Policy-Based Security Quick Reference

This quick reference provides tips and maprcli commands for the most common tasks related to Policy-Based Security.

Task Commands
Enable PBS

(Required for upgrades from pre-6.2.0 versions of data-fabric)

If upgrading from a data-fabric version that does not support extended attributes, enable extended attributes before you enable PBS:
/opt/mapr/bin/maprcli cluster feature enable -name mfs.feature.fileace.support
Enable PBS:
/opt/mapr/bin/maprcli cluster feature enable -name mfs.feature.pbs
Designate a master security policy cluster

(Required to create and modify security policies)

You must designate a master security policy cluster to set the security policy global namespace. This is the cluster on which you create and modify security policies. You can also designate member clusters. Master and member security policies form a security policy domain. The system enforces security policies across the security policy domain.
maprcli config save -values '{"cldb.pbs.global.master":"1"}'

#1 = master security policy cluster
#0 = member of the security policy cluster
To identify which cluster is master, run:
maprcli dashboard info -json | grep -i global "globalPolicyMaster":true
Grant an admin cp permission

(Required to create security policies)

Admins with cluster-level a (admin) permission can assign cp (create security policy) permission to themselves or other admins.
/opt/mapr/bin/maprcli acl edit -type cluster -name <cluster-name> \
-user <user>:<action>[,<action>...][<user>:<action>[,<action...]]

#Example: Grant jsmith cp cluster-level permission
#/opt/mapr/bin/maprcli acl edit -type cluster -name myCluster -user jsmith:cp
Grant admins access to a security policy Admins with cluster-level cp permission can set permissions on a security policy during policy creation. Alternatively, the admin can modify the policy after creation or set security policy-level permissions through policy-level ACLs. Regardless of how or when the admin sets permissions on a security policy, the -user or -group parameter sets the permissions a user or group has on a security policy. Note that the commands shown do not include all possible parameters for creating and modifying a security policy.
#Grant user permission to a security policy during policy creation:
/opt/mapr/bin/maprcli security policy create -name <security-policy-name> -user <user:permission,permission...> 

#Modify a security policy and grant user permission to the policy
/opt/mapr/bin/maprcli security policy modify -name <security-policy-name> -user <user:permission,permission...> 

#Overwrite the existing permissions on a security policy
/opt/mapr/bin/maprcli acl set -cluster <cluster name> -name <security-policy-name> -type securitypolicy -user <user>    

#Adds or modifies the existing permissions on a security policy
/opt/mapr/bin/maprcli acl edit -cluster <cluster name> -name <security-policy-name> -type securitypolicy -user <user>
Create|View|Modify|Remove security policies Basic commands are listed. For a list of parameters related to each command, refer to the documentation.
NOTE Users cannot apply a security policy to data objects unless the allowtagging parameter is set to true. The system does not enforce ACEs configured in a security policy unless the accesscontrol parameter is set to Armed. You can set these parameters when you create or modify a security policy.
Create security policy
/opt/mapr/bin/maprcli security policy create [create-policy-parameters]
View list of security policies
/opt/mapr/bin/maprcli security policy list -json
Modify security policies
/opt/mapr/bin/maprcli security policy modify [modify-policy-parameters]
Remove security policies
  • Data Fabric File System
    #Remove all security policies from a volume
    /opt/mapr/bin/maprcli volume modify -securitypolicy "" -name <volume-name>
    
    #Apply the security policies listed to the volume; remove all security policies not included in the list
    /opt/mapr/bin/maprcli volume modify -securitypolicy <policy1,policy2...> -name <volume-name>
    
    #Remove all security policies from a file or directory
    hadoop mfs -removeallsecuritypolicytag [-R] <path/to/file/or/directory>
    
    #Remove specific security policies from a file or directory
    hadoop mfs -removesecuritypolicytag [-R] <comma-separated list of security policy tags> <path/to/file/or/directory>
  • Data Fabric Database
    #Remove security policies from a JSON table
    maprcli table securitypolicy remove -path <path/to/table> -securitypolicy <comma-delimited list of policies>
    
    #Remove security policies from a JSON table column family
    maprcli table cf securitypolicy remove -path <path/to/table> -cfname <column family name> \
    -securitypolicy <comma-delimited list of policies>
    
    #Remove security policies from a JSON table field
    maprcli table cf column securitypolicy remove -path <path/to/table> -cfname <column family name> \
    -column <JSON table field> -securitypolicy <comma-delimited list of policies>
Change the state of a security policy The state of the security policy controls enforcement at the security policy level. The security policy state tells the system if a security policy can be applied to data objects and whether the system should enforce the ACEs set in the security policy. Edit the values of the -allowtagging and -accesscontrol parameters to change the state of a security policy:
/opt/mapr/bin/maprcli security policy modify|create -name <security-policy-name> -cluster <cluster-name> \
-allowtagging true|false -accesscontrol Disarmed|Armed|Denied
Display security policy information and permissions Display information about a security policy:
/opt/mapr/bin/maprcli security policy info -name <security-policy-name> -cluster <cluster-name> \
[ -output <terse|verbose> -columns <comma-separated list of column names> -expandaces true|false ]

Display cluster-level permissions:

/opt/mapr/bin/maprcli acl show -type cluster

Display policy-level permissions:

/opt/mapr/bin/maprcli security policy info -name employeeData -columns acl,securityPolicyAces -json
Related documentation:
Apply security policies to data objects Apply security policies to Data Fabric File System data objects
  • Volume
    /opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> \
    -securitypolicy <policy1,policy2,...>
  • Directory or File
    hadoop mfs -setsecuritypolicytag <policyName> <filePath>

Apply security policies to Data Fabric Database data objects

  • Table
    #Apply security policies during table creation
    maprcli table create -path <tablePath> -securitypolicy <policyName,...>
    
    #Apply security policies to a table; does not replace existing policies
    maprcli table securitypolicy add -path <tablePath> -securitypolicy <policyName,...>
    
    #Apply security policies to a table; replaces existing policies
    maprcli table securitypolicy set -path <tablePath> -securitypolicy <policyName,...>
    
  • Column family
    #Apply security policies during column family creation
    maprcli table cf create -path <tablePath> -cfname <column-family-name> -jsonpath <family path> \
    -securitypolicy <policyName,...> -force true
    
    #Apply security policies to a column family; does not replace existing policies
    maprcli table cf securitypolicy add -path <tablePath> -cfname <column-family-name> -securitypolicy <policyName,...>
    
    #Apply security policies to a column family; replaces existing policies on the table
    maprcli table cf securitypolicy set -path <tablePath> -cfname <column-family-name> -securitypolicy <policyName,...>
  • Field
    #Apply security policies to a JSON-table field; does not replace existing policies
    maprcli table cf column securitypolicy add -path <tablePath> -cfname <column-family-name> \
    -column <column-name> -securitypolicy <policyName,...>
    
    #Apply security policies to a JSON-table field; replaces existing policies 
    maprcli table cf column securitypolicy set -path <tablePath> -cfname <column-family-name> \
    -column <column-name> -securitypolicy <policyName,...>
View security policies applied to data objects
Data Fabric File System Data Objects
#View security polices on all volumes in the cluster
maprcli volume list -columns volumename,securitypolicy -json

#View security policies on files and directories
hadoop mfs -getsecuritypolicytag <path/to/file/or/directory>
Data Fabric Database Objects
#View security policies applied to a MapR Database JSON table
maprcli table info -path <path/to/table> -json

#View security policies applied to a column family in a MapR Database JSON table
maprcli table cf list -path <path/to/table> -cfname <column family name>

#View security policies applied to a field in a MapR Database JSON table
maprcli table cf column securitypolicy list -path <path/to/table> -cfname <column family name> \
-column <JSON table field>
Enforce security policies Security policy-level enforcement
/opt/mapr/bin/maprcli security policy modify -name <security-policy-name> \
-allowtagging true|false -accesscontrol Armed|Disarmed|Denied
Volume-level enforcement
/opt/mapr/bin/maprcli volume modify -name <volName> \
-enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly

Cluster-level enforcement

Applies to all data operations in the cluster where the cluster is either a member or master security policy cluster.
  • Disable ACEs configured in security policies
    maprcli config save -values '{"cldb.pbs.access.control.enabled":"0"}'
  • Enable ACEs configured in security policies (default)
    maprcli config save -values '{"cldb.pbs.access.control.enabled":"1" }'