Removing Tagged Security Policies from Data Objects

You can remove security policies associated with data objects using the Control System, CLI, or REST API.

About this task

WARNING
Remove a security policy from data objects before retiring the policy. The system denies all access to data objects tagged with a retired security policy afterwards. See Changing the State of a Security Policy.
The following table lists the methods for removing security policies for each type of data object and provides links to command references, where applicable:
HPE Ezmeral Data Fabric Component Data Object How to Remove Security Policies
HPE Ezmeral Data Fabric File System Volume
Directory
File
  • Same as directory
HPE Ezmeral Data Fabric Database JSON Table
Column family
Field

The following sections describe how to remove security policies from data objects through the Control System and extended attributes.

Removing Security Policies from Objects Using the Control System

About this task

You can remove security policies from volumes, JSON tables, JSON column families, and JSON fields using the Control System.
Removing Security Policies from Volumes
  1. Log in to the Control System, and click Data > Volumes.
    NOTE
    The Volumes page is under the Volumes menu in the Kubernetes version of the Control System.
  2. On the Volumes page, locate and select the volume that is tagged with the security policy to be removed.
  3. Click Edit Volume.
  4. In the Security section, click next to the security policy associated with the volume to remove the security policy.
  5. Click Save Changes.
Removing Security Policies from Tables, Column Families, and Fields
  1. Log in to the Control System, and click Data > Tables.
  2. In the Tables view, locate and select the table with the security policy to be removed. To remove a security policy from a column family or field, select the table that contains the column family or field.
  3. On the Summary tab, locate the Security section.
  4. In the Security section, click next to the security policy associated with the table to remove the security policy.
    • To remove a security policy from a column family, click on the table to expand the view. Click next to security policy associated with the column family to remove the security policy.
    • To remove a security policy from a field, click the column family name to expand the view, and remove the security policy.

Removing Security Policies Using Extended Attributes

About this task

The following sections describe how to use extended attributes to remove security policies.

Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To remove the extended attribute by name, run the setfattr command with the -x option:

setfattr [-h] -x name pathname...

Remove all security policy tags

Use the -x option to remove all security policy tags from the specified File Store object. For example, to remove all security policies for the file /mapr/lab/foo.txt, use the following command:

setfattr -x security.mapr.policy /mapr/lab/foo.txt

Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To remove security policy tags, run the hadoop fs -setfattr command with one of the following parameters:

  • -x to remove all security policy tags
  • -v to remove the specified security policy tags

For example, to remove all the security policy tags for the file /mapr/lab/foo.txt, use:

hadoop fs -setfattr -x security.mapr.policy /mapr/lab/foo.txt

To remove some security policy tags, and keep the rest, use the -v parameter.

This parameter replaces existing security policy tags with the ones specified.

For example, if two security policies are tagged to the file /mapr/lab/foo.txt (namely, Sensitive_Data policy and Lab_Security_Policy) and you want to remove the Sensitive_Data policy tag, specify just the Lab_Security_Policy tag in the -v parameter:

hadoop fs -setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab/foo.txt

Alternatively, use the hadoop mfs command to remove security policies.

For example, to remove particular security tags, use the format: 

hadoop mfs [-removesecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]
To remove all security tags, use the format: 
hadoop mfs [-removeallsecuritypolicytags [-R] <path>]

To remove an extended attribute associated with a file or directory, use the following Java API:

public void removeXAttr(Path path, String name) throws IOException

The name must be prefixed with the namespace, followed by . (period). For data-fabric security policy tags, the attribute name is security.mapr.policy.

Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To remove an extended attribute value, use the removexattr or fremovexattr system calls. The brief synopsis is as follows. For more details, refer to the removexattr(2) Linux manual page.

NAME

removexattr, fremovexattr -- remove an extended attribute value

SYNOPSIS

#include <sys/xattr.h>
int removexattr(const char *path, const char *name, int options);
int fremovexattr(int fd, const char *name, int options);