Viewing the List of Security Policies

View the list of security policies using the Control System and extended attributes.

About this task

You can retrieve and view the list of security policies using the Control System, the CLI, and REST API.

Viewing the List of Security Policies Using the Control System

Procedure

Log in to the Control System, and click the Security Policies tab and then Admin > Cluster Settings.
The list of security policies display in the Security Policies pane. Filter the list of policies by one of the following Access Control statuses: All, Armed, Disarmed, Denied. For each security policy, the page displays the following fields.
Column Name Description
Policy Name Shows the name of the policy.
Access Control Indicates whether access control is enforced by the Access Control Expression (ACE) setting in the policy:
  • Armed
  • Disarmed
  • Denied
See Changing the State of a Security Policy.
Tagging Indicates whether data objects can be tagged with the policy. See Changing the State of a Security Policy.
Description Displayes the description of the policy.
Date Created Displays the date when the policy was created.
Date Modified Displays the date when the policy was last modified.

Viewing the List of Security Policies Using the CLI and REST API

About this task

The basic command to retrieve the list of security policies that you are allowed to view is: 
/opt/mapr/bin/maprcli security policy list -json
Send a request of type GET. For example: 
curl -X GET 'https://<host>:8443/rest/security/policy/list' --user <username>:<password>
For more information, see policy list.

Retrieving Security Policies Using Extended Attributes

About this task

Describes how to retrieve security policies that are tagged using extended attributes.

Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To retrieve extended attributes, run one of the following commands:

  • getfattr [-hRLP] -n name pathname...
  • getfattr [-hRLP] -d [-m pattern] pathname...

The above commands retrieve both policy tags, as well as other extended attributes.

For example, to retrieve all extended attributes for the /mapr/lab/foo.txt file, use: 

getfattr -d /mapr/lab/foo.txt
 # file: /mapr/lab/foo.txt
 security.mapr.policy="Lab_Security_Policy,Sensitive_data" ← policy tag
 user.test="test"                                     ← other attributes

To retrieve the security policy tags without retrieving the rest of the extended attributes, use the -n option to match the security policy extended attribute name:

getfattr -d -n security.mapr.policy /mapr/lab/foo.txt
 # file: /mapr/lab/foo.txt
 security.mapr.policy="Lab_Security_Policy,Sensitive_Data"
Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To retrieve security policy attributes, use the command:

hadoop fs -getfattr [-R] -n security.mapr.policy | -d <pathname>

For example, to retrieve security policy attributes for the /mapr/lab/foo.txt file, use:

hadoop fs -getfattr -n security.mapr.policy | -d /mapr/lab/foo.txt
Alternatively, use the Hadoop MFS command to retrieve security policy attributes:
hadoop mfs -getsecuritypolicytag [-R] <path>

To retrieve security policy attributes, use the following Java APIs:

  • public byte[] getXAttr(Path path, String name) throws IOException Gets an extended attribute name and value for a file or directory. The name must be prefixed with the namespace, followed by . (period). For security policy tags, the extended attribute name is security.mapr.policy.
  • public Map<String,byte[]> getXAttrs(Path path) throws IOException Gets all the extended attribute name/value pairs for a file or directory. Only those extended attributes that the logged-in user has permissions to view are returned.
  • public Map<String,byte[]> getXAttrs(Path path, List<String> names) throws IOException Gets the extended attributes specified by the given list of names. Only those extended attributes that the logged-in user has permissions to view are returned.
  • public List<String> listXAttrs(Path path) throws IOException Gets all the extended attribute names for a file or directory. Only those extended attribute names that the logged-in user has permissions to view are returned.

Security policies use a special format for the extended attribute name and is always set to the keyword security.mapr.policy.

Retrieve extended attribute values

The getxattr, lgetxattr, and fgetxattr system calls are used to retrieve an extended attribute value associated with a file system object, which may be either a file or directory. The synopsis of these commands are shown below. For additional details, refer to the getxattr(2) Linux manual page.

NAME

getxattr, lgetxattr, fgetxattr - retrieve an extended attribute value

SYNOPSIS

#include <sys/types.h>
#include <attr/xattr.h>
 ssize_t getxattr (const char *path, const char *name, void *value, 
                                        size_t size);
 ssize_t lgetxattr (const char *path, const char *name, void *value, 
                                        size_t size);
 ssize_t fgetxattr (int filedes, const char *name, void *value, 
                                        size_t size);

List extended attribute values

Use the listxattr, llistxattr, and flistxattr to list extended attribute names. For more details, refer to the listxattr(2) Linux manual page.

NAME

listxattr, llistxattr, flistxattr - list extended attribute names

#include <sys/types.h>
#include <attr/xattr.h>
 ssize_t listxattr (const char *path, char *list, size_t size);
 ssize_t llistxattr (const char *path, char *list, size_t size);
 ssize_t flistxattr (int filedes, char *list, size_t size);