Cost) • • 10 • (Tag Default) •

    翻 (Cost-tracking Tags) Copyright © 2022 Oracle and/or its affiliates. 42
  36. • • • ( ) • ‐ ( ) ‐

    • ‐ (Tag Default) Copyright © 2022 Oracle and/or its affiliates. 43 A comp’t B comp’t C comp’t D comp’t X X Y Y
  37. Copyright © 2022 Oracle and/or its affiliates. 44 2019 12

    17 2 • CreatedBy (Cost-tracking tag) : • CreatedOn :
  38. • IAM • API • ( ) • OCI •

    Oracle Identity Cloud Service (IDCS) IDCS OCI ID • API Copyright © 2022 Oracle and/or its affiliates. 45
  39. – IAM • https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/overview.htm IAM • https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm Best Practices for

    Identity and Access Management (IAM) in Oracle Cloud Infrastructure • https://cloud.oracle.com/iaas/whitepapers/best-practices-for-iam-on-oci.pdf IAM Copyright © 2022 Oracle and/or its affiliates. 46
  40. Oracle Cloud Infrastructure ( / ) • https://docs.cloud.oracle.com/iaas/api/ - API

    • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - • https://docs.cloud.oracle.com/iaas/releasenotes/ - • https://docs.cloud.oracle.com/ja-jp/iaas/Content/knownissues.htm - (Known Issues) • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI (PPT SVG Visio ) ※ Oracle Cloud Infrastructure Copyright © 2022 Oracle and/or its affiliates. 47
  41. Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocidocs/ - Oracle Cloud Infrastructure •

    https://oracle-japan.github.io/ocitutorials/ Oracle Cloud • https://www.oracle.com/goto/ocws-jp Oracle • https://www.oracle.com/search/events/_/N-2bu/ Oracle Cloud Infrastructure – General Forum ( ) • https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary Oracle Cloud Infrastructure Copyright © 2022 Oracle and/or its affiliates. 48