Example Security Policy File

The security policy file, example_policy.txt, was created using the Admin CLI by issuing the command:

as-admin> create security_policy policy_name "example/exdomain"
 encrypt false policy_file "example_policy.txt"

This generates a security policy file named example_policy.txt containing the following:

  • One security domain named exdomain.
  • A metaspace access list with a default metaspace_access entry of:
      metaspace_access=metaspace=ms;discovery=tcp://127.0.0.1:50000
  • An unencrypted private key and public certificate for the security domain's identity.
  • A data encryption key for the security domain.

When you use security, you must use TCP transport. Notice that the discovery URL in the metaspace_access entry is tcp://127.0.0.1:50000. This URL designates the loopback IP address of 127.0.0.1 and port 50000 as the discovery IP address and port, which will keep metaspace discovery messages on your local machine.

The generated policy file, example_policy.txt, was edited as follows:

  • The data_encryption setting was changed from false to true.
  • The group entry, group1 = user1, was added under Access Control Groups.
  • The following permission entry was added under Access Control Permissions:
     ms/* group1=seeder,read,write,encrypt

The example security policy file uses the default metaspace name of ms in the metaspace_access list. If you wish to use a different metaspace name, you must change the metaspace name in the following line:

metaspace_access=metaspace=ms;discovery=tcp://127.0.0.1:50000
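The entries above (data_encryption, the metaspace_access line, the group entry and the permission entry) are usually edited by hand, and a mismatch between them only shows up when members fail to join the metaspace. The checker below is an added example written for this page, not a TIBCO tool and not part of the generated policy file. It parses only the line shapes quoted in this section and skips everything else, so the real file's section headers and key material are not reproduced or interpreted. It assumes that a permission's space pattern is written as metaspace/space (so ms/* belongs to metaspace ms) and that a group entry lists comma-separated members; both are assumptions, not documented format rules. The two policy fragments are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the edited entries described in the text. Only the
# line shapes quoted in the documentation are reproduced here; the file's
# section headers and the domain's key material are not shown or parsed.
GOOD_POLICY = """\
data_encryption=true
metaspace_access=metaspace=ms;discovery=tcp://127.0.0.1:50000
group1 = user1
ms/* group1=seeder,read,write,encrypt
"""

# Constructed counter-example: non-TCP discovery, the metaspace renamed to
# "prod" without updating the permission entry, and the encrypt permission
# granted while data_encryption is still false.
WEAK_POLICY = """\
data_encryption=false
metaspace_access=metaspace=prod;discovery=udp://239.0.0.1:50000
group1 = user1
ms/* group1=seeder,read,write,encrypt
"""

# Matched in this order: the flag and metaspace_access lines would otherwise
# also satisfy the looser "name = members" group shape.
FLAG_RE = re.compile(r"^data_encryption=(true|false)$")
ACCESS_RE = re.compile(r"^metaspace_access=(.+)$")
PERM_RE = re.compile(r"^(?P<space>\S+)\s+(?P<group>[^\s=]+)=(?P<perms>[\w,]+)$")
GROUP_RE = re.compile(r"^(?P<group>\w+)\s*=\s*(?P<members>.+)$")


def parse_policy(text):
    """Collect the entries the documented edits touch; any other line is skipped."""
    policy = {"data_encryption": None, "metaspaces": {}, "groups": {}, "permissions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FLAG_RE.match(line):
            policy["data_encryption"] = m.group(1) == "true"
        elif m := ACCESS_RE.match(line):
            # "metaspace=ms;discovery=tcp://127.0.0.1:50000" -> {"metaspace": "ms", "discovery": "tcp://..."}
            fields = dict(part.split("=", 1) for part in m.group(1).split(";") if "=" in part)
            policy["metaspaces"][fields.get("metaspace", "")] = fields.get("discovery", "")
        elif m := PERM_RE.match(line):
            # "ms/* group1=seeder,read,write,encrypt" -> ("ms/*", "group1", {...})
            policy["permissions"].append((m["space"], m["group"], set(m["perms"].split(","))))
        elif m := GROUP_RE.match(line):
            # Assumption: members are comma-separated ("group1 = user1, user2").
            policy["groups"][m["group"]] = {u.strip() for u in m["members"].split(",")}
    return policy


def check_policy(policy):
    """Return (severity, message) findings; only "error" findings need fixing."""
    findings = []
    for name, url in policy["metaspaces"].items():
        parts = urlsplit(url)
        if parts.scheme != "tcp":
            findings.append(("error", f"metaspace {name}: discovery uses {parts.scheme}://, "
                                      "but security requires TCP transport"))
        elif parts.hostname == "127.0.0.1":
            findings.append(("info", f"metaspace {name}: loopback discovery keeps discovery "
                                     "messages on this machine"))
    for space, group, perms in policy["permissions"]:
        metaspace = space.split("/", 1)[0]  # assumption: pattern is metaspace/space
        if metaspace not in policy["metaspaces"]:
            findings.append(("error", f"permission on {space}: no metaspace_access entry "
                                      f"for metaspace {metaspace!r}"))
        if group not in policy["groups"]:
            findings.append(("error", f"permission on {space}: group {group!r} has no group entry"))
        if "encrypt" in perms and policy["data_encryption"] is not True:
            findings.append(("warning", f"permission on {space}: encrypt granted while "
                                        "data_encryption is not true"))
    return findings


if __name__ == "__main__":
    for label, text in (("example", GOOD_POLICY), ("weak", WEAK_POLICY)):
        for severity, message in check_policy(parse_policy(text)):
            print(f"{label}: {severity}: {message}")
```

Run against the example entries the checker reports only the informational loopback note; against the weak fragment it flags the non-TCP discovery URL, the permission that still names ms after the metaspace was renamed, and the encrypt permission granted before data_encryption was turned on. Because the real file's other key=value lines are not documented here, a full policy file would also match the group shape for unrelated settings, so treat the group findings as advisory unless the checker is extended with the file's section boundaries.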

Without any modifications, the example security policy file can be used to ensure secure transports are used for communication throughout a metaspace.

It can also be used to run most of the examples with an encrypted data field added to the space used by the example.

See User Authentication and User Access Control for information on how to change the example security policy file to turn on user authentication or user access control.