Setting Global Configuration Options for Policy-Based Security

The CLDB stores global configuration settings for Policy-Based Security. Before creating security policies, an administrator must designate a master security policy cluster through the cldb.pbs.global.master option.

You can modify global configuration settings through the maprcli config save command and the REST API.

The following table describes the global configuration settings related to Policy-Based Security.

Parameter: cldb.pbs.max.security.policy
Default: 10000
Description: Maximum number of configured security policies allowed. Prevents users from arbitrarily creating numerous security policies, which could impact performance.

Parameter: cldb.pbs.global.master
Default: 0
Description: (Required) Sets the master security policy cluster for the global namespace. Configure a cluster to perform one of the following roles:
  • Master—A master security policy cluster is required to create and manage security policies.

    Only one master security policy cluster should be chosen among clusters sharing data (using mirroring).

  • Member—On a cluster designated as a member, you can view security policies available for tagging and tag data objects.

By default, the host is set to member (0) upon a new installation or upgrade. To set the host to master and enable the creation and modification of security policies, set the value of this property to 1.
NOTE
Policy creation or modification on a member cluster is not allowed.

Parameter: cldb.pbs.audit.only.policy.check
Default: 0
Description: Set the value to 1 to enforce permissive mode across all volumes in the cluster. In permissive mode, the system only enforces resource-level ACEs and POSIX mode bits. The system still checks the security policies for access and audits denied access events, but it does not actually deny access. See Volume-Level Security Policy Enforcement Mode.

Parameter: cldb.pbs.access.control.enabled
Default: 1
Description: Enables or disables, at the cluster level, the policy ACEs set in security policies. Set it to 0 to disable policy access checks across all volumes in the cluster; the DataAce enforcement mode is then automatically enabled. See Disabling Policy Access Controls at the Cluster-Level and Volume-Level Security Policy Enforcement Mode for additional information.

Setting the Policy-Based Security Mode Using the CLI and REST API

Run the following command to set a cluster as the Master for security policies:
maprcli config save -values '{"cldb.pbs.global.master":"1"}'
Send a request of type POST. For example, to designate a cluster as the Master for policy-based security creation and management, send a request similar to the following:
curl -X POST 'https://<hostname>:8443/rest/config/save?values={"cldb.pbs.global.master":"1"}' --user <username>:<password>

Setting the Policy-Based Security Mode Using the Control System

From the Control System, to set the cluster as the Master for security policies:

  1. Click the Security Settings icon.
  2. Click the PBS Mode setting.
  3. Select PBS Mode as Master from the drop-down.
  4. Click Submit to save the setting.

Changing the Policy-Based Security Global Master

To elect a new PBS master:
  1. Make sure that the cluster to be set as the master is still a member and not a master already. The value of cldb.pbs.global.master on this cluster should be 0.
  2. Ensure that no policies are being created or modified on the current master cluster.
  3. Export all policies from the current master cluster, and then import them to the cluster you want to set as the new master.
  4. Demote the current master cluster to a member by setting cldb.pbs.global.master to 0.
  5. Promote the cluster to be set as the master to be the global master by setting cldb.pbs.global.master to 1.
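The following shell helpers are an added example (not part of the product documentation) for the master-change procedure above: they read the current role through maprcli, refuse to promote a cluster that is not still a member (step 1), and issue the same config save commands shown in the CLI section for steps 4 and 5. It assumes maprcli is on PATH and that "maprcli config load -json -keys <key>" returns the value inside a "data" array as {"<key>":"<value>"}.

```shell
#!/bin/sh
# Added example, not the product's own tooling.
PBS_KEY="cldb.pbs.global.master"

# Extract the cldb.pbs.global.master value (0 or 1) from maprcli JSON on stdin.
pbs_master_value_from_json() {
  sed -n 's/.*"'"$PBS_KEY"'":"\([01]\)".*/\1/p' | head -n 1
}

# Query the local cluster and print its current PBS role value.
pbs_master_value() {
  maprcli config load -json -keys "$PBS_KEY" | pbs_master_value_from_json
}

# Succeeds only if this cluster is a member (value 0): the precondition
# in step 1 before a cluster may be promoted.
pbs_is_member() {
  v=$(pbs_master_value)
  [ "$v" = "0" ]
}

# Set the role explicitly; only 0 (member) or 1 (master) are accepted.
pbs_set_master() {
  case "$1" in
    0|1) ;;
    *) echo "value must be 0 (member) or 1 (master)" >&2; return 2 ;;
  esac
  maprcli config save -values "{\"$PBS_KEY\":\"$1\"}"
}

# Step 4 on the old master: demote it to a member.
pbs_demote_to_member() {
  pbs_set_master 0
}

# Step 5 on the new master: promote, but refuse if it is already a master
# (or the role could not be read), so two masters are never configured.
pbs_promote_to_master() {
  if ! pbs_is_member; then
    echo "refusing: $PBS_KEY is not 0 on this cluster" >&2
    return 1
  fi
  pbs_set_master 1
}

# Optional CLI entry point: ./pbs-role.sh promote | demote
case "${1:-}" in
  promote) pbs_promote_to_master ;;
  demote)  pbs_demote_to_member ;;
esac
```

Run the export/import of policies (step 3) between pbs_demote_to_member on the old master and pbs_promote_to_master on the new one.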