Enforcing Security Policies at the Volume-Level

Describes how to set enforcement modes for security policies at the volume-level.

The system enforces data access controls during data operations. Data access controls are the ACEs defined in security policies and ACEs and POSIX mode bits directly defined on data objects. The enforcement mode tells the system which of these data access controls to evaluate and enforce during data operations.

You can set the enforcement mode to one of the following values from the Control System, CLI, or the REST API:
Enforcement Mode Enforce Security Policies Enforce Data ACEs and POSIX Mode Bits
PolicyAceAndDataAce (Default) Yes Yes
PolicyAceOnly Yes No
DataAceOnly No Yes
PolicyAceAuditAndDataAce (Permissive mode) Performs checks, but does not fail; audits instead Yes

For detailed information about the enforcement mode options, see Volume-Level Security Policy Enforcement Mode.

Set the Enforcement Mode from the Control System

  1. Log in to the Control System, and go to the volume information page.
  2. In the Security pane, click associated with Enforcement Mode to display the Change Enforcement Mode window.
  3. Select the enforcement mode you want to apply to the volume.
  4. Click Save Changes for the changes to take effect.

Set the Enforcement Mode from the CLI or REST API

Set the enforcement mode when you create a volume:
/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policyName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly 
Set the enforcement mode when you modify a volume:
/opt/mapr/bin/maprcli volume modify -name <volName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly 
Send a POST request to set the enforcement mode when you create a volume:
curl -k -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<mountPath>&securitypolicy=<policyName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>
Send a request of type POST to set enforcement mode when you edit a volume:
curl -k -X POST 'https://<hostname>:8443/rest/volume/modify?name=<volName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>
For more information, see volume create and volume modify.