policy create
Describes how to create a security policy using the CLI.
Syntax
- CLI
/opt/mapr/bin/maprcli security policy create -name <security-policy-name> [ -description <description> ] [ -cluster <cluster-name> ] [ -allowtagging true|false ] [ -accesscontrol Armed|Disarmed|Denied ] [ -auditenabled true|false ] [ -dataauditops <+|- operations>|all ] [ -wiresecurityenabled true|false ] [ -readfileace <file read ACE> ] [ -writefileace <file write ACE> ] [ -executefileace <file execute ACE> ] [ -readdirace <directory read ACE> ] [ -addchildace <directory add child ACE> ] [ -deletechildace <directory delete child ACE> ] [ -lookupdirace <directory lookup ACE> ] [ -readdbace <db cf read ACE> ] [ -writedbace <db cf write ACE> ] [ -traversedbace <db cf traverse ACE> ] [ -readaces <file, directory, db, streams ACE> ] [ -writeaces <file, directory, db, streams ACE> ] [ -unmaskedreaddbace <DB unmasked read ACE> ] [ -user <user:permission,permission,... user:permission,permission,...> ] [ -group <group:permission,permission,... group:permission,permission,...> ]
- REST
Request Type: POST
Request URL: http[s]://<host>:<port>/rest/security/policy/create?<parameters>
Parameters
Parameter | Description |
---|---|
name | The name of this security policy. Security policy names must be unique within the cluster and may contain only alphanumeric characters, hyphens (-) and underscores (_); other characters such as spaces and commas are not allowed. The maximum length of the name is 128 characters. This parameter is mandatory. |
description | The description of the policy. The maximum length of the description is 128 characters. |
cluster | The cluster on which to run the command. This parameter is optional; the local cluster is the default. |
allowtagging | Allows or disallows tagging for the security policy. If set to true, HPE Ezmeral Data Fabric resources can be tagged with this policy; if set to false, they cannot. |
accesscontrol | Determines whether the Access Control Expressions (ACEs) in this security policy are enforced for HPE Ezmeral Data Fabric resources that are tagged with it. The following settings are supported: Armed (the ACEs in the policy are enforced), Disarmed (the ACEs in the policy are not enforced), and Denied (access to the resources tagged with this policy is denied). |
auditenabled | Specifies whether or not to enable auditing for this policy. Set to true to enable auditing, or false to disable it. Default: false. |
dataauditops | A comma-separated list of filesystem operations to include in auditing (preceded by a plus sign, +) or exclude from it (preceded by a minus sign, -). To exclude the first operation in the list, precede it by two minus signs (--) so that the CLI does not read it as the start of another option; precede each subsequent excluded operation by a single minus sign (-), irrespective of whether the first operation was included (+) or excluded (--). An operation with no sign is included. All specified operations must either be included or excluded; a mixed list of included and excluded operations is not allowed. Alternatively, the keyword all refers to every auditable operation. The operations that can be included or excluded are listed in Auditing Data-Access Operations. When this option is omitted, every operation is enabled for auditing, as the enableddataauditoperations field in the example output below shows. Other than the specified operations, by default, all other operations are: setattr automatically enables the following operations: If you exclude |
wiresecurityenabled | Determines whether or not to perform wire-level encryption on the returned data. Set to true to enable it, or false to disable it. Default: |
readfileace | An ACE that controls who can read this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode |
writefileace | An ACE that controls who can write to this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode |
executefileace | An ACE that controls who can execute this file. If you do not set an ACE, basic file permissions are used. Files created with basic file permissions have mode |
readdirace | Controls who can read the contents of files in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode |
addchildace | Controls who can create objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode |
deletechildace | Controls who can delete objects (files and directories) in this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode |
lookupdirace | Controls who can list the contents (files and directories) of this directory. If you do not set an ACE, basic file permissions are used. Directories created with basic file permissions have mode |
readdbace | The ACE for column reads. Fields within the column family inherit this permission. Default: To read fields in JSON DB column families tagged with this security policy, you must have the following permissions: |
writedbace | The ACE for column writes (puts and deletes). Fields within the column family inherit this permission. Default: To perform column writes, you must have the following permissions: |
traversedbace | The DB column family traverse ACE, which determines who may pass over fields in JSON documents. Fields within the column family inherit this permission. Default: To traverse fields in JSON DB column families tagged with this security policy, you must have the following permissions: |
readaces | A convenience option that sets read permissions for all objects. It is equivalent to setting the same ACE for the readfileace, readdirace, lookupdirace, readdbace, and traversedbace options. It does not set unmaskedreaddbace. |
writeaces | A convenience option that sets write permissions for all objects. It is equivalent to setting the same ACE for the writefileace, addchildace, deletechildace, and writedbace options. |
unmaskedreaddbace | The ACE that grants the unmaskedreadperm permission, which lets users read masked column data unmasked. These users must also have readdbace permission. The unmaskedreadperm permission is not set by the convenience readaces parameter; it must be granted explicitly in the security policy with the unmaskedreaddbace ACE. See Dynamic Data Masking for more information. |
user | Space-separated list of user:permission,permission pairs. Use commas to separate each permission and spaces to separate each user. If you do not specify this option, a policy-level administrative ACL granting full privileges, that is [r,a,fc], is added for the administrator who created the security policy; another user with admin (a) privilege for this policy can subsequently remove that privilege. Specifying this option overrides the default and grants policy-level privileges only to the users in the -user list. CAUTION: To be able to modify this security policy after creation, you must grant admin (a) privilege to at least one administrator (for example, -user admin1:r,a,fc) in addition to privileges for any other users. If -user or -group is specified without admin (a) or full control (fc) permission (for example, -user operator:r), only the mapr user can modify the security policy. |
group | Space-separated list of group:permission,permission pairs. Use commas to separate each permission and spaces to separate each group. For example, to give group operators read (r) permission and group secadmin admin (a) and full control (fc) permission, use -group operators:r secadmin:a,fc |
Examples
CLI: create an armed policy with wire security enabled and a policy-level ACL for user7 and user10, then verify it. Note in the output that user7, granted a,fc, is reported with [r, a, fc].
/opt/mapr/bin/maprcli security policy create -name TOPSECRET -allowtagging true -accesscontrol Armed -wiresecurityenabled true -user "user7:a,fc user10:a"
/opt/mapr/bin/maprcli security policy info -name TOPSECRET -json
{
"timestamp":1554275257851,
"timeofday":"2019-04-03 12:07:37.851 GMT-0700 AM",
"status":"OK",
"total":1,
"data":[
{
"policyname":"TOPSECRET",
"policyid":5,
"mtime":"Wed Apr 03 00:06:48 PDT 2019",
"ctime":"Wed Apr 03 00:06:48 PDT 2019",
"wiresecurity":"1",
"audited":"0",
"allowtagging":"1",
"accesscontrol":"Armed",
"enableddataauditoperations":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent",
"disableddataauditoperations":"",
"acl":[
{
"Principal":"User user7",
"Allowed actions":"[r, a, fc]"
},
{
"Principal":"User user10",
"Allowed actions":"[a]"
}
]
}
]
}
REST: the same policy created over the REST API. Parameter values must be percent-encoded in the query string: the user value user7:a,fc user10:a is sent as user7%3Aa%2Cfc%20user10%3Aa (%3A for the colon, %2C for the comma, %20 for the space).
curl -u mapr:mapr -X POST -k "https://host:8443/rest/security/policy/create?name=TOPSECRET&allowtagging=true&accesscontrol=Armed&wiresecurityenabled=true&user=user7%3Aa%2Cfc%20user10%3Aa"
curl -u mapr:mapr -X GET -k "https://host:8443/rest/security/policy/info?name=TOPSECRET"
{"timestamp":1554788296883,"timeofday":"2019-04-08 10:38:16.883 GMT-0700 PM","status":"OK","total":1,"data":[{"policyname":"TOPSECRET","policyid":1,"mtime":"Mon Apr 08 22:33:52 PDT 2019","ctime":"Mon Apr 08 22:33:52 PDT 2019","wiresecurity":"1","audited":"0","allowtagging":"1","accesscontrol":"Armed","enableddataauditoperations":"getattr,setattr,chown,chperm,chgrp,getxattr,listxattr,setxattr,removexattr,read,write,create,delete,mkdir,readdir,rmdir,createsym,lookup,rename,createdev,truncate,tablecfcreate,tablecfdelete,tablecfmodify,tablecfScan,tableget,tableput,tablescan,tablecreate,tableinfo,tablemodify,getperm,getpathforfid,hardlink,filescan,fileoffload,filerecall,filetierjobstatus,filetierjobabort,filetieroffloadevent,filetierrecallevent","disableddataauditoperations":"","acl":[{"Principal":"User user7","Allowed actions":"[r, a, fc]"},{"Principal":"User user10","Allowed actions":"[a]"}]}]}
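Two details the examples above leave to the operator are percent-encoding the user value for the REST call and making sure the -user/-group value does not lock every administrator out (the CAUTION under -user). The POSIX shell helpers below are an added example, not code from the HPE documentation or from maprcli; they assume the spec grammar shown in the syntax line (space-separated principal:perm,perm entries, with a and fc as the admin and full-control tokens), use constructed policy and principal names, and never contact a cluster.

```shell
#!/bin/sh
# Added example (not part of the HPE documentation or maprcli).

# has_admin SPEC
# Return 0 if at least one principal in SPEC carries a (admin) or fc (full
# control), otherwise 1. A spec without either leaves only the mapr user able
# to modify the policy after creation, so check before passing -user/-group.
has_admin() {
  for entry in $1; do
    perms=${entry#*:}
    [ "$perms" = "$entry" ] && continue   # no colon: skip malformed entry
    case ",$perms," in
      *,a,*|*,fc,*) return 0 ;;
    esac
  done
  return 1
}

# urlencode STRING
# Percent-encode everything except RFC 3986 unreserved characters, so that
# "user7:a,fc user10:a" becomes "user7%3Aa%2Cfc%20user10%3Aa" as in the REST
# example. ASCII input only (one byte per character is assumed).
urlencode() {
  s=$1 out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of $s
    s=${s#?}                 # drop it
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# policy_create_query NAME USERSPEC
# Print the query string for /rest/security/policy/create with the same fixed
# options as the REST example, refusing to build one whose ACL would lock out
# every administrator. Returns 1 (and prints nothing on stdout) in that case.
policy_create_query() {
  name=$1 spec=$2
  if ! has_admin "$spec"; then
    echo "refusing: no principal with a or fc in '$spec'" >&2
    return 1
  fi
  printf 'name=%s&allowtagging=true&accesscontrol=Armed&wiresecurityenabled=true&user=%s' \
    "$(urlencode "$name")" "$(urlencode "$spec")"
}

# Usage (constructed values; replace host, CA file and credentials):
#   q=$(policy_create_query TOPSECRET "user7:a,fc user10:a") || exit 1
#   curl -u mapr -X POST --cacert /path/to/cluster-ca.pem \
#     "https://host:8443/rest/security/policy/create?$q"
```

The usage comment deliberately differs from the page's curl lines in two ways: it passes --cacert instead of -k, so the TLS certificate of the REST gateway is actually verified, and it gives -u only the user name so curl prompts for the password instead of leaving it in shell history and the process list. The same has_admin check applies to the CLI form: run it on the value you intend to pass to -user or -group before calling maprcli, since the policy is created even when no administrator is left who can edit it.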