Security Policy Inheritance and Replication
Security policies are inherited during data-object creation and copied over during mirroring and replication.
Security policies cannot be mirrored or replicated unless you have configured a global policy master. For information about the security policy domain and configuring a global policy master, see Security Policy Domain and Policy Management.
How Volumes, Directories, and Tables Inherit Security Policy Settings
- Volume Inheritance
- By default, child and mirror (remote and local) volumes inherit the following volume
properties:
securitypolicy
enforcementmode
- Directory Inheritance
- The
setinherit
flag controls whether or not subdirectories and files inherit the security policies applied to the parent directory. Whensetinherit
is enabled (true), new files and directories under the parent directory inherit the security policies applied to the parent directory. If you modify the security policies applied to the parent directory, existing files and subdirectories within the parent directory do not change - Table Inheritance
- JSON tables inherit the
enforcementmode
set on the parent volume. The enforcement mode controls which data access controls the system enforces on the volume and data objects within the volume. You cannot set the enforcement mode directly on a table. See Enforcing Security Policies at the Volume-Level.When a security policy is applied to a table, column families created within the table inherit the security policy, as described:
- Any new column family created (without a security policy) inherits and enforces the table security policy during runtime. The security policy of the column family, which is undefined, remains unchanged.
- Any new column family created (with a column family security policy) enforces the security policy of the table in conjunction with the security policy applied to the column family.
- Modifying the security policy applied to the table does not affect the security policies applied to column families, whether they are defined or not.
- All column families (without security policies) inherit and enforce the latest security policies of the table.
How Security Policy Settings Propagate During Volume and Table Replication
- Volume Replication
- The following table describes how security policy settings propagate during volume
replication:
Data Object Behavior Standard and local mirror volumes The system copies the security policy settings over during replication. Remote mirror volumes The system copies the security policy settings and policies with which the resource is tagged, over to the destination cluster during replication, if the following condition is met: The remote mirror volume cluster must be associated with the same master security policy cluster as the source volume cluster.
For information about master security policy clusters, see Setting Global Configuration Options for Policy-Based Security.
Tiered volumes The system does not propagate the security policy settings because security is enforced by the primary (or front-end) volume Files and directories When individual files and directories are copied, the security policies associated with the files and directories are also copied over. - JSON Table Replication
- When tables are replicated, all security policies attached are transferred at time of
replication.
The following table describes how security policy settings propagate during some common replication scenarios:
Replication Scenario Description Replicate tables from a data-fabric 6.2.x cluster to a pre-data-fabric 6.2.0 cluster Replication fails because the pre-data-fabric 6.2.0 destination cluster does not support Policy-Based Security. Replicate tables from a data-fabric 6.2.x cluster to another data-fabric 6.2.x (or later) cluster The security policies applied to tables, column families, and columns are preserved. Note these considerations for replication in this scenario: - When creating the replica as part of the ReplicaSetup phase in Autosetup, the destination table is created with the same security policy settings, and column family and column security policies as the source.
- The security policies defined for the source cluster must be available on the destination cluster by way of the security policy global namespace. See Setting Global Configuration Options for Policy-Based Security.
- If a security policy defined for the source is not found on the destination, creation of the table, column family, or column will fail, thereby failing the ReplicaSetup. Autosetup will keep retrying the ReplicaSetup until the tags are replicated.
- Column-family creation from the Gateway during replication is not distinguishable from column-family creation from the client.
Change Data Capture (CDC) When you replicate to a CDC stream, the system ignores and drops the security policies. Secondary-index table schema While security policies are not replicated as part of a secondary-index table schema, the same security policies are enforced as the primary table. This behavior is similar to the behavior of ACEs on column families and columns.