Security Policy Permissions
Permissions define which administrative users can create, view, and modify security policies. Administrators set the permissions on security policies through cluster-level and security policy-level ACLs.
Permission Levels
Policy-based security supports cluster-level and policy-level permissions.
Permission Level | Description |
---|---|
Cluster-level | |
Policy-level | |
- Data Fabric UI
- maprcli acl set|edit commands
- maprcli security policy create commands
- On a fresh cluster install, the root user and the Data Fabric user (typically named mapr or hadoop on each node) have cp permission. On an upgraded cluster, only the Data Fabric user has cp permission.
- As the cluster owner, the Data Fabric user (typically named mapr or hadoop on each node) has overriding permission on security policies, including the administrative ACLs. The Data Fabric user can create, view, and modify security policies, regardless of the cluster-level and policy-level permission specified.
- By default, administrators do not have permission to create security policies. Administrators need cluster-level cp (create security policy) permission to create security policies. Administrators with cluster-level a (admin) permission can grant cp permission to themselves or other administrators.
  TIP: You must designate a cluster as the global policy master before you create security policies. Setting a global policy master creates a global namespace for security policies. See Designating a Fabric as Global Policy Master.
- Any user with a valid Data Fabric ticket can view security policy IDs and names. This allows non-administrative users to determine which security policies to apply to data objects.
Permission Codes
Cluster-level and security policy-level permission codes that are set through ACLs grant security policy access to administrators. An administrator (with cluster-level a (admin) and cp (create security policy) permissions) that creates a security policy has full control over the security policy unless they specifically grant other administrators access to the security policy through policy-level permissions.
The following sections describe the cluster-level and policy-level permission codes for security policy access:
Cluster-Level Permission Codes
The following table lists some cluster-level permission codes and how they relate to security policies.
Cluster-level permission code | Description |
---|---|
a (admin) | Grants administrative access to cluster ACLs. Can grant create security policy (cp) permission to themselves or other administrators. Cannot view or edit the details of any security policy created by other admins; can only view the security policy ID and name. Needs security policy-level permissions to view or edit security policies created by other admins. |
cp (create security policy) | ATTENTION: Administrators need this permission to create security policies. Administrators with a (admin) cluster-level permission can grant cp permission to themselves or other administrators. Administrators can view and edit all parts of the security policies they create, including the ACEs and permissions on the security policies. Grants the administrator that creates a security policy the following security policy-level permissions on the security policy: Full Control (fc), Admin (a), Read (r). Administrators who create security policies can override their access to the security policies by designating policy owners who can then manage the security policies. |
fc (full control) | Grants full control over the cluster and enables all cluster-level administrative options. Cannot change the cluster-level ACLs. Can view all security policies. Cannot create security policies. Cannot edit the details of any security policy unless specifically granted access to a security policy through policy-level permissions. |
Policy-Level Permission Codes
Separate read (r) and edit (fc) permissions for policy owners allow some policy owners to view policy information while others can edit policy information. This allows most administrators to administer the system without seeing the data and also prevents some policy owners from adding their credentials to the administrative ACLs to manipulate the data access ACEs.
Policy-level permissions are set on a per-policy basis. Permissions set on one security policy do not apply to other security policies.
The following table lists the policy-level permission codes needed to perform actions on security policies.
Policy-level permission code | Description |
---|---|
a (admin) | Can view and modify permissions on the security policy. Cannot view or modify the security policy; can only view the security policy name and ID. |
fc (full control) | Can view and edit any part of the security policy, including the data access ACEs. Cannot view or modify permissions on the security policy. |
r (read) | Can view all parts of a security policy, but cannot modify any part of the security policy. |
Permissions Table
The following table lists the cluster-level and policy-level permissions needed to perform specific actions on security policies:
NOTE: Administrators who create a security policy have policy-level r, a, and fc permission on the security policy.
Action | Cluster-Level | Policy-Level |
---|---|---|
Create a security policy | cp | -- |
View details of all security policies | fc | -- |
View details of a security policy | -- | r |
View and edit permissions on a security policy (ACLs) | -- | a |
View and edit the details of a security policy (ACEs, auditing, wire-level encryption) | -- | fc |
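The permission rules on this page, modelled as an added example that is not part of the Data Fabric product or its documentation: an evaluator for who may do what, and an ACL review that reports cluster-level a holders without cp and users who hold both a and fc on one policy. The user names, the policy name, the ACL dictionaries and the function names are constructed for illustration, and the Data Fabric user is assumed to be named mapr.

```python
# Added example: models the rules described on this page. All user names,
# policy names and ACL contents below are constructed sample data.
CLUSTER_OWNER = "mapr"  # assumption: name of the Data Fabric user

# action -> (level, code) alternatives, any one of which permits the action
RULES = {
    "create_policy":       [("cluster", "cp")],
    "view_policy":         [("cluster", "fc"), ("policy", "r"), ("policy", "fc")],
    "edit_policy_acl":     [("policy", "a")],
    "edit_policy_details": [("policy", "fc")],
}

def allowed(user, action, cluster_acl, policy_acl):
    """True if `user` may perform `action` on the policy whose ACL is given."""
    if user == CLUSTER_OWNER:  # the cluster owner overrides all ACLs
        return True
    acls = {"cluster": cluster_acl, "policy": policy_acl}
    return any(code in acls[level].get(user, set())
               for level, code in RULES[action])

def audit(cluster_acl, policies):
    """Return sorted findings that a reviewer of these ACLs should look at."""
    findings = []
    for user, codes in cluster_acl.items():
        # Cluster-level a can grant cp to itself, so it is a latent creator.
        if "a" in codes and "cp" not in codes:
            findings.append(f"{user}: cluster-level a without cp (can grant cp to self)")
    for name, acl in policies.items():
        for user, codes in acl.items():
            # a controls the policy ACL, fc controls the data access ACEs.
            if {"a", "fc"} <= codes:
                findings.append(f"{user}: both a and fc on policy {name}")
    return sorted(findings)

# Constructed sample ACLs: user -> set of permission codes
CLUSTER_ACL = {"alice": {"a", "cp"}, "bob": {"a"}, "carol": {"fc"}}
POLICIES = {"pii": {"alice": {"r", "a", "fc"}, "dave": {"r"}, "erin": {"a"}}}

if __name__ == "__main__":
    for finding in audit(CLUSTER_ACL, POLICIES):
        print(finding)
```

In the sample data alice is the policy creator, so the second finding reflects the default grant of r, a, and fc that the NOTE describes.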