Merge branch 'main' into ppaolucc-SQL-Product-Restyling-I

ai/generative-ai-service/image-to-text/requirements.txt

@@ -1,3 +1,3 @@
-streamlit==1.33.0
+streamlit==1.37.0
 oci==3.50.1
 Pillow

cloud-infrastructure/ai-infra-gpu/ai-infrastructure/rag-langchain-vllm-mistral/files/requirements.txt

@@ -1,4 +1,4 @@
-aiohttp==3.10.2
+aiohttp==3.10.11
 aiosignal==1.3.1
 annotated-types==0.6.0
 anyio==4.3.0

cloud-infrastructure/private-cloud-and-edge/compute-cloud-at-customer/hsp/README.md

@@ -1,99 +1 @@
-# C3 Hosting Service Provider - IAM Policies for Isolation
-
-Reviewed: 18.11.2024
-
-The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
-hosting for multiple end customers, each isolated in a dedicated compartment
-with separate VCN(s) per customer. To ensure the end customer can only
-create resources in just their own compartment, a set of IAM policies are
-required.
-
-The HSP documentation suggests the following policies per end customer
-based on an example with two hosting customers, A & B. They assume that
-each end customer will have two roles for their
-staff: Customer Administrator and Customer End User. 
-
-## Example Policies for Customer Administrator
-```
-Allows the group specified to use all C3 services in the compartment
-listed:
-
-Allow group CustA-Admin-grp to manage all-resources in compartment
-path:to:CustA
-
-Allow group CustB-Admin-grp to manage all-resources in compartment
-path:to:CustB
-```
-Note that the above policy grants permissions in the CustA and CustB
-compartments of the C3 but **also in the same compartment in the OCI
-tenancy**! To prevent permissions being granted in the OCI tenancy
-append a condition such as:
-
-```Allow group CustA-Admin-grp to manage all-resources in compartment
-path:to:CustA where all {request.region != 'LHR',request.region !=
-'FRA'}
-
-Allow group CustB-Admin-grp to manage all-resources in compartment
-path:to:CustB where all {request.region != 'LHR',request.region !=
-'FRA'}
-```
-In the example above the condition prevents resource creation in London
-and Frankfurt regions. Adjust the list to include all regions the
-tenancy is subscribed to.
-
-The path to the end user compartment must be explicitly stated, using
-the comma format, relative to the compartment where the policy is
-created. 
-
-## Example Policies for Customer End User
-```
-Allow group CustA-Users-grp to manage instance-family in compartment
-path:to:CustA  
-Allow group CustA-Users-grp to use volume-family in compartment
-path:to:CustA  
-Allow group CustA-Users-grp to use virtual-network-family in compartment
-path:to:CustA  
-Allow group CustB-Users-grp to manage instance-family in compartment
-path:to:CustB  
-Allow group CustB-Users-grp to use volume-family in compartment
-path:to:CustB  
-Allow group CustB-Users-grp to use virtual-network-family in compartment
-path:to:CustB
-```
-As above append a condition to limit permissions to the C3 and prevent
-resource creation in OCI regions:
-```
-Allow group CustA-Users-grp to manage instance-family in compartment
-path:to:CustA where all {request.region != 'LHR',request.region !=
-'FRA'}  
-Allow group CustA-Users-grp to use volume-family in compartment
-path:to:CustA where all {request.region != 'LHR',request.region !=
-'FRA'}  
-Allow group CustA-Users-grp to use virtual-network-family in compartment
-path:to:CustA where all {request.region != 'LHR',request.region !=
-'FRA'}  
-Allow group CustB-Users-grp to manage instance-family in compartment
-path:to:CustB where all {request.region != 'LHR',request.region !=
-'FRA'}  
-Allow group CustB-Users-grp to use volume-family in compartment
-path:to:CustB where all {request.region != 'LHR',request.region !=
-'FRA'}  
-Allow group CustB-Users-grp to use virtual-network-family in compartment
-path:to:CustB where all {request.region != 'LHR',request.region !=
-'FRA'}
-```
-## Common Policy
-
-Currently any user of a C3 needs access to certain resources located at
-the tenancy level to use IaaS resources in the web UI.
-Backup policies, tag namespaces, platform images, all reside at the
-tenancy level and need a further policy to allow normal use of C3 IaaS
-services. Note that this is a subtle difference to the behaviour on OCI. 
-
-An extra policy as below is required (where CommonGroup contains **all**
-HSP users on the C3):
-```
-allow group CommonGroup to read all-resources in tenancy where
-target.compartment.name='root-compartment-name'
-```
 

cloud-infrastructure/private-cloud-and-edge/compute-cloud-at-customer/hsp/iam-policies-for-isolation/README.md

@@ -0,0 +1,99 @@
+# C3 Hosting Service Provider - IAM Policies for Isolation
+
+Reviewed: 18.11.2024
+
+The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
+hosting for multiple end customers, each isolated in a dedicated compartment
+with separate VCN(s) per customer. To ensure the end customer can only
+create resources in just their own compartment, a set of IAM policies are
+required.
+
+The HSP documentation suggests the following policies per end customer
+based on an example with two hosting customers, A & B. They assume that
+each end customer will have two roles for their
+staff: Customer Administrator and Customer End User. 
+
+## Example Policies for Customer Administrator
+```
+Allows the group specified to use all C3 services in the compartment
+listed:
+
+Allow group CustA-Admin-grp to manage all-resources in compartment
+path:to:CustA
+
+Allow group CustB-Admin-grp to manage all-resources in compartment
+path:to:CustB
+```
+Note that the above policy grants permissions in the CustA and CustB
+compartments of the C3 but **also in the same compartment in the OCI
+tenancy**! To prevent permissions being granted in the OCI tenancy
+append a condition such as:
+
+```Allow group CustA-Admin-grp to manage all-resources in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}
+
+Allow group CustB-Admin-grp to manage all-resources in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}
+```
+In the example above the condition prevents resource creation in London
+and Frankfurt regions. Adjust the list to include all regions the
+tenancy is subscribed to.
+
+The path to the end user compartment must be explicitly stated, using
+the colon delimited format, relative to the compartment where the policy is
+created. 
+
+## Example Policies for Customer End User
+```
+Allow group CustA-Users-grp to manage instance-family in compartment
+path:to:CustA  
+Allow group CustA-Users-grp to use volume-family in compartment
+path:to:CustA  
+Allow group CustA-Users-grp to use virtual-network-family in compartment
+path:to:CustA  
+Allow group CustB-Users-grp to manage instance-family in compartment
+path:to:CustB  
+Allow group CustB-Users-grp to use volume-family in compartment
+path:to:CustB  
+Allow group CustB-Users-grp to use virtual-network-family in compartment
+path:to:CustB
+```
+As above append a condition to limit permissions to the C3 and prevent
+resource creation in OCI regions:
+```
+Allow group CustA-Users-grp to manage instance-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustA-Users-grp to use volume-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustA-Users-grp to use virtual-network-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to manage instance-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to use volume-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to use virtual-network-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}
+```
+## Common Policy
+
+Currently any user of a C3 needs access to certain resources located at
+the tenancy level to use IaaS resources in the web UI.
+Backup policies, tag namespaces, platform images, all reside at the
+tenancy level and need a further policy to allow normal use of C3 IaaS
+services. Note that this is a subtle difference to the behaviour on OCI. 
+
+An extra policy as below is required (where CommonGroup contains **all**
+HSP users on the C3):
+```
+allow group CommonGroup to read all-resources in tenancy where
+target.compartment.name='root-compartment-name'
+```
+

cloud-infrastructure/private-cloud-and-edge/compute-cloud-at-customer/hsp/restrict-access-to-oci-console/README.md

@@ -0,0 +1,34 @@
+# C3 HSP - Restricting Access to the OCI Console
+
+In the HSP scenario where end users are not employees of the rack
+operator it's probably not appropriate for them to be able to access the
+OCI console and to, possibly, create resources in the public cloud.
+
+In an OCI tenancy using Identity Domains, i.e. all new tenancies, then
+there is an option to use [IAM Sign-On
+Policies](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies)
+to prevent access to the OCI Console. There is a [specific Sign-On
+Policy that controls access to the OCI
+Console](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies__securitypolicy-console-signonpolicy)
+and adding a new Sign-On Rule will disable access. Note that all users
+of a C3 must be created in the **default identity domain**. The Security
+Policy for OCI Console sign-on policy is activated by default and
+preconfigured with Oracle security best practices. Once located a new
+Sign-On rule as below will deny access to a specifed group:  
+![](./files/media/image1.png)
+
+Once the new Sign-On rule is created then it should be added to the
+Policy as shown, in this case before the MFA rule: 
+
+![](./files/media/image2.png)
+
+Note!
+
+Even with OCI console access disabled there are still "live" OCI users
+who will have access to create/delete/modify resources via teh API in the OCI tenancy
+as well as the C3 as the policies and compartments are common across
+both. It would be wise to further restrict the capability of these users
+as per
+<https://docs.oracle.com/en-us/iaas/Content/Identity/users/edit-users-capabilities.htm>.   
+
+Ideally a policy should be implemented that restricts permissions **only** to the C3, see [this](../iam-policies-for-isolation/README.md) note.