Navigator Encrypt Access Control List
Managing the Access Control List
Cloudera Navigator Encrypt manages file system permissions with an access control list (ACL). This ACL is a security access control created by Cloudera that enables a predefined Linux process to access a file or directory managed by Navigator Encrypt.
The ACL uses rules to control process access to files. The rules specify whether a Linux process has access permissions to read from or write to a specific Navigator Encrypt path.
# TYPE @CATEGORY PATH PROCESS PARAMETERS
Component | Description |
---|---|
TYPE | Specifies whether to allow or deny a process. It can have either of the following values: ALLOW or DENY. |
@CATEGORY | This is a user-defined shorthand, or container, for the encrypted dataset that the process will have access to. For example, if you are encrypting the directory /var/lib/mysql, you could use the category @mysql to indicate that this rule is granting access to a process on the MySQL data. See Listing Categories for instructions on viewing existing categories. |
PATH | Specifies the rights permissions of a specific path. For example: *, www/*.htaccess. Omit the leading slash (/). |
PROCESS | Specifies the process or command name for the rule. |
PARAMETERS |
Tells the process the parent-child process to be executed: --shell defines the script for Navigator Encrypt to allow for executable process. Supported shells are /usr/bin/bash, /bin/bash, /usr/bin/dash, and /bin/bash. --children defines for Navigator Encrypt which child processes to allow that are executed by a process/script. Example: --shell=/bin/bash, --children=/bin/df,/bin/ls |
All rules are stored in an encrypted policy file together with a set of process signatures that are used by Navigator Encrypt to authenticate each Linux process. This file is encrypted with the Navigator Encrypt key you defined during installation.
$ sudo /usr/sbin/navencrypt set --mode=permissive
To view the current mode, run navencrypt status -d. For more information on access modes, see Access Modes.
deny2allow
- Save the dmesg content to a file:
$ sudo dmesg > /tmp/dmesg.txt
- Use the dmesg.txt file content as input to the deny2allow command to analyze the action="denied" messages and display a list of required ACL rules based on the action="denied" messages. Here is an example command and output:
$ sudo /usr/sbin/navencrypt deny2allow /tmp/dmesg.txt ALLOW @mysql employees/* /usr/sbin/mysqld ALLOW @mysql * /bin/bash ALLOW @mysql * /bin/ls
If you need to clear the dmesg log and start fresh, run dmesg -c.
If a rule is displayed in the output from the command, it does not automatically mean the ACL rule must be added. You must determine which rules are actually needed. For example, the rule for ls would not typically be added as an ACL rule.
$ sudo /usr/sbin/navencrypt set --mode=enforcing
Adding ACL Rules
$ sudo /usr/sbin/navencrypt acl --add --rule="ALLOW @mysql * /usr/sbin/mysqld"
See Listing Categories for instructions on viewing existing categories.
$ sudo /usr/sbin/navencrypt acl --add --file=/mnt/private/acl_rules
ALLOW @mysql * /usr/sbin/mysqld ALLOW @log * /usr/sbin/mysqld ALLOW @apache * /usr/lib/apache2/mpm-prefork/apache2
Navigator Encrypt releases 3.10 and higher support comments in the policy file. Comments begin with the hash (#) symbol. You can use comments to annotate the policy file, or to temporarily disable a rule for testing. For example:
# Cloudera Navigator Encrypt policy file # Allow mysqld to access all database files ALLOW @mysql * /usr/sbin/mysqld # Allow mysqld to write logs ALLOW @log * /usr/sbin/mysqld # ALLOW @apache * /usr/lib/apache2/mpm-prefork/apache2
Using a policy file is the fastest way to add multiple rules because it only requires the security key one time.
It is also possible to overwrite the entire current rules set with the option --overwrite. When this command is executed, all current rules are replaced by the ones specified in the file that contains the new set of rules. Cloudera recommends to save a copy of your current set of rules by printing it with the option --print.
$ sudo /usr/sbin/navencrypt acl --overwrite --file=/mnt/private/acl_rules
Adding ACL Rules by Profile
If your environment requires more granular controls on the processes that can access the data, you can add extra controls by using profiles. Profiles set requirements on a process other than just having the correct fingerprint. They can include such things as process owner and group, required open files, and the current working directory. To see more about adding rules by profile, see ACL Profile Rules. For details about fingerprints, see Process-Based Access Control List.
Deleting ACL Rules
- Manually specifying the rule to delete using the command line.
- Specifying the line number of the rule to delete.
$ sudo /usr/sbin/navencrypt acl --del --rule="ALLOW @mysql * /usr/sbin/mysqld "
If you remove a MySQL ALLOW rule, the MySQL cache must be cleaned by executing the FLUSH TABLES; MySQL statement. Otherwise, it will still be possible to view data from encrypted table.
$ sudo /usr/sbin/navencrypt acl --del --line 3
$ sudo /usr/sbin/navencrypt acl --del --line=1,3
See Printing ACL Rules for information on determining line numbers.
Printing ACL Rules
$ sudo /usr/sbin/navencrypt acl --print
$ sudo /usr/sbin/navencrypt acl --print --file=policy-backup
$ sudo /usr/sbin/navencrypt acl --list
Universal ACL Rules
Universal ACLs will allow or deny a process access to all files or directories encrypted with Navigator Encrypt.
The rule ALLOW @* * /process allows the designated process to access anything from all encrypted categories.
The rule ALLOW @data * * allows all processes access to any path under the @data category.
The rule ALLOW @* * * allows all processes access to all encrypted categories. Cloudera does not recommend using this rule. Use it only in test environments.
$ sudo /usr/sbin/navencrypt acl --add --rule="ALLOW @* * /usr/sbin/mysqld" Type MASTER passphrase: 1 rule(s) were added # navencrypt acl --listType MASTER passphrase: # - Type Category Path Profile Process 1 ALLOW @* * /usr/sbin/mysqld
Enabling Shell Scripts to Be Detected by ACL
All of the previous rules work for binary files. There may be times a script, such as a shell script, must be allowed to access the encrypted directory.
ALLOW @scripts * /root/script.sh --shell=/bin/bash
The --shell option identifies which executable process is used to execute the script. Supported shells are /usr/bin/bash, /bin/bash, /usr/bin/dash, and /bin/bash
If the script is altered, it will no longer be trusted by the ACL because the fingerprint has changed. If you edit the script you must invoke the update option to update the ACL with the new fingerprint.
ALLOW @scripts * /root/script.sh --shell=/bin/bash --children=/bin/df
The --children option tells Navigator Encrypt to allow the /bin/df binary process if it is executed by /root/script.sh.
ALLOW @scripts * /root/script.sh --shell=/bin/bash --children=/bin/df,/bin/ls
$ sudo /usr/sbin/navencrypt acl --add --rule="ALLOW @mysql * /usr/bin/mysqld_safe \ --shell=/bin/bash --children=/bin/df,/bin/ls"
ACL Profile Rules
If your environment requires more granular controls on the processes that can access the data, you can add extra controls by using profiles. Profiles set requirements on a process other than just having the correct fingerprint. They can include such things as process owner and group, required open files, and the current working directory.
$ usr/sbin/navencrypt-profile --pid=<pid>
- -c, --with-cwd
Output the current working directory
- -e, --with-egid
Output the egid
- -g, --with-gid
Output the gid
- -u, --with-euid
Output the euid
{ "uid":"0", "comm":"NetworkManager", "cmdline":"NetworkManager –pid-file=/var/run/NetwrkManager/NetworkManager.pid", "gid":"0" "cwd":"/", "fd0":"/dev/null", "fd1":"/dev/null", "fd2":"/dev/null" }
$ ps -p <pid_of_process> -o euid,egid
"cmdline":"NetworkManager –pid-file=/var/run/NetworkManager/NetworkManager.pid \ -logfile=/var/log/NetworkManager/log-20130808152300.log"
"cmdline":"NetworkManager –pid-file=/var/run/NetworkManager/NetworkManager.pid -logfile=##"
With the above configuration, the ACL will allow any value for the -logfile cmdline parameter.
$ sudo /usr/sbin/navencrypt acl --add --rule="ALLOW @mysql * /usr/sbin/mysqld" \ –-profile-file=/path/to/profile/file
$ sudo /usr/sbin/navencrypt acl --list --all Type MASTER passphrase: # - Type Category Path Profile Process 1 ALLOW @mysql * YES /usr/sbin/mysqld PROFILE: {"uid":"120","comm":"mysqld","cmdline":"mysqld"}
Categories: ACLs | Encryption | Navigator | Security | All Categories