Exadata workload policies need an update (wrong policy or policy with too many permissions) #173

Open
hslange opened this issue Mar 4, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

hslange commented Mar 4, 2024

In the file elz-exadata-workload/iam.tf, policies are defined to create both Exadata VM clusters as well as Autonomous VM clusters (for autonomous DB dedicated).
I think there are a few issues:

  • The group "exadata_infra_admin_group_name" does not get the permission to manage an autonomous vm cluster and the "database_admin_group_name" does not get the permission to use the autonomous vm cluster. The following policies should be added:
    "Allow group ${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]} to manage cloud-autonomous-vmclusters in compartment ${module.workload_compartment.compartment_name}"
    "Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to use cloud-autonomous-vmclusters in compartment ${module.workload_compartment.compartment_name}"

  • The group "exadata_infra_admin_group_name" gets the permission to "inspect autonomous-vmclusters", however this policy is valid for Oracle Exadata Cloud@Customer deployments only. The policy mentioned above already provides the permission for Oracle Public Cloud deployments, therefore this statement is no longer required.

It's not very clear why some of the policies related to Exadata and databases depend on the enable_datasafe variable. Even if enable_datasafe is set to false, DBAs should be able to create and manage (autonomous) databases.

The following policy is giving DBAs too many permissions:

  • "Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to manage database-family in compartment ${module.workload_compartment.compartment_name}"
    This policy gives permissions to manage all of the following resource types: cloud-exadata-infrastructures, cloud-vmclusters, db-nodes, db-homes, databases, pluggable-databases, db-backups, application-vips
    This is conflicting with the statement made earlier where DBAs are not allowed to manage exadata-infrastructure and exadata-vmclusters. This would mean that DBAs need to get permissions on top of the permissions already provided (manage: db-nodes, db-homes, databases, db-backups), which are: manage: database-software-images, pluggable-databases, data-guard-association, key-stores, application-vips, oneoffPatch

  • DBAs should be able to create Data Guard associations for autonomous DBs as well. Policies need to be added to allow DBAs to manage the following resources: autonomousContainerDatabaseDataguardAssociations and AutonomousDatabaseDataguardAssociation

Hope this will help to improve the policies for the Exadata workload.

@VinayKumar611 VinayKumar611 added the enhancement New feature or request label Mar 8, 2024
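As an added example, not code from the elz-exadata-workload module or from the issue author: a small Python lint for OCI IAM policy statements of the shape quoted in the issue. It parses `Allow group <group> to <verb> <resource-type> in compartment <name>`, compares each grant against a per-group ceiling (the highest verb that group may hold on each resource type), and flags the two failure modes the issue raises: an aggregate such as `database-family` handed to a group that is meant to hold only specific resource types, and a verb above what the group needs. The group and compartment names (`Default/exadata-infra-admins`, `Default/database-admins`, `exadata-workload`) and the sample statements are constructed for the example; the DBA ceiling follows the resource types listed in the issue, with `use` on the VM cluster types as an assumption about what "not allowed to manage" should become.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Statement shape this lint understands: the subset of OCI policy syntax used
# in the issue. Verbs are ordered inspect < read < use < manage.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$"
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class Grant:
    group: str
    verb: str
    resource: str
    compartment: str


def parse_statement(statement: str) -> Grant:
    """Split one policy statement into its group, verb, resource type and compartment."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised statement: {statement!r}")
    return Grant(**m.groupdict())


def lint(statements: List[str], ceilings: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per statement that exceeds a group's ceiling.

    ceilings maps group -> {resource-type: highest verb the group may hold}.
    Aggregates (anything ending in -family) are only accepted when the ceiling
    names them explicitly, because they expand to more resource types than the
    ceiling lists individually.
    """
    findings = []
    for s in statements:
        g = parse_statement(s)
        allowed = ceilings.get(g.group)
        if allowed is None:
            findings.append(f"{g.group}: no ceiling defined, statement {s!r} unreviewed")
            continue
        if g.resource not in allowed:
            why = ("aggregate resource type" if g.resource.endswith("-family")
                   else "resource type not in ceiling")
            findings.append(f"{g.group}: {g.verb} {g.resource}: {why}")
        elif VERB_RANK[g.verb] > VERB_RANK[allowed[g.resource]]:
            findings.append(
                f"{g.group}: {g.verb} {g.resource} exceeds ceiling {allowed[g.resource]}")
    return findings


# Constructed names standing in for the Terraform interpolations in the issue.
INFRA = "Default/exadata-infra-admins"
DBA = "Default/database-admins"
CMP = "exadata-workload"

# Constructed statements modelled on the issue: the two additions it proposes,
# the over-broad database-family grant it objects to, and one verb overreach.
STATEMENTS = [
    f"Allow group {INFRA} to manage cloud-exadata-infrastructures in compartment {CMP}",
    f"Allow group {INFRA} to manage cloud-vmclusters in compartment {CMP}",
    f"Allow group {INFRA} to manage cloud-autonomous-vmclusters in compartment {CMP}",
    f"Allow group {DBA} to use cloud-autonomous-vmclusters in compartment {CMP}",
    f"Allow group {DBA} to manage database-family in compartment {CMP}",
    f"Allow group {DBA} to manage db-homes in compartment {CMP}",
    f"Allow group {DBA} to manage databases in compartment {CMP}",
    f"Allow group {DBA} to manage pluggable-databases in compartment {CMP}",
    f"Allow group {DBA} to manage cloud-vmclusters in compartment {CMP}",
]

# Ceilings: infra admins own the cluster resources; DBAs get manage on the
# database-level types the issue lists and (assumption) only use on clusters.
CEILINGS = {
    INFRA: {
        "cloud-exadata-infrastructures": "manage",
        "cloud-vmclusters": "manage",
        "cloud-autonomous-vmclusters": "manage",
    },
    DBA: {
        "cloud-vmclusters": "use",
        "cloud-autonomous-vmclusters": "use",
        "db-nodes": "manage", "db-homes": "manage", "databases": "manage",
        "db-backups": "manage", "database-software-images": "manage",
        "pluggable-databases": "manage", "data-guard-association": "manage",
        "key-stores": "manage", "application-vips": "manage", "oneoffPatch": "manage",
    },
}

if __name__ == "__main__":
    for finding in lint(STATEMENTS, CEILINGS):
        print(finding)
```

Run against the constructed list, the lint reports exactly two statements: the `manage database-family` grant (aggregate not in the DBA ceiling) and `manage cloud-vmclusters` for DBAs (verb above the `use` ceiling); the specific `manage` grants on db-homes, databases and pluggable-databases pass. The same table can be fed the rendered statements from a `terraform plan` or `terraform show -json` output once the interpolations are resolved.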