accumulo-dev mailing list archives

From "John Vines (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-677) Remove (deprecate) createUser call with authorizations argument
Date Wed, 01 Aug 2012 20:47:02 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13426877#comment-13426877 ]

John Vines commented on ACCUMULO-677:
-------------------------------------

I agree, we need add/remove instead of set.

As for data owners, I agree with you, but I don't think there's a clean way to do it. I could
see a combination of a System.GRANT_AUTH and any authorizations the user possesses. That would
provide a decent balance of ownership without making it too complex for people in less rigorous
circumstances.

1 - Reasonable concern, but that could very well happen now in the case of changing auths
for a user you did not create

2 - This is up to the Authorizor implementation, which should on create/delete (or both) ensure
that user's list of authorizations is empty

3 - Yes, which is why I want to try to find a middle ground that provides the limitation of
Authorizations while not making them unusable to those who aren't in dire need of them.
                
> Remove (deprecate) createUser call with authorizations argument
> ---------------------------------------------------------------
>
>                 Key: ACCUMULO-677
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-677
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: client
>    Affects Versions: 1.4.1, 1.4.2
>            Reporter: John Vines
>            Assignee: John Vines
>            Priority: Minor
>              Labels: acl, alter, api, create, permissions, security, user
>             Fix For: 1.5.0
>
>
> Creating a user depends on a different ACL than granting Authorizations. If the user
> can do one, but not the other it will still create the user but float back an error. This
> can be confusing to end users, so I think we should isolate createUser to just creating the
> user. They can then be granted authorizations as need be.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
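
The partial failure described in the issue, as a small Python model added here for illustration; it is not Accumulo code, and the class, method and permission names (`UserStore`, `CREATE_USER`, `ALTER_USER`) are assumptions of the model. It shows the combined call leaving a user behind while still raising an error, and the split calls reporting each ACL denial on its own step.

```python
class PermissionDenied(Exception):
    pass

class UserStore:
    """Toy model, not Accumulo code. Permission names are assumptions of the model."""
    def __init__(self, grants):
        self.grants = grants  # caller -> set of permissions (constructed sample data)
        self.users = {}       # user name -> set of authorization labels

    def _require(self, caller, permission):
        if permission not in self.grants.get(caller, set()):
            raise PermissionDenied(f"{caller} lacks {permission}")

    def create_user(self, caller, name):
        self._require(caller, "CREATE_USER")
        self.users[name] = set()  # a new user starts with no authorizations

    def set_authorizations(self, caller, name, auths):
        self._require(caller, "ALTER_USER")
        self.users[name] = set(auths)

    def create_user_with_auths(self, caller, name, auths):
        # Combined call: two separate ACL checks applied one after the other.
        self.create_user(caller, name)
        self.set_authorizations(caller, name, auths)  # can fail after the user exists

def combined_call_outcome(store, caller, name, auths):
    """Return (error_raised, user_exists) for the combined call."""
    try:
        store.create_user_with_auths(caller, name, auths)
        raised = False
    except PermissionDenied:
        raised = True
    return raised, name in store.users

def split_call_outcome(store, caller, name, auths):
    """Run the two calls separately so each denial is tied to its own step."""
    steps = (("create", lambda: store.create_user(caller, name)),
             ("authorize", lambda: store.set_authorizations(caller, name, auths)))
    results = []
    for label, call in steps:
        try:
            call()
            results.append((label, "ok"))
        except PermissionDenied:
            results.append((label, "denied"))
    return results

if __name__ == "__main__":
    store = UserStore({"ops": {"CREATE_USER"}})  # constructed: ops cannot alter users
    print(combined_call_outcome(store, "ops", "alice", ["secret"]))
    print(split_call_outcome(UserStore({"ops": {"CREATE_USER"}}), "ops", "bob", ["secret"]))
```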

        
