Troubleshooting Security Policies

This topic describes problems that you may encounter when creating and using security policies. It includes recommendations on how to troubleshoot and resolve problems.

Cannot Create a Security Policy

You encounter the following error when attempting to create a security policy:

ERROR (1) -  Security policy create of XXX failed: Security policy creation failed: No privileges to create a security policy

You must have cluster-level create/delete security policy (cp) permission to create a security policy.

To check your cluster-level permissions, assuming you have cluster-level login permission, run the following command:

maprcli acl show -type cluster

The following shows sample output for a user with the necessary cp permission:

Allowed actions    Principal
[login, cp]        User PolicyAdmin

Cannot view a Security Policy

If you receive an error when running the maprcli security policy info command, the root cause depends on the error you encounter:

No Data Fabric Ticket
ERROR (22) -  You do not have a ticket to communicate with 10.10.20.40:7222. Retry after obtaining a new ticket using maprlogin

This indicates that you do not have a Data Fabric ticket to access the secure Data Fabric cluster.

Create a Data Fabric ticket by running maprlogin password.

No Policy-Level Permission
ERROR (2) -  Security policy lookup of XXX failed, Operation not permitted

The possible reasons for this error are as follows:

Possible cause: The policy ACL does not grant the policy-level read permission to you or to any group you belong to.
Troubleshooting steps:
  1. Ask the user who granted you access to confirm your policy-level permission by running:
    maprcli security policy info \
      -name XXX \
      -columns acl -json
  2. Request the read permission if you do not have it.

Possible cause: You are not a member of a group that has policy-level permission.
Troubleshooting steps:
  1. Run the id command to verify your group membership.
  2. If you are not a member of the group, ask an administrator to add you.
  3. If you are using Data Fabric tickets, recreate your ticket after your group membership has been updated.

Possible cause: Your Data Fabric ticket does not reflect your updated group membership because you created the ticket before your group membership changed.
Troubleshooting steps:
  1. Verify your Data Fabric ticket by examining the output of maprlogin print.
  2. If the ticket does not include the group that has policy-level permission, recreate your Data Fabric ticket.
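
The checks described above for the "Cannot Create a Security Policy" and "Cannot view a Security Policy" sections (the cluster ACL for cp, id for current group membership, and maprlogin print for the groups carried by the ticket) can be scripted so that the comparison is done mechanically rather than by eye. The following is an added example; it is not part of the Data Fabric documentation or of maprcli. The helpers read command output as text, so they run without a cluster: the sample ACL table and ticket line are constructed to mimic the real output, and the layout of the maprlogin print line in particular is an assumption that should be compared against a real ticket before relying on it. The triage function shows how the helpers would be fed from the live commands on a cluster node; it is not executed here.

```shell
#!/bin/sh
# Added example for this troubleshooting page (not part of the Data Fabric docs or
# of maprcli). Offline helpers that parse the output of the three checks:
#   maprcli acl show -type cluster   -> does a principal hold "cp"?
#   id -G                            -> which gids do I have right now?
#   maprlogin print                  -> which gids are baked into my ticket?
# Each helper reads command output as text so it can be exercised without a
# cluster; the sample strings below are constructed to mimic the real formats.

# Constructed sample of "maprcli acl show -type cluster" with two principals.
SAMPLE_CLUSTER_ACL='Allowed actions             Principal
[login, cp]              User PolicyAdmin
[login]                  Group analysts'

# Constructed sample of the cluster line printed by "maprlogin print".
# The exact layout is an assumption; check it against a real ticket.
SAMPLE_TICKET="my.cluster.com: user = alice, created = 'Mon Jan 01 09:00:00 UTC 2024', expires = 'Mon Jan 15 09:00:00 UTC 2024', RenewalTill = 'Wed Jan 31 09:00:00 UTC 2024', uid = 1000, gids = 1000, 2000, CanUserImpersonate = false"

# cluster_has_perm PRINCIPAL PERM: read an "acl show" table on stdin and succeed
# only if PRINCIPAL (e.g. "User PolicyAdmin" or "Group analysts") is allowed PERM.
cluster_has_perm() {
    awk -v p="$1" -v a="$2" '
        /^\[/ {
            close_at = index($0, "]")
            actions = substr($0, 2, close_at - 2)          # e.g. "login, cp"
            who = substr($0, close_at + 1)
            sub(/^[ \t]+/, "", who); sub(/[ \t]+$/, "", who)
            if (who == p) {
                n = split(actions, acts, /,[ \t]*/)
                for (i = 1; i <= n; i++) if (acts[i] == a) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# ticket_gids: print one gid per line from a "maprlogin print" line on stdin.
ticket_gids() {
    sed -n 's/.*gids = \([0-9, ]*\), CanUserImpersonate.*/\1/p' | tr -d ' ' | tr ',' '\n'
}

# groups_missing_from_ticket "ID_GIDS" "TICKET_LINE": print every gid from the
# live "id -G" output that the ticket does not carry. Any output means the ticket
# predates a group change and must be recreated with "maprlogin password".
groups_missing_from_ticket() {
    have=$(printf '%s\n' "$2" | ticket_gids)
    for g in $1; do                       # $1 is a space-separated gid list
        printf '%s\n' "$have" | grep -qx "$g" || printf '%s\n' "$g"
    done
}

# triage: run the live checks for the calling user on a cluster node.
# Shown for usage only; it needs a secure cluster and a ticket to run.
triage() {
    user=$(id -un)
    if maprcli acl show -type cluster | cluster_has_perm "User $user" cp; then
        echo "$user holds cluster-level cp: can create security policies"
    else
        echo "$user lacks cluster-level cp as a User entry; check Group entries too"
    fi
    missing=$(groups_missing_from_ticket "$(id -G)" "$(maprlogin print | grep 'gids = ')")
    if [ -n "$missing" ]; then
        echo "ticket lacks gids that id -G reports: $missing; rerun maprlogin password"
    fi
}
```

On a node, pipe the live output into cluster_has_perm exactly as triage does; a group grant only helps if the group's gid also appears in the ticket, which is the case groups_missing_from_ticket detects.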

Cannot Modify a Security Policy

Depending on the property you are trying to modify, you must have certain cluster-level or policy-level permissions:

Update Non-Permission Properties of a Policy

If you encounter the following error:

ERROR (1) -  Security policy update of XXX failed: Insufficient privileges to update general section for security policy XXX

You must have one of the following cluster-level or policy-level permissions:

  • Cluster-level cp, a, or fc permission
  • Policy-level a or fc permission
Update Permission Properties of a Policy

If you encounter the following error:

ERROR (1) -  Security policy update of XXX failed: Insufficient privileges to update ACL for security policy XXX

You must have one of the following cluster-level or policy-level permissions:

  • Cluster-level cp or admin permission
  • Policy-level admin permission
Cannot tag a security policy to a data object

If you cannot tag a policy to a data object or the volume page search in the Control System is not displaying a security policy, verify that allowtagging is set to true, as described in Changing the State of a Security Policy.

Policies not visible after the CLDB starts

After the CLDB master starts, it can take a couple of minutes for the policy server to come up. Currently, only the policy server on the cluster designated as the global policy master serves operations; the policy servers on member clusters remain on standby and do not serve operations. Wait for the policy server to come up, then retry.

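Rather than retrying by hand for a couple of minutes, the wait can be scripted as a bounded poll. The following is an added example, not part of the Data Fabric documentation: it repeats any probe command until it succeeds or a deadline passes. Using maprcli security policy list as the probe is an assumption based on it being an operation the policy server must answer; substitute whichever policy operation you are trying to run.

```shell
#!/bin/sh
# Added example (not from the Data Fabric docs): poll until the policy server
# answers instead of retrying by hand.
#
#   wait_for_policyserver TIMEOUT INTERVAL CMD [ARGS...]
#
# Runs CMD repeatedly; returns 0 the first time it succeeds and 1 once TIMEOUT
# seconds have elapsed without success. Both durations are in seconds. Output
# of CMD is discarded, so only its exit status matters.
wait_for_policyserver() {
    timeout="$1"; interval="$2"; shift 2
    elapsed=0
    while :; do
        if "$@" >/dev/null 2>&1; then
            echo "policy server responded after ${elapsed}s"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "policy server still not serving after ${elapsed}s" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Usage on a cluster node after the CLDB master starts. The probe command is an
# assumption: any maprcli security policy operation that fails while the policy
# server is starting and succeeds once it serves requests will do.
#   wait_for_policyserver 600 15 maprcli security policy list -json
```

Keep TIMEOUT generous on the global policy master; on a member cluster the probe will keep failing by design, because its policy server does not serve operations, so point the probe at the global policy master instead.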
Mirroring/Restore fails due to no policies

If mirroring or restore fails due to no policies, import the policies from the global policy master or a member cluster that has the policies, as described in Security Policy Domain and Policy Management.

Access check on mirror source and destination clusters differ

The policies on the two clusters are out of sync: they may have been modified on the global policy master and not yet propagated to one or both clusters. Get the latest policies on both clusters, as described in Security Policy Domain and Policy Management.

Access checks fail

View the file system audit logs on the master node.

Where are the logs?

The following table lists the log locations for components related to security policies:

Component               Location
PolicyServer            cldb.log
Access Check            MFS
Audit Logs              FS audit logs on the NC master node
Client (for tagging)    Regular client logs (ffs.log, or enable Hadoop debug and then check stdout)