Tagging Volumes, Directories, and Files with Security Policies

Associate security policies with data objects in the file system, including volumes, directories, and files. Associate up to sixteen security policies with a data object in the file system.

Tagging Volumes

About this task

Associate security policies after you create or modify a volume from the Control System, CLI, or REST API. Note that security policies are not supported with tenant volumes and tenant volume resources, and tagging via nfsv3/nfsv4 is not supported since these protocols do not support extended attributes.

Associate security policies with a volume, the volume mount path, or both the volume and the volume mount path. You can only tag a volume mount path through the maprcli create volume command with the rootdirsecuritypolicy option. You cannot tag a volume mount path through the Control System.

IMPORTANT A snapshot contains the security policy that was tagged on the volume after the snapshot was taken. If you modify the security policy on the volume after creating the snapshot, the snapshot continues to use the older security policy.
CLI
The basic command to tag a volume with a security policy is: 
/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policy1,policy2,...>
REST API
Send a request of type POST. For example: 
curl -k -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<volPath>&securityPolicy=<policy>' --user mapr:mapr
TIP For more information, including a complete list of required and optional properties, see volume create.
Control System
  1. Log in to the Control System and go to the Create New Volume page or the Edit Volume page.
  2. Enter or select the name of the security policies to associate with the volume in the SECURITY POLICIES field under the Security section.
  3. Complete the steps to create or modify the volume.
TIP See Creating a Volume or Modifying a Volume for more information.

Tagging Directories and Files

About this task

Associate security policies with directories and files using hadoop mfs, extended attributes, and Java APIs.
hadoop mfs
Use the following command syntax to tag a directory or file with one or more security policies:
hadoop mfs -setsecuritypolicytag <policyName> <filePath>
TIP For more information, see hadoop mfs.
Extended attributes
  • For Linux, use the setfattr command to tag and restore security attributes. Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
  • For Hadoop, security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
  • For Java and C APIs, security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
Command Type
Linux Tag an extended attribute name Use the following command to set an extended attribute name on a file/directory and/or a FUSE-mounted file path:
setfattr {-n attribute-name} [-v value] [-h] pathToDataObject
Associate one or more security policies To associate one or more security policies with the file /mapr/lab/foo.txt, specify a comma-separated list of security policy names. For example, to associate two security policies named Lab_Security_Policy and Sensitive_Data to /mapr/lab/foo.txt, use:
setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab/foo.txt
Replace security policies The setfattr command replaces any existing security policies with the specified policies. To remove the Sensitive_Data policy and keep the Lab_Security_Policy, specify the Lab_Security_Policy in the -v argument without the Sensitive_Data policy:
setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt
Associate a security policy with a directory Use a similar command to associate a security policy to a directory:
setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab
If a directory is tagged with one or more security policies:
  • The data access Access Control Expression (ACE)s in the security policy tags apply when files and sub-directories are created within that directory.
  • These tags are inherited by new files and directories created within the directory, if the setinherit flag is set to true (default).
  • If the setinherit flag is set to false, then new files and directories are created with no tags. The files and directories get the default ACE, which is the empty string for all access types; POSIX mode bits are set on the files and directories in the traditional way.
Hadoop Set security policy attributes 
hadoop fs -setfattr -n security.mapr.policy -v comma-separated list of policy names path

The -v parameter is mandatory, and is a comma-separated list of security policy tags.

For example, to associate a security policy Lab_Security_Policy with the file /mapr/lab/foo.txt, use the command:

hadoop fs -setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt

If security policy tags already exist for the specified object, this command replaces any existing security policies with the specified policies. Assume that there are two security policies - Sensitive_Data_Policy and Lab_Security_Policy tagged to the file /mapr/lab/foo.txt.

To remove Sensitive_Data_Policy, and keep Lab_Security_Policy, specify only Lab_Security_Policy in the -v parameter:

hadoop fs -setfattr -n security.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt

You can use the hadoop mfs command as well.

To add policies to an already exisitng set of policies, use the format: 
hadoop mfs [-addsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]
To overwrite existing policies with the new policies, use the format: 
hadoop mfs [-setsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]
Java API Tag security policy attributes 
public void setXAttr(Path path, String name, byte[] value) throws IOException

The following example demonstrates how to use the Java API to tag the security policy as an extended attribute security.mapr.policy with the value Lab_Security_Policy for the file /mapr/lab/foo.txt:

import java.net.*;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
…
Configuration conf = new Configuration(); 
FileSystem fs = FileSystem.get(conf);
Path path = Paths.get("/mapr/lab/foo.txt");
fs.setXAttr(path, "security.mapr.policy", "Lab_Security_Policy");
C APIs Associate a security policy with a file system object in C Use the setxattr or fsetxattr system call. The brief synopsis is as follows. For more details, refer to the setxattr(2) Linux manual pages.

NAME

setxattr, fsetxattr -- set an extended attribute value

SYNOPSIS

#include <sys/xattr.h>
int setxattr (const char *path, const char *name, void *value, size_t size, 
     u_int32_t position, int options);
int fsetxattr (int fd, const char *name, void *value, size_t size, 
     u_int32_t position, int options);
Java APIs
Associate security policies with data objects using the file system Java APIs. See Security Policy Java APIs for more information.