Creating a Security Policy

Describes how to create a security policy using the Control System, CLI, and REST API.

Administrators with cluster-level cp (create security policy) permission can create security policies from the Control System, CLI, and REST API. Before creating security policies, you must first set a cluster as the global policy master. After you create the policy, as the owner of the policy, you can edit all parts of the policy, including the Access Control Expression (ACE)s on the policy. When you create a security policy, the policy is in a disarmed state with the AllowTagging setting set to false, by default, which makes the policy unavailable for tagging. You can modify the policy state to make it available for tagging. See Changing the State of a Security Policy for more information.

Creating a Security Policy Using the Control System

  1. Log in to the Control System and click to display the Security page.
  2. Click Create Policy to display the Create Security Policy page.
  3. Specify the following properties:
    1. Specify a name for the policy in the Name field and a brief description of the policy in the Description text box.
      Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-), and underscore (_). The maximum length of the security policy name is 32 characters.
    2. Specify whether (Yes) or not (No) to enable wire-level encryption by moving the slider.
      By default, this setting is enabled on secure clusters and disabled on insecure clusters.
    3. Specify whether (Yes) or not (No) to enable auditing by moving the slider.
      If auditing is enabled, you can choose the Default radio button to accept the default list of operations to audit or choose the Custom radio button to select/deselect the operations to audit.
    4. Specify whether (Yes) or not (No) to allow data-fabric data objects to be tagged with this security policy.
      For more information, see Changing the State of a Security Policy.
  4. Select one of the following access control states in the Data Access Control section:
    • Armed — enforce the ACEs in the security policy on the data-fabric data objects tagged with the policy
    • Disarmed — do not enforce the ACEs, if any, in the policy on the data-fabric data objects tagged with the policy
    • Denied — to deny all access to the data-fabric data objects tagged with the policy and log any attempt to access
    For more information, see Changing the State of a Security Policy.
  5. Set data access controls by clicking Add Access Permissions in the Data Access Control section.
    The Add Access Permission window displays.
    You can either set the policy to be Public or customize the access permissions. Setting the Public slider to Yes, makes this policy accessible to everyone. Leave this slider at its default setting of No to cutomize access permissions.
    1. Enter comma-separated list of users, groups, or roles to grant access to in the Users, Groups, and Roles text boxes respectively or select the Custom ACE checkbox to manually enter the access control expression in the text box below.
      For more information on how to build the custom access control expression, see Managing Access Control Expressions.
    2. Click Next: Select Permissions to display the Add Access Permissions page.
      The following table describes the permissions that can be granted to the specified users, groups, and/or roles in this page:
      Object Permission
      Directories
      • Read the contents of a directory. If this is not selected, mode bits are used to determine read access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume, the parent directory (if any), and the file.

        This is the same as the readdirace property in the CLI.

      • Lookup or list the contents in a directory. If this is not selected, mode bits are used to determine lookup access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume and the directory.

        This is the same as the lookupdirace property in the CLI.

      • Add Child to add a file or subdirectory. If this is not selected, mode bits are used to determine permissions to create files and/or subdirectories. To add child to a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, add child permission on the parent directory, and read and execute permissions on all directories in the path.

        This is the same as the addchildace property in the CLI.

      • Delete Child to delete a file or subdirectory. If this is not selected, mode bits are used to determine permissions to create files and/or subdirectories. To delete a child of a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, delete child permission on the parent directory, and read and execute permissions on all directories in the path.

        This is the same as the deletechildace property in the CLI.

      For more information, see Managing File and Directory ACEs.
      Files
      • Read a file. If this is not selected, mode bits are used to determine read access to file. To read a file that is tagged with this security policy, the user must also have read permissions on the volume.

        This is the same as the readfileace property in the CLI.

      • Write to a file. If this is not selected, mode bits are used to determine read access to the file. To write to a file that is tagged with this security policy, the user must also have write permissions on the volume.

        This is the same as the writefileace property in the CLI.

      • Execute a file. If this is not selected, mode bits are used to determine execute access to the file. To execute a file that is tagged with this security policy, the user must also have read permissions on the volume.

        This is the same as the executefileace property in the CLI.

      For more information, see Managing File and Directory ACEs.
    3. Select the checkbox associated with the individual permission to grant that type of permission to the user, group, and/or role or click the following:
      • Reads to grant:
        • read permission on directories and files
        • lookup permission on directories
        This is the same as the readaces property in the CLI.
      • Writes to grant:
        • write permission on files
        • add and delete child permissions on directories
        This is the same as the writeaces property in the CLI.
      • Executes to grant execute permission on files.

        This is the same as the executefileace property in the CLI.

    4. Click Add to add the data access permissions to the policy.
    5. Proceed to the next step to set up access controls on the policy or click one of the following to add additional data access controls:
      • Add Another button to repeat steps 4.a to 4.d to add access permission for other users, groups, and/or roles.
      • to create a copy of the data access controls, which can then be modified by clicking .
  6. Grant users and/or groups permissions to perform administrative operations on the policy in the Policy Administration Control section.
    1. Select the entity type, user or group, from the Type drop-down list and enter the entity name in the Entities field.
    2. Select the checkbox associated with the following permissions to grant the entity the type of permission:
      • Read access for the policy
      • Admin access to set and modify ACLs on the policy
      • Full control over the policy
    3. Proceed to the next step or click one of the following to add access controls for other users and/or groups:
      • Add Another button to repeat steps 5.a and 5.b to add access controls for other users and/or groups.
      • to create a copy of the access control.
  7. Click Save to create the security policy.

Creating a Security Policy Using the CLI and REST API

The basic command to create a security policy is the following:
/opt/mapr/bin/maprcli security policy create -name <policyName>
Send a request of type POST. For example:
curl -k -X POST 'https://<hostname>:8443/rest/security/policy/create?name=<policyName>" --user mapr:mapr
For more information, see policy create.