Security Policy Java APIs

You can create, retrieve, and remove security policies, and associate security policies with a data object using filesystem APIs.

The standard Linux extended attributes to tag filesystem objects are POSIX-compliant. You can use these attributes on any Linux or POSIX-compliant client without installing additional MapR software.

However, with the extended attribute syntax, applications need to ensure that to combine tags, they first retrieve the old tags and then combine them with the new tags. Otherwise, the new tags replace the old tags. Alternatively, your applications can use an API with the following features:

  1. Setting tags should be additive, that is, new tags should be added to the existing tags, and not replace the existing tags.
  2. Set multiple tags for the same resource in a single API.
  3. Set tags for multiple filesystem resources in a single operation.

The extended MapRFileSystem Java class provides such an API for setting policy tags.

The list of MapRFileSystem API methods for data tagging is as follows:

public class MapRFileSystem extends FileSystem;
Method and Description Modifier and Type
Add a Security Policy Tag

addSecurityPolicyTag (Path path, String securityPolicyTag) throws IOException;

Use this method to add a single security policy tag to the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTag parameter contains a security policy tag.

public int

addSecurityPolicyTag (Pathpath, List<String>securityPolicyTags) throws IOException;

Use this method to add one or more security policies to the list of existing security policies (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags.

public int
Replace a Security Policy Tag

setSecurityPolicyTag (Path path, String securityPolicyTag) throws IOException;

Use this method to set the security policy tag to the file or directory specified in path, replacing all existing tags. The securityPolicyTag parameter contains a security policy tag.

public int

setSecurityPolicyTag (Pathpath, List<String>securityPolicyTags) throws IOException;

Use this method to set one or more security policy tags for the file or directory specified in path, replacing any existing security policy tags. The securityPolicyTags parameter contains a list of one or more security policy tags.

public int
Remove a Security Policy Tag

removeSecurityPolicyTag (Path path, String securityPolicyTag) throws IOException;

Use this method to remove the security policy tag contained in the securityPolicyTag parameter from the list of existing security policy tags (if any) for the file or directory specified in path.

public int

removeSecurityPolicyTag (Pathpath, List<String>securityPolicyTags) throws IOException;

Use this method to remove one or more security policy tags from the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags.

public int

removeAllSecurityPolicyTags (Path path) throws IOException;

Use this method to remove all security policies tagged to the file or directory specified by path.

public int
Retrieve Security Policy Tags

getSecurityPolicyTag (Pathpath, List<String>securityPolicyTags) throws IOException;

Use this method to retrieve the security policy tags associated with the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags.

public int

The following example illustrates the usage of filesystem APIs, and the interchangeability of using the filesystem API with the extended attribute APIs:

  1. Set three security policy tags, general, hipaa, and pci, on the file /mapr/lab/foo.txt.
  2. Retrieve these security policy tags using the extended attribute commands and the getSecurityPolicyTag API.
  3. Remove the tag pci. Two tags remain: hipaa and general.
  4. Add a new tag topsecret.

    The two existing tags, general and hipaa, are preserved. Finally, there are three tags: general, hipaa, and topsecret.

Step 1: Set Security Policy Tags

Use the Java addSecurityPolicyTag API to set three security policies, pci, general, and hipaa, for the file /mapr/lab/foo.txt as follows.

import java.net.*;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
import com.mapr.fs.MapRFileSystem;
import java.util.List;
import java.util.ArrayList;
…
Configuration conf = new Configuration(); 
FileSystem fs = FileSystem.get(conf);
Path path = Paths.get("/mapr/lab/foo.txt");
List<String> securityPolicies = new ArrayList<String>();
securityPolicies.add ("pci");
securityPolicies.add ("general");
securityPolicies.add ("hipaa");
((MapRFileSystem fs).addSecurityPolicyTag (path, securityPolicies);

Step 2: Retrieve Security Policy Tags

The getSecurityPolicyTag API returns the same set of security policies general, hipaa, and pci in a List of String object, instead of a comma-separated list:

List<String> securityPolicies = new ArrayList<String>();
int status = getSecurityPolicyTag (path, securityPolicies); 

Alternatively, use the getfattr extended attribute API, to retrieve the three security policy tags:

getfattr -d /mapr/lab/foo.txt
# file: /mapr/lab/foo.txt
security.mapr.policy="general,hipaa,pci"

The tags are always returned in alphabetical order regardless of the tags that you set first. All security policies are considered equal in terms of determining access rights.

Use the extended attribute Java API getXAttr to obtain the same result: retrieve the three security policy tags. The following segment prints the comma-separated list: general,hipaa,pci.

import java.net.*;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
…
Configuration conf = new Configuration(); 
FileSystem fs = FileSystem.get(conf);
Path path = Paths.get("/mapr/lab/foo.txt");
byte[] securityPolicyBytes = fs.getXAttr(path, "security.mapr.policy");
System.out.println ("Security Policies: " + securityPolicyBytes.toString());

Step 3: Remove a Security Policy Tag

At this point, the example has three tags for /mapr/lab/foo.txt: general, hipaa, and pci. Now, remove the tag pci using the removeSecurityPolicyTag API:

Configuration conf = new Configuration(); 
FileSystem fs = FileSystem.get(conf);
Path path = Paths.get("/mapr/lab/foo.txt");
… 
((MapRFileSystem fs).removeSecurityPolicyTag (path, "pci"); 

Use any of the methods listed in step 2, to see that the pci tag is removed.

Step 4: Add a Security Policy Tag

Add a tag topsecret using the addSecurityPolicyTag API:

FileSystem fs = FileSystem.get(conf);
Path path = Paths.get("/mapr/lab/foo.txt");
… 
((MapRFileSystem fs).addSecurityPolicyTag (path, "topsecret");

Since this API sets the tags in an additive fashion, it preserves the two existing tags general and hipaa. The final output is three tags: general, hipaa and topsecret.

Complete Example of Setting and Retrieving Security Policies

The following sample program uses the tagging APIs on the file /user/root/disks.txt.

This program does the following tasks:

  1. Tags the file with two tags, namely general, and pci.
  2. Retrieve the tags. The output should display general, and pci.
  3. Remove the tag pci.
  4. Retrieve the tags. The output should display general.
  5. Add the tag hipaa.
  6. Retrieve the tags. The output should display general, and hipaa.
 package com.mapr.fs;
 import java.net.*;
 import org.apache.hadoop.fs.*;
 import org.apache.hadoop.conf.*;
 import java.io.*;
 import com.mapr.fs.MapRFileSystem;
 import java.util.List;
 import java.util.ArrayList;
                    
 class SecurityPolicyTest
   {
    public static void main (String [] args) throws IOException
      {
       Configuration conf = new Configuration(); 
       if (args.length != 1) {
       System.out.println ("Usage: com.mapr.fs.SecurityPolicyTest <path>");
       System.exit(-1);
                        }
        String pathName = args[0];
        System.out.println ("Path name: " + pathName);
        FileSystem fs = FileSystem.get(conf);
        Path path = new Path (pathName);
        List<String> securityPolicies = new ArrayList<String>();
        System.out.println ("Adding general,pci"); 
        securityPolicies.clear();
        securityPolicies.add ("general");
        securityPolicies.add ("pci");
        ((MapRFileSystem)fs).setSecurityPolicyTag(path, securityPolicies);
        List<String> tags = new ArrayList<String>();
        int status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
                           System.out.println ("Tags:");
                           for (int i=0; i<tags.size(); i++) {
                           System.out.println (tags.get(i));
                          }
                          }
            System.out.println ("Removing pci");
            ((MapRFileSystem)fs).removeSecurityPolicyTag (path,"pci");
            tags.clear();
            status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
            if (status == 0) {
                                System.out.println ("Tags:");
                                for (int i=0; i<tags.size(); i++) {
                                 System.out.println (tags.get(i));
                                }
                            }
               System.out.println ("Add hipaa");
               ((MapRFileSystem)fs).addSecurityPolicyTag(path, "hipaa");  
               tags.clear();
               status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
               if (status == 0) {
                                 System.out.println ("Tags:");
                                 for (int i=0; i<tags.size(); i++) {
                                 System.out.println (tags.get(i));
                                    }
                                 }
        }
   }

Output

# sh RUN
# export CLASSPATH=`mapr classpath`
# java -cp $CLASSPATH com.mapr.fs.SecurityPolicyTest /user/root/disks.txt
   Path name: /user/root/disks.txt
   Adding general,pci
   Tags:
        general,pci
        Removing pci
   Tags:
        general
        Add hipaa
   Tags:
        general,hipaa