Diagram generation: ref-arch-driven procedure + spec validator + KB enrichment

The diagram path now follows a documented standard procedure (lookup
the closest Oracle Architecture Center reference → confirm components
→ author absolute_layout → spec validator → render → visually verify)
and ships persistent guardrails so layout regressions can't recur.

Persistent procedure changes (apply to all users, all sessions):
- tools/diagram_spec_validator.py — geometry checks (CONTAINER_TOO_THIN,
  CONTAINER_PADDING_VIOLATION, LABEL_OVERFLOW_PARENT) run BEFORE either
  renderer (drawio + PPTX). Catches the subnet-collapse / label-overflow
  bugs that the post-render drawio validator missed.
- tools/oci_diagram_gen.py + tools/oci_pptx_diagram_gen.py — call the
  spec validator before emitting any output. Adds mysql / mysql_heatwave
  type aliases.
- tools/archcenter_pattern_lookup.py — scores against cached page
  descriptions (not just the 1-line summary), supports --queries for
  multi-fragment composition, and applies synonym expansion via
  kb/architecture-center/synonyms.yaml so "LB HA cross AD" matches
  "load balancer high availability availability domain".
- kb/architecture-center/synonyms.yaml — canonical synonym table
  (load balancer, autonomous database, data guard, …) used by the
  lookup scorer.

KB enrichment:
- tools/archcenter_description_fetcher.py + 121 cached _description.md
  under kb/diagram/assets/archcenter-refs/<slug>/. Removes the runtime
  dependency on docs.oracle.com when authoring specs and feeds the
  pattern-lookup scorer.
- 110+ cached .drawio / .svg / .png references for offline reuse,
  plus the OCI Toolkit v24.2 import (kb/diagram/assets/oci-toolkit-drawio).

Documentation:
- docs/skill/output-formats.md — new "Standard diagram-generation
  procedure (MANDATORY)" + geometry rules + the new validator entry.
- SKILL.md option 2 — references the mandatory procedure.
- README.md — describes the spec validator, archcenter_pattern_lookup
  and description fetcher, and updates the KB-health table.

Tooling that backs the procedure (cumulative across recent sessions):
tools/archcenter_case_runner.py, archcenter_batch_driver.py,
archcenter_zip_downloader.py, drawio_visual_validator.py,
drawio_fidelity_eval.py, harvest_drawio_icon.py, import_oci_library.py,
oci_pptx_diagram_gen.py, oci_pptx_render.py, refresh_pptx_icon_index.py.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
root
2026-04-25 21:15:21 -03:00
parent 2491c38d4b
commit b30a4f0d32
635 changed files with 365317 additions and 1014 deletions

View File

@@ -0,0 +1,259 @@
# Implement fine-grained access control on Oracle Integration
- Source: https://docs.oracle.com/en/solutions/integration-access-control/index.html
- Date: 2025-06
- Type: reference-architecture
- Services: oic
- Tags: integration, security
## Summary (catalog)
Fine-grained RBAC for Oracle Integration flows. Project-level access control with custom roles. Separation of duties between integration developers and administrators.
## Architecture (fetched from source)
Architecture
This architecture outlines a fine-grained access control model for Oracle Integration .
Architecture details:
- The OCI API Gateway triggers OCI Functions , which acts as a custom authorizer to handle the authorization logic for the
incoming request. This request includes an access token intended to grant access to
Oracle Integration .
- The authorizer function performs the following steps:
- It extracts the token from the request and uses it to query OCI Vault for sensitive credentials such as the client ID and client secret.
- Using these credentials, the function validates the token
against Oracle Identity Cloud
Service (IDCS) to ensure its authenticity and integrity.
- If the token is valid, the function returns a response containing key
details such as:
- Token validity status
- Principal (user identity)
- Client ID and client secret
- Scope of access
- The OCI API Gateway then uses scope in this response to verify the tokens scope against the required
access level for the Oracle Integration integration.
If the scope matches, the OCI API Gateway forwards the original request to the Oracle Integration API which is protected by an allowlist, now enriched with validated authorization
headers, allowing the integration flow to continue securely.
The following diagram illustrates this reference architecture.
Description of the illustration oracle-integration-rest-oauth-diagram.png
oracle-integration-rest-oauth-diagram-oracle.zip
The architecture has the following components:
- Region
An OCI region
is a localized geographic area that contains one
or more data centers, hosting availability
domains. Regions are independent of other regions,
and vast distances can separate them (across
countries or even continents).
- Virtual cloud network (VCN) and subnets
A
VCN is a customizable, software-defined network
that you set up in an OCI region. Like traditional
data center networks, VCNs give you control over
your network environment. A VCN can have multiple
non-overlapping classless inter-domain routing
(CIDR) blocks that you can change after you create
the VCN. You can segment a VCN into subnets, which
can be scoped to a region or to an availability
domain. Each subnet consists of a contiguous range
of addresses that don't overlap with the other
subnets in the VCN. You can change the size of a
subnet after creation. A subnet can be public or
private.
- API Gateway
Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private
endpoints that are accessible from within your
network, and which you can expose to the public
internet if required. The endpoints support API
validation, request and response transformation,
CORS, authentication and authorization, and
request limiting.
- Functions
Oracle Cloud Infrastructure
Functions is a fully-managed, multitenant, highly
scalable, on-demand, Functions-as-a-Service (FaaS)
platform. It is powered by the Fn Project open
source engine. OCI Functions enables you to deploy your code, and either
call it directly or trigger it in response to
events. OCI Functions uses Docker containers hosted in Oracle Cloud Infrastructure
Registry .
- Integration
Oracle Integration is a fully-managed, preconfigured environment
that allows you to integrate cloud and on-premises
applications, automate business processes, and
develop visual applications. It uses an
SFTP-compliant file server to store and retrieve
files and allows you to exchange documents with
business-to-business trading partners by using a
portfolio of hundreds of adapters and recipes to
connect with Oracle and third-party
applications.
- Identity
and Access Management
Oracle Cloud Infrastructure Identity
and Access Management (IAM) provides user access control for OCI and
Oracle Cloud Applications. The IAM API and the
user interface enable you to manage identity
domains and the resources within them. Each OCI
IAM identity domain represents a standalone
identity and access management solution or a
different user population.
- Oracle Cloud Infrastructure Vault
Oracle Cloud Infrastructure Vault enables you to create and centrally manage the
encryption keys that protect your data and the
secret credentials that you use to secure access
to your resources in the cloud. The default key
management is Oracle-managed keys. You can also
use customer-managed keys which use OCI Vault . OCI Vault offers a rich set of REST APIs to manage vaults
and keys.
Explore More
Learn more about Oracle Integration integrations.
Review these additional resources:
- Overview of API Gateway in Oracle Cloud Infrastructure
Documentation
- Oracle Integration 3
- Configuring OAuth in Oracle
Cloud Infrastructure Documentation
- Validating Tokens to Add
Authentication and Authorization to API Deployments in Oracle Cloud
Infrastructure Documentation
- Oracle Cloud Cost Estimator
- Oracle Cloud
Infrastructure Documentation
- Well-architected framework
for Oracle Cloud Infrastructure
Acknowledgments
- Authors : Pradyumna Kodgi, Ravi Pinto, Sumit
Aneja
- Contributors : John Sulyok
Title and Copyright Information
Implement fine-grained access control on Oracle Integration
G36317-01
June 2025
Copyright © 2025,
Oracle and/or its affiliates.