policy modify
Modify a security policy using the CLI.
Syntax
CLI
/opt/mapr/bin/maprcli security policy modify [ -name <security-policy-name> ] [ -description <description> ] [ -cluster <cluster-name> ] [ -allowtagging true|false ] [ -accesscontrol Armed|Disarmed|Denied ] [ -auditenabled true|false ] [ -dataauditops <+|- operations>|all ] [ -disableddataauditops <+|- operations>|all ] [ -wiresecurityenabled true|false ] [ -readfileace <file read ACE> ] [ -writefileace <file write ACE> ] [ -executefileace <file execute ACE> ] [ -readdirace <directory read ACE> ] [ -addchildace <directory add child ACE> ] [ -deletechildace <directory delete child ACE> ] [ -lookupdirace <directory lookup ACE> ] [ -readdbace <db cf read ACE> ] [ -writedbace <db cf write ACE> ] [ -traversedbace <db cf traverse ACE> ] [ -readaces <file, directory, db ACE> ] [ -writeaces <file, directory, db ACE> ] [ -unmaskedreaddbace <DB unmasked read ACE> ] [ -user <space separated list of user:permissions,permissions,... to be set> ] [ -group <space separated list of group:permissions,permissions,... to be set> ]
REST
Request Type: POST
Request URL: http[s]://<host>:<port>/rest/security/policy/modify?<parameters>
Parameters
You must specify either name or path, but not both.
Parameter | Description |
---|---|
name | The name of this security policy. Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-) and underscore (_). Other characters, such as spaces and commas, are not allowed. The maximum length of a security policy name is 32 characters. This parameter is mandatory. |
description | An ASCII string that gives a user-readable description of the policy. |
cluster | The cluster name on which to run the command. If the cluster name is not supplied, the command is run on the current cluster. |
allowtagging | Allows or disallows tagging for the security policy. If set to true, this security policy can be used to tag HPE Ezmeral Data Fabric file system resources. When the security policy is first created, the allowtagging flag is set to false to give the administrator time to configure the security policy before allowing users to tag HPE Ezmeral Data Fabric resources with it. Default is false. |
accesscontrol | Determines whether the relevant Access Control Expressions (ACEs) in this security policy are enforced for HPE Ezmeral Data Fabric resources that are tagged with this security policy. The following settings are supported: Armed, Disarmed, Denied. |
auditenabled | Specifies whether or not to audit operations on the resources on which the policy is tagged. Set to true to enable auditing, and false to disable auditing. Default: |
dataauditops | The comma-separated list of file system operations to include in (specified with a preceding plus sign (+)), or exclude from (specified with a preceding minus sign (-)), auditing. To exclude the first operation in the list from auditing, you must precede it by two minus signs (--). Subsequent operations to exclude are preceded by only a single minus sign (-), irrespective of whether the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing. The operations that can be included (+) or excluded (-) from auditing are listed in Auditing Data Access Operations. You can, alternatively, group all the operations using the keyword all, which: All specified operations must either be included in or excluded from auditing; you cannot specify a mixed list of included and excluded operations. Other than the specified operations, by default, all other operations are: setattr automatically enables the following operations: If you do nothing with |
disableddataauditops | The comma-separated list of disabled file system audit operations to set. This is an alternate way of setting audit operations from the dataauditops option. No plus (+) or minus (-) signs are allowed for this option. Any audit operations specified with this option replace any existing disabled audit operations configured for this security policy, while any audit operations that are not specified are enabled. Merging of the specified audit operations with existing audit operations is not done, as compared to the dataauditops option. setattr automatically disables the following operations: If you do nothing with |
wiresecurityenabled | Determines whether or not to perform wire-level encryption for the data of resources on which the security policy is tagged. Set to true to enable wire-level encryption, and false to disable it. Default: |
readfileace | An ACE that controls who can read from this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can read the file contents. To read a file that is tagged with this security policy, you must have the following permissions: |
writefileace | An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Only the owner can write to the file. To write to a file that is tagged with this security policy, you must have the following permissions: |
executefileace | An ACE that controls who can execute this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can execute this file (assuming that the contents are executable). To execute a file that is tagged with this security policy, you must have the following permissions: |
readdirace | Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can read the contents of files in this directory. To read the contents of a file in a directory tagged with this security policy, you must have the following permissions: |
addchildace | Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can create files and directories in this directory. To create files and directories in a directory tagged with this security policy, you must have the following permissions: |
deletechildace | Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can delete files and directories in this directory. To delete files and directories in a directory tagged with this security policy, you must have the following permissions: |
lookupdirace | Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can list the files in this directory. To list the contents of a directory tagged with this security policy, you must have the following permissions: |
readdbace | The ACE for column reads. Fields within the column family inherit this permission. Default: To read fields in JSON DB column families tagged with this security policy, you must have the following permissions: |
writedbace | The ACE for column writes (puts and deletes). Fields within the column family inherit this permission. Default: To perform column writes, you must have the following permissions: |
traversedbace | DB CF traverse permission settings, which determine the permission to pass over fields in JSON documents. Fields within the column family inherit this permission. Default: To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions: |
readaces | A convenience option to set read permissions for all objects. This is equivalent to setting the same ACE for the readfileace, readdirace, lookupdirace, executefileace, readdbace, and traversedbace options. |
writeaces | A convenience option to set write permissions for all objects. This is equivalent to setting the same ACE for the writefileace, addchildace, deletechildace, and writedbace options. |
unmaskedreaddbace | The ACE that determines whether users have the unmaskedreadperm permission, which allows them to read masked column data unmasked. These users must also have readdbace permission. The unmaskedreadperm permission is not set automatically when you use the convenience readaces parameter; it must be enabled specifically in the security policy by using the unmaskedreaddbace ACE. See Dynamic Data Masking for more information. |
user | Space-separated list of user:permission,permission pairs. Use commas to separate each permission, and spaces to separate each user. For example, to give user tom admin (a) and full control (fc) permissions, and user jane admin (a) permission, use -user tom:a,fc jane:a. If you do not specify this option, a security policy level administrative ACL is added by default for the administrator who created this security policy, giving that administrator full privileges. Use this option with care. You MUST specify |
group | Space-separated list of group:permission,permission pairs. Use commas to separate each permission, and spaces to separate each group. For example, to give group operators read (r) permission, and group secadmin admin (a) and full control (fc) permissions, use -group operators:r secadmin:a,fc |
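The dataauditops, user, and group rows above describe three small argument syntaxes with rules that are easy to get wrong on the command line (the double minus on the first excluded operation, no mixing of included and excluded operations, comma versus space separators). The following Python is an added example, not code from the HPE Ezmeral Data Fabric documentation or from maprcli: it validates those values before they are passed to the CLI or the REST endpoint, so that a rejected or misread policy change is caught locally. The operation names and principals in the samples are constructed for the example; the valid operation names are the ones listed in Auditing Data Access Operations, which this page does not reproduce.

```python
from typing import NamedTuple


class AuditOps(NamedTuple):
    mode: str    # "include" or "exclude", shared by every operation in the list
    ops: tuple   # operation names in the order they were given


def parse_dataauditops(value: str) -> AuditOps:
    """Parse a -dataauditops value such as '+read,+write' or '--read,-write'.

    Rules taken from the parameter table: '+' or no sign means include, '-'
    means exclude, the first excluded operation must be written with '--',
    and one list may not mix included and excluded operations. The keyword
    'all' is accepted like any operation name and passed through unchanged.
    """
    if not value.strip():
        raise ValueError("empty -dataauditops value")
    mode = None
    ops = []
    for index, raw in enumerate(value.split(",")):
        token = raw.strip()
        if token.startswith("--"):
            if index != 0:
                raise ValueError(f"double minus is only used on the first operation: {token!r}")
            sign, name = "exclude", token[2:]
        elif token.startswith("-"):
            if index == 0:
                raise ValueError("the first excluded operation must be written with --")
            sign, name = "exclude", token[1:]
        elif token.startswith("+"):
            sign, name = "include", token[1:]
        else:
            sign, name = "include", token
        if not name or not name.replace("_", "").isalnum():
            raise ValueError(f"invalid operation name in {token!r}")
        if mode is None:
            mode = sign
        elif sign != mode:
            raise ValueError("a list may not mix included (+) and excluded (-) operations")
        ops.append(name)
    return AuditOps(mode, tuple(ops))


def parse_principals(value: str) -> dict:
    """Parse a -user or -group value such as 'tom:a,fc jane:a' into
    {principal: (permission, ...)}. Spaces separate principals, commas
    separate permissions, and a principal may be listed only once."""
    result = {}
    for pair in value.split():
        principal, sep, perms = pair.partition(":")
        perm_list = tuple(p for p in perms.split(",") if p)
        if not sep or not principal or not perm_list:
            raise ValueError(f"expected principal:perm[,perm...], got {pair!r}")
        if principal in result:
            raise ValueError(f"principal {principal!r} is listed more than once")
        result[principal] = perm_list
    return result


def is_valid_dataauditops(value: str) -> bool:
    """True when parse_dataauditops accepts the value."""
    try:
        parse_dataauditops(value)
        return True
    except ValueError:
        return False


def is_valid_principals(value: str) -> bool:
    """True when parse_principals accepts the value."""
    try:
        parse_principals(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, modelled on the examples in the table above.
    print(parse_dataauditops("--read,-write"))        # exclude read and write
    print(parse_dataauditops("read,+write"))          # unsigned operations count as included
    print(parse_principals("tom:a,fc jane:a"))
    print(is_valid_dataauditops("+read,-write"))      # False: mixed list is rejected
    print(is_valid_dataauditops("-read"))             # False: first exclusion needs --
```

Run the checks on a value before interpolating it into a maprcli invocation or a REST query string; a value that fails here would be rejected, or worse silently misread, by the server.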
ACE Handling Behaviour
Specified ACEs are merged with the existing ACEs for the security policy.
For example, assume there is a security policy hipaa that currently has only readfileace and writefileace specified, with all other ACEs not specified:
ACE Type | ACE Value |
---|---|
readfileace | g:staff |
writefileace | g:staff |
Use the maprcli security policy modify command to set the writefileace and addchildace ACEs:
maprcli security policy modify -name hipaa -writefileace g:mapr -addchildace g:admin
Here, the value of readfileace remains g:staff, writefileace is replaced by the new value g:mapr, and addchildace is added to the list of ACEs for this security policy:
ACE Type | ACE Value |
---|---|
readfileace | g:staff |
writefileace | g:mapr (overwrites older value) |
addchildace | g:admin (new ACE) |
Using the readaces convenience option
The following example illustrates how to use the readaces convenience option.
You create a security policy named hipaa, and set the readfileace and writefileace to u:mapr:
/opt/mapr/bin/maprcli security policy create -name hipaa -readfileace u:mapr -writefileace u:mapr
/opt/mapr/bin/maprcli security policy info -name hipaa -json
{
"timestamp":1548660146619,
"timeofday":"2019-01-27 11:22:26.619 GMT-0800 PM",
"status":"OK",
"total":1,
"data":[
{
"name":"hipaa",
"id":3,
"mtime":"Sun Jan 27 23:22:08 PST 2019",
"ctime":"Sun Jan 27 23:22:08 PST 2019",
"wireEncrypt":true,
"auditEnabled":false,
"allowTagging":false,
"accessControl":"Disarmed",
"enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
"disabled_dataAuditOps":"",
"acl":{
"Principal":"User test1",
"Allowed actions":"[r, a, fc]"
},
"securityPolicyAces":{
"readfileace":"u:mapr",
"writefileace":"u:mapr"
}
}
]
}
You use the maprcli security policy modify command to change all the read ACEs, using the readaces option. readaces replaces all read ACEs (executefileace, readfileace, lookupdirace, readdirace, readdbace, traversedbace) with the specified ACE, leaving the write ACEs intact:
/opt/mapr/bin/maprcli security policy modify -name hipaa -readaces g:mapr
/opt/mapr/bin/maprcli security policy info -name hipaa -json
{
"timestamp":1548660250167,
"timeofday":"2019-01-27 11:24:10.167 GMT-0800 PM",
"status":"OK",
"total":1,
"data":[
{
"name":"hipaa",
"id":3,
"mtime":"Sun Jan 27 23:24:04 PST 2019",
"ctime":"Sun Jan 27 23:22:08 PST 2019",
"wireEncrypt":true,
"auditEnabled":false,
"allowTagging":false,
"accessControl":"Disarmed",
"enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
"disabled_dataAuditOps":"",
"acl":{
"Principal":"User test1",
"Allowed actions":"[r, a, fc]"
},
"securityPolicyAces":{
"executefileace":"g:mapr",
"readfileace":"g:mapr",
"lookupdirace":"g:mapr",
"readdirace":"g:mapr",
"writefileace":"u:mapr",
"readdbace":"g:mapr",
"traversedbace":"g:mapr"
}
}
]
}
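The ACE Handling Behaviour section and the readaces walkthrough above both describe the same merge rule: an ACE type you name is overwritten, a type you leave out is kept, a type that did not exist is added, and readaces/writeaces expand to fixed groups of types (with unmaskedreaddbace outside the readaces group). The following Python is an added example, not code from the HPE Ezmeral Data Fabric documentation or from maprcli: it models that rule so an administrator can preview the ACE set a modify call will leave behind before running it. The merge logic is an interpretation of the documented behaviour; the starting ACE sets are the hipaa examples from this page.

```python
# ACE types set by the readaces convenience option (from the readaces row
# and the walkthrough above).
READ_ACES = ("executefileace", "readfileace", "lookupdirace",
             "readdirace", "readdbace", "traversedbace")
# ACE types set by the writeaces convenience option (from the writeaces row).
WRITE_ACES = ("writefileace", "addchildace", "deletechildace", "writedbace")
# unmaskedreaddbace is deliberately in neither group: readaces does not set it.
SINGLE_ACES = READ_ACES + WRITE_ACES + ("unmaskedreaddbace",)


def modify_aces(existing: dict, **changes: str) -> dict:
    """Return the ACE set a `security policy modify` call would leave behind.

    `existing` maps ACE type -> ACE string, as reported under
    securityPolicyAces by `security policy info`. Keyword names are the CLI
    option names without the leading dash (writefileace="g:mapr",
    readaces="g:mapr", ...). The input dict is not mutated.
    """
    result = dict(existing)
    for option, ace in changes.items():
        if option == "readaces":
            targets = READ_ACES
        elif option == "writeaces":
            targets = WRITE_ACES
        elif option in SINGLE_ACES:
            targets = (option,)
        else:
            raise ValueError(f"unknown ACE option: -{option}")
        for ace_type in targets:          # specified types overwrite, others are kept
            result[ace_type] = ace
    return result


def describe_changes(existing: dict, **changes: str) -> list:
    """List every ACE type the call would add or overwrite, in the wording
    the documentation's tables use ('new ACE' / 'overwrites older value')."""
    after = modify_aces(existing, **changes)
    lines = []
    for ace_type in SINGLE_ACES:
        if ace_type not in after:
            continue
        old, new = existing.get(ace_type), after[ace_type]
        if old is None:
            lines.append(f"{ace_type}: {new} (new ACE)")
        elif old != new:
            lines.append(f"{ace_type}: {new} (overwrites older value {old})")
    return lines


if __name__ == "__main__":
    # Starting state from the ACE Handling Behaviour example above.
    hipaa = {"readfileace": "g:staff", "writefileace": "g:staff"}
    for line in describe_changes(hipaa, writefileace="g:mapr", addchildace="g:admin"):
        print(line)
    # Starting state from the readaces walkthrough above.
    created = {"readfileace": "u:mapr", "writefileace": "u:mapr"}
    print(modify_aces(created, readaces="g:mapr"))
```

Because readaces touches six ACE types at once, previewing with describe_changes before the real call is the cheapest way to confirm that a read-side change is not about to widen access on a type you had not considered, and that unmaskedreaddbace still needs its own setting.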
Examples
Add the writeaces ACE setting to the existing security policy MILITARY:
/opt/mapr/bin/maprcli security policy modify -name MILITARY -writeaces "u:user7|u:user10" -json
{
"timestamp":1554814308487,
"timeofday":"2019-04-09 05:51:48.487 GMT-0700 AM",
"status":"OK",
"total":0,
"data":[
],
"messages":[
"Successfully updated security policy 'MILITARY'"
]
}
curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/modify?name=MILITARY&writeaces=u%3auser7|u%3auser10"
{"timestamp":1554815274740,"timeofday":"2019-04-09 06:07:54.740 GMT-0700 AM","status":"OK","total":0,"data":[],"messages":["Successfully updated security policy 'MILITARY'"]}