Category: Tech
Transcript
00:00 Welcome back to this lesson on Authentication and Authorization.
00:10 Before we get into more specific details, let us look at what a principal is.
00:15 A principal is an IAM entity that is allowed to interact with OCI resources.
00:20 There are primarily two kinds of principals in OCI.
00:23 One is your users: think about people who are logging on to your console or using your
00:30 CLI or SDKs. Users are human beings actually using your cloud resources. And then the resources
00:36 themselves can be principals.
00:38 So a good example of a resource principal is an instance principal, which is actually an
00:43 instance which becomes a principal, which means that it can make API calls against other OCI
00:49 services like storage.
00:52 Also, when we talk about principals, we have groups, and groups are basically collections
00:57 of users who have the same type of access requirements to resources.
01:02 So you can have a storage admin group where you could group all the human beings who are
01:08 storage administrators, and so on and so forth.
01:12 So let us look at some of the details, starting with authentication.
01:15 Authentication is sometimes also referred to as auth, and as we recap from the previous lesson,
01:22 authentication is basically figuring out who you say you are.
01:27 And the easiest way to understand this is that all of us deal with this on an everyday basis.
01:34 When you go to a website and you provide your username and password to access some of the content,
01:38 you are being authenticated.
01:40 There are other ways to do authentication.
01:43 The one common for cloud is API signing keys.
01:46 So when you are making API calls, whether you are using the SDK or the CLI, you would use
01:52 the API signing keys, which use a public-private key pair to sign these API calls and authenticate
02:03 these API calls.
02:06 So it uses an RSA key pair, as you can see here, with both a public key and a private key.
02:13 There is also a third way to do authentication, and that is based on authentication tokens.
02:18 And these are Oracle-generated token strings.
02:21 And the idea here is you can authenticate third-party APIs which do not support the OCI authentication
02:28 model.
02:29 So in this example, we are showing an ADW, Autonomous Data Warehouse, API call where
02:38 we are using these auth tokens till your identity is being followed.
02:44 These auth tokens can be used for this purpose.
02:49 Now let us very quickly look at authorization.
02:52 So authorization deals with permissions and figuring out what permissions you have.
02:57 In OCI, authorization is done through what we call IAM policies.
03:02 And policies, think about these as human-readable statements to define granular permissions.
03:08 So you have a couple of examples here, and the policy syntax is always something similar.
03:14 In the next slide, I will talk a little bit more about what this statement means.
03:20 Remember, policies can be attached to a compartment or they could be attached to a tenancy.
03:25 If they are attached to a tenancy, it applies to everything within that tenancy.
03:29 If it is applied to a compartment, it applies only to the resources within that compartment.
03:35 So how is authorization done in OCI?
03:38 We talked about policies.
03:39 What does the syntax look like?
03:41 As you can see here, the syntax is always that you have to start with an allow.
03:49 Everything is denied by default.
03:51 So you do not really have to write a deny statement.
03:54 So you say allow, group name; a group is basically a collection of users.
03:59 So you cannot write a policy on individual users.
04:01 You always operate at a group level.
04:03 To do something, there is a verb.
04:05 On some resources, there is a resource type, and there is a location.
04:09 Location can be a tenancy.
04:10 Location can be a compartment.
04:12 And you can make these policies really complex by adding conditions.
04:16 Again, this is a foundations course, so we are not getting into a lot of these complex topics.
04:22 But you could really write complex policies.
04:25 So just to give you an idea of what the verbs might look like, there are four levels of verb.
04:32 There is manage, there is use, there is read and there is inspect.
04:36 So manage basically means you can manage all resources.
04:40 Use basically means you can read.
04:43 But you could not do things like update and delete, and so on and so forth, and you can read
04:46 more in the documentation.
04:48 Resource type can basically be all resources, meaning everything in your account, or it could
04:53 be compute resources, database resources, whatnot, all the resources you have.
04:58 Now you could operate at a family level, which means all the entities within that resource
05:04 family, or you could even go very granular.
05:07 So you could say that in compute, I just want somebody to operate on the instances, but not
05:14 work on the instance images.
05:16 So you could actually do that.
05:18 So this is how you would write a policy.
05:20 There are some exceptions to this rule.
05:22 There are policies you would write for services and such.
05:26 But again, it is a foundations course, so we are not getting into those advanced details.
05:31 This is typically how you would do authorization in OCI.
05:34 To wrap up, we looked at how you do authentication in OCI.
05:39 The three mechanisms: username and password, API signing keys, authentication tokens.
05:43 And then we looked at how you do authorization in OCI through policies.
05:47 Policies are really powerful.
05:49 They are very easy to understand, human-readable, but at the same time, they give you a lot of
05:54 advanced capabilities to implement really fine-grained access control.
05:59 I hope you found this lesson useful.
06:02 Thanks for watching.