
OCI Technical Material: Identity and Access Management (IAM) Overview


Technical explanation material for Oracle Cloud Infrastructure (OCI): Identity and Access Management (IAM) overview edition (Level 100).

Explanatory material on OCI IAM (Identity and Access Management), the core component that governs authentication, authorization and identity management in OCI. It covers authentication and identity management, authorization and policies, compartments and their management, identity federation (integration with IDCS), and tagging.


Transcript

  1. OCI – Oracle Cloud Infrastructure; OCI IAM / IAM – Identity and Access Management; IDCS – Identity Cloud Service; IDM; ID – (ID); Authentication – AuthN; Authorization – AuthZ; ACL – Access Control List. Copyright © 2022 Oracle and/or its affiliates. 2
  2. IAM + IDCS (Identity Cloud Service): IAM – OCI ID / (2021/11/9~) OCI IAM Default Policy ID Policy ID OCI OCI IAM Policy ID OCI IDCS SaaS SaaS ID ID ID Federation 2022 3 :
  3. IAM + IDCS: IAM, IAM or IDCS, IAM (Federated User); 2 IAM, IAM or IDCS IAM; 2 IAM, IAM IDCS IAM (IDCS IAM); ID, ID, IDCS, IAM (IDCS IAM), IDCS IAM, IAM; OCI ID ?
  4. OCI / OCI IAM • IDCS • Oracle Identity Cloud Service https://speakerdeck.com/oracle4engineer/oracle-identity-cloud-service-ji-neng-gai-yao • OCI IAM IDCS IDCS https://speakerdeck.com/oracle4engineer/oci-iamtoidcsfalsewei-itoidcswoli-yong-surumerituto • OCI https://speakerdeck.com/oracle4engineer/overview-oci-iam-identity-domains • 2021/11 OCI IAM Identity Domains • Default • OCI IAM
  5. (Level 100) • (Level 200) • IAM • IAM OCI IAM
  6. OCI ? • OCI CRUD • IAM 3 (A) (Users) • API • (B) (Resource Principals)* • OCI (API) • (C) (Service Principals) • OCI • * L200 (Principals) OCI &
  7. (Credentials): API signing key, auth token • Web API (API Signing Key) • OCI API, SDK, CLI • PEM RSA (2048) (Auth Token) • Swift API (Customer Secret Keys) • S3 API • : Amazon S3 API
  8. * (Authorization) [figure: users User_1, User_2; groups Group_X, Group_Y; policies Policy_A, Policy_B; items 1 2 3; ×]
  9. (Policies) • (Allow) / (Deny) •
    allow group <group_name> to <verb> <resource-type> in tenancy
    allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
  10. Verb: Manage, Use, Read, Inspect. Resource-type families: all-resources; database-family: db-systems, db-nodes, db-homes, databases; instance-family: instances, instance-images, volume-attachments, console-histories; object-family: buckets, objects; virtual-network-family: vcn, subnet, route-tables, security-lists, dhcp-options; volume-family: volumes, volume-attachments, volume-backups; (no family): load-balancer, audit-events.
    allow <principal> to <verb> <resource-type> in <location> [where <conditions>]
  11. (Verbs) and (Permissions): Verb → Permissions → API (Operations), for volumes. Verbs: Inspect, Read, Use, Manage. Permissions: VOLUME_INSPECT, VOLUME_UPDATE, VOLUME_WRITE, VOLUME_CREATE, VOLUME_DELETE. API operations: ListVolumes, GetVolumes, CreateVolume, DeleteVolume, DeleteBootVolume, CreateVolumeBackup, CreateBootVolumeBackup, CreateVolumeGroup, CreateVolumeGroupBackup, UpdateVolume, UpdateBootVolume. • Inspect < Read < Use < Manage • API (Operations) • e.g. ListVolumes requires VOLUME_INSPECT • allow XXX to {Volume-Inspect, Volume-Update} in compartment X
  12. (conditions) use 2 kinds of (variables): • request – e.g. request.operation (the API operation, such as ListUsers) • target – e.g. target.group.name. Example: allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx' https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm#General
    allow <principal> to <verb> <resource-type> in <location> [where <conditions>]
  13. (Conditions) examples: Contractors – until 2022/1/1 12:00 AM UTC; SummerIntern – months 6, 7, 8; ComplianceAuditors; WorkWeek; NightShift – 5:00 9:00
    Allow group Contractors to manage instance-family in tenancy where request.utc-timestamp before '2022-01-01T00:00Z'
    Allow group SummerInterns to manage instance-family in tenancy where ANY {request.utc-timestamp.month-of-year in ('6', '7', '8')}
    Allow group ComplianceAuditors to read all-resources in tenancy where request.utc-timestamp.day-of-month = '1'
    Allow group WorkWeek to manage instance-family where ANY {request.utc-timestamp.day-of-week in ('monday', 'tuesday', 'wednesday', 'thursday', 'friday')}
    Allow group DayShift to manage instance-family where request.utc-timestamp.time-of-day between '17:00:00Z' and '01:00:00Z'
  14. IAM (Conditions) examples:
    Allow group ImageUsers to inspect instance-images in compartment ABC
    Allow group ImageUsers to {INSTANCE_IMAGE_READ} in compartment ABC where target.image.id='<image_OCID>'
    Allow group ImageUsers to manage instances in compartment ABC
    Allow group ImageUsers to read app-catalog-listing in tenancy
    Allow group ImageUsers to use volume-family in compartment ABC
    Allow group ImageUsers to use virtual-network-family in compartment XYZ
  15. • (NetworkAdmins)
    ⁻ allow group NetworkAdmins to manage virtual-network-family in tenancy
    • ObjectWriters
    ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
    ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.operation='CreateObject', request.operation='ListObjects'}
    • ⁻ allow service blockstorage, objectstorage-<region_name> to use keys in compartment ABC
    • https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/commonpolicies.htm
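As an added example (not from the deck, and not Oracle's policy engine), the following Python models the policy statement grammar, the verb hierarchy (Inspect < Read < Use < Manage), the resource-type families, and the request-variable conditions shown on slides 9 to 15. It parses statements of the `allow group ... to <verb> <resource-type> in tenancy|compartment ... [where ...]` form, expands families, and evaluates constructed requests against the deck's own sample statements. The simplifications are assumptions of this toy: only `group` principals and `request.*` variables are handled, `in compartment X` is matched exactly rather than including child compartments, and `target.*` variables, `between` and the `{PERMISSION}` form are not implemented.

```python
import re
from datetime import datetime, timezone

# Verb hierarchy from the deck: Inspect < Read < Use < Manage (a higher verb implies the lower ones).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource-type families and their member types, as listed in the deck.
FAMILIES = {
    "database-family": {"db-systems", "db-nodes", "db-homes", "databases"},
    "instance-family": {"instances", "instance-images", "volume-attachments", "console-histories"},
    "object-family": {"buckets", "objects"},
    "virtual-network-family": {"vcn", "subnet", "route-tables", "security-lists", "dhcp-options"},
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
}

# Grammar from the deck: allow group <g> to <verb> <resource-type> in tenancy|compartment <c> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
# One comparison inside a where-clause: <variable> <op> <value or ('a', 'b', ...)>
COND_RE = re.compile(r"^\s*(?P<var>[\w.\-]+)\s*(?P<op>=|!=|in|before|after)\s*(?P<val>.+?)\s*$", re.IGNORECASE)

def parse_statement(text):
    """Split one policy statement into its parts; ValueError if it does not fit the grammar above."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    scope = m.group("scope").split()
    return {"group": m.group("group"), "verb": m.group("verb").lower(), "resource": m.group("resource").lower(),
            "compartment": scope[1] if len(scope) == 2 else None,  # None means the whole tenancy
            "conditions": m.group("cond")}

def _values(raw):
    # 'phx' -> ['phx'];  ('6', '7', '8') -> ['6', '7', '8']
    return [v.strip().strip("'\"") for v in raw.strip().strip("()").split(",")]

def _lookup(var, request):
    """Resolve a request.* variable against the constructed request context (a plain dict)."""
    if not var.startswith("request."):
        raise ValueError(f"only request.* variables are modelled here, got {var!r}")
    key = var[len("request."):]
    if key.startswith("utc-timestamp"):
        ts = request["utc-timestamp"]
        attrs = {"": ts, ".month-of-year": str(ts.month), ".day-of-month": str(ts.day),
                 ".day-of-week": ts.strftime("%A").lower()}
        return attrs[key[len("utc-timestamp"):]]
    return request.get(key)  # region, operation, permission, ...

def eval_condition(cond, request):
    """Evaluate a where-clause: any {...}, all {...}, or a single comparison."""
    cond = cond.strip()
    m = re.match(r"^(any|all)\s*\{(.*)\}$", cond, re.IGNORECASE)
    if m:
        parts = re.split(r",(?![^()]*\))", m.group(2))  # commas outside parentheses separate clauses
        results = [eval_condition(p, request) for p in parts]
        return any(results) if m.group(1).lower() == "any" else all(results)
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    actual, op, values = _lookup(m.group("var").lower(), request), m.group("op").lower(), _values(m.group("val"))
    if op in ("=", "!="):
        return (actual == values[0]) == (op == "=")
    if op == "in":
        return actual in values
    limit = datetime.fromisoformat(values[0].replace("Z", "+00:00"))  # '2022-01-01T00:00Z' style literal
    return actual < limit if op == "before" else actual > limit

def is_allowed(policies, user_groups, request):
    """True if some statement grants at least the requested verb on the resource type in the request's scope.
    Assumption of this toy: 'in compartment X' is matched against request['compartment'] exactly."""
    for p in map(parse_statement, policies):
        if (p["group"] in user_groups
                and p["compartment"] in (None, request["compartment"])
                and VERB_RANK[p["verb"]] >= VERB_RANK[request["verb"]]
                and (p["resource"] in ("all-resources", request["resource-type"])
                     or request["resource-type"] in FAMILIES.get(p["resource"], set()))
                and (not p["conditions"] or eval_condition(p["conditions"], request))):
            return True
    return False

# Statements taken from the deck (group and compartment names are the deck's own examples).
POLICIES = [
    "allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'",
    "Allow group SummerInterns to manage instance-family in tenancy where ANY {request.utc-timestamp.month-of-year in ('6', '7', '8')}",
    "allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}",
]

def demo():
    # Constructed requests evaluated against POLICIES; returns name -> decision.
    july = datetime(2022, 7, 4, 12, 0, tzinfo=timezone.utc)
    base = {"compartment": "ABC", "region": "phx", "utc-timestamp": july}
    return {
        "netadmin_use_subnet": is_allowed(POLICIES, {"NetworkAdmins"}, {**base, "verb": "use", "resource-type": "subnet"}),
        "intern_in_july": is_allowed(POLICIES, {"SummerInterns"}, {**base, "verb": "manage", "resource-type": "instances"}),
        "intern_in_january": is_allowed(POLICIES, {"SummerInterns"}, {**base, "verb": "manage", "resource-type": "instances", "utc-timestamp": july.replace(month=1)}),
        "writer_create_object": is_allowed(POLICIES, {"ObjectWriters"}, {**base, "verb": "manage", "resource-type": "objects", "permission": "OBJECT_CREATE"}),
        "writer_delete_object": is_allowed(POLICIES, {"ObjectWriters"}, {**base, "verb": "manage", "resource-type": "objects", "permission": "OBJECT_DELETE"}),
        "phx_admin_other_region": is_allowed(POLICIES, {"Phoenix-Admins"}, {**base, "verb": "read", "resource-type": "buckets", "region": "iad"}),
    }
```

`demo()` shows the three mechanisms interacting: `manage virtual-network-family` covers a `use` on a `subnet` through the family and the verb ranking, the SummerInterns statement flips from allow to deny purely on the month in the request timestamp, and the ObjectWriters statement grants `manage` but the `any {request.permission=...}` clause narrows it to the two listed permissions, which is why the page's "common policies" slide pairs the verb with that condition.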
  16. (Compartments) • OCI • ⁻ Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> A B
  17. • (Quota) -A -B -A -B or A B -A -B
  18. A • : VCN1 • : 1 D B • : VCN2 • : 2 C • : 3 • : 1 ← A B C ← (=) ← 6 ← B C
  19. A OCI • B A • (manage) B • (read) • (use)
  20. OCI (CRUD) API 1 • API • compartment-id (CLI) (*) • X A B C D /API
    [opc@admin ~]$ oci compute instance list
    Error: Missing option(s) --compartment-id.
    X Y A B C D *
  21. (Quota) • (Service Limit) • : Oracle, • : , • (Compartment Quota)
  22. • or % • (Budget) (Budget Alert)
  23. • SHOW RESOURCES IN SUBCOMPARTMENTS • OCI (OCI Search) OCI • https://docs.cloud.oracle.com/iaas/Content/General/Concepts/compartmentexplorer.htm#support
  24. OCI • OCI ‐ Administrators ‐ 1 ‐ • Allow group Administrators to manage all-resources in tenancy ‐ ‐ = Administrators [email protected]
  25. • / • → A B IAM
  26. • OCI • (VCN 2) • 1 • ‐ → ‐ → (2019/6) ‐ →
  27. (Federation) OCI (IdP) (ID) • ‐ OCI IdP / = (SSO) ‐ (ID) IdP SCIM (System for Cross-domain Identity Management) • ‐ Oracle Identity Cloud Service (IDCS) – SCIM ‐ Okta – SCIM ‐ Microsoft Azure Active Directory ‐ Microsoft Active Directory Federation Service ‐ Security Assertion Markup Language (SAML) 2.0 IdP
  28. IDCS – OCI: IDCS - OCI (IAM) • IDCS OCI • SCIM • Administrators • Sato (IDCS) OCI • Sato IDCS/OCI • Tanaka (OCI) OCI • Sato, Tanaka OCI IDCS (IdP) OCI IAM (SP) IDCS Sato IDCS OCI_Administrator OCI Administrators idcs/Sato (SCIM) Tanaka
  29. OCI: OCI IAM / IDCS / https://console.us-tokyo-1.oraclecloud.com Authentication by IDCS; authentication by OCI IAM; OCI console screen; users/passwords managed in OCI IAM; IDCS; OCI IAM; users/passwords managed in IDCS
  30. OCI IAM vs IDCS 1/2 (columns: OCI IAM, IDCS): OCI よ よ; OCI API / CLI / SDK よ よ; Oracle PaaS SaaS × よ; × よ; × よ; Microsoft Active Directory Federation Service よ よ; SAML 2.0 IdP よ よ; OpenID Connect 1.0 × よ; Microsoft Azure Active Directory は( ) よ (SCIM); Microsoft Active Directory は( ) よ (AD Bridge)
  31. OCI IAM vs IDCS 2/2 (columns: OCI IAM, IDCS): Okta よ (SCIM) よ (SCIM); よ; TOTP TOTP (SMS); IP よ ×; よ よ; SMS × よ; よ; API
  32. (Tagging) OCI • • https://docs.oracle.com/ja-jp/iaas/Content/Tagging/Concepts/taggingoverview.htm
  33. (Free-form Tags) / (Defined Tags) • IAM. Free-form examples: Environment=Production, Department=Ops; Environment=Development, Department=Ops. Defined-tag examples: namespaces Operations and HumanResources; keys Environment = String, Project = String, Environment = String, CostCenter = String
  34. (Tag Namespace) 1 (Tag Key Definition) • • Operations.CostCenter = ${iam.principal.name} at ${oci.datetime} : Operations : Environment Operations.Environment = "Production"
  35. (Usage) (Cost) • 10 • (Tag Default) • (Cost-tracking Tags)
  36. • ‐ ‐ • ‐ (Tag Default) A comp't B comp't C comp't D comp't X X Y Y
  37. 2019/12/17 2 • CreatedBy (Cost-tracking tag) : • CreatedOn :
  38. • IAM • API • OCI • Oracle Identity Cloud Service (IDCS) IDCS OCI ID • API
  39. – IAM • https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/overview.htm IAM • https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm Best Practices for Identity and Access Management (IAM) in Oracle Cloud Infrastructure • https://cloud.oracle.com/iaas/whitepapers/best-practices-for-iam-on-oci.pdf IAM
  40. Oracle Cloud Infrastructure (/) • https://docs.cloud.oracle.com/iaas/api/ - API • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - • https://docs.cloud.oracle.com/iaas/releasenotes/ - • https://docs.cloud.oracle.com/ja-jp/iaas/Content/knownissues.htm - (Known Issues) • https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI (PPT, SVG, Visio) ※ Oracle Cloud Infrastructure
  41. Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocidocs/ - Oracle Cloud Infrastructure • https://oracle-japan.github.io/ocitutorials/ Oracle Cloud • https://www.oracle.com/goto/ocws-jp Oracle • https://www.oracle.com/search/events/_/N-2bu/ Oracle Cloud Infrastructure – General Forum • https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary Oracle Cloud Infrastructure