Modifying a Security Policy

Describes how to modify a security policy.

About this task

You can modify a security policy using the Control System, the CLI, and REST API. You can change the following settings if you edit a security policy:
  • Security policy state
  • Wire-level encryption and auditing
  • Data access control
  • Security policy administration control
If you modify a security policy that is currently tagged (or in use), changes to the policy are enforced within 5 minutes.

Modifying a Security Policy Using the Control System

Prerequisites

If not already done, you must first set the related cluster as the global policy master node for the Container Location Database (CLDB) associated with the security policy being modified. See Configuring the Global Policy Master for more information.

Procedure

  1. Log in to the Control System and go to the Security Policies tag in the Admin > Cluster Settings page to view the list of security policies that you are allowed to see.
  2. Click the name of the security policy to display the Edit Security Policy page.
  3. Make changes to the security policy status by selecting the state to transition to from the drop-down list of statuses next to the Edit Security Policy label.
    See Changing the State of a Security Policy for more information on the various states and the valid state to which you need to transition a security policy.
  4. Modify any of the following properties:
    Description The description of the policy. The maximum length of the description is 128 characters.
    Enable Wire-level Encryption The wire-level encryption setting. Enable (Yes) or disable (No) wire-level encryption by moving the slider.
    Enable Audit Operations The audit setting for files, directories, tables, and streams. Enable (Yes) or disable (No) auditing of operations on files, directories, tables, and streams by moving the slider.
    Audit Operations (Visible only if auditing is enabled) The list of file, directory, table, and stream operations to audit. Select the default list of operations to audit by choosing the Default radio button. Select specific file, directory, table, and streams operations to audit by choosing the Custom radio button. Enabling setattr automatically enables the following operations:
    • chown
    • chgrp
    • chperm
    If you disable setattr, these operations are automatically disabled. If you do nothing with setattr (neither enable nor disable), you can enable or disable chown, chgrp, and chperm in any combination and they will not affect setattr.
    Allow Tagging

    (For JSON Tables)

    		 The setting to enable (Yes) or disable (No) tagging of JSON tables for this security policy. If Yes, users can tag data objects of JSON tables with this policy. If No, users cannot tag data objects of JSON tables with this security policy. See Changing the State of a Security Policy for more information.
  5. Make changes to data access control as needed in the Data Access Control section.
    1. Select one of the following state for access control.
      • Disarmed—Indicates access control is not enforced by the Access Control Expression (ACE) settings defined in the policy
      • Armed—Indicates access control is enforced by the ACE settings defined in the policy
      • Denied—Indicates access control is always denied.
      For more information on access control states, see Changing the State of a Security Policy.
    2. Set new or modify existing ACEs for users, groups, and/or roles.
      You can:
      • Create a copy of an existing ACE setting for an entity (user, group, or role) by clicking , which you can then modify.
      • Remove ACEs for an entity (user, group, or role) by clicking .
      • Set new ACEs if you have not set ACEs before for users, groups, or roles by clicking Add Access Permission.
      • Add ACEs for another user, group, or role by clicking Add Another.
      • Modify an existing ACE setting for an entity (user, group, or role) by clicking .
      After you click Add Access Permission, Add Another, or , the Add Access Permission window displays. You can:
      1. Enter new or modify the existing comma-separated list of users, groups, or roles to grant access to in the Users, Groups, and Roles text boxes respectively. Select the Custom ACE checkbox to manually enter the ACE in the text box that appears.

        For more information on how to build the custom access control expression, see Managing Access Control Expressions.

      2. Click Next: Select Permissions to display the Add Access Permissions page.
        The following table describes the permissions that can be granted to the specified users, groups, or roles in this page:
        Object Permission
        Directories
        • Read the contents of a directory. If you do not select this option, mode bits are used to determine read access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume, the parent directory (if any), and the file.

          This is the same as the readdirace property in the CLI.

        • Lookup or list the contents in a directory. If you do not select this option, mode bits are used to determine lookup access. To read the contents of a directory that is tagged with this security policy, the user must also have read permissions on the volume and the directory.

          This is the same as the lookupdirace property in the CLI.

        • Add a file or subdirectory. If you do not select this option, mode bits are used to determine permissions to create files or subdirectories. To add a child to a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, add child permission on the parent directory, and read and execute permissions on all directories in the path.

          This is the same as the addchildace property in the CLI.

        • Delete a file or subdirectory. If you do not select this option, mode bits are used to determine permissions to create files or subdirectories. To delete a child of a directory that is tagged with this security policy, the user must also have write permissions on the volume and the parent directory, delete child permission on the parent directory, and read and execute permissions on all directories in the path.

          This is the same as the deletechildace property in the CLI.

        For more information, see Managing File and Directory ACEs.
        Files
        • Read a file. If you do not select this option, mode bits are used to determine read access to the file. To read a file that is tagged with this security policy, the user must also have read permissions on the volume.

          This is the same as the readfileace property in the CLI.

        • Write to a file. If you do not select this option, mode bits are used to determine read access to the file. To write to a file that is tagged with this security policy, the user must also have write permissions on the volume.

          This is the same as the writefileace property in the CLI.

        • Execute a file. If you do not select this option, mode bits are used to determine execute access to the file. To execute a file that is tagged with this security policy, the user must also have read permissions on the volume.

          This is the same as the executefileace property in the CLI.

        For more information, see Managing File and Directory ACEs.
        Tables
        • Read new column families that are created in the table.

          This the same as the readdbace property in the CLI.

          See Security on JSON Tables for more information.

        • Traverse CF to descend a hierachy of column families.

          This is the same as the traversedbace property in the CLI.

          See Security on JSON Tables for more information.

        • Write to new column families that are created in the table.

          This is the same as the writedbace property in the CLI.

          See Security on JSON Tables and Enabling Table and Stream Authorizations with ACEs for more information.

        • Unmasked Data. If you do not select this option, disallows the viewing of select and sensitive table fields of a column family.

          See Dynamic Data Masking for more information on data masking.
      3. Select the checkbox associated with the individual permission to grant that type of permission to the user, group, or role, or click the following:
        • Reads to grant:
          • read permission on directories, files, and tables
          • lookup permission on directories
          • traverse column family permission on tables
          This is the same as the readaces property in the CLI.
        • Writes to grant:
          • write permission on files and tables
          • add and delete child permissions on directories
          This is the same as the writeaces property in the CLI.
        • Executes to grant execute permission on files.

          This is the same as the executefileace property in the CLI.

      4. Click Add to add the data access permissions to the policy.
  6. Make changes as needed to perform administrative operations on the policy in the Policy Administration Control section.
    You can:
    • Create a copy of an existing policy administration control setting for an entity by clicking , which you can then modify.
    • Remove a policy administration control setting for an entity by clicking .
    • Add a policy administration control setting for another user or group by clicking Add Another.
    • Modify an existing policy administration control setting for an entity.
    To add or modify an existing policy administration control setting for an entity, you can:
    1. Select new or modify an existing entity type, user or group, from the Type drop-down list, or enter a new or modify an existing entity name in the Entities field.
    2. Select or deselect the checkbox associated with the following permissions to grant or deny (respectively) that type of permission for the entity:
      • Read access for the policy
      • Admin access to set and modify ACLs on the policy
      • Full control over the policy
  7. Click Save for the changes to take effect.

Modifying a Security Policy Using the CLI and REST API

About this task

  • CLI
  • REST
The basic command to modify an existing security policy is: 
/opt/mapr/bin/maprcli security policy modify -name <policyName> -json
Send a request of type POST. For example: 
curl -X POST 'https://<host>:port/rest/security/policy/modify?name=<policyName>' --user <username>:<password>
For more information, see policy modify.