Granting Access Using Security Policy

Describes how to grant access to objects, using access control expressions in a security policy.

You can define access controls in a security policy using the Control System, CLI, and REST API.

Defining Access Controls in Security Policy Using the Control System

  1. Log in to the Control System and go to the Create Security Policy page.
    See Creating a Security Policy for more information.
  2. Grant or deny access to all users (Public) or to specific users or groups in the Data Access Control Section.
    The following types of access can be granted to all (Public) or to specific users or groups, listed by object type and permission:
    Directories
    • Read the contents of a directory. If you do not select this permission, mode bits are used to determine read access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume, the parent directory (if any), and the file.
    • Look up or list the contents of a directory. If you do not select this permission, mode bits are used to determine lookup access. To look up a file or directory that is tagged with this security policy, the user must also have read permissions on the volume and the lookup permission on the directory.
    • List the contents of a directory. If you do not select this permission, mode bits are used to determine directory list access. To list the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume, and lookup permission on all directories in the path (if any).
    • Add a file or subdirectory. If you do not select this permission, mode bits are used to determine permissions to create files or subdirectories. To add a child to a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, add child permission on the parent directory, and read and execute permissions on all directories in the path.
    • Delete a file or subdirectory. If you do not select this permission, mode bits are used to determine permissions to create files and/or subdirectories. To delete a child of a directory that is tagged with this security policy, the user must also have write permissions on the volume and delete child permission on the parent directory, and lookup permissions on all directories in the path.
    For more information, see Managing File and Directory ACEs.
    Files
    • Read a file. If you do not select this permission, mode bits are used to determine read access to the file. To read a file that is tagged with this security policy, the user must also have read permissions on the volume, and lookup permission on all directories in the path.
    • Write to a file. If you do not select this permission, mode bits are used to determine read access to the file. To write to a file that is tagged with this security policy, the user must also have write permissions on the volume, and lookup permission on all directories in the path.
    • Execute a file. If you do not select this permission, mode bits are used to determine execute access to the file. To execute a file that is tagged with this security policy, the user must also have read permissions on the volume, and lookup permission on all directories in the path.
    For more information, see Managing File and Directory ACEs.
    Tables
    • Read new column families that are created in the table.
    • Traverse to descend a hierarchy of column families.
    • Write to new column families that are created in the table.
    For more information, see Enabling Table and Stream Authorizations with ACEs.
  3. Complete the steps to create the security policy.
    See Creating a Security Policy for more information.

Granting Access Using the CLI and REST API

You can grant access to filesystem and HPE Ezmeral Data Fabric Database data objects through a security policy when you create or modify that policy.
Use the following command to set access controls when creating a security policy:
/opt/mapr/bin/maprcli security policy create -<ACEparam> <ACEsyntax>
Use the following command to specify Access Control Expressions (ACEs) when modifying a security policy:
/opt/mapr/bin/maprcli security policy modify -<ACEparam> <ACEsyntax>
Send a request of type POST. For example:
curl -k -X POST 'https://<hostname>:8443/rest/security/policy/create?name=<policyName>&<ACEparam>=<ACEsyntax>' --user <username>:<pwd>
curl -k -X POST 'https://<hostname>:8443/rest/security/policy/modify?name=<policyName>&<ACEparam>=<ACEsyntax>' --user <username>:<pwd>
For more information on the ACE syntax, refer to ACE Syntax. The following sections list the ACE parameter to specify for each type of access on a data object.
Directories
  • readdirace to read the contents of a directory. See Read for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  • lookupdirace to look up or list the contents of a directory. See Lookup for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  • addchildace to add a file or subdirectory. See Add for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  • deletechildace to delete a file or subdirectory. See Delete for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
For more information, see Managing File and Directory ACEs.
Files
  • readfileace to read a file. See Read for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
  • writefileace to write to a file. See Write for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
  • executefileace to execute a file. See Execute for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
For more information, see Managing File and Directory ACEs.
JSON Tables
  • readdbace to read new column families that are created in the table.
  • traversedbace to descend a hierarchy of column families.
  • writedbace to write to new column families that are created in the table.
For more information, see Enabling Table and Stream Authorizations with ACEs.
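The following shell script is an added example, not code from the original page or from the product, showing how to assemble the maprcli and REST forms of the create/modify commands above with file ACE parameters. It assumes the ACE syntax of u:<user>, g:<group> and p (public) joined with & and | as described on the ACE Syntax page, and a -name flag on maprcli; the host, policy, user and group names are constructed placeholders. The REST form percent-encodes each ACE expression because the ACE operators & and | would otherwise be parsed as query-string separators, silently truncating the expression and granting a different set of principals than intended.

```shell
#!/bin/sh
# Added example (not from the page): build "security policy create|modify"
# invocations with ACE parameters. Assumed ACE syntax: u:<user>, g:<group>, p,
# combined with & and |. Names below are constructed placeholders.

# Percent-encode all but RFC 3986 unreserved characters (ASCII input).
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _rest=${_s#?}; _c=${_s%"$_rest"}; _s=$_rest
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# policy_url <create|modify> <host> <policyName> [<ACEparam>=<ACEexpr> ...]
# Encodes each ACE so '&' and '|' inside it survive the query string intact.
policy_url() {
  _url="https://$2:8443/rest/security/policy/$1?name=$(urlencode "$3")"
  shift 3
  for _kv in "$@"; do
    _url="$_url&${_kv%%=*}=$(urlencode "${_kv#*=}")"
  done
  printf '%s' "$_url"
}

# policy_cli <create|modify> <policyName> [<ACEparam>=<ACEexpr> ...]
# Each ACE is single-quoted so the shell does not treat | and & as operators.
policy_cli() {
  _cmd="/opt/mapr/bin/maprcli security policy $1 -name $2"
  shift 2
  for _kv in "$@"; do
    _cmd="$_cmd -${_kv%%=*} '${_kv#*=}'"
  done
  printf '%s' "$_cmd"
}

# Constructed policy: analysts and alice may read, only alice may write.
policy_cli create finance-pii 'readfileace=g:analysts|u:alice' 'writefileace=u:alice'; echo
policy_url create cldb1.example.internal finance-pii \
  'readfileace=g:analysts|u:alice' 'writefileace=u:alice'; echo
```

Pass the string returned by policy_url to curl in single quotes, with --user and -k exactly as in the page's examples.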