Disabling Policy Access Controls at the Cluster-Level

You can disable policy access controls (ACEs set in security policies) at the cluster-level through the cldb.pbs.access.control.enabled option in the CLI and REST API and through the Ignore Policy Access Control option in the Control System.

Typically, you would only disable security policies at the cluster-level if they are causing issues. The cldb.pbs.access.control.enabled option is the fastest way for administrators to turn security policies off in a cluster.

CAUTION:

Before you disable policy access controls at the cluster-level, verify that POSIX mode bits or ACEs are directly applied to data objects to prevent unauthorized access to data. See hadoop mfs, and refer to the -getace parameter.

The following table summarizes how security policy enforcement works when policy access controls are enabled and disabled in a cluster:

Policy Access Controls	Description
Enabled	Default. The system enforces all policy access controls (ACEs set in security policies).
Disabled	The system does not enforce any policy access controls (ACEs set in security policies). ACEs set in security policies are not applied during any data operations in the cluster. Policy access controls (ACEs set in the security policies) are disabled only for the indicated cluster. It does not matter if the cluster is a master or member security policy cluster; disabling the access controls does not affect the security policy settings and behaviors in any other cluster. The system still enforces: Resource controls (POSIX mode bits and ACEs) directly applied to data objects to determine data access. Wire-level encryption and auditing settings in the security policies.

Policy Access Controls

Description

Enabled

Default.
The system enforces all policy access controls (ACEs set in security policies).

Disabled

The system does not enforce any policy access controls (ACEs set in security policies). ACEs set in security policies are not applied during any data operations in the cluster.
Policy access controls (ACEs set in the security policies) are disabled only for the indicated cluster. It does not matter if the cluster is a master or member security policy cluster; disabling the access controls does not affect the security policy settings and behaviors in any other cluster.
The system still enforces:
- Resource controls (POSIX mode bits and ACEs) directly applied to data objects to determine data access.
- Wire-level encryption and auditing settings in the security policies.

The following sections describe how to enable and disable policy access controls (ACEs set in security policies) at the cluster-level:

Disable Policy Access Controls Using the Control System

Log in to the Control System and click to display the Security settings page.
Move the slider associated with Ignore Policy Access Control to Yes to disable access control or No to enable access control using security policies.
If set to Yes, access control enforcement is disabled for all the security policies on the cluster. If set to No, you can set the enforcement mode setting at the volume level to Policy Ace and Data Ace or Policy Ace Only to enable access control enforcement using security policy ACEs.

Disable Policy Access Controls Using the CLI

Run the config save command and set the cldb.pbs.access.control.enabled property to one of the following values:

0 — disables security policy ACE enforcement for data operations in the cluster
1 — enables security policy ACE enforcement for data operations in the cluster

Example:

/opt/mapr/bin/maprcli config save -values '{"cldb.pbs.access.control.enabled":"0"}'
/opt/mapr/bin/maprcli config save -values '{"cldb.pbs.access.control.enabled":"1"}'