Tip Tuesday: Setting up OCI Data Science Service with an Oracle Template
To create a user group, dynamic group, and policies required to use the data science service you can take advantage of a pre-built Oracle template.
To use the template, from within the OCI console navigate to Developer Services → Resource Manager.
Next, select the compartment you wish your data science work to be completed in. I would recommend a separate compartment for Data Science work, this compartment would need to have been already created.
Click "Create stack", and select “Template”. You can now choose from a range of Oracle-created templates.
Under “Service”, select the “Data Science” Template.
You are given the option to customise the names of the user group and dynamic group, and you can optionally create a vault and master key at the same time to store secrets such as passwords.
Click “Next” to review your set up.
Check the “Run apply” checkbox, so when you click “Create”, the resources required will be provisioned immediately.
On clicking “Create” a job is started to create your stack.
Upon succeeding, the job will have created:
- A data science specific user group;
- A data science specific dynamic group;
- The policies required for these groups to use data science resources (see listed below);
- A Vault and a Master Key (if it was optionally selected).
Policies created:
Allow service datascience to use virtual-network-family in compartment <compartment_name>
Allow group <group_name> to read metrics in compartment <compartment_name>
Allow group <group_name> to manage data-science-family in compartment <compartment_name>
Allow group <group_name> to manage log-groups in compartment <compartment_name>
Allow group <group_name> to use log-content in compartment <compartment_name>
Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
Allow group <group_name> to use object-family in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to use log-content in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to read virtual-network-family in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to manage data-science-family in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to use object-family in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to read repos in compartment <compartment_name>
Allow group <group_name> to use vaults in compartment <compartment_name>
Allow group <group_name> to manage keys in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to use vaults in compartment <compartment_name>
Allow dynamic-group <dynamic-group-name> to manage keys in compartment <compartment_name>
These policies will allow data science users to: create notebook sessions, models, model deployments, data science jobs, pipelines, create log groups, write logs, as well as connect to, read and write to, but not create object storage buckets.
Note: Additional polices would be required if data science users need to create storage buckets, create secrets from outside of a notebook session, use the Data Integration Service (for example for scheduling Jobs), or use the OCI AI Services.