policy modify

Modify a security policy using the CLI.

Syntax

CLI

/opt/mapr/bin/maprcli security policy modify
              [ -name <security-policy-name> ]
              [ -description <description> ]
              [ -cluster cluster-name]
              [ -allowtagging true|false ]
              [ -accesscontrol Armed|Disarmed|Denied ]
              [ -auditenabled true|false ]
              [ -dataauditops <+|- operations>|all ]
              [ -disableddataauditops <+|- operations>|all ]
              [ -wiresecurityenabled true|false ]
              [ -readfileace <file read ACE> ]
              [ -writefileace <file write ACE> ]
              [ -executefileace <file execute ACE> ]
              [ -readdirace <directory read ACE> ]
              [ -addchildace <directory add child ACE> ]
              [ -deletechildace <directory delete child ACE> ]
              [ -lookupdirace <directory lookup ACE> ]
              [ -readdbace <db cf read ACE]> ]
              [ -writedbace <db cf write ACE]> ]
              [ -traversedbace <db cf traverse ACE> ]
              [ -readaces <file, directory, db ACE> ]
              [ -writeaces <file, directory, db ACE> ]
              [ -unmaskedreaddbace <DB unmasked read ace> ]
              [ -user space separated list of user:permissions,permissions,... to be set ]
              [ -group space separated list of group:permissions,permissions,... to be set ]

REST

Request Type	POST
Request URL	`http[s]://<host>:<port>/rest/security/policy/modify?<parameters>`

Parameters

You must specify either name or path, but not both.

Parameter	Description
`name`	The name of this security policy. Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-) and underscore (_). Other characters like space and commas are not allowed. Maximum length of the security policy name is 32 characters. This parameter is mandatory.
`description`	An ASCII string that gives a user-readable description of the policy.
`cluster`	The cluster name on which to run the command. If the cluster name is not supplied, the command is run on the current cluster.
`allowtagging`	Allows or disallows tagging for the security policy. If set to `true`, this security policy can be used to tag HPE Ezmeral Data Fabric filesystem resources. When the security policy is first created, the `allowtagging` flag is set to `false` to give the administrator time to configure the security policy, before allowing users to tag HPE Ezmeral Data Fabric resources with this security policy. Default is `false`.
`accesscontrol`	Determines whether the relevant Access Control Expression (ACE)s in this security policy are enforced for HPE Ezmeral Data Fabric resources that are tagged with this security policy. The following settings are supported: `Armed`: When a HPE Ezmeral Data Fabric resource is tagged with this security policy, the relevant ACEs in this security policy are enforced when the resource is accessed. This is the normal operation mode. `Disarmed (default setting)`: Even if a HPE Ezmeral Data Fabric resource is tagged with this security policy, the ACEs in this security policy are NOT enforced. Use this setting as an emergency switch when an incorrectly configured security policy denies authorized users from accessing resources. `Denied`: Access is always denied to any HPE Ezmeral Data Fabric resources tagged with this security policy. Use this setting for security policies that are no longer in use, but are still tagged to some HPE Ezmeral Data Fabric resources. Administrators can look at the audit logs to determine the root cause.
`auditenabled`	Specifies whether or not to audit operation on the resource on which the policy is tagged. Set to `true` to enable auditing, and `false` to disable auditing. Default: `false`.
`dataauditops`	The comma separated list of filesystem operations to include (specified with a preceding plus sign (+)), or exclude (specified with a preceding minus sign (-)) from auditing. To exclude the first operation in the list of operations from auditing, you must precede the operation by two minus (--) signs. You must precede subsequent operations to exclude, by only a single minus (-) sign, irrespective of whether the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing. The operations that can be included (+) or excluded (-) from auditing are listed in Auditing Data Access Operations. You can, alternatively, group all the operations using the keyword all, which: If included (+), cannot be specified with a list of other included operations. If excluded (-), cannot be specified with a list of other excluded operations. All specified operations must either be included or excluded from auditing. You cannot specify a mixed list of included and excluded operations. Other than the specified operations, by default, all other operations are: Included for auditing, if the specified list is a list of excluded operations. Excluded from auditing, if the specified list is a list of included operations. Including `setattr` automatically enables the following operations: `chown` `chgrp` `chperm` If you do nothing with `setattr` (neither enable nor disable), you can enable or disable `chown, chgrp,` and `chperm` in any combination.
`disableddataauditops`	The comma-separated list of disabled filesystem audit operations to set. This is an alternate way of setting audit operations from the `dataauditops` option. No plus (+) or minus signs (-) are allowed for this option. Any audit operations specified with this option replace any existing disabled audit operations configured for this security policy, while any audit operations that are not specified, are enabled. Merging of the specified audit operations with existing audit operations is not done, as compared to the `dataauditops` option. Excluding `setattr` automatically disables the following operations: `chown` `chgrp` `chperm` If you do nothing with `setattr` (neither enable nor disable), you can enable or disable `chown, chgrp,` and `chperm` in any combination.
`wiresecurityenabled`	Determines whether or not to perform wire-level encryption for data of resource on which security is tagged. Set to `true` to enable wire-level encryption, and `false` to disable wire-level encryption. Default: `true` for secure clusters, `false` for insecure clusters.
`readfileace`	An ACE that controls who can read from this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode `0755`. Anyone can read the file contents. To read a file that is tagged with this security policy, you must have the following permissions: `Read` permission to the volume `Read` permission to the file
`writefileace`	An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode `0755`. Only the owner can write to the file. To write to a file that is tagged with this security policy, you must have the following permissions: `Write` permission to the volume `Write` permission to the file
`executefileace`	An ACE that controls who can execute this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode `0755`. Anyone can execute this file (assuming that the contents are executable). To execute a file that is tagged with this security policy, you must have the following permissions: `Read` permission to the volume `Read` and `execute` permissions to the file
`readdirace`	Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode `0755`. Anyone can read the contents of files in this directory. To read the contents of a file in a directory tagged with this security policy, you must have the following permissions: `Read` permission to the volume `Read` permission to the parent directory `Read` permission to the file
`addchildace`	Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode `0755`. By default, only the owner can create files and directories in this directory. To create files and directories in a directory tagged with this security policy, you must have the following permissions: `Add child` permission for the parent directory `Read` and `execute` permissions to all directories in the path `Write` permission to the parent directory, and `Write` permission to the volume.
`deletechildace`	Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode `0755`. By default, only the owner can delete files and directories in this directory. To delete files and directories in a directory tagged with this security policy, you must have the following permissions: `Delete child` permission for the parent directory `Read` and `execute` access to all directories in the path `Write` permission to the parent directory `Write` permission to the volume
`lookupdirace`	Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode `0755`. Anyone can list the files in this directory. To list the contents of a directory tagged with this security policy, you must have the following permissions: `Read` permission to the directory `Read` permission to the volume
`readdbace`	The ACE for column reads. Fields within the column family inherit this permission. Default: `u:creator`. To read fields in JSON DB column families tagged with this security policy, you must have the following permissions: `Read` permission to the DB column family `Read` and `execute` permissions to all directories in the path `Read` permission to the volume
`writedbace`	The ACE for column writes (puts and deletes). Fields within the column family inherit this permission.. Default:`u:creator`. To perform column writes, you must have the following permissions: `Write` permission to the DB column family `Read` and `execute` permission to all directories in the path `Write` permission to the parent directory `Write` permission to the volume
`traversedbace`	DB CF traverse permission settings, which determine the permission to pass over fields in JSON documents. Fields within the column family inherit this permission. Default: `u:creator`. To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions: `Traverse` permission to the DB column family `Read` and `execute` permissions to all directories in the path `Read` permission to the volume
`readaces`	A convenience option to set read permissions for all objects. This is equivalent to setting the same ACE for the `readfileace`, `readdirace`, `lookupdirace`, , `readdbace`, and `traversedbace` options.
`writeaces`	A convenience option to set write permissions for all objects. This is equivalent to setting the same ACE for `writefileace`, `addchildace`, `deletechildace`, and `writedbace`, options.
`unmaskedreaddbace`	This is the ACE for determining whether the users have the `unmaskedreadperm` permission to enable them to read the masked column data unmasked. These users must also have `readdbace` permission. The `unmaskedreadperm` permission will not be automatically set when using the convenience `readaces` parameter. The `unmaskedreadperm` permission must be specifically enabled in the security policy by using the `unmaskedreaddbace` ACE. See Dynamic Data Masking for more information.
`user`	Space separated list of `user:permission,permission` pairs. Use commas to separate each permission, and spaces to separate each user. For example, to give user `tom`, `admin (a) and full control (fc)` permissions, and user `jane`, admin (a) permission, use `-user tom:a,fc jane:a` If you do not specify this option, a security policy level administrative ACL is added for the administrator who created this security policy to have full privileges by default, that is `[r,a,fc]`. However, any other user with `admin (a)` privilege for this security policy can remove this privilege . Specifying this option overwrites the default setting to give security policy level privileges only to the users specified in the `-user` list. Use this option with care. You MUST specify `admin (a)` privilege for at least one administrator (for example, `-user admin1:r,a,fc`) in addition to privileges for any other users, to modify this security policy after creation. Otherwise, if the `-user` or `-group` options are specified but without `admin (a)` or `full control (fc)` permission, (for example, `-user operator:r`), no one other than the mapr administrator can modify the security policy.
`group`	Space separated list of group:permission,permission pairs. Use commas to separate each permission, and spaces to separate each group. For example, to give group operators `read (r)` permission, and group secadmin `full control (fc)` permission, use `-group operators:r secadmin:a,fc`

ACE Handling Behaviour

Specified ACE are merged with the existing ACE for the security policy. For example, assume there is a security policy hipaa that currently only has readfileace and writefileace specified, with all other ACEs not specified:

ACE Type	ACE Value
`readfileace`	`g:staff`
`writefileace`	`g:staff`

Use the maprcli security policy modify command to set the writefileace and addchildace ACE:

maprcli security policy modify -name hipaa -writefileace g:mapr -addchildace
        g:admin

Here, the value of readfileace remains as g:staff, writefileace is replaced by the new value g:mapr, and addchildace is added to the list of ACE for this security policy:

ACE Type	ACE Value
`readfileace`	`g:staff`
`writefileace`	`g:mapr` (overwrites older value)
`addchildace`	`g:admin` (new ACE)

Using the readaces convenience

The following example illustrates how to use the readaces convenience feature.

You create a security policy named hipaa, and set the readfileace and writefileace to u:mapr:

/opt/mapr/bin/maprcli security policy create -name hipaa -readfileace u:mapr -writefileace u:mapr

/opt/mapr/bin/maprcli security policy  info -name hipaa -json
        {
        "timestamp":1548660146619,
        "timeofday":"2019-01-27 11:22:26.619 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:22:08 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed",
        "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "readfileace":"u:mapr",
        "writefileace":"u:mapr"
        }
        }
        ]
        }

You use the maprcli security policy modify command to change all the read ACE, using the readaces option. readaces replaces all read ACE (executefileace, readfileace, lookupdirace, readdirace, readdbace, traversedbace) with the specified ACE, leaving the write ACE intact:

/opt/mpr/bin/maprcli security policy modify -name hipaa -readaces g:mapr

/opt/mapr/bin/maprcli security policy info -name hipaa -json
        {
        "timestamp":1548660250167,
        "timeofday":"2019-01-27 11:24:10.167 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:24:04 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed", "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "executefileace":"g:mapr",
        "readfileace":"g:mapr",
        "lookupdirace":"g:mapr",
        "readdirace":"g:mapr",
        "writefileace":"u:mapr",
        "readdbace":"g:mapr",
        "traversedbace":"g:mapr",
        
        }
        }
        ]
        }

Examples

For example, add the writeaces ACE setting to the existing security policy MILITARY:

/opt/mapr/bin/maprcli security policy modify -name MILITARY -writeaces "u:user7|u:user10" -json
{
	"timestamp":1554814308487,
	"timeofday":"2019-04-09 05:51:48.487 GMT-0700 AM",
	"status":"OK",
	"total":0,
	"data":[
		
	],
	"messages":[
		"Successfully updated security policy 'MILITARY'"
	]
}

curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/modify?name=MILITARY&writeaces=u%3auser7|u%3auser10"
{"timestamp":1554815274740,"timeofday":"2019-04-09 06:07:54.740 GMT-0700 AM","status":"OK","total":0,"data":[],"messages":["Successfully updated security policy 'MILITARY'"]}