Oracle Cloud Infrastructure Documentation

File Storage with Lustre Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for File Storage with Lustre resources.

This topic covers details for writing policies  to control access to the File Storage with Lustre service. For more information, see How Policies Work.

Overview of Policy Syntax

The overall syntax of a policy statement is:

allow <subject> to <verb> <resource-type> in <location> where <condition>

For example, you can specify:

  • A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.

  • inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.

    As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.

  • A family of resources such as virtual-network-family for the resource-type. Or, you can specify an individual resource in a family such as vcns and subnets.

  • A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.

For more information about creating policies, see Getting Started with Policies and Policy Reference.

Resource-Types

To give users access to File Storage with Lustre resources, create IAM policies with File Storage with Lustre resource-types.

Aggregate Resource-Type

  • lustre-file-family

A policy that uses <verb> lustre-file-family is equal to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the tables in Details for Verbs + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in lustre-file-family.

Individual Resource-Types

For access to File Storage with Lustre resources, use each of the following resource types:

  • lustre-file-system
  • lfs-work-request

See Policy Examples for more information.

Supported Variables

The File Storage with Lustre service supports all the general variables, plus those listed here.

For more information about general variables supported by OCI services, see General Variables for All Requests.

Variable Variable Type Source
target.lustre-file-system.id Entity (OCID) Request

Details for Verbs + Resource-Type Combinations

Various Oracle Cloud Infrastructure verbs and resource-types can be used to create a policy.

The following tables show the permissions and API operations covered by each verb for File Storage with Lustre. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.

Permissions Required for Each API Operation

The following table lists the API operations for OCI Database with PostgreSQL in a logical order, grouped by resource-type.

The resource-types are lustre-file-system and lfs-work-request.

For information about permissions, see Permissions.

Required Permissions
API Operation Permissions Required to Use the Operation
ListLustreFileSystems LUSTRE_FILE_SYSTEM_INSPECT
GetLustreFileSystem LUSTRE_FILE_SYSTEM_READ
CreateLustreFileSystem LUSTRE_FILE_SYSTEM_CREATE
UpdateLustreFileSystem LUSTRE_FILE_SYSTEM_UPDATE
DeleteLustreFileSystem LUSTRE_FILE_SYSTEM_DELETE
ChangeLustreFileSystemCompartment LUSTRE_FILE_SYSTEM_MOVE
ListWorkRequests LFS_WORK_REQUEST_INSPECT
GetWorkRequest LFS_WORK_REQUEST_READ
CancelWorkRequest LFS_WORK_REQUEST_DELETE
ListWorkRequestErrors LFS_WORK_REQUEST_INSPECT
ListWorkRequestLogs LFS_WORK_REQUEST_INSPECT