Setting Global Configuration Options for Policy-Based Security
The CLDB stores global configuration settings for Policy-Based Security. Before creating security policies, an administrator must designate a master security policy cluster through the cldb.pbs.global.master option.
You can modify global configuration settings through the maprcli config save command and the REST API.
Parameter | Default | Description |
cldb.pbs.max.security.policy | 10000 | Maximum number of configured security policies allowed. Prevents users from arbitrarily creating numerous security policies which could impact performance. |
cldb.pbs.global.master | 0 | (Required) Sets the master security policy cluster for the global namespace. Configure a cluster to perform one of the following roles: NOTE Policy creation or modification on a member cluster is not allowed. |
cldb.pbs.audit.only.policy.check | 0 | Set the value to 1 to enforce permissive mode across all volumes in the cluster. In permissive mode, the system only enforces resource-level ACEs and POSIX mode bits. The system checks the security policies for access and audits denied access events. (It does not actually deny access.) See Volume-Level Security Policy Enforcement Mode. |
cldb.pbs.access.control.enabled | 1 | Enables and disables policy ACEs set in security policies at the cluster-level. It is set to 0 to disable policy access checks across all volumes in the cluster. The DataAce enforcement mode is automatically enabled. See Disabling Policy Access Controls at the Cluster-Level and Volume-Level Security Policy Enforcement Mode for additional information. |
Setting the Policy-Based Security Mode Using the CLI and REST API
maprcli config save -values '{"cldb.pbs.global.master":"1"}'
curl -X POST 'https://<hostname>:8443/rest/config/save?values={"cldb.pbs.global.master":"1"}' --user <username>:<password>
Setting the Policy-Based Security Mode Using the Control System
From the Control System, to set the cluster as the Master for security policies:
- Click the Security Settings icon.
- Click the PBS Mode setting.
- Select PBS Mode as Master from the drop-down.
- Click Submit to save the setting.
Changing the Policy-Based Security Global Master
- Make sure that the cluster to be set as the master is still a member and not a master already. The value of cldb.pbs.global.master on this cluster should be 0.
- Ensure that no policies are being created or modified on the current master cluster.
- Export all policies from the current master cluster, and then import them to the cluster you want to set as the new master.
- Demote the current master cluster to a member by setting cldb.pbs.global.master to 0.
- Promote the cluster to be set as the master to be the global master by setting cldb.pbs.global.master to 1.
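The changeover steps above as a guarded shell sequence, added here as an example and not taken from the product documentation. It assumes both clusters are reachable through maprcli's -cluster option and that `config load -json` prints the setting as "cldb.pbs.global.master":"<value>"; the function names are hypothetical, and the policy export and import step must be finished before it runs.

```shell
#!/usr/bin/env bash
# Added example: guarded switch of the Policy-Based Security global master.
# Assumed: maprcli reaches both clusters via -cluster, and `config load -json`
# prints the setting as "cldb.pbs.global.master":"<0|1>".
KEY=cldb.pbs.global.master

# Print the role value of cluster $1 (0 = member, 1 = master).
pbs_role() {
  maprcli config load -cluster "$1" -keys "$KEY" -json |
    sed -n "s/.*\"$KEY\" *: *\"\([01]\)\".*/\1/p"
}

# Set the role value $2 on cluster $1, then confirm the CLDB reports it back.
pbs_set_role() {
  maprcli config save -cluster "$1" -values "{\"$KEY\":\"$2\"}" || return 1
  [ "$(pbs_role "$1")" = "$2" ]
}

# switch_pbs_master <current-master> <new-master>
# Call only after policy edits are frozen and the policies exported from the
# current master have been imported on the new one.
switch_pbs_master() {
  [ "$(pbs_role "$1")" = 1 ] || { echo "$1 is not the master" >&2; return 2; }
  [ "$(pbs_role "$2")" = 0 ] || { echo "$2 is not a member" >&2; return 3; }
  pbs_set_role "$1" 0 || { echo "demoting $1 failed" >&2; return 4; }
  if ! pbs_set_role "$2" 1; then
    echo "promoting $2 failed; restoring $1 as master" >&2
    pbs_set_role "$1" 1
    return 5
  fi
}
```

The pre-checks refuse to proceed unless the current master reports 1 and the candidate reports 0, so the sequence cannot leave two masters in the global namespace.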