00:00 Welcome to this demo on OCI authentication and authorization. As you recall from the theory
00:11 lesson, authentication is all about your users, who your users are and what they are requesting,
00:18 and authorization is all about permissions. Once your users are authenticated, what level of access
00:25 do they have, what permissions do they have, to which resources. So let's look at both of these in
00:31 action. I am in the OCI console here, and in the previous demo we had created an identity domain.
00:39 So let's leverage that. Click on identity and security, and right here I can see compartments
00:43 and domains. We created an identity domain in the previous demo called sandbox domain. So if
00:50 I click here, and if I hover over here, I can see there are no users here. So let's go
00:56 ahead and create a user. I'll click on sandbox domain, click on users, and you can see there is
01:02 no user which exists right now. So let's create a user and give it a very creative name:
01:08 OCI admin. The username could be whatever we choose, or it could be an email ID if we choose an email ID
01:17 here. And we also need to specify an email ID here, so the user can access their passwords, reset their
01:26 passwords, etc.
01:29 So we'll provide an email ID here, and I'm not going to add the user to any of the groups here. So let me
01:34 just go ahead and create this user. Now in OCI, the policies are defined at a group level, not for
01:42 individual users. So let's go ahead and actually create a group as well. If I click groups here,
01:47 you can see there are two groups which exist by default. Let's go ahead and create another group
01:52 here. We'll call this group OCI admin group. And as you recall from the theory lesson, it's a
02:04 best practice to create separate administrators and not use the root user for
02:11 day-to-day operations. So I create this OCI admin group, and here I can specify which user should be
02:17 part of this group. OCI admin is fine. I'll click create. And now what I have done is I have created
02:23 a user and I have created a group into which the user belongs. But right now, what I need to do
02:31 first is to activate the user, so the user has access to the system; that's authentication. And then we
02:38 need to write some policies so the user can perform some actions in OCI. So let's go ahead; I'll log
02:44 into my email account and activate the user. As you can see here, I got an email asking me to
02:53 activate my account. So I'll click here, and the first thing you see is what it's
02:59 prompting: it's prompting that the identity domain is sandbox-domain. It's no longer giving this as the
03:06 default domain. So you see the difference there. And now it's asking me to set up a password
03:12 for my username. So I'll go ahead and choose a password which actually will work here.
03:21 And I'll reset my password here. And then it says "continue to sign in", so I can sign in here.
03:26 But instead of doing that, let me actually open an incognito window and sign in through
03:32 the incognito window. So I'll access the URL for the OCI console, and it will ask me to enter my
03:42 tenancy name. In OCI foundation, it is the tenancy name. Click next, and then it will ask me to
03:49 provide a username and password. This is how you would access the OCI console. So right now I get a choice of
03:54 identity domain, whether it's default or sandbox domain. I'll pick sandbox domain because that's
03:59 where my user belongs, and click next. And it will ask me to provide a username and a password. So I'll
04:07 provide OCI admin, that's my username, and I'll provide the password which I just reset. And now I'm
04:17 logged in as OCI admin to the OCI console. If I click on the right-hand side, you can see my
04:23 profile. You can see here that right now my identity domain is sandbox domain and my username is OCI
04:29 admin. So this is authentication. Now I can authenticate to the system, meaning I have access
04:35 to the system. I can see all the services, I can see the console, etc. But can I do anything?
04:41 Actually not, because I really don't have any authorization; no permissions have been given
04:46 to me. So if I click here and I see my compartment, you can see that I'll get an error
04:52 message saying I do not have authorization to perform this request. And it's not just for storage
04:57 buckets. If I go to compute, I'll see that, you know, I cannot do anything on compute, because I have
05:03 no authorization here, and so on and so forth, right? Basically, I have just created a user
05:09 and put that user in a group, and I have logged into the system. So that's authentication.
05:17 But beyond that, there is nothing else which I have done, because authorization is still to be
05:24 done. So to do that, what we'll do is go back to the OCI console. And here I'm logged in as my
05:32 tenancy administrator. And you see, if I go back out of domains, the policies are actually defined
05:40 outside the domain. So I'll click on policies, and we'll create a policy for OCI admin group. I'll
05:47 click on create policy here. And it's rather straightforward to create policies. I'll say
05:53 this is policies for OCI admins. And right here there is a policy builder, which I can use, I'll
06:03 show you in a second, or I could actually manually write policies here. And these are human-readable
06:09 formats, not like complex JSON, etc. But it's actually quite simple to use this policy builder.
06:16 So because we want to create a storage bucket, I'll pick a policy use case of storage management.
06:21 And right here it gives me all sorts of policies I can write for storage. I'm interested in object
06:26 storage, so I'll click on that. And right below that, it's asking me what groups, what identity
06:33 domains, etc., I want to leverage. So the identity domain which I want to use is sandbox domain, and
06:39 the group which I have is the OCI admin group. And it also gives me a location, which is
06:45 whether it's for a compartment or for a tenancy. I'll choose the sandbox compartment. And
06:50 that's all it takes. And now you can see it spits out the policy statement. So it says allow
06:57 group sandbox domain, OCI admin group to manage buckets and manage objects in this compartment.
07:03 So outside that compartment I still don't have access. But within that compartment, I should be
07:08 able to create buckets and upload objects. So I'll go ahead and create these policies; it's quite
07:14 straightforward to create these policies. And if I come back here, now in the same, you know,
07:21 login as OCI admin here, if I go to compute and refresh the page here, you will see
07:28 that I still don't have access to creating compute resources. So I cannot create any compute
07:35 resource, because, you know, we didn't write a policy for compute. So it will kind of error out,
07:41 as is shown here. But if I go to storage now and bring up object storage, I should be able to
07:47 create an object storage bucket, not in the root compartment, but in the sandbox compartment. So if
07:53 I click here, the first thing is I see sandbox compartment here, and I can click create bucket,
07:59 the default name is fine, click create. And here you can see that my bucket can be created. But if I go to
08:05 the root compartment and I try to create a bucket here, you will see that the bucket, you know, it
08:11 says it already exists or you're not authorized to create it; it's of course "not authorized to create",
08:16 because our policy is only operating at the sandbox compartment level. So I hope this is
08:24 exactly what authorization does, where we write specific policies giving access to a set of users
08:32 to specific resources, whether it's in a compartment or in the whole entire tenancy. I hope you found this
08:38 demo useful. Thanks for your time.