policy create

Describes how to create a security policy using the CLI.

Syntax

CLI
/opt/mapr/bin/maprcli security policy create
              -name <security-policy-name> 
              [ -description <description> ]
              [ -cluster cluster-name]
              [ -allowtagging true|false ]
              [ -accesscontrol Armed|Disarmed|Denied ]
              [ -auditenabled true|false ]
              [ -dataauditops <+|- operations>|all ]
              [ -wiresecurityenabled true|false ]
              [ -readfileace <file read ACE> ]
              [ -writefileace <file write ACE> ]
              [ -executefileace <file execute ACE> ]
              [ -readdirace <directory read ACE> ]
              [ -addchildace <directory add child ACE> ]
              [ -deletechildace <directory delete child ACE> ]
              [ -lookupdirace <directory lookup ACE> ]
              [ -readdbace <db cf read ACE]> ]
              [ -writedbace <db cf write ACE]> ]
              [ -traversedbace <db cf traverse ACE> ]
              [ -readaces <file, directory, db, streams ACE> ]
              [ -writeaces <file, directory, db, streams ACE> ]
              [ -unmaskedreaddbace <DB unmasked read ace> ]
              [ -user <user:permission,permission,... user:permission,permission,...> ]
              [ -group <group:permission,permission,... group:permission,permission,...> ]
   
REST
Request Type POST
Request URL
http[s]://<host>:<port>/rest/security/policy/create?<parameters>

Parameters

Parameter

Description

name The name of this security policy. Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-) and underscore (_). Other characters like space and commas are not allowed. Maximum length of the security policy name is 128 characters. This parameter is mandatory.
description The description of the policy. The maximum length of the description is 128 characters.

cluster

The cluster name on which to run the command. This parameter is optional. The local cluster is the default cluster.

allowtagging

Allows or disallows tagging for the security policy. If set to true, this security policy can be used to tag HPE Ezmeral Data Fabric filesystem resources. When the security policy is first created, the allowtagging flag is set to false to give the administrator time to configure the security policy, before allowing users to tag HPE Ezmeral Data Fabric resources with this security policy. Default is false.

accesscontrol

Determines whether the relevant Access Control Expression (ACE)s in this security policy are enforced for HPE Ezmeral Data Fabric resources that are tagged with this security policy. The following settings are supported:

  • Armed: When a HPE Ezmeral Data Fabric resource is tagged with this security policy, the relevant ACEs in this security policy are enforced when the resource is accessed. This is the normal operation mode.
  • Disarmed (default setting): Even if a HPE Ezmeral Data Fabric resource is tagged with this security policy, the ACEs in this security policy are NOT enforced. This setting can be used as an emergency switch when an incorrectly configured security policy denies authorized users from accessing resources.
  • Denied: Access is always denied to any HPE Ezmeral Data Fabric resources tagged with this security policy. Use this setting for security policies that are no longer in use, but are still tagged to some HPE Ezmeral Data Fabric resources. Administrators can look at the audit logs to determine the root cause.

auditenabled

Specifies whether or not to enable auditing for this policy. Set to true to enable auditing, and false to disable auditing.

Default: false.

dataauditops

The comma separated list of filesystem operations to include (specified with a preceding plus sign (+)), or exclude (specified with a preceding minus sign (-)) from auditing.

To exclude the first operation in the list of operations from auditing, precede the operation by two minus (--) signs. Precede subsequent operations to exclude by only a single minus (-) sign, irrespective of whether the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing.

The operations that can be included (+) or excluded (-) from auditing are listed in Auditing Data-Access Operations. Alternatively, you can group all the operations using the keyword all, which:

  • If included (+), cannot be specified with a list of other included operations.
  • If excluded (-), cannot be specified with a list of other excluded operations.

All specified operations must either be included or excluded from auditing. You cannot specify a mixed list of included and excluded operations. Other than the specified operations, by default, all other operations are:

  • Included for auditing, if the specified list is a list of excluded operations.

  • Excluded from auditing, if the specified list is a list of included operations.

Including setattr automatically enables the following operations:
  • chown
  • chgrp
  • chperm

If you exclude setattr, these operations are automatically disabled. If you do nothing with setattr (neither enable nor disable), you can enable or disable chown, chgrp, and chperm in any combination.

wiresecurityenabled

Determines whether or not to perform wire-level encryption on the returned data. Set to true to enable wire-level encryption, and false to disable wire-level encryption.

Default: true for secure clusters, false for insecure clusters.

readfileace

An ACE that controls who can read from this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can read the file contents. To read a file that is tagged with this security policy, you must have the following permissions:

  • Read permission to the volume
  • Read permission to the file

writefileace

An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Only the owner can write to the file. To write to a file that is tagged with this security policy, you must have the following permissions:

  • Write permission to the volume
  • Write permission to the file

executefileace

An ACE that controls who can execute this file. If you do not set an ACE expression, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can execute this file (assuming that the contents are executable). To execute a file that is tagged with this security policy, you must have the following permissions:

    • Read permission to the volume
    • Read and execute permissions to the file

readdirace

Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can read the contents of files in this directory. To read the contents of a file in a directory tagged with this security policy, you must have the following permissions:

  • Read permission to the volume

  • Read permission to the parent directory

  • Read permission to the file

addchildace

Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can create files and directories in this directory. To create files and directories in a directory tagged with this security policy, you must have the following permissions:

  • Add child permission for the parent directory

  • Read and execute permissions to all directories in the path

  • Write permission to the parent directory, and

  • Write permission to the volume.

deletechildace

Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can delete files and directories in this directory. To delete files and directories in a directory tagged with this security policy, you must have the following permissions:

  • Delete child permission for the parent directory

  • Read and execute access to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

lookupdirace

Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can list the files in this directory. To list the contents of a directory tagged with this security policy, you must have the following permissions:

  • Read permission to the directory

  • Read permission to the volume

readdbace

The ACE for column reads. Fields within the column family inherit this permission.

Default: u:creator.

To read fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Read permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

writedbace

The ACE for column writes (puts and deletes). Fields within the column family inherit this permission.

Default:u:creator.

To perform column writes, you must have the following permissions:

  • Write permission to the DB column family

  • Read and execute permission to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

traversedbace

DB CF traverse permission settings, which determine the permission to pass over fields in JSON documents. Fields within the column family inherit this permission.

Default: u:creator.

To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Traverse permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

readaces

A convenience option to set read permissions for all objects. This is equivalent to setting the same ACE for the readfileace, readdirace, lookupdirace, readdbace, and traversedbace options.

writeaces

A convenience option to set write permissions for all objects. This is equivalent to setting the same ACE for writefileace, addchildace, deletechildace, and writedbace options.
unmaskedreaddbace This is the ACE for determining whether the users have the unmaskedreadperm permission to enable them to read the masked column data unmasked. These users must also have readdbace permission. The unmaskedreadperm permission will not be automatically set when using the convenience readaces parameter. The unmaskedreadperm permission must be specifically enabled in the security policy by using the unmaskedreaddbace ACE. See Dynamic Data Masking for more information.

user

Space separated list of user:permission,permission pairs. Use commas to separate each permission, and spaces to separate each user. For example, to give user tom, admin (a) and full control (fc) permissions, and user jane, admin (a) permission, use -user tom:a,fc jane:a

If you do not specify this option, a security policy level administrative ACL is added for the administrator who created this security policy to have full privileges by default, that is [r,a,fc]. However, another user with admin (a) privilege for this security policy can subsequently remove this privilege . Specifying this option overwrites the default setting to give security policy level privileges only to the users specified in the -user list.
CAUTION You must specify admin (a) privilege for at least one administrator (for example, -user admin1:r,a,fc) in addition to privileges for any other users to modify this security policy after creation. If the -user or -group options are specified but without admin (a) or full control (fc) permission, (for example, -user operator:r), only the mapr user can modify the security policy.

group

Space separated list of group:permission,permission pairs. Use commas to separate each permission, and spaces to separate each group. For example, to give group operators read (r) permission, and group secadmin full control (fc) permission, use -group operators:r secadmin:a,fc

Examples

/opt/mapr/bin/maprcli security policy create -name TOPSECRET -allowtagging true -accesscontrol Armed -wiresecurityenabled true -user "user7:a,fc user10:a"

/opt/mapr/bin/maprcli security policy info -name TOPSECRET -json
{
	"timestamp":1554275257851,
	"timeofday":"2019-04-03 12:07:37.851 GMT-0700 AM",
	"status":"OK",
	"total":1,
	"data":[
		{
			"policyname":"TOPSECRET",
			"policyid":5,
			"mtime":"Wed Apr 03 00:06:48 PDT 2019",
			"ctime":"Wed Apr 03 00:06:48 PDT 2019",
			"wiresecurity":"1",
			"audited":"0",
			"allowtagging":"1",
			"accesscontrol":"Armed",
			"enableddataauditoperations":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
			"disableddataauditoperations":"",
			"acl":[
				{
					"Principal":"User user7",
					"Allowed actions":"[r, a, fc]"
				},
				{
					"Principal":"User user10",
					"Allowed actions":"[a]"
				}
			]
		}
	]
}
curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/create?name=TOPSECRET&allowtagging=true&accesscontrol=Armed&wiresecurityenabled=true&user=user7%3Aa%2Cfc%20user10%3Aa"

curl -u mapr:mapr -X GET  -k "https://host:8443/rest/security/policy/info?name=TOPSECRET"
{"timestamp":1554788296883,"timeofday":"2019-04-08 10:38:16.883 GMT-0700 PM","status":"OK","total":1,"data":[{"policyname":"TOPSECRET","policyid":1,"mtime":"Mon Apr 08 22:33:52 PDT 2019","ctime":"Mon Apr 08 22:33:52 PDT 2019","wiresecurity":"1","audited":"0","allowtagging":"1","accesscontrol":"Armed","enableddataauditoperations":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent","disableddataauditoperations":"","acl":[{"Principal":"User user7","Allowed actions":"[r, a, fc]"},{"Principal":"User user10","Allowed actions":"[a]"}]}]}