File Storage with Lustre Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for File Storage with Lustre resources.

This topic covers details for writing policies to control access to the File Storage with Lustre service. For more information, see IAM Policies Overview.

Overview of Policy Syntax

The overall syntax of a policy statement is:

allow <subject> to <verb>
                    <resource-type> in <location> where <condition>

For example, you can specify:

A group or dynamic group by name or OCID as the <subject> . Or, you can use any-user to cover all users in the tenancy.
inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.
As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
A family of resources such as virtual-network-family for the resource-type . Or, you can specify an individual resource in a family such as vcns and subnets.
A compartment by name or OCID as the <location> . Or, you can use tenancy to cover the entire tenancy.

For more information about creating policies, see Getting Started with Policies and Policy Reference.

Resource-Types

To give users access to File Storage with Lustre resources, create IAM policies with File Storage with Lustre resource-types.

Aggregate Resource-Type

lustre-file-family

A policy that uses <verb> lustre-file-family is equal to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the tables in Details for Verbs + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in lustre-file-family.

Individual Resource-Types

For access to File Storage with Lustre resources, use each of the following resource types:

lustre-file-system
lfs-work-request

See Policy Examples for more information.

Supported Variables

The File Storage with Lustre service supports all the general variables, plus those listed here.

For more information about general variables supported by OCI services, see General Variables for All Requests.


Variable	Variable Type	Source
`target.lustre-file-system.id`	Entity (OCID)	Request

Details for Verbs + Resource-Type Combinations

Various Oracle Cloud Infrastructure verbs and resource-types can be used to create a policy.

The following tables show the permissions and API operations covered by each verb for File Storage with Lustre. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.

lustre-file-system


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	LUSTRE_FILE_SYSTEM_INSPECT	`ListLustreFileSystems`	none
read	INSPECT + LUSTRE_FILE_SYSTEM_READ	INSPECT + `GetLustreFileSystem`	none
use	READ + LUSTRE_FILE_SYSTEM_UPDATE	READ + `UpdateLustreFileSystem`	none
manage	USE + LUSTRE_FILE_SYSTEM_CREATE LUSTRE_FILE_SYSTEM_DELETE LUSTRE_FILE_SYSTEM_MOVE	USE + `CreateLustreFileSystem` `DeleteLustreFileSystem` `ChangeLustreFileSystemCompartment`	none

lfs-work-request


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	LFS_WORK_REQUEST_INSPECT	`ListWorkRequests` `ListWorkRequestErrors` `ListWorkRequestLogs`	none
read	INSPECT + LFS_WORK_REQUEST_READ	INSPECT + `GetWorkRequest`	none
use	READ + none	READ + none	none
manage	USE + LFS_WORK_REQUEST_DELETE	USE + `CancelWorkRequest`	none

Permissions Required for Each API Operation

The following table lists the API operations for OCI Database with PostgreSQL in a logical order, grouped by resource-type.

The resource-types are lustre-file-system and lfs-work-request.

For information about permissions, see Permissions.

Required Permissions
API Operation	Permissions Required to Use the Operation
`ListLustreFileSystems`	LUSTRE_FILE_SYSTEM_INSPECT
`GetLustreFileSystem`	LUSTRE_FILE_SYSTEM_READ
`CreateLustreFileSystem`	LUSTRE_FILE_SYSTEM_CREATE
`UpdateLustreFileSystem`	LUSTRE_FILE_SYSTEM_UPDATE
`DeleteLustreFileSystem`	LUSTRE_FILE_SYSTEM_DELETE
`ChangeLustreFileSystemCompartment`	LUSTRE_FILE_SYSTEM_MOVE
`ListObjectStorageLinks`	LFS_OBJECT_STORAGE_LINK_INSPECT
`GetObjectStorageLink`	LFS_OBJECT_STORAGE_LINK_READ
`CreateObjectStorageLink`	LFS_OBJECT_STORAGE_LINK_CREATE
`DeleteObjectStorageLink`	LFS_OBJECT_STORAGE_LINK_DELETE
`ChangeObjectStorageLinkCompartment`	LFS_OBJECT_STORAGE_LINK_MOVE
`ListSyncJobs`	LFS_OBJECT_STORAGE_LINK_INSPECT
`GetSyncJob`	LFS_OBJECT_STORAGE_LINK_READ
`StartExportToObject`	LFS_EXPORT_TO_OBJECT
`StartImportFromObject`	LFS_IMPORT_FROM_OBJECT
`StopExportToObject`	LFS_EXPORT_TO_OBJECT
`StopImportFromObject`	LFS_IMPORT_FROM_OBJECT
`ListWorkRequests`	LFS_WORK_REQUEST_INSPECT
`GetWorkRequest`	LFS_WORK_REQUEST_READ
`CancelWorkRequest`	LFS_WORK_REQUEST_DELETE
`ListWorkRequestErrors`	LFS_WORK_REQUEST_INSPECT
`ListWorkRequestLogs`	LFS_WORK_REQUEST_INSPECT

Policies for Bidirectional Sync between Object Storage and Lustre

Before a Lustre file system can sync data with Object Storage, you need to grant it specific permissions. To do this, create Identity and Access Management (IAM) policies that let the Lustre file system read from and manage objects within Object Storage buckets.

The user configuring the sync needs these permissions:

View Object Storage buckets (for selection)
Create, update, and manage Object Storage Links
Ability to start and stop jobs on the Lustre file system.

The Lustre file system needs these permissions:

Read and manage objects in the specified Object Storage bucket (for data sync).

The Object Storage Bucket doesn't need explicit permissions. Instead, you control access to the bucket by granting the Lustre resource permission to read and manage objects.

Here's how you can assign permissions:

Option 1: Assign permissions using a dynamic group: Create Dynamic groups to group resources, such as Lustre file systems, and assign policies to them collectively. We've provided some examples.
Option 2: Control access to Lustre file systems (no dynamic group): If you don't want to set up a dynamic group, you can still control access to Lustre file systems using resource-type conditions, with or without tags. We've provided some examples.

Policy Examples

Use the following examples to create common policies in addition to those required for file systems and those required if you're encrypting file systems with your own key.

Allow a group to use but not delete file systems

allow group lfsadminusers to use lustre-file-family in compartment <file_system_compartment>

Object Storage Bidirectional Sync Policies Using Dynamic Groups

To define a dynamic group that includes all Lustre file systems, use:

resource.type='lustrefilesystem'

To extend the dynamic group's definition to only a specific Lustre compartment, use:

All {resource.type = 'lustrefilesystem', resource.compartment.id = '<comp_ocid>'}

To give the dynamic group access to any Object Storage bucket in a tenancy, use:

allow dynamic-group lustre-fs-group to read buckets in tenancy
allow dynamic-group lustre-fs-group to manage objects in tenancy

To give the dynamic group access to a single Lustre compartment in a tenancy, use:

allow dynamic-group lustre-fs-group to read buckets in compartment <comp id or name e.g. cell:compute-data>
allow dynamic-group lustre-fs-group to manage objects in compartment <comp id or name e.g. cell:compute-data>

Object Storage Bidirectional Sync Policies Without Using Dynamic Groups

To let any Lustre file system in a compartment to read Object Storage buckets and manage their content, use:

allow any-user to read buckets in compartment <comp id or name e.g. cell:compute-data> where ALL { request.principal.type = 'lustrefilesystem'}
allow any-user to manage objects in compartment <comp id or name e.g. cell:compute-data> where ALL { request.principal.type = 'lustrefilesystem'}

Note

Don't remove the request.principal.type = 'lustrefilesystem' condition. It restricts access to Lustre file system resources only - not users or other services.

To limit permissions to only Object Storage buckets that have a specific tag, combine a principal type with a tag, like this:

allow any-user to read buckets in compartment <comp id or name e.g. cell:compute-data> where ALL { request.principal.type = 'lustrefilesystem' , target.bucket.tag.<tag-namespace>.<tag-key> = <"tag-value">}
allow any-user to manage objects in compartment <comp id or name e.g. cell:compute-data> where ALL { request.principal.type = 'lustrefilesystem' , target.bucket.tag.<tag-namespace>.<tag-key> = <"tag-value">}

Oracle Cloud Infrastructure Documentation