Return-Path: X-Original-To: apmail-accumulo-dev-archive@www.apache.org Delivered-To: apmail-accumulo-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E377C9BE2 for ; Mon, 13 Aug 2012 23:35:08 +0000 (UTC) Received: (qmail 30289 invoked by uid 500); 13 Aug 2012 23:35:08 -0000 Delivered-To: apmail-accumulo-dev-archive@accumulo.apache.org Received: (qmail 30140 invoked by uid 500); 13 Aug 2012 23:35:08 -0000 Mailing-List: contact dev-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@accumulo.apache.org Delivered-To: mailing list dev@accumulo.apache.org Received: (qmail 30131 invoked by uid 99); 13 Aug 2012 23:35:08 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Aug 2012 23:35:08 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of david.medinets@gmail.com designates 209.85.215.41 as permitted sender) Received: from [209.85.215.41] (HELO mail-lpp01m010-f41.google.com) (209.85.215.41) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Aug 2012 23:35:00 +0000 Received: by lahd3 with SMTP id d3so2329828lah.0 for ; Mon, 13 Aug 2012 16:34:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=NVLMJocEAEQ2auv5v3G+T30HScwwXs5UmzDG4jr2eUI=; b=IvUcaxY9Vdx4fS9hENHcdqOwJtXDPg/JbNK+wb8PB6IUt7hIWs/hNWNvmtu/MDO4Cq 15qKFxFlf0i75mWODkOckBEJTabP+n8M9/jJ6vQxRKIG0BocK/A6go0uaQILJ8iUDggU 7MXTFCx7ZJ7mOKD+bKrUvnMMc39cvYZnjUFWma2t3YZlkmR9IxlHLMyxOaDSdNjMYgHn lTUfqkOWdMCH4JTv6ETLD3+c1O/hATiIf3Bpz8p1r12R422zjw8b9tmVMCYBmYSK+BkT Xa8dBfhFTx0rg3wa1FRFPrKOFKSevmoNDk25wWPuuQjDk/zXSESAKvS/78Xn/tvO2G2a Gv2Q== MIME-Version: 1.0 Received: by 10.112.104.3 with SMTP id ga3mr7040706lbb.77.1344900879944; Mon, 13 Aug 2012 16:34:39 -0700 (PDT) Received: by 10.112.41.227 with HTTP; Mon, 13 Aug 2012 16:34:39 -0700 (PDT) Received: by 10.112.41.227 with HTTP; Mon, 13 Aug 2012 16:34:39 -0700 (PDT) In-Reply-To: References: Date: Mon, 13 Aug 2012 19:34:39 -0400 Message-ID: Subject: Re: Role label grammar From: David Medinets To: dev@accumulo.apache.org Content-Type: multipart/alternative; boundary=14dae9d71976350c1e04c72e2320 --14dae9d71976350c1e04c72e2320 Content-Type: text/plain; charset=ISO-8859-1 +1 for a pluggable solution. Put the complex stuff in contrib. On Aug 13, 2012 4:31 PM, "Adam Fuchs" wrote: > There are a couple of ways to interpret this suggestion. One is that the > syntax and semantics of the cell-level label attached to each key syntax be > augmented, and the other is that the user authorization sets be augmented > to include these concepts, both in the storage and in the scanning API. > > With respect to the former, I think that it complicates the grammar too > much to add in range checking, and I'm not sure this is really what we want > anyway. In the case of the time-windowed restriction for accessing an > object, I would hypothesize that the bounds of the window are not > necessarily calculable from only the object itself, but also require > attributes of the user and policy. User attributes and policy can change > independently of the object, so it makes sense to move that logic > elsewhere. > > The other alternative interpretation that might fit the use case better is > to give the user access to a particular authorization only for a particular > time period. ACCUMULO-238 and ACCUMULO-259 would open up the ability to > handle this type of thing at an external authorization-provider, rather > than using the built-in, relatively static set of maximal authorizations > that Accumulo supports out of the box. Also, it's not really necessary to > extend the current authorization syntax, since we could just explicitly > represent the time bounds in an extended API. > > Adam > > > > On Mon, Aug 13, 2012 at 3:26 PM, Edmon Begoli wrote: > > > Folks, > > > > These are just some thoughts inspired by our discussion on user list > > and the multi-level representation for labels. > > > > What do you think if role labels could have embedded, interpretable, > > simple micro-grammar structure > > that if present could be used to augment the role label semantics with > > additional meaning - e.g. place, time, relationship. > > > > For example: > > > > if regular label is followed by : > > > > :read:4294967295 or read:4294967295-4294967312 > > > > this would mean that this role label is effective between these > timestamps. > > > > We could further expand the grammar to include some of the simple and > > easily verifiable conventions. > > > > for instance label: > > > > administrator@tn > > > > could mean that this is a role of an administrator but effective only > > for the state of Tennessee. > > > > = could mean "is" > > > > read=administrator@tn > > > > Would indicate read privileges at the admin level at Tennessee. > > > > -- > > Edmon > > > --14dae9d71976350c1e04c72e2320--