Granting Access Using Security Policy
Describes how to grant access to objects using ACEs in a security policy.
About this task
You can define access controls in a security policy using the Control System, CLI, and REST API.
Defining Access Controls in Security Policy Using the Control System
Procedure
- Log in to the Control System and go to the Create Security Policy page. See Creating a Security Policy for more information.
- Grant or deny access to all users (Public) or to specific users or groups in the Data Access Control section.
The following types of access can be granted to all (Public) or to specific users or groups:

Directories
- Read: Read the contents of a directory. If you do not select this permission, mode bits are used to determine read access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume, the parent directory (if any), and the file.
- Lookup: Look up or list the contents of a directory. If you do not select this permission, mode bits are used to determine lookup access. To look up a file or directory that is tagged with this security policy, the user must also have read permissions on the volume and lookup permission on the directory.
- List: List the contents of a directory. If you do not select this permission, mode bits are used to determine directory list access. To list the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume and lookup permission on all directories in the path (if any).
- Add: Add a file or subdirectory. If you do not select this permission, mode bits are used to determine permission to create files or subdirectories. To add a child to a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, add child permission on the parent directory, and read and execute permissions on all directories in the path.
- Delete: Delete a file or subdirectory. If you do not select this permission, mode bits are used to determine permission to delete files or subdirectories. To delete a child of a directory that is tagged with this security policy, the user must also have write permissions on the volume, delete child permission on the parent directory, and lookup permission on all directories in the path.

Files
- Read: Read a file. If you do not select this permission, mode bits are used to determine read access to the file. To read a file that is tagged with this security policy, the user must also have read permissions on the volume and lookup permission on all directories in the path.
- Write: Write to a file. If you do not select this permission, mode bits are used to determine write access to the file. To write to a file that is tagged with this security policy, the user must also have write permissions on the volume and lookup permission on all directories in the path.
- Execute: Execute a file. If you do not select this permission, mode bits are used to determine execute access to the file. To execute a file that is tagged with this security policy, the user must also have read permissions on the volume and lookup permission on all directories in the path.

Tables
- Read: Read new column families that are created in the table.
- Traverse: Descend a hierarchy of column families.
- Write: Write to new column families that are created in the table.
- Mask: Mask information when it is retrieved from the table.
- Complete the steps to create the security policy. See Creating a Security Policy for more information.
Granting Access Using the CLI and REST API
About this task
Use the following command to set access controls when creating a security policy:
/opt/mapr/bin/maprcli security policy create -<ACEparam> <ACEsyntax>
Use the following command to specify Access Control Expressions (ACEs) when modifying a security policy:
/opt/mapr/bin/maprcli security policy modify -<ACEparam> <ACEsyntax>
To use the REST API, send a request of type POST. For example:
curl -k -X POST 'https://<hostname>:8443/rest/security/policy/create?name=<policyName>&<ACEparam>=<ACEsyntax>' --user <username>:<pwd>
curl -k -X POST 'https://<hostname>:8443/rest/security/policy/modify?name=<policyName>&<ACEparam>=<ACEsyntax>' --user <username>:<pwd>
The <ACEparam> values are:
- Directories
  readdirace - to read the contents of a directory. See Read for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  lookupdirace - to look up or list the contents of a directory. See Lookup for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  addchildace - to add a file or subdirectory. See Add for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
  deletechildace - to delete a file or subdirectory. See Delete for Directories in the Defining Access Controls in Security Policy Using the Control System section for more information.
- Files
  readfileace - to read a file. See Read for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
  writefileace - to write to a file. See Write for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
  executefileace - to execute a file. See Execute for Files in the Defining Access Controls in Security Policy Using the Control System section for more information.
- JSON Tables
  readdbace - to read new column families that are created in the table.
  traversedbace - to descend a hierarchy of column families.
  writedbace - to write to new column families that are created in the table.
  unmaskedreaddbace - to read data unmasked.
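The maprcli and REST forms above take the same ACE parameters. The script below is an added example, not part of this documentation or of the MapR software, that assembles both forms for one policy so they can be compared side by side. The host name cldb.example.com, the policy name pii-policy, and the principals alice and finance are constructed placeholder values; the ACE expression syntax (p for public, u:<user>, g:<group>, with | for "or" and & for "and") is MapR's, but the policy shown is hypothetical. Two details matter when the expressions are passed through: in the REST form, & is also the query-string separator and | is not a safe URL character, so each expression is percent-encoded before it is placed in the URL; in the CLI form, each expression is single-quoted so the shell does not treat | as a pipeline or & as a background operator.

```shell
#!/bin/sh
# Added example, not part of the documentation page: build the maprcli command and
# the REST request for 'security policy create' with the ACE parameters listed above.
# cldb.example.com, pii-policy, alice and finance are constructed placeholder values.

# Percent-encode a string for use as a URL query value. ACE expressions use '&'
# and '|' as operators, and '&' is also the query-parameter separator, so an
# unencoded expression would be split into separate parameters by the server.
url_encode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}              # first character of the remainder
        s=${s#?}                     # remainder without that character
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;                 # unreserved: copy as-is
            *) out="$out$(printf '%%%02X' "'$c")" ;;        # everything else: %XX
        esac
    done
    printf '%s' "$out"
}

# REST URL for 'security policy create'. Arguments after host and policy name are
# "<ACEparam>=<ACEsyntax>" pairs, for example "readfileace=u:alice|g:finance".
policy_create_url() {
    host=$1
    policy=$2
    shift 2
    url="https://$host:8443/rest/security/policy/create?name=$(url_encode "$policy")"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        url="$url&$key=$(url_encode "$val")"
    done
    printf '%s' "$url"
}

# curl invocation for the URL above; the credentials stay as placeholders.
policy_create_curl() {
    printf "curl -k -X POST '%s' --user <username>:<pwd>" "$(policy_create_url "$@")"
}

# Equivalent maprcli command. Each ACE expression is single-quoted so the shell
# does not treat '|' as a pipeline or '&' as a background operator.
policy_create_cli() {
    policy=$1
    shift
    cmd="/opt/mapr/bin/maprcli security policy create -name '$policy'"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        cmd="$cmd -$key '$val'"
    done
    printf '%s' "$cmd"
}

# Stand-alone demonstration with constructed values: everyone may read and look up
# directories, alice or any member of finance may read files, and only alice while
# also a member of finance may write them.
demo() {
    set -- 'readdirace=p' 'lookupdirace=p' \
           'readfileace=u:alice|g:finance' 'writefileace=u:alice&g:finance'
    echo '# maprcli form:'
    policy_create_cli 'pii-policy' "$@"; echo
    echo '# REST form (ACE expressions percent-encoded):'
    policy_create_curl 'cldb.example.com' 'pii-policy' "$@"; echo
}
demo
```

Running the script prints the two commands without executing them, which makes it safe to review the exact ACE values that would be submitted before running either against a cluster. The same pattern applies to security policy modify: only the path segment differs.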