accumulo-dev mailing list archives

From Adam Fuchs <>
Subject Re: complement in security label expression?
Date Sun, 02 Sep 2012 02:13:35 GMT
Hi Rob,

I think that a complement operator would fit naturally into Accumulo's
cell-level security mechanism. The computation wouldn't be any harder, and
the language wouldn't be significantly more complex. This would be a great
project for you to take on. Please let us know if you need any guidance on
how to approach it.

The main reason why it isn't in there yet is because we haven't found a
direct need for it. I would caution you to avoid coupling policy too
closely with the data labels, since policy tends to change over time and
isn't necessarily directly correlated with the data being labeled. Try to
keep your labels as close to a description of the data as possible. For
example, if you are labeling my medical records, you would want to label
them with something like (AdamsMedicalRecord) rather than (DoctorBob). The
policy in this domain applied to my doctor would give Dr. Bob access to the
attribute/role "AdamsMedicalRecord". Obviously, this is a toy example, but
the more policy you can apply by changing which users have access to which
labels rather than complicating the set of labels with policy elements, the

I would love to see more details on your particular attribute scheme. If
you can share those here I'm sure they would be very helpful to the
community, and then we can also comment on whether they make sense.


On Sat, Sep 1, 2012 at 1:57 PM, Rob Nichols <> wrote:

> What I understand from the documentation for 1.4 is that the security
> label expressions support AND, OR, and Grouping, but do not support NOT.
>  Is this planned for a future release?  Would there be opposition to adding
> complement to the expressions?
> Our use case involves a hierarchy of roles, and the ability to exclude one
> sub group.  For concreteness, say we have a label that is Group.  Say we
> also have labels Group1, Group2, etc...  We would occasionally add sub
> groups, like Group5, Group6 after the data is populated.  The authorization
> would include both "Group" and the subgroup ("Group1").  The label
> expression for a cell might be "(Group & !Group1)".
> Should we handle this some other way?  Have I misunderstood the
> documentation?  Should I begin working on adding complement to the
> expressions?
> Thanks,
> Rob
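
Added example, not part of the original messages and not Accumulo's code: a small Python evaluator for the label expressions discussed in this thread (AND, OR, grouping), extended with a hypothetical `!` complement to show how the proposed "(Group & !Group1)" would evaluate. The function name `visible`, the `GRANTS` table and the handling of an empty label are assumptions made for the sketch.

```python
import re
# Sketch only, not Accumulo's parser. '&', '|' and grouping are from the thread;
# the '!' complement is HYPOTHETICAL (the operator Rob proposes).
TOKEN = re.compile(r"[A-Za-z0-9_.:/-]+|[&|!()]")

def visible(expr, auths):
    """True if a reader holding the set `auths` may see a cell labeled `expr`."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("illegal character in expression")
    if not tokens:
        return True                  # assumption: an empty label hides nothing
    i = 0

    def take():
        nonlocal i
        tok = tokens[i] if i < len(tokens) else None
        i += 1
        return tok

    def term():
        tok = take()
        if tok == "!":               # complement applies to the next term only
            return not term()
        if tok == "(":
            val = group()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok in (None, "&", "|", ")"):
            raise ValueError("expected a label")
        return tok in auths

    def group():
        val, op = term(), None
        while i < len(tokens) and tokens[i] in ("&", "|"):
            if op not in (None, tokens[i]):
                raise ValueError("mixing & and | requires parentheses")
            op = take()
            rhs = term()             # parse the right side even if val decides
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    result = group()
    if i != len(tokens):
        raise ValueError("unexpected trailing input")
    return result

# Constructed policy table: access changes by editing this map, not the labels.
GRANTS = {"DrBob": {"AdamsMedicalRecord"}, "rob": {"Group", "Group1"}}
```

With the complement, a reader holding both Group and Group1 is denied the cell while a reader holding only Group sees it, so visibility is no longer monotonic in the set of authorizations presented.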
