Enforcing Security Policies at the Volume-Level
Describes how to set enforcement modes for security policies at the volume level.
About this task
The system enforces data access controls during data operations. Data access controls are the ACEs defined in security policies, plus the ACEs and POSIX mode bits defined directly on data objects. The enforcement mode tells the system which of these data access controls to evaluate and enforce during data operations.
You can set the enforcement mode to one of the following values from the Control System, CLI, or REST API:
Enforcement Mode | Enforce Security Policies | Enforce Data ACEs and POSIX Mode Bits |
---|---|---|
PolicyAceAndDataAce (Default) | Yes | Yes |
PolicyAceOnly | Yes | No |
DataAceOnly | No | Yes |
PolicyAceAuditAndDataAce (Permissive mode) | Performs checks but does not fail; audits instead | Yes |
For detailed information about the enforcement mode options, see Volume-Level Security Policy Enforcement Mode.
Set the Enforcement Mode from the Control System
Procedure
- Log in to the Control System, and go to the volume information page.
- In the Security pane, click associated with Enforcement Mode to display the Change Enforcement Mode window.
- Select the enforcement mode to apply to the volume.
- Click Save Changes for the changes to take effect.
Set the Enforcement Mode from the CLI or REST API
About this task
Set the enforcement mode when you create a volume:
/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policyName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly
Set the enforcement mode when you modify a volume:
/opt/mapr/bin/maprcli volume modify -name <volName> -enforcementmode PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly
Send a POST request to set the enforcement mode when you create a volume:
curl -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<mountPath>&securitypolicy=<policyName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>
Send a POST request to set the enforcement mode when you modify a volume:
curl -X POST 'https://<hostname>:8443/rest/volume/modify?name=<volName>&enforcementmode=PolicyAceAndDataAce|PolicyAceOnly|DataAceOnly' --user <username>:<pwd>
See volume create and volume modify.
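A change of enforcement mode can silently stop a class of checks from denying access, so the sketch below refuses such a change unless it is explicitly acknowledged, then builds the volume modify request shown above. It is an added example, not part of the product documentation: the function names and the `--allow-weaker` argument are hypothetical, the current mode is supplied by the operator, and the example only accepts volume names made of letters, digits, `.`, `_` and `-`.

```shell
#!/bin/sh
# Added example, not vendor code. Mode names and meanings come from the
# enforcement-mode table above; function names and --allow-weaker are hypothetical.

# Print "<policy> <data>" for a mode: yes = enforced, audit = checked but not
# denied, no = not evaluated. Fails for a name that is not in the table.
mode_bits() {
  case "$1" in
    PolicyAceAndDataAce)      echo "yes yes" ;;
    PolicyAceOnly)            echo "yes no" ;;
    DataAceOnly)              echo "no yes" ;;
    PolicyAceAuditAndDataAce) echo "audit yes" ;;
    *) return 1 ;;
  esac
}

# Succeeds when moving from mode $1 to mode $2 stops enforcing a check
# (security policy ACEs or data ACEs/mode bits) that mode $1 enforced.
weakens() {
  old=$(mode_bits "$1") || return 2
  new=$(mode_bits "$2") || return 2
  [ "${old%% *}" = yes ] && [ "${new%% *}" != yes ] && return 0
  [ "${old##* }" = yes ] && [ "${new##* }" != yes ] && return 0
  return 1
}

# Args: host volume current_mode new_mode [--allow-weaker]
# Prints the REST URL. Status 2 = bad volume name or unknown mode,
# status 3 = change weakens enforcement and was not acknowledged.
modify_url() {
  case "$2" in ""|*[!A-Za-z0-9._-]*) return 2 ;; esac
  mode_bits "$3" >/dev/null && mode_bits "$4" >/dev/null || return 2
  if weakens "$3" "$4" && [ "${5:-}" != "--allow-weaker" ]; then
    echo "refusing: $3 -> $4 stops enforcing a check" >&2
    return 3
  fi
  echo "https://$1:8443/rest/volume/modify?name=$2&enforcementmode=$4"
}

# Args: host volume user current_mode new_mode [--allow-weaker]
# Giving curl only the user name makes it prompt for the password, which
# keeps the password out of the process list and shell history.
set_mode() {
  url=$(modify_url "$1" "$2" "$4" "$5" "${6:-}") || return $?
  curl -sS -X POST "$url" --user "$3"
}

if [ $# -ge 5 ]; then set_mode "$@"; fi
```

Moving from PolicyAceAuditAndDataAce to PolicyAceAndDataAce passes the guard, while moving from the default mode to PolicyAceOnly or DataAceOnly is refused until `--allow-weaker` is given.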