You can create, retrieve, and remove security policies, and associate security policies with a data object using filesystem APIs.
The standard Linux extended attributes to tag filesystem objects are POSIX-compliant. You can use these attributes on any Linux or POSIX-compliant client without installing additional MapR software.
However, with the extended attribute syntax, an application that wants to combine tags must first retrieve the existing tags and then write the old and new tags together; otherwise the new tags replace the old ones. Alternatively, your applications can use an API that handles this combination for them. The extended MapRFileSystem Java class provides such an API for setting policy tags.
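As an added example (not from the MapR documentation), the read-merge-write that the extended attribute route requires, written against the generic Hadoop FileSystem getXAttr/setXAttr methods so it works on a client without the MapR Java class. The class and method names and the default path and tag value are this example's own; the attribute name is the one shown in the getfattr output on this page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.TreeSet;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;

// Hypothetical helper: additive tagging through the generic Hadoop xattr API,
// for clients that cannot call MapRFileSystem.addSecurityPolicyTag.
public class XattrPolicyTagger {
    // Extended attribute that carries the policy tags (as shown by getfattr).
    static final String POLICY_XATTR = "security.mapr.policy";

    // Parse the comma-separated attribute value into a sorted, de-duplicated set.
    static TreeSet<String> parseTags(byte[] raw) {
        TreeSet<String> tags = new TreeSet<>();
        if (raw == null) {
            return tags;   // attribute not set: no policies applied yet
        }
        for (String t : new String(raw, StandardCharsets.UTF_8).split(",")) {
            if (!t.trim().isEmpty()) {
                tags.add(t.trim());
            }
        }
        return tags;
    }

    // Add tags without dropping the ones already on the file or directory.
    static TreeSet<String> addTags(FileSystem fs, Path path, String... newTags)
            throws IOException {
        // Let a failed read propagate: writing a merged set built on a failed
        // read would silently remove every policy currently on the object.
        TreeSet<String> merged = parseTags(fs.getXAttr(path, POLICY_XATTR));
        for (String t : newTags) {
            merged.add(t);
        }
        // setXAttr replaces the whole value, so the merged set is written back.
        // The read-merge-write is not atomic: two concurrent writers can still
        // lose a tag, which is the reason to prefer the MapRFileSystem API.
        fs.setXAttr(path, POLICY_XATTR,
                String.join(",", merged).getBytes(StandardCharsets.UTF_8));
        return merged;
    }

    public static void main(String[] args) throws IOException {
        FileSystem fs = FileSystem.get(new Configuration());
        Path path = new Path(args.length > 0 ? args[0] : "/mapr/lab/foo.txt");
        System.out.println("Tags now: " + addTags(fs, path, "topsecret"));
    }
}
```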
The list of MapRFileSystem API methods for data tagging is as follows:

```java
public class MapRFileSystem extends FileSystem;
```

| Method and Description | Modifier and Type |
|---|---|
| Add a Security Policy Tag | |
| addSecurityPolicyTag(path, securityPolicyTag): adds a single security policy tag to the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTag parameter contains a security policy tag. | public int |
| addSecurityPolicyTag(path, securityPolicyTags): adds one or more security policies to the list of existing security policies (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
| Replace a Security Policy Tag | |
| setSecurityPolicyTag(path, securityPolicyTag): sets the security policy tag for the file or directory specified in path, replacing all existing tags. The securityPolicyTag parameter contains a security policy tag. | public int |
| setSecurityPolicyTag(path, securityPolicyTags): sets one or more security policy tags for the file or directory specified in path, replacing any existing security policy tags. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
| Remove a Security Policy Tag | |
| removeSecurityPolicyTag(path, securityPolicyTag): removes the security policy tag contained in the securityPolicyTag parameter from the list of existing security policy tags (if any) for the file or directory specified in path. | public int |
| removeSecurityPolicyTag(path, securityPolicyTags): removes one or more security policy tags from the list of existing security policy tags (if any) for the file or directory specified in path. The securityPolicyTags parameter contains a list of one or more security policy tags. | public int |
| Removes all security policies tagged to the file or directory specified by path. | public int |
| Retrieve Security Policy Tags | |
| getSecurityPolicyTag(path, securityPolicyTags): retrieves the security policy tags associated with the file or directory specified in path. The securityPolicyTags parameter receives the list of one or more security policy tags. | public int |
The following example illustrates the usage of the filesystem APIs, and the interchangeability of the filesystem API with the extended attribute APIs:

1. Set three security policies, general, hipaa, and pci, on the file /mapr/lab/foo.txt.
2. Retrieve the tags with the getSecurityPolicyTag API, or with the extended attribute APIs.
3. Remove the tag pci. Two tags remain: hipaa and general.
4. Add the tag topsecret. The two existing tags, general and hipaa, are preserved. Finally, there are three tags: general, hipaa, and topsecret.
Use the Java addSecurityPolicyTag API to set three security policies, pci, general, and hipaa, for the file /mapr/lab/foo.txt as follows.

```java
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
import com.mapr.fs.MapRFileSystem;
import java.util.List;
import java.util.ArrayList;
…
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
Path path = new Path("/mapr/lab/foo.txt");
List<String> securityPolicies = new ArrayList<String>();
securityPolicies.add("pci");
securityPolicies.add("general");
securityPolicies.add("hipaa");
// Cast to MapRFileSystem to reach the tagging API; the add is additive.
((MapRFileSystem) fs).addSecurityPolicyTag(path, securityPolicies);
```
The getSecurityPolicyTag API returns the same set of security policies, general, hipaa, and pci, in a List of String objects instead of a comma-separated list:

```java
List<String> securityPolicies = new ArrayList<String>();
// Tags are appended to the list passed in; the return value is a status code (0 on success).
int status = ((MapRFileSystem) fs).getSecurityPolicyTag(path, securityPolicies);
```

Alternatively, use the getfattr extended attribute API to retrieve the three security policy tags:

```
getfattr -d /mapr/lab/foo.txt
# file: /mapr/lab/foo.txt
security.mapr.policy="general,hipaa,pci"
```

The tags are always returned in alphabetical order, regardless of the order in which you set them. All security policies are considered equal in terms of determining access rights.
Use the extended attribute Java API getXAttr to obtain the same result: retrieve the three security policy tags. The following segment prints the comma-separated list general,hipaa,pci.

```java
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
…
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
Path path = new Path("/mapr/lab/foo.txt");
byte[] securityPolicyBytes = fs.getXAttr(path, "security.mapr.policy");
// Decode the raw attribute value; byte[].toString() would print only the array identity.
System.out.println("Security Policies: " + new String(securityPolicyBytes, StandardCharsets.UTF_8));
```
At this point, the example has three tags for /mapr/lab/foo.txt: general, hipaa, and pci. Now, remove the tag pci using the removeSecurityPolicyTag API:

```java
Configuration conf = new Configuration();
FileSystem fs = FileSystem.get(conf);
Path path = new Path("/mapr/lab/foo.txt");
…
((MapRFileSystem) fs).removeSecurityPolicyTag(path, "pci");
```

Use any of the methods listed in step 2 to see that the pci tag is removed.
Add a tag topsecret using the addSecurityPolicyTag API:

```java
FileSystem fs = FileSystem.get(conf);
Path path = new Path("/mapr/lab/foo.txt");
…
((MapRFileSystem) fs).addSecurityPolicyTag(path, "topsecret");
```

Since this API sets the tags in an additive fashion, it preserves the two existing tags general and hipaa. The final output is three tags: general, hipaa, and topsecret.
The following sample program uses the tagging APIs on the file /user/root/disks.txt. This program does the following tasks:

1. Sets two security policy tags, general and pci.
2. Retrieves and prints the tags: general and pci.
3. Removes the tag pci.
4. Retrieves and prints the remaining tag: general.
5. Adds the tag hipaa.
6. Retrieves and prints the tags: general and hipaa.
```java
package com.mapr.fs;

import org.apache.hadoop.fs.*;
import org.apache.hadoop.conf.*;
import java.io.*;
import com.mapr.fs.MapRFileSystem;
import java.util.List;
import java.util.ArrayList;

class SecurityPolicyTest
{
    public static void main (String [] args) throws IOException
    {
        Configuration conf = new Configuration();
        if (args.length != 1) {
            System.out.println ("Usage: com.mapr.fs.SecurityPolicyTest <path>");
            System.exit(-1);
        }
        String pathName = args[0];
        System.out.println ("Path name: " + pathName);
        FileSystem fs = FileSystem.get(conf);
        Path path = new Path (pathName);
        List<String> securityPolicies = new ArrayList<String>();

        // Replace whatever tags exist with general and pci.
        System.out.println ("Adding general,pci");
        securityPolicies.clear();
        securityPolicies.add ("general");
        securityPolicies.add ("pci");
        ((MapRFileSystem)fs).setSecurityPolicyTag(path, securityPolicies);

        List<String> tags = new ArrayList<String>();
        int status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }

        // Remove a single tag; the others are untouched.
        System.out.println ("Removing pci");
        ((MapRFileSystem)fs).removeSecurityPolicyTag (path,"pci");
        tags.clear();
        status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }

        // Add a single tag additively; general is preserved.
        System.out.println ("Add hipaa");
        ((MapRFileSystem)fs).addSecurityPolicyTag(path, "hipaa");
        tags.clear();
        status = ((MapRFileSystem)fs).getSecurityPolicyTag(path, tags);
        if (status == 0) {
            System.out.println ("Tags:");
            for (int i=0; i<tags.size(); i++) {
                System.out.println (tags.get(i));
            }
        }
    }
}
```
Output

```
# sh RUN
# export CLASSPATH=`mapr classpath`
# java -cp $CLASSPATH com.mapr.fs.SecurityPolicyTest /user/root/disks.txt
Path name: /user/root/disks.txt
Adding general,pci
Tags:
general,pci
Removing pci
Tags:
general
Add hipaa
Tags:
general,hipaa
```