OCI技術資料 : IDおよびアクセス管理 (IAM) 詳細

Transcript

1. IDおよびアクセス管理 詳細 Identity and Access Management Level 200 Oracle Cloud

   Infrastructure 2022 3

2. OCI – Oracle Cloud Infrastructure OCI IAM IAM – Identity

   and Access Management IDCS – Identity Cloud Service IDM ID – (ID) Authentication AuthN – Authorization Auth0 – ACL – Access Control List Copyright © 2022 Oracle and/or its affiliates. 2

3. Oracle Cloud Infrastructure ( OCI) Identity and Access Management (

   IAM) • OCI • https : //cloud.oracle.com/iaas/training • OCI • https : //docs.cloud.oracle.com/iaas/Content/home.htm Copyright © 2022 Oracle and/or its affiliates. 3

4. IAM + IDCS (Identity Cloud Service) IAM – OCI ID

   / (2021/11/9~) OCI IAM Default Policy ID Policy ID OCI OCI IAM Policy ID OCI IDCS SaaS SaaS ID ID ID Federation 2022 3 : Copyright © 2022 Oracle and/or its affiliates. 4

5. IAM + IDCS IAM IAM or IDCS IAM (Federated User)

   2 IAM ( ) IAM or IDCS IAM ( ) 2 IAM ( ) IAM IDCS IAM (IDCS IAM ) ID ( ) ID ( ) IDCS ( ) IAM (IDCS IAM ) IDCS IAM IAM ( ) OCI ID ? Copyright © 2022 Oracle and/or its affiliates. 5

6. OCI 翻 OCI IAM • IDCS • Oracle Identity Cloud

   Service https://speakerdeck.com/oracle4engineer/oracle-identity-cloud-service-ji-neng-gai-yao • OCI IAM IDCS IDCS https://speakerdeck.com/oracle4engineer/oci-iamtoidcsfalsewei-itoidcswoli-yong-surumerituto • OCI https://speakerdeck.com/oracle4engineer/overview-oci-iam-identity-domains • 2021/11 OCI IAM Identity Domains • Default • • OCI IAM Copyright © 2022 Oracle and/or its affiliates. 6

7. (Level 100) • • • • • (Level 200) •

   • IAM • • • • • IAM OCI IAM Copyright © 2022 Oracle and/or its affiliates. 7

8. Copyright © 2022 Oracle and/or its affiliates. 8 インスタンス・プリンシパルと 動的グループ

   Instance Principals and Dynamic Groups

9. OCI ? • OCI CRUD • IAM 3 (A) (Users)

   • API • (B) ( ) (Resource Principals)* • OCI ( API ) • ( ) (C) (Service Principals) • OCI • * ( ) L200 (Principals) Copyright © 2022 Oracle and/or its affiliates. 9 OCI &

10. (Instance Principals) 翻 (API ) API … • API •

    API • ( API ) … • ( ) API • ( ) • API ID Copyright © 2022 Oracle and/or its affiliates. 10

11. • 翻 • 翻 • • Allow dynamic-group <group-name> to

    manage XXX in tenancy OCI IAM & Copyright © 2022 Oracle and/or its affiliates. 11

12. 1 - (Dynamic Group) 12 • 翻 : • OCID

    • OCID • • • Copyright © 2022 Oracle and/or its affiliates.

13. 2 - 13 この例では先ほど作成した FrontEnd という動的グ ループ(に所属するインスタンス)に対し、バケットと オブジェクトの管理権限を付与している Copyright ©

    2022 Oracle and/or its affiliates.

14. 3 – Copyright © 2022 Oracle and/or its affiliates. 14

    [opc@webserver1 .oci]$ oci os ns get ERROR: The config file at ~/.oci/config is invalid: +Config Errors-------+--------------------------------------------------------+ | Key | Error | Hint | +----------+---------+--------------------------------------------------------+ | key_file | missing | the full path and filename of the private PEM key file | +----------+---------+--------------------------------------------------------+ [opc@webserver1 .oci]$ cat config [DEFAULT] user=ocid1.user.oc1..aaaaaaaag3635pdkcopjvcvljf7kmo7besxqzeqiry2wzawa4zqk2xkx4z7q fingerprint=93:4f:c0:c3:26:3b:06:9f:c8:17:60:78:23:e1:1c:90 # key_file=/home/opc/.oci/oci_api_key.pem ßAPI tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpaibasc6dotowv32hc2sbj4ph3ocxtfxhhva2hna region=us-ashburn-1 [opc@webserver1 .oci]$ oci os ns get --auth instance_principal { "data": "intoraclerohit" } OCI CLI SDK(Java, Python, Go ) API ß ß API

15. (1/2) OCI X.509 PKI • OCI (CA) • ( ID

    ID ) OCI SDK/CLI 1. SDK/CLI (http://169.254.169.254/opc/v1/identity/cert.pem) X.509 2. SDK/CLI OCI 3. OCI 4. SDK/CLI OCI API 5. Copyright © 2022 Oracle and/or its affiliates. 15

16. (2/2) OCI PKI PKI SDK/CLI X.509 curl http://169.254.169.254/opc/v1/identity/cert.pem Copyright ©

    2022 Oracle and/or its affiliates. 16 [opc@webserver1 .oci]$ curl http://169.254.169.254/opc/v1/identity/cert.pem -----BEGIN CERTIFICATE----- MIIIPjCCBiagAwIBAgIQesV+WyeYgLqUxb4vSgrL/jANBgkqhkiG9w0BAQsFADCB qTFzMHEGA1UECxNqb3BjLWRldmljZTo1NDo1Yjo4NTpiOTowMjo5Yjo4YTo4MDpl YTo1MjoxNzo1MjozYjo1ZjowZjpmMzo1MTpkNjo1YzoxZjpmYTozYTo1MTo4OTow ZDpjMTowNTo0MjphOTowYzplMTo4YjEyMDAGA1UEAxMpUEtJU1ZDIElkZW50aXR5 IEludGVybWVkaWF0ZSB1cy1hc2hidXJuLTEwHhcNMTgwNjE1MTc0MjU1WhcNMTgw NjE1MTg0MjU1WjCCAbQxggFSMBwGA1UECxMVb3BjLWNlcnR0eXBlOmluc3RhbmNl MGcGA1UECxNgb3BjLWluc3RhbmNlOm9jaWQxLmluc3RhbmNlLm9jMS5pYWQuYWJ1 d2NsanRrYWMyMjZzbDY1N3hsbHIzNWszaGozYWJra3I3dm9sd3BndWd6c3Nkdjd2

17. Copyright © 2022 Oracle and/or its affiliates. 18 認証の強化 Reinforced

    Authentication

18. IAM (Credentials) (Authentication) Copyright © 2022 Oracle and/or its affiliates.

    19 API署名鍵 認証トークン • Web 翻 API (API Signing Key) • OCI API SDK CLI 翻 翻 • PEM RSA ( 署2048 ) (Auth Token) • Swift API API 翻 (Customer Secret Keys) • S3 API API API 翻 • : Amazon S3 API

19. MFA ID 翻 (What You Know) (What You Have) (MFA)

    Copyright © 2022 Oracle and/or its affiliates. 20

20. Step 1 Step 2 Step 3 OCI IAM Copyright ©

    2022 Oracle and/or its affiliates. 21

21. IP Copyright © 2022 Oracle and/or its affiliates. 22 IP

    1. • • IP /CIDR • OCI OCI 2. • ( -> ) • ※ CLI

22. CLI Copyright © 2022 Oracle and/or its affiliates. 23 oci

    session authenticate (1) CLI (2) (3) CLI .config CLI/SDK API • API • Web • → CLI (.config) • (TTL) 1 CLI 24 • SCIM (Azure AD ) (API ) CLI SDK 翻 oci session refresh --profile <profile_name>

23. Copyright © 2022 Oracle and/or its affiliates. 24 OCI リージョン

    コンピュート インスタンス allow group groupA to manage object-family in tenancy where request.networkSource.name=ʻVCNCIDR' オブジェクト ストレージ コンソール VCN A 10.0.0.0/16 サービス ゲートウェイ VCN Aの 10.0.0.0/24 からのみ許可 192.0.2.0/24 からのみ許可 サブネット 10.0.0.0/24 192.0.2.2 2021/3/31 update • IPアドレスのセットを定義したリソースであるネットワーク・ソース。 • パブリックIPアドレス、もしくはテナンシ内のVCNからのIPアドレスを設定可能 • 作成したネットワーク・ソースをポリシーまたはテナンシの認証設定で参照し、元IPアドレスに基づいてアクセス制御が可能 • コンソールへのログインを特定のIPアドレス範囲からのみに制限（テナンシーレベルでの設定） • IAMポリシーで各リソースへのアクセスを特定のIPアドレス範囲からに制限（各IAMポリシーでの設定） • 例︓オブジェクト・ストレージへのアクセスを特定のIPアドレス範囲（VCN内IPの特定IPなど）からのみに制限 すべてのサービスでネットワーク・ソースによるIAMポリシー によるアクセス制御が可能に。（2021/3/31）

24. Copyright © 2022 Oracle and/or its affiliates. 25 ⾼度なポリシーの記述 Advanced

    Policies

25. Allow <subject> to <verb> <resource-type> in <location> [where <condition>] (Policies)

    1 Copyright © 2022 Oracle and/or its affiliates. 26 シンタックス 説明 例⽂ group <グループ名> グループを名称で指定 group A-Admin group id <グループの OCID> グループをOCIDで指定 group id ocid1.group.oc1..aaaaaaaaqjihfh vxmum...awuc7i5xwe6s7qmnsbc6a any-user すべてのユーザーを指定 any-user https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/policysyntax.htm

26. Allow <subject> to <verb> <resource-type> in <location> [where <condition>] (Policies)

    2 Copyright © 2022 Oracle and/or its affiliates. 27 Verb(動 詞) アクセスのタイプ 対象者 Inspect (検査) ユーザー指定のメタデータ以外の読 み取り専⽤アクセス 外部監査⼈ Read (参照) 読み取り専⽤アクセスとユーザー指 定のメタデータを取得する 内部監査⼈ Use (利⽤) 読み取りと既存のリソースを処理す る機能（アクションはリソースタイ プによって異るが通常作成や削除は 不可） ⽇常のユー ザー Manage (管理) リソースのすべてのアクセス許可が 含まれます 管理者 集合リソースタイプ 個別リソースタイプ all-resources database-family db-systems, db-nodes, db-homes, databases instance-family instances, instance-images, volume- attachments, console-histories object-family buckets, objects virtual-network-family vcn, subnet, route-table, more volume-family Volumes, volume-attachments, volume-backups https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/policysyntax.htm

27. Allow <subject> to <verb> <resource-type> in <location> [where <condition>] (Policies)

    3 Copyright © 2022 Oracle and/or its affiliates. 28 シンタックス 説明 例⽂ tenancy テナンシ全体を指定 in tenancy compartment <コンパートメント名> コンパートメントを名称で指定 in compartment Project-A Compartment id <コンパートメントの OCID> コンパートメントのOCIDを指 定 in compartment id ocid1.compartment.oc1..aaaaaaaayzfq...4 fmameqh7lcdlihrvur7xq https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/policysyntax.htm

28. Allow <subject> to <verb> <resource-type> in <location> [where <condition>] (Policies)

    4 Copyright © 2022 Oracle and/or its affiliates. 29 シンタックス 説明 例⽂ <変数> = <値> ⼀致条件 where target.group.name = /A-Users-*/ <変数> != <値> 不⼀致条件 Where target.group.name != ‘Administrators’ all {<condition>, <condition>, …} すべての条件を満たす(AND条件) where all {target.group.name=/A- */,target.group.name!='A-Admins'} any {<condition>, <condition>, …} ⼀部の条件を満たす(OR条件) where any {target.group.name=/A- Admins/,target.group.name=‘A-Users'} Verb resource-type https://docs.oracle.com/ja-jp/iaas/Content/Identity/Reference/policyreference.htm

29. Allow <subject> to <verb> <resource-type> in <location> [where <condition>] (Policies)

    4( ) Copyright © 2022 Oracle and/or its affiliates. 30 request.operation API request.permission request.user.id OCID request.groups.id ID target.compartment.id ID target.compartment.name target.compartment.id request.region phx iad request.ad 2 • request: • target: request request target Conditions 翻 • Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'

30. (Verb) 翻 (Permissions) • • Inspect < Read < Use

    < Manage • API ‐ : ListVolumes GetVolumes VOLUME_INSPECT (Verbs) (Permissions) Copyright © 2022 Oracle and/or its affiliates. 31 (Verb) (Permssions) API volume- family Inspect Volume- Inspect Volume- Inspect Read + Read Use Manage Volume- Update Volume- Write Use + Volume- Create Volume- Delete ListVolumes GetVolumes CreateVolume DeleteVolume

31. API API 翻 : VCN VCN • allow group TrainingGroup

    to manage virtual-network-family in compartment training where request.permission != 'VCN_DELETE' Copyright © 2022 Oracle and/or its affiliates. 32

32. Copyright © 2022 Oracle and/or its affiliates. 33 WHERE •

    1 : • allow any-user to manage instances in compartment HR where request.principal.group.tag.Operations.Project = 'Prod' → Operations Project Prod • 2 : • allow group GroupA to manage all-resources in compartment HR where target.resource.tag.Operations.Project = 'Prod' → Operations Project Prod → • List → (INSPECT )LIST • MANAGE → CREATE •

33. • Allow group NetworkAdmins to manage virtual-network-family in tenancy •

    Allow group InstanceLaunchers to manage instance-family in compartment ABC • Allow group InstanceLaunchers to use volume-family in compartment ABC • Allow group InstanceLaunchers to use virtual-network-family in compartment XYZ • Allow group VolumeBackupAdmins to use volumes in tenancy • Allow group VolumeBackupAdmins to manage volume-backups in tenancy • Allow group VolumeBackupAdmins to inspect volume-attachments in tenancy • Allow group VolumeBackupAdmins to inspect instances in tenancy • Allow group ObjectWriters to read buckets in compartment ABC • Allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'} • Allow group A-Admins to manage all-resources in compartment Project-A • Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx' • Allow group Auditors to inspect all-resources in tenancy • Allow group Auditors to read instances in tenancy • Allow group Auditors to read audit-events in tenancy 他にも多数の記述例はこちら : https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/policysyntax.htm Copyright © 2022 Oracle and/or its affiliates. 34

34. OCI <allow service XXX to …> • 1 : Oracle

    Container Engine for Kubernetes(OKE) allow SERVICE OKE to manage all- resources in compartment A • 2 : Object Storage allow SERVICE OBJECTSTORAGE-AP-TOKYO- 1 to manage object-family in compartment A <endorse … in tenancy XXX> • 1 : ENDORSE group <group> to manage local-peering-to IN TENANCY <tenancy> • 2 : &翻 OCI ENDORSE group <group> to read objects IN TENANCY USAGE-REPORT Copyright © 2022 Oracle and/or its affiliates. 35

35. Copyright © 2022 Oracle and/or its affiliates. 36 フェデレーションの詳細 Identity

    Federation

36. OCI 翻 翻 ID 2 A) Oracle Identity Cloud Service

    • Oracle Cloud ID B) OCI Identity and Access Management (IAM) • Oracle Cloud Infrastructure ID OCI ID Copyright © 2022 Oracle and/or its affiliates. 37 Oracle Identity Cloud Service OCI Identity and Access Management Oracle PaaS Oracle SaaS

37. IDCS IP Whitelisting Backlisting IDCS OCI – IP Copyright ©

    2022 Oracle and/or its affiliates. 38 (Network Perimeter) 10.11.12.18/24 1. ID 2. 3. Allow/Deny OCI_Administrator Sato Suzuki Alow/Deny IDCS IP IP • IDCS OCI • IDCS

38. IDCS OCI – IP Copyright © 2022 Oracle and/or its

    affiliates. 39 • IdP • • • IP / ID/PW IP

39. IDCS OCI – Copyright © 2022 Oracle and/or its affiliates.

    40 SMS ID ID IP OCI

40. • • QR IDCS OCI – Copyright © 2022 Oracle

    and/or its affiliates. 41 2

41. Copyright © 2022 Oracle and/or its affiliates. 44 コンパートメント階層とポリシーの継承 Policy

    Inheritance and Attachment for Compartments

42. Oracle Cloud Infrastructure リージョン - Phoenix リージョン - Ashburn テナンシ

    (Tenancy) = ルート・コンパートメント (Root Compartment) コンパートメントA • (root) = (tenancy) • ( 6 ) • Copyright © 2022 Oracle and/or its affiliates. 45 コンパートメントB インスタンスA インスタンスB インスタンスC インスタンスD コンパートメントC インスタンスI インスタンスJ インスタンスK インスタンスL インスタンスE インスタンスF インスタンスG インスタンスH

43. • 1 : • Allow group Administrators to manage all-resources

    in tenancy • 2 : A NetworkAdmin C VCN • Allow group NewtworkAdmins to manage virtual-network-family in compartment B Copyright © 2022 Oracle and/or its affiliates. 46 Tenancy (root compartment) A B C

44. ( ) ( ) / ( ) • B B

    ( A ) • B B A • Allow group B-admin to manage all-resources in compartment B Copyright © 2022 Oracle and/or its affiliates. 47 Tenancy (root compartment) A B C

45. Copyright © 2022 Oracle and/or its affiliates. 48 コンパートメントの移動 Moving

    Compartments

46. 1. • • ( ) 2. • • • •

    2 Copyright © 2022 Oracle and/or its affiliates. 49 (Root Compartment) A B C C

47. ( ) Copyright © 2022 Oracle and/or its affiliates. 50

    Tenancy (root compartment) Ops Test Dev A Tenancy (root compartment) Ops Test Dev A A Allow group G1 to manage instance-family in compartment Test:A Allow group G1 to manage instance-family in compartment Test:A Dev:A G1 A A Test Dev G1 G1 G1

48. ( ) Copyright © 2022 Oracle and/or its affiliates. 51

    Tenancy (root compartment) Ops Test Dev A Tenancy (root compartment) Ops Test Dev A A Allow group G1 to manage instance-family in compartment Test Allow group G1 to manage instance-family in compartment Test G1 A A Test Dev G1 G1

49. Copyright © 2022 Oracle and/or its affiliates. 52 IAMの設計リファレンス Reference

    IAM model for Enterprises

50. 2. 1. OCI API / ( API ) OCI 3

    API 1. 2. ( ) 3. OCI / API Copyright © 2022 Oracle and/or its affiliates. 53 API Endpoint OCI Console on Browser OCI-CLI SDK OCI Region VCN API Caller Compute OCI (DBCS ) OCI (ATP ) API Caller API Caller 3. OCI

51. = • • API • ( ) • ( ExadataCS

    bkup_api ) • • OCI API • -> • = • • : Allow group A to XXX • • • : Allow dynamic- group B to XXX • • VCN • • • ( )Oracle Content Experience IAM ? – Copyright © 2022 Oracle and/or its affiliates. 54

52. • ( ) VCN ( API) • allow group A

    to manage objects in compartment X where request.vcn.id = '<my_vcn_id>' • allow group A to manage objects in compartment X where request.networksource.name = '<my_onprem_network>' • ( ) • allow dynamic group < * > to manage objects in compartment X • ( ) ATP • allow dynamic group <ATP > to manage objects in compartment • allow service XXX to use Object Storage Copyright © 2022 Oracle and/or its affiliates. 55 * Match any rules defined below Rule 1: ALL {resource.compartment.id='< OCID>'} Rule 2: ALL {instance.compartment.id='< OCID>'}

53. • • allow group Project-A-admins to manage instances in compartment

    Project-A * • • allow group Project-A-admins to manage <New-Services> in compartment Project-B • allow group Project-A-admins to manage <New-Services> in tenancy • ( : ) • allow group Project-A-admins to manage internet-gateways in compartment Project-A * OCI ( ) • : Cloud Guard Data Safe Log Analytics ( ) Copyright © 2022 Oracle and/or its affiliates. 56

54. • • Allow service CEC to manage objects in compartment

    Project-A • ( ) • allow service <Dangerous-Service> to manage instances in compartment A • • allow service <New-service> to manage internet-gateways in compartment A • * • allow service <New-servce> to manage instances in compartment B * ( ) Copyright © 2022 Oracle and/or its affiliates. 57

55. • • allow dynamic group Project-A-Resources to manage instances in

    compartment A • ( ) • allow dynamic group Project-B-Resources to manage instances in compartment Project-A • • allow dynamic group Project-A-Resources to manage instances in compartment Project-B • allow dynamic group Project-A-Resources to manage instances in tenancy • ( : ) • allow dynamic group Project-A-Resources to manage internet-gateways in compartment Project-A ( ) Copyright © 2022 Oracle and/or its affiliates. 58

56. / IdP 59 IdP OCI IAM SAML2.0 CLI/SDK API OCI

    IAM PaaS/SaaS IdP OCI IAM SAML2.0 OCI OCI API OCI IAM * Bleak-glass ( OCI IAM ) Copyright © 2022 Oracle and/or its affiliates.

57. • VCN 6 • 1 60 Copyright © 2022 Oracle

    and/or its affiliates.

58. : NetworkInfra • • : VCN DRG : Dev Test

    Prod Networks • • : ( ) : Project • • : • DevOps 1 Copyright © 2022 Oracle and/or its affiliates. 61 1 2 3 1 2 3

59. Copyright © 2022 Oracle and/or its affiliates. 62 NetworkAdmins (Tanaka)

    ProjectA • Allow group NetworkAdmins to MANAGE virtual- netwoQrk-family in compartment NetworkInfra • Allow group NetworkAdmins to manage instance- family in compartment NetworkInfra • Allow group A-Admins to USE virtual-network- family in compartment NetworkInfra • Allow group A-Admins to manage all-resources in compartment ProjectA • NetworkAdmins Tanaka NetworkInfra • A-Admins Sato NetworkInfra VCN ProjectA A-Admins (Sato) NetworkInfra Sato VCN VCN NetworkInfra ProjectA

60. • • ( ) • • • • Allow group

    com-A-admins to use users in tenancy • Allow group comp-A-admins to manage groups in tenancy where target.group.name='comp-A-users' • Allow group comp-A-admins to manage policies where target.compartment.name = 'comp-A' • • • • Allow group comp-A-users to use all- resources in compartment comp-A Copyright © 2022 Oracle and/or its affiliates. 63

61. Copyright © 2022 Oracle and/or its affiliates. 64 参考情報 References

62. – IAM • https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/overview.htm IAM • https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm Best Practices for

    Identity and Access Management (IAM) in Oracle Cloud Infrastructure • https://cloud.oracle.com/iaas/whitepapers/best-practices-for-iam-on-oci.pdf IAM Copyright © 2022 Oracle and/or its affiliates. 65

63. Oracle Cloud Infrastructure ( / ) • https://docs.cloud.oracle.com/iaas/api/ - API

    • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - • https://docs.cloud.oracle.com/iaas/releasenotes/ - • https://docs.cloud.oracle.com/ja-jp/iaas/Content/knownissues.htm - (Known Issues) • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI (PPT SVG Visio ) ※ Oracle Cloud Infrastructure Copyright © 2022 Oracle and/or its affiliates. 66

64. Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocidocs - Oracle Cloud Infrastructure •

    https://oracle-japan.github.io/ocitutorials Oracle Cloud • https://www.oracle.com/goto/ocws-jp Oracle • https://www.oracle.com/search/events/_/N-2bu/ Oracle Cloud Infrastructure – General Forum ( ) • https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary Oracle Cloud Infrastructure Copyright © 2022 Oracle and/or its affiliates. 67

65. Thank you 68 Copyright © 2022 Oracle and/or its affiliates.

66. None