Security Policy Enforcement Process
The HPE Ezmeral Data Fabric database and file system enforce security policies hierarchically, starting at the volume level.
Order of Enforcement
- If the volume-level enforcement mode is set to PolicyAceAndDataAce (the default setting), the system evaluates and enforces both the ACEs applied directly to data objects AND the ACEs defined in the security policies applied to those data objects. When a user submits a data-operation request, the system evaluates and enforces the ACEs hierarchically, starting with the volume in which the data resides.
  For example, to perform a write operation on a file, the system first evaluates permissions on the volume in which the file resides. If at least one security policy is applied to the volume, the system evaluates the ACEs set in the security policy AND the ACEs or POSIX mode bits applied directly to the volume. Both sets of ACEs must permit the user to access the volume. If either set of ACEs does not permit access to the volume, the system denies the user permission to perform the operation. If both sets of ACEs permit access to the volume, the system checks access permissions on the file. The system evaluates the security policies applied to the file AND any ACEs or POSIX mode bits applied directly to the file. Both sets of ACEs must permit the user write access on the file. If both allow access (the writefile ACE), the user can perform the data operation on the file. If not, the system denies access.
- When set to PolicyAceOnly, the system enforces only the ACEs set in security policies. A user can perform data operations on a data object only if the security policies associated with the data object allow the user access. However, if a data object is not associated with at least one security policy, the system enforces any ACEs or POSIX mode bits set directly on the data object. In this case, a user can access the data object only if the ACEs or POSIX mode bits set directly on the data object allow the user access.
- In PolicyAceOnly and PolicyAceAndDataAce modes, if a security policy is applied to a data object and no ACEs are defined in the policy (""), the system continues to the next-level data object to evaluate permissions.
Data Fabric File System Enforcement Process
The Data Fabric file system evaluates ACEs and security policies in this order:
- Volumes
- Files/Directories
NOTE: The system only enforces directory ACEs when determining access to the directory during directory operations. For read and write operations, directory ACEs are enforced during the path-walk operation when opening a file. If the user has a handle (FID) to the file, the user can access the file directly with the FID. In that case, the system ignores directory ACEs.
The following diagrams (not reproduced on this page) show the order in which the Data Fabric file system evaluates and enforces data operations on data objects when the enforcement mode is set to:
- PolicyAceOnly
- PolicyAceAuditAndDataAce (permissive mode)
Data Fabric Database Enforcement Process
The security policies and ACEs applied to a volume also apply to JSON tables within that volume. The user that issues a data operation against a table in a volume must have permission to access the data in the volume through ACEs or security policies set on that volume.
The Data Fabric database evaluates ACEs and security policies in this order:
- Volume
- JSON column families
- JSON fields
Data Fabric Database supports ACEs for the following types of data operations:
- Read
- Write
- Traverse (JSON only)
- Append (binary only; Policy-Based Security does not currently support binary tables)
on the following data objects:
- JSON table
- JSON column family
- JSON field
The following diagram (not reproduced on this page) shows the order in which the Data Fabric database evaluates and enforces data operations when the enforcement mode is set to PolicyAceAndDataAce (default mode).
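The hierarchical evaluation described in the Order of Enforcement section (volume first, then file) and in the database section (volume, then table, column family and field) can be modelled as a single top-down walk that stops at the first level that denies. The following Python model is an added example, not HPE's code or the Data Fabric implementation. It assumes an ACE is simply the set of users it allows (real ACEs are boolean expressions), that several policies on one object are combined with OR, that an operation with no direct ACE defined is denied, and that in PolicyAceAndDataAce mode a policy with no ACEs defined ("") still leaves the direct ACEs at that level to be enforced. The object names, users and operation names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Enforcement modes named on the page (PolicyAceAuditAndDataAce is not modelled,
# because the page does not describe its semantics).
POLICY_ACE_AND_DATA_ACE = "PolicyAceAndDataAce"
POLICY_ACE_ONLY = "PolicyAceOnly"

# Simplification: an ACE is the set of users it allows for one operation.
Ace = Set[str]


@dataclass
class DataObject:
    name: str
    # ACEs (or POSIX mode bits) applied directly to the object, keyed by operation.
    data_aces: Dict[str, Ace]
    # Security policies applied to the object, each mapping operation -> ACE.
    # A policy with no entries models the page's "" (no ACEs defined in the policy).
    policies: List[Dict[str, Ace]] = field(default_factory=list)


def policy_permits(obj: DataObject, op: str, user: str) -> Optional[bool]:
    """Decision from the security policies applied to obj.
    None means the policies do not decide at this level: no policy is applied,
    or the applied policies define no ACE for this operation (the "" case),
    so evaluation continues to the next level."""
    relevant = [p[op] for p in obj.policies if op in p]
    if not relevant:
        return None
    # Assumption: with several policies applied, any one permitting the user is enough.
    return any(user in ace for ace in relevant)


def data_ace_permits(obj: DataObject, op: str, user: str) -> bool:
    """Decision from the ACEs / mode bits set directly on obj (assumption: missing = deny)."""
    return user in obj.data_aces.get(op, set())


def level_permits(obj: DataObject, op: str, user: str, mode: str) -> bool:
    pol = policy_permits(obj, op, user)
    if mode == POLICY_ACE_AND_DATA_ACE:
        # Both sets must allow; a non-deciding policy leaves the direct ACEs to decide.
        return (pol is None or pol) and data_ace_permits(obj, op, user)
    if mode == POLICY_ACE_ONLY:
        if obj.policies:
            # Only policy ACEs are enforced; an applied policy with no ACE for this
            # operation does not decide, so the walk continues to the next level.
            return True if pol is None else pol
        # No policy on the object at all: the direct ACEs / mode bits are enforced.
        return data_ace_permits(obj, op, user)
    raise ValueError(f"unknown enforcement mode {mode!r}")


def authorize(path: List[DataObject], op: str, user: str, mode: str) -> Tuple[bool, List[str]]:
    """Walk the hierarchy from the volume down (volume -> file, or
    volume -> table -> column family -> field), stopping at the first denial.
    Returns the overall decision and a per-level trace."""
    trace: List[str] = []
    for obj in path:
        ok = level_permits(obj, op, user, mode)
        trace.append(f"{obj.name}: {'allow' if ok else 'deny'}")
        if not ok:
            return False, trace
    return True, trace


# Constructed sample hierarchy. "writefile" is the file ACE named on the page;
# "read" stands in for the database Read operation.
VOL = DataObject("vol1", data_aces={"writefile": {"alice", "bob"}},
                 policies=[{"writefile": {"alice"}}])
FILE = DataObject("/vol1/report.json", data_aces={"writefile": {"alice", "bob"}},
                  policies=[{}])            # policy applied, but no ACEs defined ("")
TABLE = DataObject("/vol1/orders", data_aces={"read": {"carol"}})   # no policy at all
CF = DataObject("orders:default", data_aces={"read": set()},
                policies=[{"read": {"carol"}}])
FIELD = DataObject("orders:default.total", data_aces={"read": set()}, policies=[{}])


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        # Volume policy and direct ACEs both allow alice; the file policy is "" so
        # only the file's direct ACEs are checked there.
        "alice_write_and": authorize([VOL, FILE], "writefile", "alice", POLICY_ACE_AND_DATA_ACE),
        # bob passes the volume's direct ACEs but not its policy: denied at the volume.
        "bob_write_and": authorize([VOL, FILE], "writefile", "bob", POLICY_ACE_AND_DATA_ACE),
        "bob_write_only": authorize([VOL, FILE], "writefile", "bob", POLICY_ACE_ONLY),
        # PolicyAceOnly: the volume policy has no read ACE (continue), the table has no
        # policy (direct ACEs enforced), the column family policy allows, the field is "".
        "carol_read_only": authorize([VOL, TABLE, CF, FIELD], "read", "carol", POLICY_ACE_ONLY),
        # PolicyAceAndDataAce: the volume has no direct read ACE for carol, so denied at once.
        "carol_read_and": authorize([VOL, TABLE, CF, FIELD], "read", "carol", POLICY_ACE_AND_DATA_ACE),
    }


if __name__ == "__main__":
    for case, (allowed, trace) in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}  ({' -> '.join(trace)})")
```

The trace makes the order of enforcement visible: a denial at the volume short-circuits the walk, which is why a user can hold write permission on a file and still be refused when the volume's policy does not name them. The `carol_read_*` pair shows the practical difference between the two modes on the same objects: PolicyAceOnly falls back to direct ACEs only where no policy is applied, while PolicyAceAndDataAce enforces the direct ACEs at every level regardless.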