Viewing the List of Security Policies

View the list of security policies using the Control System and extended attributes.

You can retrieve and view the list of security policies using the Control System, the CLI, and REST API.

Parent topic: Creating a Security Policy

Viewing the List of Security Policies Using the Control System

Log in to the Control System and go to the Security Policies tab in the Admin > Cluster Settings page.
The list of security policies display in the Security Policies pane. You can filter the list of policies by one of the following Access Control statuses: All, Armed, Disarmed, Denied. For each security policy, the page displays the following:
Column Name Description
Policy Name The name of the policy.
Access Control Indicates whether access control is enforced by the Access Control Expression (ACE) setting in the policy:
  • Armed
  • Disarmed
  • Denied
See Changing the State of a Security Policy.
Tagging Indicates whether data objects can be tagged with the policy. See Changing the State of a Security Policy.
Description The description of the policy.
Date Created The date when the policy was created.
Date Modified The date when the policy was last modified.

Viewing the List of Security Policies Using the CLI and REST API

CLI
The basic command to retrieve the list of security policies that you are allowed to view is: 
/opt/mapr/bin/maprcli security policy list -json
REST
Send a request of type GET. For example: 
curl -k -X GET 'https://<host>:8443/rest/security/policy/list' --user mapr:mapr
For more information, see policy list.

Retrieving Security Policies Using Extended Attributes

Describes how to retrieve security policies that are tagged using extended attributes.
Linux Commands

Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To retrieve extended attributes, you run one of the following commands:

  • getfattr [-hRLP] -n name pathname...
  • getfattr [-hRLP] -d [-m pattern] pathname...

These commands retrieve both policy tags as well as other extended attributes.

For example, to retrieve all extended attributes for the file /mapr/lab/foo.txt, use: 

getfattr -d /mapr/lab/foo.txt
 # file: /mapr/lab/foo.txt
 security.mapr.policy="Lab_Security_Policy,Sensitive_data" ← policy tag
 user.test="test"                                     ← other attributes

To retrieve the security policy tags without retrieving the rest of the extended attributes, use the -n option to match the security policy extended attribute name:

getfattr -d -n security.mapr.policy /mapr/lab/foo.txt
 # file: /mapr/lab/foo.txt
 security.mapr.policy="Lab_Security_Policy,Sensitive_Data"
Hadoop Commands
Security policies use a special format for the extended attribute name, which is always set to the keyword security.mapr.policy.

To retrieve security policy attributes, use the command:

hadoop fs -getfattr [-R] -n security.mapr.policy | -d <pathname>

For example, to retrieve security policy attributes for the file /mapr/lab/foo.txt, use:

hadoop fs -getfattr -n security.mapr.policy | -d /mapr/lab/foo.txt
Alternatively, use the Hadoop MFS command to retrieve security policy attributes.
hadoop mfs -getsecuritypolicytag [-R] <path>
Java APIs

To retrieve security policy attributes, use the following Java APIs:

  • public byte[] getXAttr(Path path, String name) throws IOException Gets an extended attribute name and value for a file or directory. The name must be prefixed with the namespace, followed by ".". For security policy tags, the extended attribute name is security.mapr.policy.
  • public Map<String,byte[]> getXAttrs(Path path) throws IOException Gets all the extended attribute name/value pairs for a file or directory. Only those extended attributes that the logged-in user has permissions to view, are returned.
  • public Map<String,byte[]> getXAttrs(Path path, List<String> names) throws IOException Gets the extended attributes specified by the given list of names. Only those extended attributes that the logged-in user has permissions to view, are returned.
  • public List<String> listXAttrs(Path path) throws IOException Gets all the extended attribute names for a file or directory. Only those extended attribute names that the logged-in user has permissions to view, are returned.
C APIs

Security policies use a special format for the extended attribute name, and is always set to the keyword security.mapr.policy.

Retrieve extended attribute values

The getxattr, lgetxattr, and fgetxattr system calls are used to retrieve an extended attribute value associated with a file system object, which may be either a file or directory. The synopsis of these commands are as follows. For details, refer to the getxattr(2) Linux manual page.

NAME

getxattr, lgetxattr, fgetxattr - retrieve an extended attribute value

SYNOPSIS

#include <sys/types.h>
#include <attr/xattr.h>
 ssize_t getxattr (const char *path, const char *name, void *value, 
                                        size_t size);
 ssize_t lgetxattr (const char *path, const char *name, void *value, 
                                        size_t size);
 ssize_t fgetxattr (int filedes, const char *name, void *value, 
                                        size_t size);

List extended attribute values

Use the listxattr, llistxattr, and flistxattr to list extended attribute names. For more details, refer to the listxattr(2) Linux manual page.

NAME

listxattr, llistxattr, flistxattr - list extended attribute names

#include <sys/types.h>
#include <attr/xattr.h>
 ssize_t listxattr (const char *path, char *list, size_t size);
 ssize_t llistxattr (const char *path, char *list, size_t size);
 ssize_t flistxattr (int filedes, char *list, size_t size);