Tagging Volumes, Directories, and Files with Security Policies
Associate security policies with data objects in the file system, including volumes, directories, and files. Associate up to sixteen security policies with a data object in the file system.
Tagging Volumes
About this task
Associate security policies with a volume, with the volume mount path, or with both. You can tag a volume mount path only through the maprcli volume create command with the rootdirsecuritypolicy option; you cannot tag a volume mount path through the Control System.
- CLI
- The basic command to tag a volume with a security policy is:
/opt/mapr/bin/maprcli volume create -name <volName> -path <mountPath> -securitypolicy <policy1,policy2,...>
- REST API
- Send a request of type POST. For example:
curl -k -X POST 'https://<hostname>:8443/rest/volume/create?name=<volName>&path=<volPath>&securityPolicy=<policy>' --user mapr:mapr
TIP: For more information, including a complete list of required and optional properties, see volume create.
- Control System
- Log in to the Control System and go to the Create New Volume page or the Edit Volume page.
- Enter or select the names of the security policies to associate with the volume in the SECURITY POLICIES field under the Security section.
- Complete the steps to create or modify the volume.
Tagging Directories and Files
About this task
Tag directories and files with security policies using hadoop mfs, extended attributes, or the Java APIs.
- hadoop mfs
- Use the following command syntax to tag a directory or file with one or more security policies:
hadoop mfs -setsecuritypolicytag <policyName> <filePath>
- Extended attributes
- For Linux, use the setfattr command to tag and restore security attributes. Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.
- For Hadoop, security policies use the same extended attribute name, which is always set to the keyword security.mapr.policy.
- For the Java and C APIs, security policies use the same extended attribute name, which is always set to the keyword security.mapr.policy.
Command type: Linux

Tag an extended attribute name
Use the following command to set an extended attribute name on a file, a directory, or a FUSE-mounted file path:
setfattr {-n attribute-name} [-v value] [-h] pathToDataObject

Associate one or more security policies
To associate one or more security policies with the file /mapr/lab/foo.txt, specify a comma-separated list of security policy names. For example, to associate two security policies named Lab_Security_Policy and Sensitive_Data with /mapr/lab/foo.txt, use:
setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab/foo.txt

Replace security policies
The setfattr command replaces any existing security policies with the specified policies. To remove the Sensitive_Data policy and keep Lab_Security_Policy, specify only Lab_Security_Policy in the -v argument:
setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt

Associate a security policy with a directory
Use a similar command to associate a security policy with a directory:
setfattr -n security.mapr.policy -v "Lab_Security_Policy,Sensitive_Data" /mapr/lab
If a directory is tagged with one or more security policies:
- The data-access Access Control Expressions (ACEs) in the security policy tags apply when files and subdirectories are created within that directory.
- These tags are inherited by new files and directories created within the directory if the setinherit flag is set to true (the default).
- If the setinherit flag is set to false, new files and directories are created with no tags. They get the default ACE, which is the empty string for all access types, and their POSIX mode bits are set in the traditional way.

Command type: Hadoop

Set security policy attributes
hadoop fs -setfattr -n security.mapr.policy -v <comma-separated list of policy names> <path>
The -v parameter is mandatory and is a comma-separated list of security policy tags. For example, to associate the security policy Lab_Security_Policy with the file /mapr/lab/foo.txt, use:
hadoop fs -setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt
If security policy tags already exist for the specified object, this command replaces them with the specified policies. Assume that two security policies, Sensitive_Data_Policy and Lab_Security_Policy, are tagged to the file /mapr/lab/foo.txt. To remove Sensitive_Data_Policy and keep Lab_Security_Policy, specify only Lab_Security_Policy in the -v parameter:
hadoop fs -setfattr -n security.mapr.policy -v "Lab_Security_Policy" /mapr/lab/foo.txt
You can use the hadoop mfs command as well. To add policies to an existing set of policies, use the format:
hadoop mfs [-addsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]
To overwrite existing policies with the new policies, use the format:
hadoop mfs [-setsecuritypolicytag [-R] <comma-separated list of security policy tags> <path>]

Command type: Java API

Tag security policy attributes
public void setXAttr(Path path, String name, byte[] value) throws IOException
The following example demonstrates how to use the Java API to tag the security policy as an extended attribute security.mapr.policy with the value Lab_Security_Policy for the file /mapr/lab/foo.txt. The value is passed as bytes, and setting the attribute replaces any tags already on the file:
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
…
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
// org.apache.hadoop.fs.Path, not java.nio.file.Path
Path path = new Path("/mapr/lab/foo.txt");
// setXAttr takes the value as a byte array and replaces any existing tag list
fs.setXAttr(path, "security.mapr.policy", "Lab_Security_Policy".getBytes(StandardCharsets.UTF_8));

Command type: C APIs

Associate a security policy with a file system object in C
Use the setxattr or fsetxattr system call with the attribute name security.mapr.policy. The brief synopsis is as follows; for more details, refer to the setxattr(2) Linux manual page.
NAME
setxattr, fsetxattr -- set an extended attribute value
SYNOPSIS
#include <sys/xattr.h>
int setxattr(const char *path, const char *name, const void *value, size_t size, int flags);
int fsetxattr(int fd, const char *name, const void *value, size_t size, int flags);
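Both setfattr and hadoop fs -setfattr replace the whole tag list, so adding or removing a single policy through the extended-attribute route means reading the current value, editing the list, and writing it back. The following added example (not code from the product documentation or the product itself) shows that read-merge-write in C against the security.mapr.policy attribute, enforces the sixteen-policy limit stated above, and mirrors the documented "keep Lab_Security_Policy, drop Sensitive_Data" case. The policy names and the PCI_Scope tag are constructed sample values; the setxattr/getxattr wrapper assumes a Linux build and a path on a file system that honours security.mapr.policy as documented (on an ordinary local file system the security.* namespace needs CAP_SYS_ADMIN).

```c
/* Added example, not part of the product documentation.
 * Computes the new security.mapr.policy value before writing it, because
 * setxattr replaces the whole tag list. Policy names are constructed samples. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

#define POLICY_XATTR "security.mapr.policy"  /* attribute name from the docs */
#define MAX_POLICIES 16                       /* documented per-object limit */
#define POLICY_BUF 4096

/* Split a comma-separated list in place; returns the count, or -1 if over max. */
static int split_policies(char *list, char *out[], int max) {
    int n = 0;
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        if (*tok == '\0') continue;
        if (n == max) return -1;
        out[n++] = tok;
    }
    return n;
}

/* Join the items back into a comma-separated value; returns the count or -1. */
static int join_policies(char *out[], int n, char *dst, size_t dstsz) {
    size_t used = 0;
    dst[0] = '\0';
    for (int i = 0; i < n; i++) {
        size_t len = strlen(out[i]);
        if (used + len + (i ? 1 : 0) + 1 > dstsz) { errno = ENAMETOOLONG; return -1; }
        if (i) dst[used++] = ',';
        memcpy(dst + used, out[i], len + 1);
        used += len;
    }
    return n;
}

/* current: existing tag list ("" if none); policy: name to add.
 * Writes the merged list into dst. Returns the new count, -1 on error (errno set).
 * A policy already present leaves the list unchanged; a 17th policy is rejected. */
int policy_list_add(const char *current, const char *policy, char *dst, size_t dstsz) {
    char buf[POLICY_BUF];
    char *items[MAX_POLICIES + 1];
    if (strlen(current) >= sizeof buf || *policy == '\0' || strchr(policy, ',')) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, current);
    int n = split_policies(buf, items, MAX_POLICIES);
    if (n < 0) { errno = E2BIG; return -1; }
    for (int i = 0; i < n; i++)
        if (strcmp(items[i], policy) == 0)
            return join_policies(items, n, dst, dstsz);
    if (n == MAX_POLICIES) { errno = E2BIG; return -1; }
    items[n++] = (char *)policy;
    return join_policies(items, n, dst, dstsz);
}

/* Remove one policy from the list, keeping the others in order. */
int policy_list_remove(const char *current, const char *policy, char *dst, size_t dstsz) {
    char buf[POLICY_BUF];
    char *items[MAX_POLICIES + 1], *kept[MAX_POLICIES + 1];
    if (strlen(current) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, current);
    int n = split_policies(buf, items, MAX_POLICIES), k = 0;
    if (n < 0) { errno = E2BIG; return -1; }
    for (int i = 0; i < n; i++)
        if (strcmp(items[i], policy) != 0) kept[k++] = items[i];
    return join_policies(kept, k, dst, dstsz);
}

#ifdef __linux__
/* Read-merge-write against a real path, e.g. a FUSE mount of the cluster.
 * Assumption: the file system honours security.mapr.policy as documented. */
int tag_path_add_policy(const char *path, const char *policy) {
    char current[POLICY_BUF] = "", next[POLICY_BUF];
    ssize_t len = getxattr(path, POLICY_XATTR, current, sizeof current - 1);
    if (len < 0 && errno != ENODATA) return -1;   /* "no tags yet" is not an error */
    if (len > 0) current[len] = '\0';
    if (policy_list_add(current, policy, next, sizeof next) < 0) return -1;
    return setxattr(path, POLICY_XATTR, next, strlen(next), 0);
}
#endif

int main(int argc, char **argv) {
    char out[POLICY_BUF];
    /* Constructed sample: start from the two-policy tag used in the docs. */
    if (policy_list_add("Lab_Security_Policy,Sensitive_Data", "PCI_Scope", out, sizeof out) > 0)
        printf("%s\n", out);
#ifdef __linux__
    /* Usage: ./tag <path> <policy>  (writes the merged list to the path) */
    if (argc == 3 && tag_path_add_policy(argv[1], argv[2]) != 0) perror(POLICY_XATTR);
#endif
    return 0;
}
```

The list functions are deliberately separated from the xattr calls so the merge logic can be checked without a cluster mount; hadoop mfs -addsecuritypolicytag performs the same add semantics server-side, whereas the plain -setfattr route needs this merge step.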
- Java APIs
- Associate security policies with data objects using the file system Java APIs. See Security Policy Java APIs for more information.