Tagging Volumes, Directories, and Files with Security Policies

Associate security policies with data objects in the file system, including volumes, directories, and files. Associate up to sixteen security policies with a data object in the file system.

Tagging Volumes

About this task

Associate security policies after you create or modify a volume from the Control System, CLI, or REST API. Note that security policies are not supported with tenant volumes and tenant volume resources, and tagging via nfsv3/nfsv4 is not supported since these protocols do not support extended attributes.

Associate security policies with a volume, the volume mount path, or both the volume and the volume mount path. You can only tag a volume mount path through the maprcli create volume command with the rootdirsecuritypolicy option. You cannot tag a volume mount path through the Control System.

IMPORTANT

A snapshot contains the security policy that was tagged on the volume after the snapshot was taken. If you modify the security policy on the volume after creating the snapshot, the snapshot continues to use the older security policy.

CLI

The basic command to tag a volume with a security policy is:

/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policy1,policy2,...>

REST API

Send a request of type POST. For example:

curl -k -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<volPath>&securityPolicy=<policy>' --user mapr:mapr

TIP

For more information, including a complete list of required and optional properties, see volume create.

Control System

Log in to the Control System and go to the Create New Volume page or the Edit Volume page.
Enter or select the name of the security policies to associate with the volume in the SECURITY POLICIES field under the Security section.
Complete the steps to create or modify the volume.

TIP

See Creating a Volume or Modifying a Volume for more information.

Tagging Directories and Files

About this task

Associate security policies with directories and files using hadoop mfs, extended attributes, and Java APIs.

hadoop mfs

Use the following command syntax to tag a directory or file with one or more security policies:

hadoop mfs -setsecuritypolicytag <policyName> <filePath>

TIP

For more information, see hadoop mfs.

Extended attributes

For Linux, use the setfattr command to tag and restore security attributes. Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
For Hadoop, security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
For Java and C APIs, security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

Command Type
Linux	Tag an extended attribute name	Use the following command to set an extended attribute name on a file/directory and/or a FUSE-mounted file path: `setfattr {-n attribute-name} [-v value] [-h] pathToDataObject`
	Associate one or more security policies	To associate one or more security policies with the file `/mapr/lab/foo.txt`, specify a comma-separated list of security policy names. For example, to associate two security policies named `Lab_Security_Policy` and `Sensitive_Data` to `/mapr/lab/foo.txt`, use: `setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab/foo.txt`
	Replace security policies	The `setfattr` command replaces any existing security policies with the specified policies. To remove the `Sensitive_Data` policy and keep the `Lab_Security_Policy`, specify the `Lab_Security_Policy` in the `-v` argument without the `Sensitive_Data` policy: `setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt`
	Associate a security policy with a directory	Use a similar command to associate a security policy to a directory: `setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab` If a directory is tagged with one or more security policies: The data access Access Control Expression (ACE)s in the security policy tags apply when files and sub-directories are created within that directory. These tags are inherited by new files and directories created within the directory, if the `setinherit` flag is set to `true` (default). If the `setinherit` flag is set to `false`, then new files and directories are created with no tags. The files and directories get the default ACE, which is the empty string for all access types; POSIX mode bits are set on the files and directories in the traditional way.
Hadoop	Set security policy attributes	`hadoop fs -setfattr -n security.mapr.policy -v comma-separated list of policy names path` The `-v` parameter is mandatory, and is a comma-separated list of security policy tags. For example, to associate a security policy `Lab_Security_Policy` with the file `/mapr/lab/foo.txt`, use the command: `hadoop fs -setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt` If security policy tags already exist for the specified object, this command replaces any existing security policies with the specified policies. Assume that there are two security policies - `Sensitive_Data_Policy` and `Lab_Security_Policy` tagged to the file `/mapr/lab/foo.txt`. To remove `Sensitive_Data_Policy`, and keep `Lab_Security_Policy`, specify only `Lab_Security_Policy` in the `-v` parameter: `hadoop fs -setfattr -n security.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt` You can use the hadoop mfs command as well. To add policies to an already exisitng set of policies, use the format: `hadoop mfs [-addsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]` To overwrite existing policies with the new policies, use the format: `hadoop mfs [-setsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]`
Java API	Tag security policy attributes	`public void setXAttr(Path path, String name, byte[] value) throws IOException` The following example demonstrates how to use the Java API to tag the security policy as an extended attribute `security.mapr.policy` with the value `Lab_Security_Policy` for the file `/mapr/lab/foo.txt`: `import java.net.; import org.apache.hadoop.fs.; import org.apache.hadoop.conf.*; … Configuration conf = new Configuration(); FileSystem fs = FileSystem.get(conf); Path path = Paths.get("/mapr/lab/foo.txt"); fs.setXAttr(path, "security.mapr.policy", "Lab_Security_Policy");`
C APIs	Associate a security policy with a file system object in C	Use the `setxattr` or `fsetxattr` system call. The brief synopsis is as follows. For more details, refer to the `setxattr`(2) Linux manual pages. `NAME` `setxattr, fsetxattr -- set an extended attribute value` `SYNOPSIS` `#include <sys/xattr.h> int setxattr (const char path, const char name, void value, size_t size, u_int32_t position, int options); int fsetxattr (int fd, const char name, void *value, size_t size, u_int32_t position, int options);`

Java APIs

Associate security policies with data objects using the file system Java APIs. See Security Policy Java APIs for more information.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0