OCI Object Storage Access Management for Dataset Versioning

Question

Pulumi · Accepted Answer

Access management and dataset versioning in OCI Object Storage involves creating and managing resources that support these features. You'll want to use buckets with versioning enabled to maintain different iterations of your datasets. For access management, pre-authenticated requests might be useful. You will also need to set up the appropriate bucket with an associated lifecycle policy to control how different versions of your datasets are managed over time.

Here is a Pulumi program written in Python that sets up a bucket with versioning enabled, a pre-authenticated request for controlled access, and a lifecycle policy to manage dataset versions.

In this program:
- `oci.ObjectStorage.Bucket` is used to create a new bucket with versioning enabled.
- `oci.ObjectStorage.Preauthrequest` creates a 'read' pre-authenticated request for accessing the bucket without having to share your credentials.
- `oci.ObjectStorage.ObjectLifecyclePolicy` applies a lifecycle rule to the bucket to automatically manage the versions of the datasets.

```python
import pulumi
import pulumi_oci as oci

# Replace the following variables with your own data
compartment_id = 'your-compartment-id'
namespace = 'your-namespace'
bucket_name = 'your-dataset-versioning-bucket'
preauth_request_name = 'your-read-access-preauth-request'

# Create an Object Storage Bucket with versioning enabled
bucket = oci.ObjectStorage.Bucket('VersionedBucket',
    compartment_id=compartment_id,
    namespace=namespace,
    name=bucket_name,
    versioning="Enabled")

# Create a Pre-Authenticated Request to provide read access
read_par = oci.ObjectStorage.Preauthrequest('ReadOnlyPreAuthRequest',
    bucket=bucket.name,
    namespace=bucket.namespace,
    name=preauth_request_name,
    access_type="ObjectRead",
    time_expires=pulumi.Output.concat('2024-12-31T23:59:59.000Z')) # Change to your desired expiry time (in UTC)

# Lifecycle policy to manage dataset versions, for example, delete after 365 days.
# Adjust the rule and action according to your requirements.
lifecycle_policy = oci.ObjectStorage.ObjectLifecyclePolicy('DatasetVersionsLifecyclePolicy',
    bucket=bucket.name,
    namespace=bucket.namespace,
    rules=[{
        'name': 'ExpireOldVersions',
        'action': 'DELETE',
        'isEnabled': True,
        'timeAmount': 365,
        'timeUnit': 'DAYS',
    }])

# Output the pre-authenticated request URL
pulumi.export('pre_authenticated_request_url', read_par.access_uri)
```

This program starts by creating a versioned bucket in OCI Object Storage. Versioning is crucial as it allows you to keep, retrieve, and restore every version of every object stored in your bucket, which is highly beneficial for dataset versioning.

Next, a pre-authenticated request is created for controlled access, enabling read access to the objects in the bucket without the need to provide OCI credentials or user authentication.

Last, the lifecycle policy is specified to automatically manage your dataset versions according to the defined rule – in the given example, it deletes versions that are older than 365 days.

This setup ensures that your datasets in OCI Object Storage are versioned and managed in an orderly fashion, with controlled access for external parties as needed.

Remember to replace the placeholder variables (`compartment_id`, `namespace`, `bucket_name`, `preauth_request_name`, and the expiry time) in the Pulumi program with your actual configuration values.

After deploying this program, you will get a pre-authenticated request URL, which predetermined users can use to access the datasets in read-only mode until the specified expiry date and time. Any modifications to this program should take into consideration your specific dataset versioning and access requirements.