Troubleshooting Security Policies
This topic describes problems that you may encounter when creating and using security policies. It includes recommendations on how to troubleshoot and resolve problems.
Cannot Create a Security Policy
You encounter the following error when attempting to create a security policy:
ERROR (1) - Security policy create of XXX failed: Security policy creation failed: No privileges to create a security policyYou must have cluster-level create/delete security policy (cp) permission
to create a security policy.
To check your cluster-level permissions, assuming you have cluster-level
login permission, run the following command:
maprcli acl show -type clusterThe following shows sample output for a user with the necessary cp
permission:
Allowed actions Principal
[login, cp] User PolicyAdmin Cannot view a Security Policy
If you receive an error when running the maprcli security policy info
command, the root cause depends on the error you encounter:
- No MapR Ticket
-
ERROR (22) - You do not have a ticket to communicate with 10.10.20.40:7222. Retry after obtaining a new ticket using maprloginThis indicates that you do not have a MapR ticket to access the secure MapR cluster.
Create a MapR ticket by running
maprlogin password. - No Policy-Level Permission
-
ERROR (2) - Security policy lookup of XXX failed, Operation not permittedThe possible reasons for this error are as follows:
Possible Cause Troubleshooting Steps Either you or the group that you belong to does not have the policy-level readpermission.- Ask the user who granted you access to confirm your policy-level
permission by
running:
maprcli security policy info \ -name XXX \ -columns acl -json - Request access if you do not have the
readpermission.
You are not a member of a group that has policy-level permission. - Run the
idcommand to verify your group membership. - If you are not a member of the group, request an administrator to add you.
- If you are using MapR tickets, recreate your ticket after updating your group membership.
Your MapR ticket does not reflect your updated group membership because you created the ticket before changing your group membership. - Verify your MapR ticket by examining the output from
maprlogin print. - If the ticket does not include the group that has policy-level permission, then recreate your MapR ticket.
- Ask the user who granted you access to confirm your policy-level
permission by
running:
Cannot Modify a Security Policy
Depending on the property you are trying to modify, you must have certain policy-level permissions:
- Update Non-Permission Properties of a Policy
-
If you encounter the following error:
ERROR (1) - Security policy update of XXX failed: Insufficient privileges to update general section for security policy XXXYou must have one of the following cluster-level or policy-level permissions:
- Cluster-level
cp,a, orfcpermission - Policy-level
aorfcpermission
- Cluster-level
- Update Permission Properties of a Policy
-
If you encounter the following error:
ERROR (1) - Security policy update of XXX failed: Insufficient privileges to update ACL for security policy XXXYou must have one of the following cluster-level or policy-level permissions:
- Cluster-level
cporadminpermission - Policy-level
adminpermission
- Cluster-level
- Cannot tag a security policy to a data object
-
If you cannot tag a policy to a data object or the volume page search in the Control System is not displaying a security policy, verify that
allowtaggingis set totrue, as described in Changing the State of a Security Policy. - Policies not visible after the CLDB starts
- After the CLDB master starts, it can take a couple of minutes for the policyserver to come up. Currently, only the policy server on the cluster designated as the global policy master serves operations. Member clusters standby and do not serve operations. Wait for the policyserver to come up.
- Mirroring/Restore fails due to no policies
-
If mirroring or restore fails due to no policies, import the policies from the global policy master or a member cluster that has the policies, as described in Security Policy Domain and Policy Management.
- Access check on mirror source and destination clusters differ
-
The policies may have been modified on the global policy master and not propagated to either of them. Get the latest policies, as described in Security Policy Domain and Policy Management.
- Access checks fail
-
View the filesystem audit logs on the master node.
- Where are the logs?
- The following table lists the log locations for components related to security
policies:
Component Location PolicyServer cldb.log Access Check MFS Audit Logs NC master node FS Audit Logs Client (For tagging) Regular Client logs (ffs.log or enable Hadoop debug then stdout)