Security Policy Java APIs
You can create, retrieve, and remove security policies, and associate security policies with a data object using file system APIs.
The standard Linux extended attributes to tag file system objects are POSIX-compliant. You can use these attributes on any Linux or POSIX-compliant client without installing additional Data Fabric software.
With the extended attribute syntax, setting new tags replaces the old tags. To combine tags, an application must first retrieve the old tags and then combine them with the new tags. Alternatively, applications can use an API with the following features:
- Setting tags should be additive: new tags should be added to the existing tags, and not replace the existing tags.
- Set multiple tags for the same resource in a single API.
- Set tags for multiple file system resources in a single operation.
The extended MapRFileSystem Java class provides such an API for setting policy tags.
The list of MapRFileSystem API methods for data tagging is as follows:
public class MapRFileSystem extends FileSystem;
Method and Description | Modifier and Type |
---|---|
Add a Security Policy Tag | |
Use this method to add a single security policy tag to the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTag parameter contains a security policy tag. | public int |
Use this method to add one or more security policies to the list of existing security policies (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
Replace a Security Policy Tag | |
Use this method to set the security policy tag to the file or directory specified in path, replacing all existing tags. The securityPolicyTag parameter contains a security policy tag. | public int |
Use this method to set one or more security policy tags for the file or directory specified in path, replacing any existing security policy tags. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
Remove a Security Policy Tag | |
Use this method to remove the security policy tag contained in the securityPolicyTag parameter from the list of existing security policy tags (if any) for the file or directory specified in path. | public int |
Use this method to remove one or more security policy tags from the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
Use this method to remove all security policies tagged to the file or directory specified by path. | public int |
Retrieve Security Policy Tags | |
Use this method to retrieve the security policy tags associated with the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
The following example illustrates the usage of file system APIs, and the interchangeability of using the file system API with the extended attribute APIs:
- Set three security policy tags: general, hipaa, and pci, on the file /mapr/lab/foo.txt.
- Retrieve these security policy tags using the extended attribute commands and the getSecurityPolicyTag API.
- Remove the tag pci. Two tags remain: hipaa and general.
- Add a new tag topsecret. The two existing tags, general and hipaa, are preserved. Finally, there are three tags: general, hipaa, and topsecret.
Step 1: Set Security Policy Tags
Use the Java addSecurityPolicyTag API to set three security policies, pci, general, and hipaa, for the file /mapr/lab/foo.txt as follows.
import java.net.*;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
import com.mapr.fs.MapRFileSystem;
import java.util.List;
import java.util.ArrayList;
…
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
// Hadoop Path (org.apache.hadoop.fs.Path), not java.nio.file.Paths
Path path = new Path("/mapr/lab/foo.txt");
List<String> securityPolicies = new ArrayList<String>();
securityPolicies.add("pci");
securityPolicies.add("general");
securityPolicies.add("hipaa");
// Additive: tags already on the file are kept
((MapRFileSystem) fs).addSecurityPolicyTag(path, securityPolicies);
Step 2: Retrieve Security Policy Tags
The getSecurityPolicyTag API returns the same set of security policies general, hipaa, and pci in a List of String object, instead of a comma-separated list:
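List<String> securityPolicies = new ArrayList<String>();
// Tags are returned through the list argument; the complete example below checks status == 0
int status = ((MapRFileSystem) fs).getSecurityPolicyTag(path, securityPolicies);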
Alternatively, use the getfattr extended attribute command to retrieve the three security policy tags:
getfattr -d /mapr/lab/foo.txt
# file: /mapr/lab/foo.txt
security.mapr.policy="general,hipaa,pci"
The tags are always returned in alphabetical order, regardless of the order in which you set them. All security policies are considered equal in terms of determining access rights.
Use the extended attribute Java API getXAttr to obtain the same result: retrieve the three security policy tags. The following segment prints the comma-separated list: general,hipaa,pci.
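import java.net.*;
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
…
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
// Hadoop Path (org.apache.hadoop.fs.Path), not java.nio.file.Paths
Path path = new Path("/mapr/lab/foo.txt");
byte[] securityPolicyBytes = fs.getXAttr(path, "security.mapr.policy");
// Decode the bytes; byte[].toString() would print the array reference, not the tags
System.out.println("Security Policies: " + new String(securityPolicyBytes, StandardCharsets.UTF_8));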
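The retrieve-then-combine step that the extended attribute syntax requires, shown on the comma-separated security.mapr.policy value. This is an added example, not code from the original page or from the Data Fabric API: the class PolicyTagMerge and its methods are hypothetical, the input bytes are constructed, and using FileSystem.setXAttr to write the result back is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collection;
import java.util.TreeSet;

/** Added example: client-side merge of security.mapr.policy values (hypothetical helper). */
public class PolicyTagMerge {
    static final String XATTR = "security.mapr.policy"; // attribute name shown on this page

    /** Parse a raw value such as "general,hipaa,pci" into a sorted, de-duplicated set. */
    static TreeSet<String> parse(byte[] raw) {
        TreeSet<String> tags = new TreeSet<>();
        if (raw == null) {
            return tags; // no tags set yet
        }
        for (String t : new String(raw, StandardCharsets.UTF_8).split(",")) {
            if (!t.trim().isEmpty()) {
                tags.add(t.trim());
            }
        }
        return tags;
    }

    /** Value to write back so that newTags are added to the old tags instead of replacing them. */
    static byte[] merge(byte[] oldRaw, Collection<String> newTags) {
        TreeSet<String> tags = parse(oldRaw);
        for (String t : newTags) {
            // A comma inside a tag would be read back as two tags, so reject it here.
            if (t == null || t.trim().isEmpty() || t.contains(",")) {
                throw new IllegalArgumentException("invalid tag: " + t);
            }
            tags.add(t.trim());
        }
        return String.join(",", tags).getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: the bytes getXAttr(path, XATTR) would return after step 1.
        byte[] old = "general,hipaa,pci".getBytes(StandardCharsets.UTF_8);
        byte[] merged = merge(old, Arrays.asList("topsecret", "hipaa"));
        // Writing `merged` back (for example with FileSystem.setXAttr, assumed here to
        // accept this attribute) keeps the old tags; writing only the new ones drops them.
        System.out.println(XATTR + "=" + new String(merged, StandardCharsets.UTF_8));
        System.out.println("untagged file: "
                + new String(merge(null, Arrays.asList("pci")), StandardCharsets.UTF_8));
    }
}
```

The read and the write are separate calls, so a tag that another client sets in between is lost when the merged value is written; addSecurityPolicyTag needs no client-side merge.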
Step 3: Remove a Security Policy Tag
At this point, the example has three tags for /mapr/lab/foo.txt: general, hipaa, and pci. Now, remove the tag pci using the removeSecurityPolicyTag API:
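Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
// Hadoop Path (org.apache.hadoop.fs.Path), not java.nio.file.Paths
Path path = new Path("/mapr/lab/foo.txt");
…
// Removes only pci; the other tags stay on the file
((MapRFileSystem) fs).removeSecurityPolicyTag(path, "pci");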
Use any of the methods listed in step 2 to see that the pci tag is removed.
Step 4: Add a Security Policy Tag
Add a tag topsecret using the addSecurityPolicyTag API:
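Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
// Hadoop Path (org.apache.hadoop.fs.Path), not java.nio.file.Paths
Path path = new Path("/mapr/lab/foo.txt");
…
// Additive: general and hipaa are kept
((MapRFileSystem) fs).addSecurityPolicyTag(path, "topsecret");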
Since this API sets the tags in an additive fashion, it preserves the two existing tags general and hipaa. The final output is three tags: general, hipaa, and topsecret.
Complete Example of Setting and Retrieving Security Policies
The following sample program uses the tagging APIs on the file /user/root/disks.txt.
This program does the following tasks:
- Tags the file with two tags, namely general and pci.
- Retrieves the tags. The output should display general and pci.
- Removes the tag pci.
- Retrieves the tags. The output should display general.
- Adds the tag hipaa.
- Retrieves the tags. The output should display general and hipaa.
package com.mapr.fs;

import java.net.*;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
import java.io.*;
import com.mapr.fs.MapRFileSystem;
import java.util.List;
import java.util.ArrayList;

class SecurityPolicyTest
{
    public static void main (String [] args) throws IOException
    {
        Configuration conf = new Configuration();
        if (args.length != 1) {
            System.out.println ("Usage: com.mapr.fs.SecurityPolicyTest <path>");
            System.exit(-1);
        }
        String pathName = args[0];
        System.out.println ("Path name: " + pathName);
        FileSystem fs = FileSystem.get(conf);
        Path path = new Path (pathName);
        List<String> securityPolicies = new ArrayList<String>();
        System.out.println ("Adding general,pci");
        securityPolicies.clear();
        securityPolicies.add ("general");
        securityPolicies.add ("pci");
        ((MapRFileSystem)fs).setSecurityPolicyTag(path, securityPolicies);
        List<String> tags = new ArrayList<String>();
        int status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }
        System.out.println ("Removing pci");
        ((MapRFileSystem)fs).removeSecurityPolicyTag (path,"pci");
        tags.clear();
        status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }
        System.out.println ("Add hipaa");
        ((MapRFileSystem)fs).addSecurityPolicyTag(path, "hipaa");
        tags.clear();
        status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }
    }
}
Output
# sh RUN
# export CLASSPATH=`mapr classpath`
# java -cp $CLASSPATH com.mapr.fs.SecurityPolicyTest /user/root/disks.txt
Path name: /user/root/disks.txt
Adding general,pci
Tags:
general,pci
Removing pci
Tags:
general
Add hipaa
Tags:
general,hipaa