HPE Ezmeral Data Fabric 6.2 is In Maintenance and transitions to "End of Maintenance" in June 2024. Please see the latest documentation.

About Release 6.2
This site contains documentation for HPE Ezmeral Data Fabric release 6.2 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
6.2 Installation
This section contains information about installing and upgrading HPE Ezmeral Data Fabric software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a HPE Ezmeral Data Fabric cluster.
6.2 Data Fabric
HPE Ezmeral Data Fabric is the industry-leading data platform for AI and analytics that solves enterprise business needs.
6.2 Administration
This section describes how to manage the nodes and services that make up a cluster.
- Administering Users and Clusters
  Lists topics that help manage a data-fabric cluster.
- Administering Nodes
  Provides a synopsis of managing nodes in a cluster.
- Administering Volumes
  This section provide information about how to organize and manage data using volumes, a unique feature of HPE Ezmeral Data Fabric clusters.
- Administering Files and Directories
- Administering Tables
  Administration of the HPE Ezmeral Data Fabric Database is done primarily via the command line (maprcli) or with the Managed Control System (MCS). Regardless of whether the HPE Ezmeral Data Fabric Database table is used for binary files or JSON documents, the same types of commands are used with slightly different parameter options. HPE Ezmeral Data Fabric Database administration is associated with tables, columns and column families, and table regions.
- Administering Streams
- Administering Data Fabric Gateways
  A HPE Ezmeral Data Fabric gateway mediates one-way communication between a source HPE Ezmeral Data Fabric cluster and a destination cluster. You can replicate HPE Ezmeral Data Fabric Database tables (binary and JSON) and HPE Ezmeral Data Fabric Streams streams. HPE Ezmeral Data Fabric gateways also apply updates from JSON tables to their secondary indexes and propagate Change Data Capture (CDC) logs.
- Administering Services
- Monitoring the Cluster
  This section describes how to monitor the health and performance of a MapR cluster.
- Configuring Security
  Describes how to configure security and manage secure clusters.
  - Configuring Data-Fabric Security
    Provides usage information for frequently used security functionality, including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet whitelisting.
    - Getting Started with HPE Ezmeral Data Fabric Security
      Describes quick implementation of security.
    - Managing Encryption for MapR Core
      Provides information that allows you to use encryption across the MapR platform.
    - Determining if a Cluster is Secure and Enabled for Encryption
      Explains how to use the Control System, the CLI, and REST API to determine whether a cluster is secure and whether on-wire encryption and data-at-rest encryption are enabled at the cluster and volume levels.
    - Configuring Authentication
      Provides information about MapR ticket, Kerberos, Pluggable Authentication Module (PAM) authentication.
    - Managing Access Controls
      Describes how to create, enable, and use ACLs and ACEs.
    - Configuring Policy-Based Security
      Starting in HPE Ezmeral Data Fabric 6.2.0 (EEP 7.0.0), HPE Ezmeral Data Fabric supports Policy-Based Security. Policy-Based Security is a mechanism that enables administrators to create security policies for simplified data management. Administrative users can create and manage security policies through the control system, maprcli, REST API, Hadoop and Linux commands, and Java APIs.
      - Setting Global Configuration Options for Policy-Based Security
        The CLDB stores global configuration settings for Policy-Based Security. Before creating security policies, an administrator must designate a master security policy cluster through the cldb.pbs.global.master option.
      - Granting Security Policy Permissions
        Permissions define which administrative users can create, view, and modify security policies. Administrators set the permissions on security policies through cluster-level and security policy-level ACLs.
      - Creating a Security Policy
        Describes how to create a security policy using the Control System, CLI, and REST API.
      - Changing the State of a Security Policy
        The security policy state indicates whether users can apply a security policy to data objects and whether the system enforces the ACEs set in the security policy. An administrator can change the state of a security policy through the allowtagging and accesscontrol parameters when creating or modifying a security policy from the maprcli or equivalent REST API comands.
      - Tagging Data Objects with Security Policies
        Once security policies are configured (with tagging enabled), permitted users can associate the security policies with data objects through the Control System, CLI, and REST API. A data object can be associated with one or multiple security policies.
      - Security Policy Java APIs
        You can create, retrieve, and remove security policies, and associate security policies with a data object using file system APIs.
      - Enforcing Security Policies at the Volume-Level
        Describes how to set enforcement modes for security policies at the volume-level.
      - Troubleshooting Security Policies
        This topic describes problems that you may encounter when creating and using security policies. It includes recommendations on how to troubleshoot and resolve problems.
      - Policy-Based Security Quick Reference
        This quick reference provides tips and maprcli commands for the most common tasks related to Policy-Based Security.
    - Customizing Security in HPE Ezmeral Data Fabric
      Describes the .customSecure file and how HPE Ezmeral Data Fabric 6.x handles custom security settings.
  - Managing Impersonation
    Provides instructions for enabling and using MapR impersonation features.
- Managing Secure Clusters
  Provides procedures that will enable you to use MapR clusters securely.
- Administering the Data Access Gateway
  The HPE Ezmeral Data Fabric Data Access Gateway is a service that acts as a proxy and gateway for translating requests between lightweight client applications and the HPE Ezmeral Data Fabric cluster. This section describes considerations when upgrading the service, how to modify configuration settings, and how to administer and manage the service.
- Planning for High Availability
- Administrator's Reference
  This section contains in-depth reference information for the administrator.
- Troubleshooting Cluster Administration
  Lists the common errors and their solutions.
- Best Practices for Backing Up HPE Ezmeral Data Fabric Information
  Lists the best practices and performance considerations to follow when backing up HPE Ezmeral Data Fabric information.
6.2 Development
This section contains information related to application development for Ezmeral ecosystem components and HPE Ezmeral Data Fabric products, including the file system, Database (Key-Value and JSON), and Event Streams.
Other Docs
This section contains release-independent information, including: Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other data-fabric version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

Enforcing Security Policies at the Volume-Level

Describes how to set enforcement modes for security policies at the volume-level.

About this task

The system enforces data access controls during data operations. Data access controls are the ACEs defined in security policies and ACEs and POSIX mode bits directly defined on data objects. The enforcement mode tells the system which of these data access controls to evaluate and enforce during data operations.

You can set the enforcement mode to one of the following values from the Control System, CLI, or REST API:

Enforcement Mode	Enforce Security Policies	Enforce Data ACEs and POSIX Mode Bits
PolicyAceAndDataAce (Default)	Yes	Yes
PolicyAceOnly	Yes	No
DataAceOnly	No	Yes
PolicyAceAuditAndDataAce (Permissive mode)	Performs checks but does not fail; audits instead	Yes

For detailed information about the enforcement mode options, see Volume-Level Security Policy Enforcement Mode.

Set the Enforcement Mode from the Control System

Procedure

Log in to the Control System, and go to the volume information page.
In the Security pane, click associated with Enforcement Mode to display the Change Enforcement Mode window.
Select the enforcement mode to apply to the volume.
Click Save Changes for the changes to take effect.

Set the Enforcement Mode from the CLI or REST API

About this task

Set the enforcement mode when you create a volume:

/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policyName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly

Set the enforcement mode when you modify a volume:

/opt/mapr/bin/maprcli volume modify -name <volName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly

Send a POST request to set the enforcement mode when you create a volume:

curl -k -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<mountPath>&securitypolicy=<policyName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>

Send a request of type POST to set enforcement mode when you edit a volume:

curl -k -X POST 'https://<hostname>:8443/rest/volume/modify?name=<volName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>

For more information, see volume create and volume modify.