Commit 1976a94

Add files via upload
1 parent f5aa150 commit 1976a94

2 files changed

+112
-0
lines changed

README.md

Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
# Overview
2+
This repository related to the [prerequisites](https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-get-started.htm#cloud-migration-prerequisites-ocm) needed to use Oracle Cloud Migrations.
3+
4+
# Included Resources
5+
6+
- Compartments - The recommended Migration and MigrationSecrets [compartments](https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-get-started.htm#cloud-migration-recommendations-compartments).
7+
- OCI Vault and Key - The vault used to store [vCenter credentials](https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-remote-agent-appliance.htm#cloud-migration-vsphere-privileges).
8+
- Object Storage Bucket - The Object Storage [bucket](https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-understand-vm-replication.htm#cloud-migration-replication-bucket) used for transferring vSphere snapshot data into OCI.
9+
- Mandatory Serivce Policies - The mandatory [service policies](https://docs.oracle.com/en-us/iaas/Content/cloud-migration/cloud-migration-servicepolicies.htm) and assoicated dynamic groups needed for OCM serivce components to function.
10+
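Review bot: line 2 of README.md is missing its verb ("This repository related to the prerequisites …" reads as a fragment; something like "This repository contains the resources related to the prerequisites …" is needed), and line 9 misspells "Serivce"/"serivce" and "assoicated". Since this README is the entry point for the repo, please fix these before merge, and consider adding a sentence telling readers that the placeholders in ocb-ocm-consolidated-policies.txt (compartment names and OCIDs) must be replaced before the policies are applied.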

ocb-ocm-consolidated-policies.txt

Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,102 @@
1+
# Migration
2+
3+
## MigrationDynamicGroup
4+
All { resource.type = 'ocmmigration', resource.compartment.id = '<migration_compartment_ocid>' }
5+
6+
## MigrationServicePolicy
7+
Allow dynamic-group MigrationDynamicGroup to manage instance-family in compartment <migration_compartment_name>
8+
Allow dynamic-group MigrationDynamicGroup to manage compute-image-capability-schema in compartment <migration_compartment_name>
9+
Allow dynamic-group MigrationDynamicGroup to manage virtual-network-family in compartment <migration_compartment_name>
10+
Allow dynamic-group MigrationDynamicGroup to manage volume-family in compartment <migration_compartment_name>
11+
Allow dynamic-group MigrationDynamicGroup to manage object-family in compartment <migration_compartment_name>
12+
Allow dynamic-group MigrationDynamicGroup to read ocb-inventory in tenancy
13+
Allow dynamic-group MigrationDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>
14+
Allow dynamic-group MigrationDynamicGroup to { OCB_CONNECTOR_READ, OCB_CONNECTOR_DATA_READ, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_CONNECTOR_DATA_UPDATE } in compartment <migration_compartment_name>
15+
Allow dynamic-group MigrationDynamicGroup to { INSTANCE_IMAGE_INSPECT, INSTANCE_IMAGE_READ } in tenancy
16+
Allow dynamic-group MigrationDynamicGroup { INSTANCE_INSPECT } in tenancy where any { request.operation='ListShapes' }
17+
Allow dynamic-group MigrationDynamicGroup { DEDICATED_VM_HOST_READ } in tenancy where any { request.operation='GetDedicatedVmHost' }
18+
Allow dynamic-group MigrationDynamicGroup { CAPACITY_RESERVATION_READ } in tenancy where any { request.operation='GetComputeCapacityReservation' }
19+
Allow dynamic-group MigrationDynamicGroup { ORGANIZATIONS_SUBSCRIPTION_INSPECT } in tenancy where any {request.operation='ListSubscriptions' }
20+
Allow dynamic-group MigrationDynamicGroup to read rate-cards in tenancy
21+
Allow dynamic-group MigrationDynamicGroup to read metrics in tenancy where target.metrics.namespace='ocb_asset'
22+
23+
# Discovery Service
24+
25+
## DiscoverySerivcePolicy
26+
Allow service ocb-discovery to inspect compartments in tenancy
27+
Allow service ocb-discovery to read ocb-environments in compartment <migration_compartment_name>
28+
Allow service ocb-discovery to read ocb-agents in compartment <migration_compartment_name>
29+
Allow service ocb-discovery to read ocb-inventory in tenancy
30+
Allow service ocb-discovery to manage ocb-inventory-asset in compartment <migration_compartment_name>
31+
Allow service ocb-discovery to { TENANCY_INSPECT } in tenancy
32+
33+
# Remote Agent
34+
35+
## RemoteAgentDynamicGroup
36+
ALL {resource.type = 'ocbagent'}
37+
38+
## RemoteAgentPolicy
39+
Allow dynamic-group RemoteAgentDynamicGroup to manage buckets in compartment <migration_compartment_name>
40+
Allow dynamic-group RemoteAgentDynamicGroup to manage object-family in compartment <migration_compartment_name>
41+
Allow dynamic-group RemoteAgentDynamicGroup to { OCM_REPLICATION_TASK_READ, OCM_REPLICATION_TASK_UPDATE } in compartment <migration_compartment_name>
42+
Allow dynamic-group RemoteAgentDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
43+
Allow dynamic-group RemoteAgentDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
44+
Allow dynamic-group RemoteAgentDynamicGroup to manage ocb-inventory in tenancy
45+
Allow dynamic-group RemoteAgentDynamicGroup to manage ocb-inventory-asset in compartment <migration_compartment_name>
46+
Allow dynamic-group RemoteAgentDynamicGroup to read secret-family in compartment <migrationsecrets_compartment_name>
47+
Allow dynamic-group RemoteAgentDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
48+
Allow dynamic-group RemoteAgentDynamicGroup to { OCM_CONNECTOR_INSPECT, OCM_ASSET_SOURCE_READ, OCM_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
49+
Allow dynamic-group RemoteAgentDynamicGroup to { OCB_AGENT_INSPECT, OCB_AGENT_SYNC, OCB_AGENT_READ, OCB_AGENT_DEPENDENCY_INSPECT, OCB_AGENT_DEPENDENCY_READ, OCB_AGENT_KEY_UPDATE, OCB_AGENT_TASK_READ, OCB_AGENT_ASSET_SOURCES_INSPECT, OCB_AGENT_TASK_UPDATE } in compartment <migration_compartment_name>
50+
Allow dynamic-group RemoteAgentDynamicGroup to { OCB_ASSET_SOURCE_INSPECT, OCB_ASSET_SOURCE_READ, OCB_ASSET_SOURCE_ASSET_HANDLES_PUSH, OCB_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
51+
52+
# Discovery Plugin
53+
54+
## DiscoveryPluginDynamicGroup
55+
ALL {resource.type = 'ocbagent'}
56+
57+
## DiscoveryPluginPolicy
58+
Allow dynamic-group DiscoveryPluginDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
59+
Allow dynamic-group DiscoveryPluginDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
60+
Allow dynamic-group DiscoveryPluginDynamicGroup to read ocb-inventory in tenancy
61+
Allow dynamic-group DiscoveryPluginDynamicGroup to manage ocb-inventory-asset in compartment <migration_compartment_name>
62+
Allow dynamic-group DiscoveryPluginDynamicGroup to read secret-family in compartment <migrationsecrets_compartment_name>
63+
Allow dynamic-group DiscoveryPluginDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
64+
65+
# Replication Plugin
66+
67+
## ReplicationPluginDynamicGroup
68+
ALL {resource.type = 'ocbagent'}
69+
70+
## ReplicationPluginPolicy
71+
Allow dynamic-group ReplicationPluginDynamicGroup to { OCM_REPLICATION_TASK_INSPECT, OCM_REPLICATION_TASK_READ, OCM_REPLICATION_TASK_UPDATE, OCM_CONNECTOR_INSPECT, OCM_ASSET_SOURCE_READ, OCM_ASSET_SOURCE_CONNECTION_PUSH } in compartment <migration_compartment_name>
72+
Allow dynamic-group ReplicationPluginDynamicGroup to { BUCKET_INSPECT, BUCKET_READ, OBJECTSTORAGE_NAMESPACE_READ, OBJECT_CREATE, OBJECT_DELETE, OBJECT_INSPECT, OBJECT_OVERWRITE, OBJECT_READ } in compartment <migration_compartment_name> where all {target.bucket.name='ocm_replication'}
73+
Allow dynamic-group ReplicationPluginDynamicGroup to read secret-family in compartment <migrationsecrets_compartment_name>
74+
Allow dynamic-group ReplicationPluginDynamicGroup to use metrics in compartment <migration_compartment_name> where target.metrics.namespace='ocb_asset'
75+
Allow dynamic-group ReplicationPluginDynamicGroup to { OCB_AGENT_INSPECT, OCB_AGENT_SYNC, OCB_AGENT_READ, OCB_AGENT_DEPENDENCY_INSPECT, OCB_AGENT_DEPENDENCY_READ, OCB_AGENT_KEY_UPDATE, OCB_AGENT_TASK_READ, OCB_AGENT_ASSET_SOURCES_INSPECT, OCB_AGENT_TASK_UPDATE } in tenancy
76+
Allow dynamic-group ReplicationPluginDynamicGroup to use ocb-connectors in compartment <migration_compartment_name>
77+
Allow dynamic-group ReplicationPluginDynamicGroup to use ocb-asset-source-connectors in compartment <migration_compartment_name>
78+
Allow dynamic-group ReplicationPluginDynamicGroup to read ocb-inventory in tenancy
79+
Allow dynamic-group ReplicationPluginDynamicGroup to read ocb-inventory-asset in compartment <migration_compartment_name>
80+
81+
# Hydration Agent
82+
83+
## HydrationAgentDynamicGroup
84+
ALL {instance.compartment.id = '<MIGRATION-OCID>'}
85+
86+
## HydrationAgentPolicy
87+
Allow dynamic-group HydrationAgentDynamicGroup to { OCM_HYDRATION_AGENT_TASK_INSPECT, OCM_HYDRATION_AGENT_TASK_UPDATE, OCM_HYDRATION_AGENT_REPORT_STATUS } in compartment <migration_compartment_name>
88+
Allow dynamic-group HydrationAgentDynamicGroup to read objects in compartment <migration_compartment_name>
89+
90+
# Agent Logging
91+
92+
## RemoteAgentLoggingPolicy
93+
94+
### Commercial Realm - OC1
95+
Define tenancy OCB-SERVICE as ocid1.tenancy.oc1..aaaaaaaahr2xcduf4knzkzhkzt442t66bpqt3aazss6cy2ll6x4xj3ci7tiq,
96+
Endorse dynamic-group RemoteAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCB-SERVICE"
97+
98+
## HydrationAgentLoggingPolicy
99+
100+
###Commercial Realm - OC1
101+
Define tenancy OCM-SERVICE AS ocid1.tenancy.oc1..aaaaaaaartv6j5muce2s4djz7rvfn2vwceq3cnue33d72isntnlfmi7huv7q,
102+
Endorse dynamic-group HydrationAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCM-SERVICE where all { target.bucket.name = '<user_tenancy_ocid>' }
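Review bot: line 96 ends with a stray double quote (`Endorse dynamic-group RemoteAgentDynamicGroup to { OBJECT_CREATE } in tenancy OCB-SERVICE"`), which will make the statement fail to parse when it is pasted into a policy, so drop it. Lines 16 to 19 also omit the `to` keyword that every other Allow statement in the file uses (`Allow dynamic-group MigrationDynamicGroup { INSTANCE_INSPECT } in tenancy …` should read `Allow dynamic-group MigrationDynamicGroup to { INSTANCE_INSPECT } in tenancy …`); as written they are likely to be rejected by the policy parser. Smaller points: the dynamic-group placeholders are inconsistent (`<migration_compartment_ocid>` on line 4 versus `<MIGRATION-OCID>` on line 84), the heading on line 100 lacks the space after `###`, line 25 misspells `DiscoverySerivcePolicy`, and the two Define statements use `as` and `AS` inconsistently. Because this file is meant to be copied verbatim into a tenancy, it would help to state in the README which placeholders must be replaced and that the replication bucket name `ocm_replication` on line 72 is fixed rather than a placeholder.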
