policy modify

Modify a security policy using the CLI.

Syntax

CLI
/opt/mapr/bin/maprcli security policy modify
              [ -name <security-policy-name> ]
              [ -description <description> ]
              [ -cluster cluster-name]
              [ -allowtagging true|false ]
              [ -accesscontrol Armed|Disarmed|Denied ]
              [ -auditenabled true|false ]
              [ -dataauditops <+|- operations>|all ]
              [ -disableddataauditops <+|- operations>|all ]
              [ -wiresecurityenabled true|false ]
              [ -readfileace <file read ACE> ]
              [ -writefileace <file write ACE> ]
              [ -executefileace <file execute ACE> ]
              [ -readdirace <directory read ACE> ]
              [ -addchildace <directory add child ACE> ]
              [ -deletechildace <directory delete child ACE> ]
              [ -lookupdirace <directory lookup ACE> ]
              [ -readdbace <db cf read ACE]> ]
              [ -writedbace <db cf write ACE]> ]
              [ -traversedbace <db cf traverse ACE> ]
              [ -readaces <file, directory, db ACE> ]
              [ -writeaces <file, directory, db ACE> ]
              [ -user space separated list of user:permissions,permissions,... to be set ]
              [ -group space separated list of group:permissions,permissions,... to be set ]   
REST
Request Type POST
Request URL
http[s]://<host>:<port>/rest/security/policy/modify?<parameters>

Parameters

You must specify either name or path, but not both.

Parameter

Description

name The name of this security policy. Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-) and underscore (_). Other characters like space and commas are not allowed. Maximum length of the security policy name is 32 characters. This parameter is mandatory.
description An ASCII string that gives a user-readable description of the policy.

cluster

The cluster name on which to run the command. If the cluster name is not supplied, the command is run on the current cluster.

allowtagging

Allows or disallows tagging for the security policy. If set to true, this security policy can be used to tag MapR filesystem resources. When the security policy is first created, the allowtagging flag is set to false to give the administrator time to configure the security policy, before allowing users to tag MapR resources with this security policy. Default is false.

accesscontrol

Determines whether the relevant Access Control Expression (ACE)s in this security policy are enforced for MapR resources that are tagged with this security policy. The following settings are supported:

  • Armed: When a MapR resource is tagged with this security policy, the relevant ACEs in this security policy are enforced when the resource is accessed. This is the normal operation mode.
  • Disarmed (default setting): Even if a MapR resource is tagged with this security policy, the ACEs in this security policy are NOT enforced. Use this setting as an emergency switch when an incorrectly configured security policy denies authorized users from accessing resources.
  • Denied: Access is always denied to any MapR resources tagged with this security policy. Use this setting for security policies that are no longer in use, but are still tagged to some MapR resources. Administrators can look at the audit logs to determine the root cause.

auditenabled

Specifies whether or not to audit operation on the resource on which the policy is tagged. Set to true to enable auditing, and false to disable auditing.

Default: false.

dataauditops

The comma separated list of filesystem operations to include (specified with a preceding plus sign (+)), or exclude (specified with a preceding minus sign (-)) from auditing.

To exclude the first operation in the list of operations from auditing, you must precede the operation by two minus (--) signs. You must precede subsequent operations to exclude, by only a single minus (-) sign, irrespective of whether the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing.

The operations that can be included (+) or excluded (-) from auditing are listed in Auditing Data Access Operations. You can, alternatively, group all the operations using the keyword all, which:

  • If included (+), cannot be specified with a list of other included operations.
  • If excluded (-), cannot be specified with a list of other excluded operations.

All specified operations must either be included or excluded from auditing. You cannot specify a mixed list of included and excluded operations. Other than the specified operations, by default, all other operations are:

  • Included for auditing, if the specified list is a list of excluded operations.

  • Excluded from auditing, if the specified list is a list of included operations.

disableddataauditops

The comma-separated list of disabled filesystem audit operations to set. This is an alternate way of setting audit operations from the dataauditops option.

No plus (+) or minus signs (-) are allowed for this option.

Any audit operations specified with this option replace any existing disabled audit operations configured for this security policy, while any audit operations that are not specified, are enabled.

Merging of the specified audit operations with existing audit operations is not done, as compared to the dataauditops option.

wiresecurityenabled

Determines whether or not to perform wire-level encryption for data of resource on which security is tagged. Set to true to enable wire-level encryption, and false to disable wire-level encryption.

Default: true for secure clusters, false for insecure clusters.

readfileace

An ACE that controls who can read from this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can read the file contents. To read a file that is tagged with this security policy, you must have the following permissions:

  • Read permission to the volume
  • Read permission to the file

writefileace

An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Only the owner can write to the file. To write to a file that is tagged with this security policy, you must have the following permissions:

  • Write permission to the volume
  • Write permission to the file

executefileace

An ACE that controls who can execute this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can execute this file (assuming that the contents are executable). To execute a file that is tagged with this security policy, you must have the following permissions:

    • Read permission to the volume
    • Read and execute permissions to the file

readdirace

Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can read the contents of files in this directory. To read the contents of a file in a directory tagged with this security policy, you must have the following permissions:

  • Read permission to the volume

  • Read permission to the parent directory

  • Read permission to the file

addchildace

Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can create files and directories in this directory. To create files and directories in a directory tagged with this security policy, you must have the following permissions:

  • Add child permission for the parent directory

  • Read and execute permissions to all directories in the path

  • Write permission to the parent directory, and

  • Write permission to the volume.

deletechildace

Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can delete files and directories in this directory. To delete files and directories in a directory tagged with this security policy, you must have the following permissions:

  • Delete child permission for the parent directory

  • Read and execute access to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

lookupdirace

Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can list the files in this directory. To list the contents of a directory tagged with this security policy, you must have the following permissions:

  • Read permission to the directory

  • Read permission to the volume

readdbace

The ACE for column reads. Fields within the column family inherit this permission.

Default: u:creator.

To read fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Read permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

writedbace

The ACE for column writes (puts and deletes). Fields within the column family inherit this permission..

Default:u:creator.

To perform column writes, you must have the following permissions:

  • Write permission to the DB column family

  • Read and execute permission to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

traversedbace

DB CF traverse permission settings, which determine the permission to pass over fields in JSON documents. Fields within the column family inherit this permission.

Default: u:creator.

To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Traverse permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

readaces

A convenience option to set read permissions for all objects. This is equivalent to setting the same ACE for the readfileace, readdirace, lookupdirace, , readdbace, and traversedbace options.

writeaces

A convenience option to set write permissions for all objects. This is equivalent to setting the same ACE for writefileace, addchildace, deletechildace, and writedbace, options.

user

Space separated list of user:permission,permission pairs. Use commas to separate each permission, and spaces to separate each user. For example, to give user tom, admin (a) and full control (fc) permissions, and user jane, admin (a) permission, use -user tom:a,fc jane:a

If you do not specify this option, a security policy level administrative ACL is added for the administrator who created this security policy to have full privileges by default, that is [r,a,fc]. However, any other user with admin (a) privilege for this security policy can remove this privilege . Specifying this option overwrites the default setting to give security policy level privileges only to the users specified in the -user list.

Use this option with care. You MUST specify admin (a) privilege for at least one administrator (for example, -user admin1:r,a,fc) in addition to privileges for any other users, to modify this security policy after creation. Otherwise, if the -user or -group options are specified but without admin (a) or full control (fc) permission, (for example, -user operator:r), no one other than the mapr administrator can modify the security policy.

group

Space separated list of group:permission,permission pairs. Use commas to separate each permission, and spaces to separate each group. For example, to give group operators read (r) permission, and group secadmin full control (fc) permission, use -group operators:r secadmin:a,fc

ACE Handling Behaviour

Specified ACE are merged with the existing ACE for the security policy. For example, assume there is a security policy hipaa that currently only has readfileace and writefileace specified, with all other ACEs not specified:

ACE Type ACE Value
readfileace g:staff
writefileace g:staff

Use the maprcli security policy modify command to set the writefileace and addchildace ACE:

maprcli security policy modify -name hipaa -writefileace g:mapr -addchildace g:admin

Here, the value of readfileace remains as g:staff, writefileace is replaced by the new value g:mapr, and addchildace is added to the list of ACE for this security policy:

ACE Type ACE Value
readfileace g:staff
writefileace g:mapr (overwrites older value)
addchildace g:admin (new ACE)

Using the readaces convenience

The following example illustrates how to use the readaces convenience feature.

You create a security policy named hipaa, and set the readfileace and writefileace to u:mapr:

/opt/mapr/bin/maprcli security policy create -name hipaa -readfileace u:mapr -writefileace u:mapr

/opt/mapr/bin/maprcli security policy  info -name hipaa -json
        {
        "timestamp":1548660146619,
        "timeofday":"2019-01-27 11:22:26.619 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:22:08 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed",
        "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "readfileace":"u:mapr",
        "writefileace":"u:mapr"
        }
        }
        ]
        }

You use the maprcli security policy modify command to change all the read ACE, using the readaces option. readaces replaces all read ACE (executefileace, readfileace, lookupdirace, readdirace, readdbace, traversedbace) with the specified ACE, leaving the write ACE intact:

/opt/mpr/bin/maprcli security policy modify -name hipaa -readaces g:mapr

/opt/mapr/bin/maprcli security policy info -name hipaa -json
        {
        "timestamp":1548660250167,
        "timeofday":"2019-01-27 11:24:10.167 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:24:04 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed", "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "executefileace":"g:mapr",
        "readfileace":"g:mapr",
        "lookupdirace":"g:mapr",
        "readdirace":"g:mapr",
        "writefileace":"u:mapr",
        "readdbace":"g:mapr",
        "traversedbace":"g:mapr",
        
        }
        }
        ]
        }

Examples

For example, add the writeaces ACE setting to the existing security policy MILITARY:
/opt/mapr/bin/maprcli security policy modify -name MILITARY -writeaces "u:user7|u:user10" -json
{
	"timestamp":1554814308487,
	"timeofday":"2019-04-09 05:51:48.487 GMT-0700 AM",
	"status":"OK",
	"total":0,
	"data":[
		
	],
	"messages":[
		"Successfully updated security policy 'MILITARY'"
	]
} 
curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/modify?name=MILITARY&writeaces=u%3auser7|u%3auser10"
{"timestamp":1554815274740,"timeofday":"2019-04-09 06:07:54.740 GMT-0700 AM","status":"OK","total":0,"data":[],"messages":["Successfully updated security policy 'MILITARY'"]}