Troubleshooting Security Policies
This topic describes problems that you may encounter when creating and using security policies. It includes recommendations on how to troubleshoot and resolve problems.
Cannot Create a Security Policy
You encounter the following error when attempting to create a security policy:
ERROR (1) - Security policy create of XXX failed: Security policy creation failed: No privileges to create a security policy
You must have the cluster-level create/delete security policy (cp) permission to create a security policy.
To check your cluster-level permissions, assuming you have the cluster-level login permission, run the following command:
maprcli acl show -type cluster
The following shows sample output for a user with the necessary cp permission:
Allowed actions    Principal
[login, cp]        User PolicyAdmin
Cannot View a Security Policy
If you receive an error when running the maprcli security policy info command, the root cause depends on the error you encounter:
- No Data Fabric Ticket
  ERROR (22) - You do not have a ticket to communicate with 10.10.20.40:7222. Retry after obtaining a new ticket using maprlogin
  This indicates that you do not have a Data Fabric ticket to access the secure Data Fabric cluster. Create a Data Fabric ticket by running:
  maprlogin password
- No Policy-Level Permission
  ERROR (2) - Security policy lookup of XXX failed, Operation not permitted
  The possible reasons for this error are as follows:
  Possible Cause: Either you or the group that you belong to does not have the policy-level read permission.
  Troubleshooting Steps:
    - Ask the user who granted you access to confirm your policy-level permission by running:
      maprcli security policy info -name XXX -columns acl -json
    - Request access if you do not have the read permission.
  Possible Cause: You are not a member of a group that has policy-level permission.
  Troubleshooting Steps:
    - Run the id command to verify your group membership.
    - If you are not a member of the group, request an administrator to add you.
    - If you are using Data Fabric tickets, recreate your ticket after updating your group membership.
  Possible Cause: Your Data Fabric ticket does not reflect your updated group membership because you created the ticket before changing your group membership.
  Troubleshooting Steps:
    - Verify your Data Fabric ticket by examining the output from:
      maprlogin print
    - If the ticket does not include the group that has policy-level permission, then recreate your Data Fabric ticket.
    - Ask the user who granted you access to confirm your policy-level permission by running the maprcli security policy info command shown above.
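The checks above (cluster-level cp permission for creating a policy, and group membership for policy-level access) can be automated by parsing the command output they refer to. The following POSIX shell helpers are an added example and are not part of the Data Fabric documentation: they parse output in the layout this page shows for maprcli acl show -type cluster and the standard groups= list printed by id. The sample outputs, the user analyst, and the group policy-readers are constructed here so the script runs offline; on a cluster you would capture the real output with the commands named in the comments. The JSON shape returned by maprcli security policy info -columns acl -json is not shown on this page, so it is deliberately not parsed here.

```shell
#!/bin/sh
# Added example, not from the Data Fabric documentation. Parses the two outputs
# this page tells you to inspect and answers the questions the troubleshooting
# table asks: does a principal hold a cluster-level permission, and is a user
# in the group that carries the policy-level permission?

# Constructed sample, laid out like the page's example output of:
#   maprcli acl show -type cluster
SAMPLE_CLUSTER_ACL='Allowed actions Principal
[login, cp] User PolicyAdmin
[login] User analyst
[login, a, fc] Group policy-editors'

# Constructed sample output of `id` for a hypothetical user "analyst" who is
# a member of the hypothetical group "policy-readers".
SAMPLE_ID='uid=1001(analyst) gid=1001(analyst) groups=1001(analyst),2001(policy-readers)'

# has_cluster_perm OUTPUT TYPE NAME PERM
# Prints "yes" and returns 0 when principal TYPE NAME (for example
# "User PolicyAdmin") lists PERM in its allowed actions; otherwise prints
# "no" and returns 1.
has_cluster_perm() {
  printf '%s\n' "$1" | awk -v ptype="$2" -v pname="$3" -v perm="$4" '
    NR == 1 { next }                           # skip the column header line
    /^\[/ {
      close_idx = index($0, "]")
      actions = substr($0, 2, close_idx - 2)   # text between [ and ]
      rest = substr($0, close_idx + 2)         # "User PolicyAdmin"
      split(rest, f, " ")
      if (f[1] != ptype || f[2] != pname) next
      n = split(actions, a, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^ +| +$/, "", a[i])              # trim spaces around each action
        if (a[i] == perm) found = 1
      }
    }
    END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# in_group ID_OUTPUT GROUP
# Prints "yes" and returns 0 when GROUP appears in the groups= list of `id`
# output; otherwise prints "no" and returns 1.
in_group() {
  printf '%s\n' "$1" | awk -v grp="$2" '
    match($0, /groups=[^ ]*/) {
      list = substr($0, RSTART + 7, RLENGTH - 7)   # drop the "groups=" prefix
      n = split(list, g, ",")
      for (i = 1; i <= n; i++)
        if (g[i] ~ ("\\(" grp "\\)$")) found = 1   # entries look like 2001(name)
    }
    END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# Walk the page's checks for the constructed user. `if` is used so a "no"
# result does not abort a caller running under set -e.
if has_cluster_perm "$SAMPLE_CLUSTER_ACL" User analyst cp >/dev/null; then
  echo "analyst holds cluster-level cp and can create security policies"
else
  echo "analyst lacks cluster-level cp: expect 'No privileges to create a security policy'"
fi
if in_group "$SAMPLE_ID" policy-readers >/dev/null; then
  echo "analyst is in policy-readers; a ticket created before that membership must be recreated with maprlogin password"
else
  echo "analyst is not in policy-readers; ask an administrator to add the user"
fi
```

Both helpers print a result and also return a status, so they work either in `[ "$(...)" = yes ]` tests or directly in an `if`. Because a Data Fabric ticket carries the group list from the moment it was created, a "yes" from in_group on the live id output is necessary but not sufficient: the ticket shown by maprlogin print must also contain that group.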
Cannot Modify a Security Policy
Depending on the property you are trying to modify, you must have certain policy-level permissions:
- Update Non-Permission Properties of a Policy
  If you encounter the following error:
  ERROR (1) - Security policy update of XXX failed: Insufficient privileges to update general section for security policy XXX
  You must have one of the following cluster-level or policy-level permissions:
    - Cluster-level cp, a, or fc permission
    - Policy-level a or fc permission
- Update Permission Properties of a Policy
  If you encounter the following error:
  ERROR (1) - Security policy update of XXX failed: Insufficient privileges to update ACL for security policy XXX
  You must have one of the following cluster-level or policy-level permissions:
    - Cluster-level cp or admin permission
    - Policy-level admin permission
- Cannot Tag a Security Policy to a Data Object
  If you cannot tag a policy to a data object, or the volume page search in the Control System does not display a security policy, verify that allowtagging is set to true, as described in Changing the State of a Security Policy.
- Policies Not Visible After the CLDB Starts
  After the CLDB master starts, it can take a couple of minutes for the policy server to come up. Currently, only the policy server on the cluster designated as the global policy master serves operations; the policy servers on member clusters stand by and do not serve operations. Wait for the policy server to come up.
- Mirroring or Restore Fails Due to No Policies
  If mirroring or restore fails because the policies are missing, import the policies from the global policy master or from a member cluster that has the policies, as described in Security Policy Domain and Policy Management.
- Access Checks on the Mirror Source and Destination Clusters Differ
  The policies may have been modified on the global policy master and not yet propagated to one or both clusters. Get the latest policies, as described in Security Policy Domain and Policy Management.
- Access Checks Fail
  View the file system audit logs on the master node.
- Where Are the Logs?
  The following table lists the log locations for components related to security policies:
  Component              Location
  PolicyServer           cldb.log
  Access Check           MFS audit logs
  NC master node         FS audit logs
  Client (for tagging)   Regular client logs (ffs.log, or enable Hadoop debug and then stdout)