policy modify

Modify a security policy using the CLI.

Syntax

CLI
/opt/mapr/bin/maprcli security policy modify
              [ -name <security-policy-name> ]
              [ -description <description> ]
              [ -cluster cluster-name]
              [ -allowtagging true|false ]
              [ -accesscontrol Armed|Disarmed|Denied ]
              [ -auditenabled true|false ]
              [ -dataauditops <+|- operations>|all ]
              [ -disableddataauditops <+|- operations>|all ]
              [ -wiresecurityenabled true|false ]
              [ -readfileace <file read ACE> ]
              [ -writefileace <file write ACE> ]
              [ -executefileace <file execute ACE> ]
              [ -readdirace <directory read ACE> ]
              [ -addchildace <directory add child ACE> ]
              [ -deletechildace <directory delete child ACE> ]
              [ -lookupdirace <directory lookup ACE> ]
              [ -readdbace <db cf read ACE]> ]
              [ -writedbace <db cf write ACE]> ]
              [ -traversedbace <db cf traverse ACE> ]
              [ -readaces <file, directory, db ACE> ]
              [ -writeaces <file, directory, db ACE> ]
              [ -unmaskedreaddbace <DB unmasked read ace> ]
              [ -user space separated list of user:permissions,permissions,... to be set ]
              [ -group space separated list of group:permissions,permissions,... to be set ]   
REST
Request Type POST
Request URL
http[s]://<host>:<port>/rest/security/policy/modify?<parameters>

Parameters

You must specify either name or path, but not both.

Parameter

Description

name The name of this security policy. Security policy names must be unique within the cluster and must contain only alphanumeric characters, hyphen (-) and underscore (_). Other characters like space and commas are not allowed. Maximum length of the security policy name is 32 characters. This parameter is mandatory.
description An ASCII string that gives a user-readable description of the policy.
cluster The cluster name on which to run the command. If the cluster name is not supplied, the command is run on the current cluster.
allowtagging Allows or disallows tagging for the security policy. If set to true, this security policy can be used to tag HPE Ezmeral Data Fabric file system resources. When the security policy is first created, the allowtagging flag is set to false to give the administrator time to configure the security policy, before allowing users to tag HPE Ezmeral Data Fabric resources with this security policy. Default is false.
accesscontrol Determines whether the relevant Access Control Expression (ACE)s in this security policy are enforced for HPE Ezmeral Data Fabric resources that are tagged with this security policy. The following settings are supported:
  • Armed: When a HPE Ezmeral Data Fabric resource is tagged with this security policy, the relevant ACEs in this security policy are enforced when the resource is accessed. This is the normal operation mode.
  • Disarmed (default setting): Even if a HPE Ezmeral Data Fabric resource is tagged with this security policy, the ACEs in this security policy are NOT enforced. Use this setting as an emergency switch when an incorrectly configured security policy denies authorized users from accessing resources.
  • Denied: Access is always denied to any HPE Ezmeral Data Fabric resources tagged with this security policy. Use this setting for security policies that are no longer in use, but are still tagged to some HPE Ezmeral Data Fabric resources. Administrators can look at the audit logs to determine the root cause.
auditenabled Specifies whether or not to audit operation on the resource on which the policy is tagged. Set to true to enable auditing, and false to disable auditing.

Default: false.

dataauditops The comma separated list of file system operations to include (specified with a preceding plus sign (+)), or exclude (specified with a preceding minus sign (-)) from auditing.

To exclude the first operation in the list of operations from auditing, you must precede the operation by two minus (--) signs. You must precede subsequent operations to exclude, by only a single minus (-) sign, irrespective of whether the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing.

The operations that can be included (+) or excluded (-) from auditing are listed in Auditing Data Access Operations. You can, alternatively, group all the operations using the keyword all, which:

  • If included (+), cannot be specified with a list of other included operations.
  • If excluded (-), cannot be specified with a list of other excluded operations.

All specified operations must either be included or excluded from auditing. You cannot specify a mixed list of included and excluded operations. Other than the specified operations, by default, all other operations are:

  • Included for auditing, if the specified list is a list of excluded operations.

  • Excluded from auditing, if the specified list is a list of included operations.

Including setattr automatically enables the following operations:
  • chown
  • chgrp
  • chperm

If you do nothing with setattr (neither enable nor disable), you can enable or disable chown, chgrp, and chperm in any combination.

disableddataauditops The comma-separated list of disabled file system audit operations to set. This is an alternate way of setting audit operations from the dataauditops option.

No plus (+) or minus signs (-) are allowed for this option.

Any audit operations specified with this option replace any existing disabled audit operations configured for this security policy, while any audit operations that are not specified, are enabled.

Merging of the specified audit operations with existing audit operations is not done, as compared to the dataauditops option.

Excluding setattr automatically disables the following operations:
  • chown
  • chgrp
  • chperm

If you do nothing with setattr (neither enable nor disable), you can enable or disable chown, chgrp, and chperm in any combination.

wiresecurityenabled Determines whether or not to perform wire-level encryption for data of resource on which security is tagged. Set to true to enable wire-level encryption, and false to disable wire-level encryption.

Default: true

readfileace An ACE that controls who can read from this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can read the file contents. To read a file that is tagged with this security policy, you must have the following permissions:
  • Read permission to the volume
  • Read permission to the file
writefileace An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Only the owner can write to the file. To write to a file that is tagged with this security policy, you must have the following permissions:
  • Write permission to the volume
  • Write permission to the file
executefileace An ACE that controls who can execute this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode 0755. Anyone can execute this file (assuming that the contents are executable). To execute a file that is tagged with this security policy, you must have the following permissions:
    • Read permission to the volume
    • Read and execute permissions to the file
readdirace Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can read the contents of files in this directory. To read the contents of a file in a directory tagged with this security policy, you must have the following permissions:
  • Read permission to the volume

  • Read permission to the parent directory

  • Read permission to the file

addchildace Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can create files and directories in this directory. To create files and directories in a directory tagged with this security policy, you must have the following permissions:
  • Add child permission for the parent directory

  • Read and execute permissions to all directories in the path

  • Write permission to the parent directory, and

  • Write permission to the volume.

deletechildace Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. By default, only the owner can delete files and directories in this directory. To delete files and directories in a directory tagged with this security policy, you must have the following permissions:
  • Delete child permission for the parent directory

  • Read and execute access to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

lookupdirace Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode 0755. Anyone can list the files in this directory. To list the contents of a directory tagged with this security policy, you must have the following permissions:
  • Read permission to the directory

  • Read permission to the volume
readdbace The ACE for column reads. Fields within the column family inherit this permission.

Default: u:creator.

To read fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Read permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

writedbace The ACE for column writes (puts and deletes). Fields within the column family inherit this permission.

Default:u:creator.

To perform column writes, you must have the following permissions:

  • Write permission to the DB column family

  • Read and execute permission to all directories in the path

  • Write permission to the parent directory

  • Write permission to the volume

traversedbace DB CF traverse permission settings, which determine the permission to pass over fields in JSON documents. Fields within the column family inherit this permission.

Default: u:creator.

To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions:

  • Traverse permission to the DB column family

  • Read and execute permissions to all directories in the path

  • Read permission to the volume

readaces A convenience option to set read permissions for all objects. This is equivalent to setting the same ACE for the readfileace, readdirace, lookupdirace, , readdbace, and traversedbace options.
writeaces A convenience option to set write permissions for all objects. This is equivalent to setting the same ACE for writefileace, addchildace, deletechildace, and writedbace, options.
unmaskedreaddbace This is the ACE for determining whether the users have the unmaskedreadperm permission to enable them to read the masked column data unmasked. These users must also have readdbace permission. The unmaskedreadperm permission will not be automatically set when using the convenience readaces parameter. The unmaskedreadperm permission must be specifically enabled in the security policy by using the unmaskedreaddbace ACE. See Dynamic Data Masking for more information.
user Space separated list of user:permission,permission pairs. Use commas to separate each permission, and spaces to separate each user. For example, to give user tom, admin (a) and full control (fc) permissions, and user jane, admin (a) permission, use -user tom:a,fc jane:a

If you do not specify this option, a security policy level administrative ACL is added for the administrator who created this security policy to have full privileges by default, that is [r,a,fc]. However, any other user with admin (a) privilege for this security policy can remove this privilege . Specifying this option overwrites the default setting to give security policy level privileges only to the users specified in the -user list.

Use this option with care. You MUST specify admin (a) privilege for at least one administrator (for example, -user admin1:r,a,fc) in addition to privileges for any other users, to modify this security policy after creation. Otherwise, if the -user or -group options are specified but without admin (a) or full control (fc) permission, (for example, -user operator:r), no one other than the mapr administrator can modify the security policy.

group Space separated list of group:permission,permission pairs. Use commas to separate each permission, and spaces to separate each group. For example, to give group operators read (r) permission, and group secadmin full control (fc) permission, use -group operators:r secadmin:a,fc

ACE Handling Behaviour

Specified ACE are merged with the existing ACE for the security policy. For example, assume there is a security policy hipaa that currently only has readfileace and writefileace specified, with all other ACEs not specified:

ACE Type ACE Value
readfileace g:staff
writefileace g:staff

Use the maprcli security policy modify command to set the writefileace and addchildace ACE:

maprcli security policy modify -name hipaa -writefileace g:mapr -addchildace g:admin

Here, the value of readfileace remains as g:staff, writefileace is replaced by the new value g:mapr, and addchildace is added to the list of ACE for this security policy:

ACE Type ACE Value
readfileace g:staff
writefileace g:mapr (overwrites older value)
addchildace g:admin (new ACE)

Using the readaces convenience

The following example illustrates how to use the readaces convenience feature.

You create a security policy named hipaa, and set the readfileace and writefileace to u:mapr:

/opt/mapr/bin/maprcli security policy create -name hipaa -readfileace u:mapr -writefileace u:mapr

/opt/mapr/bin/maprcli security policy  info -name hipaa -json
        {
        "timestamp":1548660146619,
        "timeofday":"2019-01-27 11:22:26.619 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:22:08 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed",
        "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "readfileace":"u:mapr",
        "writefileace":"u:mapr"
        }
        }
        ]
        }

You use the maprcli security policy modify command to change all the read ACE, using the readaces option. readaces replaces all read ACE (executefileace, readfileace, lookupdirace, readdirace, readdbace, traversedbace) with the specified ACE, leaving the write ACE intact:

/opt/mpr/bin/maprcli security policy modify -name hipaa -readaces g:mapr

/opt/mapr/bin/maprcli security policy info -name hipaa -json
        {
        "timestamp":1548660250167,
        "timeofday":"2019-01-27 11:24:10.167 GMT-0800 PM",
        "status":"OK",
        "total":1,
        "data":[
        {
        "name":"hipaa",
        "id":3,
        "mtime":"Sun Jan 27 23:24:04 PST 2019",
        "ctime":"Sun Jan 27 23:22:08 PST 2019",
        "wireEncrypt":true,
        "auditEnabled":false,
        "allowTagging":false,
        "accessControl":"Disarmed", "enabled_dataAuditOps":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
        "disabled_dataAuditOps":"",
        "acl":{
        "Principal":"User test1",
        "Allowed actions":"[r, a, fc]"
        },
        "securityPolicyAces":{
        "executefileace":"g:mapr",
        "readfileace":"g:mapr",
        "lookupdirace":"g:mapr",
        "readdirace":"g:mapr",
        "writefileace":"u:mapr",
        "readdbace":"g:mapr",
        "traversedbace":"g:mapr",
        
        }
        }
        ]
        }

Examples

For example, add the writeaces ACE setting to the existing security policy MILITARY:
/opt/mapr/bin/maprcli security policy modify -name MILITARY -writeaces "u:user7|u:user10" -json
{
	"timestamp":1554814308487,
	"timeofday":"2019-04-09 05:51:48.487 GMT-0700 AM",
	"status":"OK",
	"total":0,
	"data":[
		
	],
	"messages":[
		"Successfully updated security policy 'MILITARY'"
	]
} 
curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/modify?name=MILITARY&writeaces=u%3auser7|u%3auser10"
{"timestamp":1554815274740,"timeofday":"2019-04-09 06:07:54.740 GMT-0700 AM","status":"OK","total":0,"data":[],"messages":["Successfully updated security policy 'MILITARY'"]}