dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding Configuration File based authentication to OCI ObjectStorage state store docs 

Signed-off-by: lucasjellema <lucasjellema@gmail.com>
This commit is contained in:
lucasjellema 2022-01-10 14:52:10 +01:00
parent 61c072e4ff
commit 6cd8144d74
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
daprdocs/content/en/reference/components-reference/supported-state-stores/setup-oci-objectstorage.md
View File

@ -23,19 +23,25 @@ spec:
metadata:
- name: instancePrincipalAuthentication
value: <"true" or "false"> # Optional. default: "false"
- name: configFileAuthentication
value: <"true" or "false"> # Optional. default: "false" . Not used when instancePrincipalAuthentication == "true"
- name: configFilePath
value: <REPLACE-WITH-FULL-QUALIFIED-PATH-OF-CONFIG-FILE> # Optional. default: the operating system specific default location for the OCI config file; on Linux: "~/.oci/config" . Only used when configFileAuthentication == "true"
- name: configFileProfile
value: <REPLACE-WITH-NAME-OF-PROFILE-IN-CONFIG-FILE> # Optional. default: "DEFAULT" . Only used when configFileAuthentication == "true"
- name: tenancyOCID
value: <REPLACE-WITH-TENANCY-OCID> # Not used when instancePrincipalAuthentication == "true"
value: <REPLACE-WITH-TENANCY-OCID> # Not used when configFileAuthentication == "true" or instancePrincipalAuthentication == "true"
- name: userOCID
value: <REPLACE-WITH-USER-OCID> # Not used when instancePrincipalAuthentication == "true"
value: <REPLACE-WITH-USER-OCID> # Not used when configFileAuthentication == "true" or instancePrincipalAuthentication == "true"
- name: fingerPrint
value: <REPLACE-WITH-FINGERPRINT> # Not used when instancePrincipalAuthentication == "true"
- name: privateKey # Not used when instancePrincipalAuthentication == "true"
value: <REPLACE-WITH-FINGERPRINT> # Not used when configFileAuthentication == "true" or instancePrincipalAuthentication == "true"
- name: privateKey # Not used when configFileAuthentication == "true" or instancePrincipalAuthentication == "true"
value: |
-----BEGIN RSA PRIVATE KEY-----
REPLACE-WIH-PRIVATE-KEY-AS-IN-PEM-FILE
-----END RSA PRIVATE KEY-----
- name: region
value: <REPLACE-WITH-OCI-REGION> # Not used when instancePrincipalAuthentication == "true"
value: <REPLACE-WITH-OCI-REGION> # Not used when configFileAuthentication == "true" or instancePrincipalAuthentication == "true"
- name: bucketName
value: <REPLACE-WITH-BUCKET-NAME>
- name: compartmentOCID
@ -52,6 +58,9 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| Field | Required | Details | Example |
|--------------------|:--------:|---------|---------|
| instancePrincipalAuthentication | N | Boolean to indicate whether instance principal based authentication is used. Default: `"false"` | `"true"` or `"false"` .
| configFileAuthentication | N | Boolean to indicate whether identity credential details are provided through a configuration file. Default: `"false"` Not required nor used when instancePrincipalAuthentication is true. | `"true"` or `"false"` .
| configFilePath | N | Full path name to the OCI configuration file. Default: the default location on your operating system for the OCI confile file, for example `"~/.oci/config"` on Linux. Not used when instancePrincipalAuthentication is true. | `"/home/apps/configuration-files/myOCIConfig.txt"`.
| configFileProfile | N | Name of profile in configuration file to use. Default: `"DEFAULT"` Not used when instancePrincipalAuthentication is true. | `"DEFAULT"` or `"PRODUCTION"` .
| tenancyOCID | Y | The OCI tenancy identifier. Not required nor used when instancePrincipalAuthentication is true. | `"ocid1.tenancy.oc1..aaaaaaaag7c7sljhsdjhsdyuwe723"`.
| userOCID | Y | The OCID for an OCI account (this account requires permissions to access OCI Object Storage). Not required nor used when instancePrincipalAuthentication is true.| `"ocid1.user.oc1..aaaaaaaaby4oyyyuqwy7623yuwe76"`
| fingerPrint | Y | Fingerprint of the public key. Not required nor used when instancePrincipalAuthentication is true. | `"02:91:6c:49:e2:94:21:15:a7:6b:0e:a7:34:e1:3d:1b"`
@ -65,17 +74,22 @@ The OCI Object Storage state store needs to interact with Oracle Cloud Infrastru
Dapr-applications running on Oracle Cloud Infrastructure - in a compute instance or as a container on Kubernetes - can leverage instance principal authentication. See the [OCI documentation on calling OCI Services from instances](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm) for more background. In short: The instance needs to be member of a Dynamic Group and this Dynamic Group needs to get permissions for interacting with the Object Storage service through IAM policies. In case of such instance principal authentication, specify property instancePrincipalAuthentication as `"true"`. You do not need to configure the properties tenancyOCID, userOCID, region, fingerPrint and privateKey - these will be ignored if you define values for them.
Identity based authentication interact with OCI through an OCI account that has permissions to create, read and delete objects through OCI Object Storage in the indicated bucket and that is allowed to create a bucket in the specified compartment if the bucket is not created beforehand. The OCI documentation [describes how to create an OCI Account](https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/addingusers.htm#Adding_Users). The interaction by the state store is performed using the public key's fingerprint and a private key from an RSA Key Pair generated for the OCI account. The [instructions for generating the key pair and getting hold of the required information](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm) are available in the OCI documentation.
Identity based authentication interacts with OCI through an OCI account that has permissions to create, read and delete objects through OCI Object Storage in the indicated bucket and that is allowed to create a bucket in the specified compartment if the bucket is not created beforehand. The OCI documentation [describes how to create an OCI Account](https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/addingusers.htm#Adding_Users). The interaction by the state store is performed using the public key's fingerprint and a private key from an RSA Key Pair generated for the OCI account. The [instructions for generating the key pair and getting hold of the required information](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm) are available in the OCI documentation.
Details for the identity and identity's credentials to be used for interaction with OCI can be provided directly in the Dapr component properties file - using the properties tenancyOCID, userOCID, fingerPrint, privateKey and region - or can be provided from a configuration file as is common for many OCI related tools (such as CLI and Terraform) and SDKs. In the latter case, a default configuration file can be assumed (such as ~/.oci/config on Linux) or the exact file name and path can be provided through property configFilePath. A configuration file can contain multiple profiles; the desired profile can be specified through property configFileProfile. If no value is provided, DEFAULT is used as the name for the profile to be used. Note: if the indicated profile is not found, then the DEFAULT profile (if it exists) is used instead. The OCI SDK documentation gives [details about the definition of the configuration file](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm).
If you wish to create the bucket for Dapr to use, you can do so beforehand. However, Object Storage state provider will create one - in the specified compartment - for you automatically if it doesn't exist.
In order to setup OCI Object Storage as a state store, you will need the following properties:
- **instancePrincipalAuthentication**: The flag that indicates if instance principal based authentication should be used.
- **tenancyOCID**: The identifier for the OCI cloud tenancy in which the state is to be stored. Not used when **instancePrincipalAuthentication** is true.
- **userOCID**: The identifier for the account used by the state store component to connect to OCI; this must be an account with appropriate permissions on the OCI Object Storage service in the specified compartment and bucket. Not used when **instancePrincipalAuthentication** is true.
- **fingerPrint**: The fingerprint for the public key in the RSA key pair generated for the account indicated by **userOCID**. Not used when **instancePrincipalAuthentication** is true.
- **privateKey**: The private key in the RSA key pair generated for the account indicated by **userOCID**. Not used when **instancePrincipalAuthentication** is true.
- **region**: The OCI region - for example **us-ashburn-1**, **eu-amsterdam-1**, **ap-mumbai-1**. Not used when **instancePrincipalAuthentication** is true.
- **configFileAuthentication**: The flag that indicates if the OCI identity credential details are provided through a configuration file. Not used when **instancePrincipalAuthentication** is true.
- **configFilePath**: Full path name to the OCI configuration file. Not used when **instancePrincipalAuthentication** is true or **configFileAuthentication** is not true.
- **configFileProfile**: Name of profile in configuration file to use. Default: `"DEFAULT"` Not required nor used when instancePrincipalAuthentication is true or **configFileAuthentication** is not true. When the specified profile is not found in the configuration file, the DEFAULT profile is used when it exists
- **tenancyOCID**: The identifier for the OCI cloud tenancy in which the state is to be stored. Not used when **instancePrincipalAuthentication** is true or **configFileAuthentication** is true.
- **userOCID**: The identifier for the account used by the state store component to connect to OCI; this must be an account with appropriate permissions on the OCI Object Storage service in the specified compartment and bucket. Not used when **instancePrincipalAuthentication** is true or **configFileAuthentication** is true.
- **fingerPrint**: The fingerprint for the public key in the RSA key pair generated for the account indicated by **userOCID**. Not used when **instancePrincipalAuthentication** is true or **configFileAuthentication** is true.
- **privateKey**: The private key in the RSA key pair generated for the account indicated by **userOCID**. Not used when **instancePrincipalAuthentication** is true or **configFileAuthentication** is true.
- **region**: The OCI region - for example **us-ashburn-1**, **eu-amsterdam-1**, **ap-mumbai-1**. Not used when **instancePrincipalAuthentication** is true
- **bucketName**: The name of the bucket on OCI Object Storage in which state will be created. This bucket can exist already when the state store is initialized or it will be created during initialization of the state store. Note that the name of buckets is unique within a namespace
- **compartmentOCID**: The identifier of the compartment within the tenancy in which the bucket exists or will be created.